[ckan-dev] problems with api authentication

Ian Ward ian at excess.org
Tue Aug 9 15:28:45 UTC 2016


You're using the API key shown on the user page after logging in or
from the apikey= result you see when running `paster user <username>`,
right? The `paster sysadmin` command doesn't show API keys.

On Tue, Aug 9, 2016 at 11:02 AM, Sasha Cuerda <scuerda at ctdata.org> wrote:
> Nope. Same issue.
>
> I confirmed that the user I'm using is set as a sysadmin via the 'paster
> sysadmin add' command. Then I tried to reset the user api key via
> `user_generate_apikey` with the same Access Denied result.
>
> Interestingly, when I try to use the `user_show` call, I am not being shown
> the email or the api key, so clearly there is something more significant in
> terms of authentication going on.
>
> I'm running this on an ec2 instance, using the documented server config
> (Apache w/ mod_wsgi & Nginx proxy). In reviewing my config files, I don't see
> anything that could be resulting in the apikey header being stripped and/or
> modified...but I suspect that the issue is somewhere in there.
>
>
>
> On Tue, Aug 9, 2016 at 10:46 AM, Adrià Mercader <adria.mercader at okfn.org>
> wrote:
>>
>> I wonder if it is something related to the Filestore and its permissions.
>> Does it work if you don't upload a file and update say the name or
>> description of the resource?
>>
>> Adrià
>>
>> On 9 August 2016 at 13:19, Sasha Cuerda <scuerda at ctdata.org> wrote:
>> > Ian and Adrià,
>> >
>> > Thanks for your help.
>> >
>> > I've tried disabling extensions to no effect.
>> >
>> > Here are the verbose results from curl...
>> >
>> >> POST /api/3/action/resource_update HTTP/1.1
>> >> Host: data.ctdata.org
>> >> User-Agent: curl/7.43.0
>> >> Accept: */*
>> >> Authorization:<API-KEY>
>> >> Content-Length: 300
>> >> Expect: 100-continue
>> >> Content-Type: multipart/form-data;
>> >> boundary=------------------------f8151c03db98b3cd
>> >>
>> > < HTTP/1.1 100 Continue
>> > < HTTP/1.1 403 Forbidden
>> > < Server: nginx/1.4.6 (Ubuntu)
>> > < Date: Tue, 09 Aug 2016 12:05:08 GMT
>> > < Content-Type: application/json;charset=utf-8
>> > < Content-Length: 245
>> > < Connection: keep-alive
>> > < Pragma: no-cache
>> > < Cache-Control: no-cache
>> > < Access-Control-Allow-Origin: *
>> > * HTTP error before end of send, stop sending
>> > <
>> > * Closing connection 0
>> >
>> > Does anything here seem "off"? It looks reasonable to me.
>> >
>> > Using the same user account I am able to create and modify resources on
>> > the
>> > dataset using the GUI...
>> >
>> >
>> > On Tue, Aug 9, 2016 at 8:00 AM, Adrià Mercader <adria.mercader at okfn.org>
>> > wrote:
>> >>
>> >> Also check for new extensions that might be messing with the
>> >> authorization (ie try disabling extensions and see if it works)
>> >>
>> >>
>> >> Adrià
>> >>
>> >> On 9 August 2016 at 12:52, Ian Ward <ian at excess.org> wrote:
>> >> > Has anything changed about your web server configuration? Run curl
>> >> > with -v to see if you're getting a redirect or something. Is it
>> >> > possible the header is being stripped out along the way?
>> >> >
>> >> > On Tue, Aug 9, 2016 at 7:36 AM, Sasha Cuerda <scuerda at ctdata.org>
>> >> > wrote:
>> >> >> Hello Adrià,
>> >> >>
>> >> >> Yeah, that's what's so puzzling about this. I have certainly
>> >> >> executed
>> >> >> this
>> >> >> call before, using the same server and the same api key. I created a
>> >> >> new
>> >> >> sysadmin account and tried using the same call w/ the new api key
>> >> >> and
>> >> >> received the same error.
>> >> >>
>> >> >> Is there anything about the group / org permissions that would
>> >> >> impact
>> >> >> this
>> >> >> behavior? I would think that sysadmins would always have
>> >> >> permissions
>> >> >> to
>> >> >> edit / update any dataset / resource, but I may be misunderstanding
>> >> >> the
>> >> >> permissions system.
>> >> >>
>> >> >> Sasha
>> >> >>
>> >> >> On Tue, Aug 9, 2016 at 5:43 AM, Adrià Mercader
>> >> >> <adria.mercader at okfn.org>
>> >> >> wrote:
>> >> >>>
>> >> >>> Hi Sasha,
>> >> >>>
>> >> >>> On 8 August 2016 at 22:17, Sasha Cuerda <scuerda at ctdata.org> wrote:
>> >> >>> > {
>> >> >>> >     "message": "Access denied: <function resource_update at
>> >> >>> > 0x7efead4c4848>
>> >> >>> > requires an authenticated user",
>> >> >>> >     "__type": "Authorization Error"
>> >> >>> > }
>> >> >>> This error occurs when there is no user logged in or an auth header
>> >> >>> was not sent at all OR the user was not found (ie the API key is
>> >> >>> incorrect). Can you double check your header name and value?
>> >> >>>
>> >> >>> Other than that your same calls work for me on master.
>> >> >>>
>> >> >>> Adrià
>> >> >>> _______________________________________________
>> >> >>> ckan-dev mailing list
>> >> >>> ckan-dev at lists.okfn.org
>> >> >>> https://lists.okfn.org/mailman/listinfo/ckan-dev
>> >> >>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> CT Data Collaborative, Director of Technology
>> >> >> 805 Brook St Building 4
>> >> >> Rocky Hill, CT 06067
>> >> >> M: (860) 385-4860
>> >> >>
>
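
Added example (not part of the thread, and not CKAN project code): a temporary WSGI endpoint for checking the question raised above, whether the API-key header is stripped or modified somewhere between Nginx, Apache/mod_wsgi and the application. It reports a SHA-256 prefix rather than the key itself; the function names are assumptions made for this example, and it would be mounted next to CKAN under a path of your choosing and removed after the test.

```python
import hashlib
import json

# Illustrative diagnostic, not CKAN code. These are the WSGI environ keys for
# the two request headers CKAN accepts an API key in.
KEY_HEADERS = {
    "Authorization": "HTTP_AUTHORIZATION",
    "X-CKAN-API-Key": "HTTP_X_CKAN_API_KEY",
}


def fingerprint(value):
    """Short SHA-256 prefix, so keys can be compared without being logged."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def header_report(environ):
    """Describe which key-bearing headers reached the WSGI application."""
    report = {}
    for name, env_key in KEY_HEADERS.items():
        value = environ.get(env_key)
        report[name] = {
            "received": value is not None,
            "length": len(value) if value is not None else 0,
            "sha256_prefix": fingerprint(value) if value is not None else None,
        }
    return report


def diagnose(sent_key, entry):
    """Compare the key the client sent with one header's entry in the report."""
    if not entry["received"]:
        return "stripped"      # header never reached the application
    if entry["sha256_prefix"] != fingerprint(sent_key):
        return "modified"      # arrived, but not byte-for-byte what was sent
    return "intact"


def application(environ, start_response):
    """Temporary WSGI endpoint: returns the report as JSON, never the key."""
    body = json.dumps(header_report(environ), indent=2).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]
```

Send the same curl request to this endpoint once with each header and run `diagnose()` on the JSON that comes back. If `Authorization` is reported as stripped while `X-CKAN-API-Key` arrives intact, check mod_wsgi's `WSGIPassAuthorization` directive, which is off by default.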


