[ckan-dev] problems with api authentication

Sasha Cuerda scuerda at ctdata.org
Tue Aug 9 15:02:53 UTC 2016


Nope. Same issue.

I confirmed that the user I'm using is set as a sysadmin via the 'paster
sysadmin add' command. Then I tried to reset the user api key via
`user_generate_apikey` with the same Access Denied result.

Interestingly, when I try to use the `user_show` call, I am not being
shown the email or the api key, so clearly there is something more
significant in terms of authentication going on.

I'm running this on an ec2 instance, using the documented server config
(Apache w/ modwsgi & Nginx proxy). In reviewing my config files, I don't
see anything that could be resulting in the apikey header being stripped
and/or modified...but I suspect that the issue is somewhere in there.



On Tue, Aug 9, 2016 at 10:46 AM, Adrià Mercader <adria.mercader at okfn.org>
wrote:

> I wonder if it is something related to the Filestore and its permissions.
> Does it work if you don't upload a file and update say the name or
> description of the resource?
>
> Adrià
>
> On 9 August 2016 at 13:19, Sasha Cuerda <scuerda at ctdata.org> wrote:
> > Ian and Adrià,
> >
> > Thanks for your help.
> >
> > I've tried disabling extensions to no effect.
> >
> > Here is the verbose results from curl...
> >
> >> POST /api/3/action/resource_update HTTP/1.1
> >> Host: data.ctdata.org
> >> User-Agent: curl/7.43.0
> >> Accept: */*
> >> Authorization:<API-KEY>
> >> Content-Length: 300
> >> Expect: 100-continue
> >> Content-Type: multipart/form-data; boundary=------------------------f8151c03db98b3cd
> >>
> > < HTTP/1.1 100 Continue
> > < HTTP/1.1 403 Forbidden
> > < Server: nginx/1.4.6 (Ubuntu)
> > < Date: Tue, 09 Aug 2016 12:05:08 GMT
> > < Content-Type: application/json;charset=utf-8
> > < Content-Length: 245
> > < Connection: keep-alive
> > < Pragma: no-cache
> > < Cache-Control: no-cache
> > < Access-Control-Allow-Origin: *
> > * HTTP error before end of send, stop sending
> > <
> > * Closing connection 0
> >
> > Does anything here seem "off"? It looks reasonable to me.
> >
> > Using the same user account I am able to create and modify resources on
> > the dataset using the GUI...
> >
> >
> > On Tue, Aug 9, 2016 at 8:00 AM, Adrià Mercader <adria.mercader at okfn.org>
> > wrote:
> >>
> >> Also check for new extensions that might be messing with the
> >> authorization (ie try disabling extensions and see if it works)
> >>
> >>
> >> Adrià
> >>
> >> On 9 August 2016 at 12:52, Ian Ward <ian at excess.org> wrote:
> >> > Has anything changed about your web server configuration? run curl
> >> > with -v to see if you're getting a redirect or something. Is it
> >> > possible the header is being stripped out along the way?
> >> >
> >> > On Tue, Aug 9, 2016 at 7:36 AM, Sasha Cuerda <scuerda at ctdata.org> wrote:
> >> >> Hello Adrià,
> >> >>
> >> >> Yeah, that's what's so puzzling about this. I have certainly executed
> >> >> this call before, using the same server and the same api key. I
> >> >> created a new sysadmin account and tried using the same call w/ the
> >> >> new api key and received the same error.
> >> >>
> >> >> Is there anything about the group / org permissions that would impact
> >> >> this behavior? I would think that sysadmins would always have
> >> >> permissions to edit / update any dataset / resource, but I may be
> >> >> misunderstanding the permissions system.
> >> >>
> >> >> Sasha
> >> >>
> >> >> On Tue, Aug 9, 2016 at 5:43 AM, Adrià Mercader <adria.mercader at okfn.org> wrote:
> >> >>>
> >> >>> Hi Sasha,
> >> >>>
> >> >>> On 8 August 2016 at 22:17, Sasha Cuerda <scuerda at ctdata.org> wrote:
> >> >>> > {
> >> >>> >     "message": "Access denied: <function resource_update at 0x7efead4c4848> requires an authenticated user",
> >> >>> >     "__type": "Authorization Error"
> >> >>> > }
> >> >>> This error occurs when there is no user logged in or an auth header
> >> >>> was not sent at all OR the user was not found (ie the API key is
> >> >>> incorrect). Can you double check your header name and value?
> >> >>>
> >> >>> Other than that your same calls work for me on master.
> >> >>>
> >> >>> Adrià
> >> >>> _______________________________________________
> >> >>> ckan-dev mailing list
> >> >>> ckan-dev at lists.okfn.org
> >> >>> https://lists.okfn.org/mailman/listinfo/ckan-dev
> >> >>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> CT Data Collaborative, Director of Technology
> >> >> 805 Brook St Building 4
> >> >> Rocky Hill, CT 06067
> >> >> M: (860) 385-4860
> >> >>



-- 
CT Data Collaborative, Director of Technology
805 Brook St Building 4
Rocky Hill, CT 06067
M: (860) 385-4860
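
The thread's open question is whether the API key header survives the Nginx and Apache/mod_wsgi hops. The following is an added example, not code from the thread or from CKAN: a throwaway WSGI app that can be mounted temporarily behind the same proxy chain to report which credential headers reach the application, without echoing their values. It assumes the two header names CKAN reads the key from (`Authorization` and `X-CKAN-API-Key`); the function names are hypothetical.

```python
# Added diagnostic example (not from the thread): report which credential
# headers reach a WSGI app behind the Nginx -> Apache/mod_wsgi chain.
import json

# Header names CKAN reads the API key from; X-CKAN-API-Key is CKAN's
# alternative to Authorization.
AUTH_HEADERS = ("Authorization", "X-CKAN-API-Key")


def environ_key(header):
    """Map an HTTP header name to its WSGI environ key."""
    return "HTTP_" + header.upper().replace("-", "_")


def inspect_auth(environ):
    """Report presence and length of each auth header, never its value."""
    report = {}
    for header in AUTH_HEADERS:
        value = environ.get(environ_key(header))
        report[header] = {
            "present": value is not None,
            "length": len(value) if value is not None else 0,
            # Stray whitespace or quotes around the key break the user lookup.
            "clean": value is not None and value == value.strip().strip("\"'"),
        }
    return report


def application(environ, start_response):
    """WSGI entry point: return the report as JSON, uncached."""
    body = json.dumps(inspect_auth(environ), sort_keys=True).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "application/json"),
        ("Content-Length", str(len(body))),
        ("Cache-Control", "no-store"),
    ])
    return [body]


if __name__ == "__main__":
    # Constructed environ: Authorization was dropped before reaching the app.
    sample = {"REQUEST_METHOD": "POST", "HTTP_X_CKAN_API_KEY": "constructed-key"}
    print(json.dumps(inspect_auth(sample), indent=2))
```

If `Authorization` shows as absent while `X-CKAN-API-Key` arrives, check the Apache virtual host for `WSGIPassAuthorization On`: mod_wsgi does not pass the `Authorization` header to the application unless that directive is set.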