Authentication failed using PAM with separate SaltGUI host
pju51 opened this issue
Describe the bug
I always get the "Authentication failed" message on SaltGUI when I try to log in with the separate SaltGUI host.
- My version of Saltstack is 3000.3
- I use the last release of SaltGUI.
My Saltstack master config
external_auth:
  pam:
    salt-api:
      - .*
    saltgui_user:
      - .*
      - '@runner'
      - '@wheel'
      - '@jobs'
rest_cherrypy:
  debug: True
  port: 8000
  ssl_crt: /etc/salt/pki/master/api/salt-api.cert
  ssl_key: /etc/salt/pki/master/api/salt-api.key
  webhook_disable_auth: True
  webhook_url: /hook
It is used by some other internal API, I can't change the config, but I can add a user or whatever.
The CherryPy server answers on this URL: https://FQDN_MASTER:8000/hook
Separate SaltGUI host config
In saltgui/static/scripts/config.js
I use: "API_URL": "/api",
In my container nginx, I use this default.conf
config:
server {
    listen 80;
    server_name _;
    root /data/www;
    index index.html;
    # handle internal api (proxy)
    location /api/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass https://FQDN_MASTER:8000/hook/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_ssl_verify off;
        proxy_ssl_server_name off;
        proxy_redirect off;
    }
    # handle saltgui web page
    location / {
        try_files $uri /index.html;
    }
}
When I run my docker-compose file with my build image:
version: '3'
services:
  saltgui-nginx:
    image: saltgui_my_image
    hostname: saltgui-nginx
    ports:
      - 8080:80
    restart: on-failure
    volumes:
      - ../saltgui:/data/www
I can access SaltGUI and the login page, but when I check with my user, I always get the "Authentication failed" message.
So I tested the login page from SaltGUI with curl:
curl -sSk http://SALT_GUI:8080/api/login \
-H 'Accept: application/x-yaml' \
-d username=saltgui_user \
-d password=XXX \
-d eauth=pam
I have the result: success: true
So normally, I should be able to authenticate my user on the SaltGUI page.
I get the same success message if I try the curl directly against my SaltStack master:
curl -sSk https://FQDN_MASTER:8000/hook/login \
-H 'Accept: application/x-yaml' \
-d username=saltgui_user \
-d password=XXX \
-d eauth=pam
For information, if I remove /hook/ from the URL in the proxy_pass parameter in my default.conf, I have this error: no session, and I don't have the login page. So it's worse.
What am I missing? Is it a bug? Is my SaltStack version too old?
(maybe not a bug, sorry for the labels ;) )
Thanks
> my saltstack version is too old ?
SaltGUI supports all SaltStack versions, back to 2017.x
Before that version, an extra bit of code was needed, and I decided not to add that since no one should be encouraged to use such a version.
Thanks @erwindon for your quick response.
I investigated a little bit with your docker-compose stack and I found my problem.
It was in my proxy_pass parameter in the nginx default.conf file.
I had tried with https://FQDN_MASTER:8000 (not https://FQDN_MASTER:8000/, I forgot the "/")
and I thought I should use /hook/, but no.
The answer from CherryPy must not return "success: true" (that was my mistake) but the token:
that looks much better!
are there any remaining questions?
no thanks, you can close the ticket and sorry for the noise.
no problem!
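An added example, not part of the thread and not SaltGUI or Salt code: it applies nginx's proxy_pass rule for a prefix location (a URI part on proxy_pass replaces the matched location prefix; with no URI part the request URI is passed unchanged) to the three proxy_pass values tried above, and tells a rest_cherrypy login reply from a webhook reply. The function names and the JSON sample bodies are constructed for illustration; it assumes the reply is requested as JSON rather than YAML.

```python
import json
from urllib.parse import urlsplit

def upstream_path(location, proxy_pass, request_uri):
    """Path nginx sends upstream for a plain prefix location (no regex, no variables)."""
    if not request_uri.startswith(location):
        raise ValueError("request does not match this location")
    uri_part = urlsplit(proxy_pass).path  # '' when proxy_pass is only scheme://host:port
    if uri_part == "":
        return request_uri                # no URI part: passed through unchanged
    return uri_part + request_uri[len(location):]  # matched prefix is replaced

def classify_login_reply(body):
    """Return 'login' if the body carries a session token, 'webhook' if it is
    only the generic acknowledgement from the /hook endpoint, else 'unknown'."""
    data = json.loads(body)
    if not isinstance(data, dict):
        return "unknown"
    ret = data.get("return")
    if isinstance(ret, list) and ret and isinstance(ret[0], dict) and ret[0].get("token"):
        return "login"
    if data.get("success") is True:
        return "webhook"
    return "unknown"

# Constructed sample bodies (placeholder token, not real output).
WEBHOOK_REPLY = '{"success": true}'
LOGIN_REPLY = '{"return": [{"token": "PLACEHOLDER", "eauth": "pam", "user": "saltgui_user"}]}'

# The three proxy_pass values mentioned in the thread.
VARIANTS = [
    "https://FQDN_MASTER:8000/hook/",  # original config: reaches the webhook
    "https://FQDN_MASTER:8000",        # no trailing slash: /api/ prefix is kept
    "https://FQDN_MASTER:8000/",       # working config: /api/login -> /login
]

if __name__ == "__main__":
    for value in VARIANTS:
        print(f"{value:34} /api/login -> {upstream_path('/api/', value, '/api/login')}")
    for name, body in (("webhook", WEBHOOK_REPLY), ("login", LOGIN_REPLY)):
        print(name, "body classified as", classify_login_reply(body))
```

With webhook_disable_auth: True, the /hook endpoint acknowledges a POST without checking credentials, so "success: true" from /hook/login says nothing about whether the PAM login worked.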