[ckan-dev] problems with api authentication

Sasha Cuerda scuerda at ctdata.org
Tue Aug 9 15:42:51 UTC 2016


Well I'll be...

So the api key returned by paster user does not match the api key shown on
the user page. However...the former worked like a charm!

Any idea why there would be a mismatch in the api keys?

Thanks for your help btw!

On Tue, Aug 9, 2016 at 11:28 AM, Ian Ward <ian at excess.org> wrote:

> You're using the API key shown on the user page after logging in or
> from the apikey= result you see when running `paster user <username>`,
> right? The `paster sysadmin` command doesn't show API keys.
>
> On Tue, Aug 9, 2016 at 11:02 AM, Sasha Cuerda <scuerda at ctdata.org> wrote:
> > Nope. Same issue.
> >
> > I confirmed that the user I'm using is set as a sysadmin via the 'paster
> > sysadmin add' command. Then I tried to reset the user api key via
> > `user_generate_apikey` with the same Access Denied result.
> >
> > Interestingly, when I try to use the `user_show` call, I am not being shown
> > the email or the api key, so clearly there is something more significant in
> > terms of authentication going on.
> >
> > I'm running this on an ec2 instance, using the documented server config
> > (Apache w/ modwsgi & Nginx proxy). In reviewing my config files, I don't see
> > anything that could be resulting in the apikey header being stripped and/or
> > modified...but I suspect that the issue is somewhere in there.
> >
> >
> >
> > On Tue, Aug 9, 2016 at 10:46 AM, Adrià Mercader <adria.mercader at okfn.org>
> > wrote:
> >>
> >> I wonder if it is something related to the Filestore and its permissions.
> >> Does it work if you don't upload a file and update say the name or
> >> description of the resource?
> >>
> >> Adrià
> >>
> >> On 9 August 2016 at 13:19, Sasha Cuerda <scuerda at ctdata.org> wrote:
> >> > Ian and Adrià,
> >> >
> >> > Thanks for your help.
> >> >
> >> > I've tried disabling extensions to no effect.
> >> >
> >> > Here is the verbose results from curl...
> >> >
> >> >> POST /api/3/action/resource_update HTTP/1.1
> >> >> Host: data.ctdata.org
> >> >> User-Agent: curl/7.43.0
> >> >> Accept: */*
> >> >> Authorization:<API-KEY>
> >> >> Content-Length: 300
> >> >> Expect: 100-continue
> >> >> Content-Type: multipart/form-data;
> >> >> boundary=------------------------f8151c03db98b3cd
> >> >>
> >> > < HTTP/1.1 100 Continue
> >> > < HTTP/1.1 403 Forbidden
> >> > < Server: nginx/1.4.6 (Ubuntu)
> >> > < Date: Tue, 09 Aug 2016 12:05:08 GMT
> >> > < Content-Type: application/json;charset=utf-8
> >> > < Content-Length: 245
> >> > < Connection: keep-alive
> >> > < Pragma: no-cache
> >> > < Cache-Control: no-cache
> >> > < Access-Control-Allow-Origin: *
> >> > * HTTP error before end of send, stop sending
> >> > <
> >> > * Closing connection 0
> >> >
> >> > Does anything here seem "off"? It looks reasonable to me.
> >> >
> >> > Using the same user account I am able to create and modify resources on
> >> > the dataset using the GUI...
> >> >
> >> >
> >> > On Tue, Aug 9, 2016 at 8:00 AM, Adrià Mercader <adria.mercader at okfn.org>
> >> > wrote:
> >> >>
> >> >> Also check for new extensions that might be messing with the
> >> >> authorization (ie try disabling extensions and see if it works)
> >> >>
> >> >>
> >> >> Adrià
> >> >>
> >> >> On 9 August 2016 at 12:52, Ian Ward <ian at excess.org> wrote:
> >> >> > Has anything changed about your web server configuration? run curl
> >> >> > with -v to see if you're getting a redirect or something. Is it
> >> >> > possible the header is being stripped out along the way?
> >> >> >
> >> >> > On Tue, Aug 9, 2016 at 7:36 AM, Sasha Cuerda <scuerda at ctdata.org> wrote:
> >> >> >> Hello Adrià,
> >> >> >>
> >> >> >> Yeah, that's what's so puzzling about this. I have certainly executed
> >> >> >> this call before, using the same server and the same api key. I created a
> >> >> >> new sysadmin account and tried using the same call w/ the new api key and
> >> >> >> received the same error.
> >> >> >>
> >> >> >> Is there anything about the group / org permissions that would impact
> >> >> >> this behavior? I would think that sysadmins would always have permissions
> >> >> >> to edit / update any dataset / resource, but I may be misunderstanding the
> >> >> >> permissions system.
> >> >> >>
> >> >> >> Sasha
> >> >> >>
> >> >> >> On Tue, Aug 9, 2016 at 5:43 AM, Adrià Mercader <adria.mercader at okfn.org> wrote:
> >> >> >>>
> >> >> >>> Hi Sasha,
> >> >> >>>
> >> >> >>> On 8 August 2016 at 22:17, Sasha Cuerda <scuerda at ctdata.org> wrote:
> >> >> >>> > {
> >> >> >>> >     "message": "Access denied: <function resource_update at 0x7efead4c4848> requires an authenticated user",
> >> >> >>> >     "__type": "Authorization Error"
> >> >> >>> > }
> >> >> >>> This error occurs when there is no user logged in or an auth header
> >> >> >>> was not sent at all OR the user was not found (ie the API key is
> >> >> >>> incorrect). Can you double check your header name and value?
> >> >> >>>
> >> >> >>> Other than that your same calls work for me on master.
> >> >> >>>
> >> >> >>> Adrià
> >> >> >>> _______________________________________________
> >> >> >>> ckan-dev mailing list
> >> >> >>> ckan-dev at lists.okfn.org
> >> >> >>> https://lists.okfn.org/mailman/listinfo/ckan-dev
> >> >> >>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >> CT Data Collaborative, Director of Technology
> >> >> >> 805 Brook St Building 4
> >> >> >> Rocky Hill, CT 06067
> >> >> >> M: (860) 385-4860



-- 
CT Data Collaborative, Director of Technology
805 Brook St Building 4
Rocky Hill, CT 06067
M: (860) 385-4860
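
An added example, not part of the thread: a small Python check that calls `user_show` for the key's own account and reads the reply the way the messages above do, treating a reply without the `apikey` field as an anonymous call (key not recognised, or the `Authorization` header lost before CKAN saw it). The base URL, username and sample replies are constructed placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def classify(status, body, sent_key):
    """Interpret a user_show reply for the account that owns sent_key."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return "non-JSON reply: something other than the CKAN API answered"
    if status == 403 or not doc.get("success"):
        return "rejected: header missing on arrival or key unknown to CKAN"
    result = doc.get("result") or {}
    if "apikey" not in result:
        # Private fields withheld, as described in the thread for user_show.
        return "anonymous: key not recognised, private fields withheld"
    if result["apikey"] != sent_key:
        # Seen when the key sent belongs to a different (sysadmin) account.
        return "authenticated, but the stored key differs from the one sent"
    return "authenticated: key matches the account"


def check_key(base_url, username, api_key, timeout=10):
    """Send the key in the Authorization header and classify the reply."""
    query = urllib.parse.urlencode({"id": username})
    url = "%s/api/3/action/user_show?%s" % (base_url.rstrip("/"), query)
    req = urllib.request.Request(url, headers={"Authorization": api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8"), api_key)
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"), api_key)


# Constructed sample replies (not captured from a real server).
SAMPLE_ANON = json.dumps({"success": True, "result": {"name": "demo"}})
SAMPLE_AUTH = json.dumps({"success": True, "result": {
    "name": "demo", "email": "demo@example.org", "apikey": "constructed-key"}})
SAMPLE_DENIED = json.dumps({"success": False,
                            "error": {"__type": "Authorization Error"}})

if __name__ == "__main__":
    for status, body in ((200, SAMPLE_ANON), (200, SAMPLE_AUTH),
                         (403, SAMPLE_DENIED), (200, "<html>moved</html>")):
        print(classify(status, body, "constructed-key"))
```

Running `check_key` once with the key from the user page and once with the `apikey=` value printed by `paster user <username>` shows which of the two the server accepts.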