latenighttales / alcali

Featureful Saltstack GUI

Home Page: https://alcali.dev

Authentication denied in FreeBSD

andrewhotlab opened this issue

First of all, thank you so much @mattLLVW for this precious piece of software!

Unfortunately, I'm having trouble making it work in our FreeBSD environment, and I'd be very grateful if anyone could point me in the right direction to troubleshoot this issue.

Salt (v3006.1) Master, API and ALCALI (vrunning all in FreeBSD 12.4. I'm pretty new to Salt, thus I'm likely missing something here...

I set up ALCALI to authenticate with its eauth module to salt-api, and it seems to me that there is no problem authenticating the alcali admin user account by using curl:

# alcali manage_token admin
user admin's token: 396f9d6f9906b8f9c480722f2edc2ecaaa6209b7

# curl -ski https://localhost:8080/login -H 'Accept: application/json' -d eauth='alcali' -d username='admin' -d password='396f9d6f9906b8f9c480722f2edc2ecaaa6209b7'
HTTP/1.1 200 OK
Content-Type: application/json
Server: CherryPy/18.8.0
Date: Fri, 15 Sep 2023 16:55:00 GMT
Allow: GET, HEAD, POST
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: GET, POST
Access-Control-Allow-Credentials: true
X-Auth-Token: 913d982bf7f2517d6506dbd4dd9a3d8801130691
Vary: Accept-Encoding
Content-Length: 209
Set-Cookie: session_id=913d982bf7f2517d6506dbd4dd9a3d8801130691; expires=Sat, 16 Sep 2023 02:55:00 GMT; Max-Age=36000; Path=/

{"return": [{"token": "913d982bf7f2517d6506dbd4dd9a3d8801130691", "expire": 1694840100.9966853, "start": 1694796900.996685, "user": "admin", "eauth": "alcali", "perms": [".*", "@local", "@runner", "@wheel"]}]}

But when I log in to the web UI and try to refresh keys, I receive this error:

[Image: Screenshot_2023-09-15_18-56-29]

Here are the relevant lines from salt-api logs:

[INFO    ] [api_acl] Authentication not checked for user admin from IP 192.168.171.8
[TRACE   ] ReqChannel send clear load={'username': 'admin', 'password': '396f9d6f9906b8f9c480722f2edc2ecaaa6209b7', 'eauth': 'alcali', 'cmd': 'mk_token'}
[DEBUG   ] Closing AsyncReqChannel instance
[15/Sep/2023:19:07:00] ENGINE Started monitor thread 'Session cleanup'.
[INFO    ] [15/Sep/2023:19:07:00] ENGINE Started monitor thread 'Session cleanup'.
192.168.171.8 - - [15/Sep/2023:19:07:00] "POST /login HTTP/1.1" 200 209 "" "Python-urllib/3.9"
[INFO    ] 192.168.171.8 - - [15/Sep/2023:19:07:00] "POST /login HTTP/1.1" 200 209 "" "Python-urllib/3.9"
[TRACE   ] ReqChannel send clear load={'client': 'wheel', 'token': '860d6fc7193f1a53d223e7b195b08158650f686644d3edcfbf39d8931f862267', 'fun': 'key.list_all', 'cmd': 'wheel'}
[DEBUG   ] Closing AsyncReqChannel instance
[ERROR   ] Authentication failure of type "token" occurred for user admin.
192.168.171.8 - - [15/Sep/2023:19:07:00] "POST / HTTP/1.1" 401 3023 "" "Python-urllib/3.9"
[INFO    ] 192.168.171.8 - - [15/Sep/2023:19:07:00] "POST / HTTP/1.1" 401 3023 "" "Python-urllib/3.9"

Relevant lines in files under /usr/local/etc/master.d/:

rest_cherrypy:
  port: 8080
  host: 0.0.0.0
  debug: True
  ssl_crt: /usr/local/etc/salt/pki/tls/certs/localhost.crt
  ssl_key: /usr/local/etc/salt/pki/tls/certs/localhost.key
keep_acl_in_token: True
netapi_enable_clients:
  - local
  - local_async
  - local_batch
  - local_subset
  - runner
  - runner_async
  - wheel
  - wheel_async
auth_dirs: [/usr/local/etc/salt/auth]
external_auth:
  alcali:
    admin:
      - .*
      - '@local'
      - '@runner'
      - '@wheel'

I also tried with the REST eauth module, but it seems that the salt-api response at login misses the permissions list:

curl -ski https://localhost:8080/login -H 'Accept: application/json' -d eauth='rest' -d username='admin' -d password='396f9d6f9906b8f9c480722f2edc2ecaaa6209b7'
HTTP/1.1 200 OK
Content-Type: application/json
Server: CherryPy/18.8.0
Date: Fri, 15 Sep 2023 17:10:20 GMT
Allow: GET, HEAD, POST
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: GET, POST
Access-Control-Allow-Credentials: true
X-Auth-Token: f21e710df7be8b040b04e50661adfeefeb2b464a
Vary: Accept-Encoding
Content-Length: 173
Set-Cookie: session_id=f21e710df7be8b040b04e50661adfeefeb2b464a; expires=Sat, 16 Sep 2023 03:10:20 GMT; Max-Age=36000; Path=/

{"return": [{"token": "f21e710df7be8b040b04e50661adfeefeb2b464a", "expire": 1694841020.3685005, "start": 1694797820.3685002, "user": "admin", "eauth": "rest", "perms": {}}]}

For this attempt, I used the same config lines above except these ones (obviously I modified the ALCALI .env file accordingly):

external_auth:
  rest:
    ^url: http://localhost:8000/api/token/verify
    admin:
      - .*
      - '@local'
      - '@runner'
      - '@wheel'

Since I don't have much experience with SaltStack and its API, my troubleshooting tools are pretty basic: I can't do much more than run the daemons with debug logging and try to interpret the output... Maybe someone can suggest how I can better investigate the cause of this?

TIA
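The TRACE lines in the salt-api log above carry the `password` and `token` values of each request in cleartext. The following is an added example (not part of the issue, Alcali or Salt) that masks those values before a log is shared, keeping only each secret's length and a short hash so tokens can still be compared with each other. The function names and the sample values are this example's own.

```python
import ast
import hashlib
import re

# Keys whose values are credentials in the top level of a salt-api "load" dict.
SECRET_KEYS = {"password", "token"}
# Matches the TRACE line format shown in the issue's salt-api log.
LOAD_RE = re.compile(r"^(?P<prefix>.*ReqChannel send clear load=)(?P<load>\{.*\})\s*$")


def fingerprint(secret):
    """Replace a secret with its length and a short SHA-256 prefix."""
    text = str(secret)
    digest = hashlib.sha256(text.encode()).hexdigest()[:8]
    return f"<redacted len={len(text)} sha256={digest}>"


def redact_line(line):
    """Return the line with password/token values in its load dict masked."""
    match = LOAD_RE.match(line)
    if not match:
        return line
    try:
        load = ast.literal_eval(match.group("load"))
    except (ValueError, SyntaxError):
        load = None
    if not isinstance(load, dict):
        # Unparseable payload: drop it rather than risk leaking a secret.
        return match.group("prefix") + "<unparseable load removed>"
    for key in SECRET_KEYS & load.keys():
        load[key] = fingerprint(load[key])
    return match.group("prefix") + repr(load)


def redact_log(text):
    """Redact every line of a multi-line log excerpt."""
    return "\n".join(redact_line(line) for line in text.splitlines())


# Constructed sample in the same format as the log above (values are made up).
SAMPLE = """\
[TRACE   ] ReqChannel send clear load={'username': 'admin', 'password': 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeef', 'eauth': 'alcali', 'cmd': 'mk_token'}
[DEBUG   ] Closing AsyncReqChannel instance
[TRACE   ] ReqChannel send clear load={'client': 'wheel', 'token': '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef', 'fun': 'key.list_all', 'cmd': 'wheel'}
[ERROR   ] Authentication failure of type "token" occurred for user admin.
"""

if __name__ == "__main__":
    print(redact_log(SAMPLE))
```

The `len=` field in the output is enough to see whether the token sent with a request has the same shape as the one a login returned.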

It should be fixed by #507.

Wonderful, thank you @mattLLVW: it's working now! :)