[ckan-dev] problems with api authentication

Sasha Cuerda scuerda at ctdata.org
Tue Aug 9 16:38:25 UTC 2016


Well, it looks like the issue was a maddeningly simple one. It appears that
a developer who worked on the user page template included the wrong
variable for the API key...

In any case, thanks for your assistance.

On Tue, Aug 9, 2016 at 11:42 AM, Sasha Cuerda <scuerda at ctdata.org> wrote:

> Well I'll be...
>
> So the api key returned by paster user does not match the api key shown on
> the user page. However...the former worked like a charm!
>
> Any idea why there would be a mismatch in the api keys?
>
> Thanks for your help btw!
>
> On Tue, Aug 9, 2016 at 11:28 AM, Ian Ward <ian at excess.org> wrote:
>
>> You're using the API key shown on the user page after logging in or
>> from the apikey= result you see when running `paster user <username>`,
>> right? The `paster sysadmin` command doesn't show API keys.
>>
>> On Tue, Aug 9, 2016 at 11:02 AM, Sasha Cuerda <scuerda at ctdata.org> wrote:
>> > Nope. Same issue.
>> >
>> > I confirmed that the user I'm using is set as a sysadmin via the 'paster
>> > sysadmin add' command. Then I tried to reset the user api key via
>> > `user_generate_apikey` with the same Access Denied result.
>> >
>> > Interestingly, when I try to use the `user_show` call, I am not being shown
>> > the email or the api key, so clearly there is something more significant in
>> > terms of authentication going on.
>> >
>> > I'm running this on an ec2 instance, using the documented server config
>> > (Apache w/ modwsgi & Nginx proxy). In reviewing my config files, I don't see
>> > anything that could be resulting in the apikey header being stripped and/or
>> > modified...but I suspect that the issue is somewhere in there.
>> >
>> >
>> >
>> > On Tue, Aug 9, 2016 at 10:46 AM, Adrià Mercader <adria.mercader at okfn.org> wrote:
>> >>
>> >> I wonder if it is something related to the Filestore and its permissions.
>> >> Does it work if you don't upload a file and update say the name or
>> >> description of the resource?
>> >>
>> >> Adrià
>> >>
>> >> On 9 August 2016 at 13:19, Sasha Cuerda <scuerda at ctdata.org> wrote:
>> >> > Ian and Adrià,
>> >> >
>> >> > Thanks for your help.
>> >> >
>> >> > I've tried disabling extensions to no effect.
>> >> >
>> >> > Here is the verbose results from curl...
>> >> >
>> >> >> POST /api/3/action/resource_update HTTP/1.1
>> >> >> Host: data.ctdata.org
>> >> >> User-Agent: curl/7.43.0
>> >> >> Accept: */*
>> >> >> Authorization:<API-KEY>
>> >> >> Content-Length: 300
>> >> >> Expect: 100-continue
>> >> >> Content-Type: multipart/form-data;
>> >> >> boundary=------------------------f8151c03db98b3cd
>> >> >>
>> >> > < HTTP/1.1 100 Continue
>> >> > < HTTP/1.1 403 Forbidden
>> >> > < Server: nginx/1.4.6 (Ubuntu)
>> >> > < Date: Tue, 09 Aug 2016 12:05:08 GMT
>> >> > < Content-Type: application/json;charset=utf-8
>> >> > < Content-Length: 245
>> >> > < Connection: keep-alive
>> >> > < Pragma: no-cache
>> >> > < Cache-Control: no-cache
>> >> > < Access-Control-Allow-Origin: *
>> >> > * HTTP error before end of send, stop sending
>> >> > <
>> >> > * Closing connection 0
>> >> >
>> >> > Does anything here seem "off"? It looks reasonable to me.
>> >> >
>> >> > Using the same user account I am able to create and modify resources on
>> >> > the dataset using the GUI...
>> >> >
>> >> >
>> >> > On Tue, Aug 9, 2016 at 8:00 AM, Adrià Mercader <adria.mercader at okfn.org> wrote:
>> >> >>
>> >> >> Also check for new extensions that might be messing with the
>> >> >> authorization (ie try disabling extensions and see if it works)
>> >> >>
>> >> >>
>> >> >> Adrià
>> >> >>
>> >> >> On 9 August 2016 at 12:52, Ian Ward <ian at excess.org> wrote:
>> >> >> > Has anything changed about your web server configuration? run curl
>> >> >> > with -v to see if you're getting a redirect or something. Is it
>> >> >> > possible the header is being stripped out along the way?
>> >> >> >
>> >> >> > On Tue, Aug 9, 2016 at 7:36 AM, Sasha Cuerda <scuerda at ctdata.org> wrote:
>> >> >> >> Hello Adrià,
>> >> >> >>
>> >> >> >> Yeah, that's what's so puzzling about this. I have certainly executed this
>> >> >> >> call before, using the same server and the same api key. I created a new
>> >> >> >> sysadmin account and tried using the same call w/ the new api key and
>> >> >> >> received the same error.
>> >> >> >>
>> >> >> >> Is there anything about the group / org permissions that would impact this
>> >> >> >> behavior? I would think that sysadmins would always have permissions to
>> >> >> >> edit / update any dataset / resource, but I may be misunderstanding the
>> >> >> >> permissions system.
>> >> >> >>
>> >> >> >> Sasha
>> >> >> >>
>> >> >> >> On Tue, Aug 9, 2016 at 5:43 AM, Adrià Mercader <adria.mercader at okfn.org> wrote:
>> >> >> >>>
>> >> >> >>> Hi Sasha,
>> >> >> >>>
>> >> >> >>> On 8 August 2016 at 22:17, Sasha Cuerda <scuerda at ctdata.org> wrote:
>> >> >> >>> > {
>> >> >> >>> >     "message": "Access denied: <function resource_update at 0x7efead4c4848> requires an authenticated user",
>> >> >> >>> >     "__type": "Authorization Error"
>> >> >> >>> > }
>> >> >> >>> This error occurs when there is no user logged in or an auth header
>> >> >> >>> was not sent at all OR the user was not found (ie the API key is
>> >> >> >>> incorrect). Can you double check your header name and value?
>> >> >> >>>
>> >> >> >>> Other than that your same calls work for me on master.
>> >> >> >>>
>> >> >> >>> Adrià
>> >> >> >>> _______________________________________________
>> >> >> >>> ckan-dev mailing list
>> >> >> >>> ckan-dev at lists.okfn.org
>> >> >> >>> https://lists.okfn.org/mailman/listinfo/ckan-dev
>> >> >> >>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >> --
>> >> >> >> CT Data Collaborative, Director of Technology
>> >> >> >> 805 Brook St Building 4
>> >> >> >> Rocky Hill, CT 06067
>> >> >> >> M: (860) 385-4860
>> >> >> >>



-- 
CT Data Collaborative, Director of Technology
805 Brook St Building 4
Rocky Hill, CT 06067
M: (860) 385-4860
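
Added example, not part of the thread and not CKAN's own code: a small check that separates the causes discussed above (header stripped by a proxy, wrong or stale key, outright rejection) by calling `user_show` with the key in the `Authorization` header and looking at whether the `apikey` field comes back. It relies on the behaviour reported in the thread, that `user_show` withholds the email and API key from unauthenticated requests; the base URL, username and key values are placeholders, and the sample replies are constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

VERDICTS = {
    "ok": "key reached CKAN and belongs to this account",
    "anonymous": "request treated as anonymous: header stripped or key unknown",
    "key-mismatch": "authenticated, but the stored key differs from the one sent",
    "ckan-error": "CKAN rejected the call outright",
    "not-ckan": "reply is not CKAN JSON: a proxy or web server answered",
}


def classify(sent_key, body):
    """Map a user_show reply body to one of the VERDICTS keys."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-ckan"
    if not isinstance(doc, dict) or "success" not in doc:
        return "not-ckan"
    if not doc["success"]:
        return "ckan-error"
    result = doc.get("result")
    if not isinstance(result, dict) or "apikey" not in result:
        # Symptom reported in the thread: email and apikey are withheld.
        return "anonymous"
    return "ok" if result["apikey"] == sent_key else "key-mismatch"


def check_key(base_url, username, api_key):
    """Call user_show with the key in the Authorization header, as in the thread."""
    url = "%s/api/3/action/user_show?id=%s" % (
        base_url.rstrip("/"), urllib.parse.quote(username))
    req = urllib.request.Request(url, headers={"Authorization": api_key})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:  # 403 etc. still carry a JSON body
        body = exc.read()
    return classify(api_key, body.decode("utf-8", "replace"))


# Constructed sample replies (not captured from a real server).
SAMPLE_ANON = '{"success": true, "result": {"name": "example-user"}}'
SAMPLE_OWNER = ('{"success": true, "result": {"name": "example-user", '
                '"email": "user@example.org", "apikey": "constructed-key-0001"}}')

if __name__ == "__main__":
    for body in (SAMPLE_ANON, SAMPLE_OWNER, "<html>502 Bad Gateway</html>"):
        print(classify("constructed-key-0001", body))
```

Running `check_key` once through the public proxy and once directly against the application server shows whether the header is lost in between; a "key-mismatch" or "anonymous" result with a key copied from the web page points at the page rather than the server.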