erwindon / SaltGUI

A web interface for managing SaltStack based infrastructure.


Setting keep_acl_in_token:True breaks SaltGui

pckroon opened this issue · comments

Heyhey,

if I set keep_acl_in_token: True in my master config, logging into SaltGui no longer works for my PAM user.
Well, authentication works, but authorization breaks (all entries become (error)). The salt-api logs the following:

 [ERROR   ] Authentication failure of type "token" occurred for user <username>

If I put it back to False SaltGui works as intended, so I guess I managed with the whole netapi_client thing.

I'm running SaltGui from the master branch (9d089bc) on salt-master 3006.1

replaying the situation now...

my observation now:

  • '/login' call succeeds normally (page "Login")
  • all regular api calls fail with "Unauthorized"
  • /events call still works (page "Events")
  • /stats call still works (hidden page "Options/Stats")
  • logout still works (hidden page "Logout")

I think that this behavior has always been like this in SaltAPI as using keep_acl_in_token:True was never taken into account.

Let's see how we can improve that...

The more I read about this, the more confusion occurs for me.
This may well be the "normal" behavior of salt-api.
And as SaltGUI is just using salt-api, it inherits the behavior.

keep_acl_in_token:true seems to work with predefined access-tokens as handed out by the calls from https://docs.saltproject.io/en/latest/ref/runners/all/salt.runners.auth.html
I imagine that these tokens work INSTEAD of the token as retrieved by the login procedure?
It looks like the api calls in the application (e.g. SaltGUI) must then use the predefined tokens.

can you set up a sequence of salt-api calls (using CURL or WGET) that uses salt-api (e.g. test.ping) with keep_acl_in_token: true?
e.g. the similar script without that is:

curl \
        --data '{"eauth":"pam","password":"sdjgljsldkfhslkjh","username":"erwindon"}' \
        -H "Accept: application/json" \
        -H "Content-type: application/json" \
        http://localhost:8000/login
echo

and:
(fill in the token that was returned in the previous command)

curl \
        --data '[{"client": "local", "tgt": "*", "fun": "test.ping"}]' \
        -H "Accept: application/json" \
        -H "Content-type: application/json" \
        -H "X-Auth-Token: 4027f326fdb049f4bd65bbad97af671e19eeeb85" \
        http://localhost:8000/
echo
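The same two-step exchange (POST /login, then a test.ping call carrying the returned token) as a bash script, added here as an example and not part of SaltGUI or the comment above. It assumes salt-api is reachable at $SALT_API_URL (default http://localhost:8000), that the PAM credentials are passed in $SALT_USER and $SALT_PASS (a password containing double quotes would need escaping), and that curl is installed; the token is pulled out of the login JSON with sed so no jq is needed. A 401 on the second call is the "Authentication failure of type "token"" case from the salt-api log at the top of the thread.

```bash
#!/usr/bin/env bash
# Added example (not SaltGUI project code). Assumptions: salt-api at
# $SALT_API_URL, eauth "pam", credentials in $SALT_USER / $SALT_PASS.
set -u

SALT_API_URL="${SALT_API_URL:-http://localhost:8000}"

# Pull the "token" value out of a /login response body.
# Returns 1 when no token is present (e.g. a 401 HTML page came back).
extract_token() {
    local body="$1" tok
    tok=$(printf '%s' "$body" | sed -n 's/.*"token": *"\([0-9a-f]\{40\}\)".*/\1/p')
    [ -n "$tok" ] || return 1
    printf '%s\n' "$tok"
}

# Map an HTTP status from salt-api to a short label. 401 is what the
# thread observes when the token's ACL cannot be used.
classify_status() {
    case "$1" in
        200) echo "ok" ;;
        401) echo "unauthorized" ;;
        *)   echo "other" ;;
    esac
}

# POST /login and print the token (same call as the first curl above).
salt_login() {
    local body
    body=$(curl -s \
        --data "{\"eauth\":\"pam\",\"password\":\"${SALT_PASS}\",\"username\":\"${SALT_USER}\"}" \
        -H "Accept: application/json" \
        -H "Content-type: application/json" \
        "${SALT_API_URL}/login")
    extract_token "$body"
}

# Run test.ping with the token and print only the HTTP status code.
salt_test_ping() {
    local token="$1"
    curl -s -o /dev/null -w '%{http_code}' \
        --data '[{"client": "local", "tgt": "*", "fun": "test.ping"}]' \
        -H "Accept: application/json" \
        -H "Content-type: application/json" \
        -H "X-Auth-Token: ${token}" \
        "${SALT_API_URL}/"
}

# Only contact a real salt-api when credentials were supplied, so the
# helper functions above remain usable offline.
if [ -n "${SALT_USER:-}" ] && [ -n "${SALT_PASS:-}" ]; then
    token=$(salt_login) || { echo "login failed: no token in response" >&2; exit 1; }
    status=$(salt_test_ping "$token")
    echo "test.ping -> HTTP $status ($(classify_status "$status"))"
fi
```

Run it once with keep_acl_in_token: False and once with True in the master config; the login succeeds both times, and the second line shows whether the test.ping call is accepted (200) or rejected (401) for that setting.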
{"return": [{"token": "a41c1d5d8b6d925963cacbd78233645a15fdca13", "expire": 1690231912.6168978, "start": 1690188712.6168973, "user": "saltgui", "eauth": "pam", "perms": [".*", "@jobs", "@runner", "@wheel"]}]}
curl \
        --data '[{"client": "local", "tgt": "nuc007.bin.bioinf.nl", "fun": "test.ping"}]' \
        -H "Accept: application/json" \
        -H "Content-type: application/json" \
        -H "X-Auth-Token: a41c1d5d8b6d925963cacbd78233645a15fdca13" \
        -k \
        https://192.168.12.56:8080/
echo
<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
    <title>401 Unauthorized</title>
    <style type="text/css">
    #powered_by {
        margin-top: 20px;
        border-top: 2px solid black;
        font-style: italic;
    }

    #traceback {
        color: red;
    }
    </style>
</head>
    <body>
        <h2>401 Unauthorized</h2>
        <p>Authorization error occurred.</p>
        <pre id="traceback"></pre>
    <div id="powered_by">
      <span>
        Powered by <a href="http://www.cherrypy.org">CherryPy 18.6.1</a>
      </span>
    </div>
    </body>
</html>

And salt-api logs an authorization error.

I guess you got the same on your end. This is a really low priority issue for me tbh. I guess it's a nice-to-have, but if you have (more) useful things to do, do so ;)

but if you have (more) useful things to do, do so ;)
but these are the interesting cases... it just takes a few minutes of my time and I'm learning something new!

my question was intended to let you create a working combination using salt-api alone.
since SaltGUI uses only the salt-api to do its work, this is my only chance to somehow add support to SaltGUI for keep_acl_in_token: True. When you have a working scenario, just re-open this issue.

Hahahaha fair enough.
I'm afraid I really don't know anywhere near enough about salt or salt-api to be able to produce anything anywhere near useful in anywhere near reasonable time (-:

I'd suggest you reopen this with a label low-priority/help-wanted in the hopes someone else comes along.

I'd suggest you reopen this with a label low-priority/help-wanted in the hopes someone else comes along.

I have been the maintainer of SaltGUI for almost 5 years, and have been using SaltStack for 2 years longer than that.
In all that time no-one has asked for this feature, or even mentioned its existence.
Now I really don't mind adding a feature to SaltGUI for a very limited audience, but there must be a genuine demand.

Of course it's up to you to decide if a new feature is worth the maintenance effort.
And know that I'm very happy with SaltGui and your support/maintenance of it!