hi, i'm trying to access the various functions via the API as a wheel
client and for some reason i always get a "401 Unauthorized" error even
though it looks to me like everything is configured correctly. i have
created a user on the salt master that is used for API access, i added
'@wheel' for the external authentication for the user in the salt master
configuration file and have also added the user to the wheel group on the
host even though i haven't seen anything requiring that in the
documentation but i always get the authentication error (i always restarted
salt-master and salt-api after making any changes for testing). does
anybody have any ideas or suggestions? everything seems to work OK if the
client argument is set to local. here is the output of curl on the salt
master:

[root@srv ~]# curl -i -sSk https://localhost:8888/run -H 'Accept: application/x-yaml' -d username=XXXX -d password=XXXX -d eauth=pam -d fun=salt.wheel.key.list_all -d client=wheel
HTTP/1.1 401 Unauthorized
Content-Length: 1196
Access-Control-Expose-Headers: GET, POST
Vary: Accept-Encoding
Server: CherryPy/3.2.2
Allow: GET, HEAD, POST
Access-Control-Allow-Credentials: true
Date: Mon, 16 Mar 2015 21:31:41 GMT
Access-Control-Allow-Origin: *
Content-Type: text/html;charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
     <meta http-equiv="Content-Type" content="text/html;
charset=utf-8"></meta>
     <title>401 Unauthorized</title>
     <style type="text/css">
     #powered_by {
         margin-top: 20px;
         border-top: 2px solid black;
         font-style: italic;
     }

     #traceback {
         color: red;
     }
     </style>
</head>
     <body>
         <h2>401 Unauthorized</h2>
         <p>No permission -- see authorization schemes</p>
         <pre id="traceback">Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 656,
in respond
     response.body = self.handler()
   File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line
188, in __call__
     self.body = self.oldhandler(*args, **kwargs)
   File "/usr/lib/python2.7/site-packages/salt/netapi/rest_cherrypy/app.py",
line 390, in hypermedia_handler
     raise cherrypy.HTTPError(401)
HTTPError: (401, None)
</pre>
     <div id="powered_by">
     <span>Powered by <a href="http://www.cherrypy.org">CherryPy
3.2.2</a></span>
     </div>
     </body>
</html>

--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


  • Hober Smith at Mar 18, 2015 at 1:36 am
    hi, when trying this with token authentication the same problem occurs.
    you can see that the user authentication is successful when logging in and
    that the user has permissions set correctly for the wheel group:

    [root@XXX ~]# curl -sSk https://localhost:8888/login -H 'Accept: application/x-yaml' -d username=XXX -d password=XXX -d eauth=pam
    return:
    - eauth: pam
       expire: 1426685169.392385
       perms:
       - .*
       - '@wheel'
       - '@runner'
       - '@jobs'
       start: 1426641969.392382
       token: 742dc72e45cbb0f9e59d37b206b9ab33c5b94721
       user: XXX
    [root@XXX ~]#

    yet when i try to list the keys i get an authentication unauthorized/no
    permissions error:

    [root@XXX ~]# curl -sSk https://localhost:8888 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 742dc72e45cbb0f9e59d37b206b9ab33c5b94721' -d fun=wheel.key.list_all -d client=wheel
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
    <head>
         <meta http-equiv="Content-Type" content="text/html;
    charset=utf-8"></meta>
         <title>401 Unauthorized</title>
         <style type="text/css">
         #powered_by {
             margin-top: 20px;
             border-top: 2px solid black;
             font-style: italic;
         }

         #traceback {
             color: red;
         }
         </style>
    </head>
         <body>
             <h2>401 Unauthorized</h2>
             <p>No permission -- see authorization schemes</p>
             <pre id="traceback">Traceback (most recent call last):
       File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 656,
    in respond
         response.body = self.handler()
       File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line
    188, in __call__
         self.body = self.oldhandler(*args, **kwargs)
       File "/usr/lib/python2.7/site-packages/salt/netapi/rest_cherrypy/app.py",
    line 390, in hypermedia_handler
         raise cherrypy.HTTPError(401)
    HTTPError: (401, None)
    </pre>
         <div id="powered_by">
         <span>Powered by <a href="http://www.cherrypy.org">CherryPy
    3.2.2</a></span>
         </div>
         </body>
    </html>

    does anybody have any suggestions? after spending a whole day on this and
    trying everything i can think of besides looking here and at the
    documentation there is no clear reason as to why this is occurring. if i
    have something set incorrectly in the key request then i should get a
    different type of error besides the authorization error. i'm currently
    using salt salt-2014.7.2-1 on centos 7. any kind of help will be
    appreciated. thanks.

  • Seth House at Mar 25, 2015 at 3:34 am
    Hi, Hober. The `fun` argument should only be `key.list_all`. The rest of
    both examples looks correct.

    This causes an authorization failure because Salt's eauth system performs
    pattern-matching against the function you are requesting to run and that
    check does not match any of the eauth patterns in your config. I think this
    error message can be improved although I'm not sure exactly where or how.
    I've filed this issue below to collect ideas:

    https://github.com/saltstack/salt/issues/21969
  • Hober Smith at Mar 28, 2015 at 2:57 pm
    thanks...i had figured that out as far as the argument list goes and was
    going to mention it here when i saw your reply. i agree with you that the
    error message could be improved.

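An added example (not from the thread and not Salt's own code): a simplified model of the eauth check described in Seth House's reply, assuming the requested `fun` must be exactly `module.function` and that `@wheel` grants every wheel module. `PERMS` and `check` are hypothetical names; the model shows why the prefixed forms are denied exactly like a real permission gap, and returns a reason that tells the two cases apart.

```python
# Constructed sample: the perms list returned by /login in the thread.
PERMS = [".*", "@wheel", "@runner", "@jobs"]


def check(perms, client, fun):
    """Return (allowed, reason) for a wheel or runner request.

    Assumed model, not Salt's implementation: `fun` must be exactly
    "module.function"; an eauth entry "@<client>" grants every module of
    that client type and "@<module>" grants a single module. Entries
    without "@" are minion targets and do not apply to wheel/runner.
    """
    parts = fun.split(".")
    if len(parts) != 2 or not all(parts):
        hint = ""
        # A client-type prefix such as "wheel." or "salt.wheel." is the
        # mistake made in the thread, so point at the corrected value.
        if client in parts[:-2]:
            hint = "; drop the prefix and send fun=" + ".".join(parts[-2:])
        return False, "malformed fun %r: expected module.function%s" % (fun, hint)

    module = parts[0]
    for perm in perms:
        if not isinstance(perm, str) or not perm.startswith("@"):
            continue
        if perm[1:] in (client, module):
            return True, "granted by %r" % perm
    return False, "no eauth entry grants %s module %r" % (client, module)


if __name__ == "__main__":
    requests = [
        "salt.wheel.key.list_all",  # first curl call in the thread
        "wheel.key.list_all",       # second curl call in the thread
        "key.list_all",             # corrected form from the reply
    ]
    for fun in requests:
        allowed, reason = check(PERMS, "wheel", fun)
        print("%-26s %-5s %s" % (fun, "allow" if allowed else "deny", reason))
    # Same function name, but the account has no wheel grant at all.
    print(check([".*"], "wheel", "key.list_all"))
```

Logging the reason server-side while still returning a plain 401 to the client keeps the denial distinguishable for the administrator without telling an unauthenticated caller which part of the check failed.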

Discussion Overview
group: salt-users
posted: Mar 16, '15 at 9:36p
active: Mar 28, '15 at 2:57p
posts: 4
users: 2
