Setup/permissions for ansible inventory

Hello,
I am testing v2.0 (docker) and want to use the dynamic ansible inventory feature.
My config is the same as with v1.7.2 (which works well): an automation user is a member of a group with only the “base.exportd.job.run”-right assigned, but in v2.0 I get the following error:

"Unauthorized: http://vmdgerry2/rest/exportdjob/pull/ansible-inventory-all","status":401

Are there any new requirements for this, or any hints on how to debug my current setup?

Thanks in advance, kind regards
Michael

Hi @MiB,
there were no changes made to the Ansible section in the last release. Could you provide us with some more information so that we can reproduce the issue?

BR Adnan

20231123-dg2-ansible-rest
Hi,
using the inventory script I still get the message:

{"description":"The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required.","joke":"Even a blind squirrel finds a nut once in a while.","message":"","response":"Unauthorized: http://vmdgerry2/rest/exportdjob/pull/ansible-inventory-all","status":401}

I get this message even if I assign the rights “base.*” or “base.*” and “base.exportd.job.*” to the group that the ansible user belongs to.
Using the URL “http://ansible:<password>@vmdgerry2/rest/” works with the attached browser message, so the password should be correct. The browser then shows the JSON response:

title	"DATAGERRY"
version	"2.0.0"
connected	true

Kind regards,
Michael

Hi Michael, Hi Adnan,

I ran into the exact same issue when upgrading from 1.7.2 to 2.0 on docker. Did you find a solution?

Kind regards,
Steffen

Hello,
I still haven’t found the solution to this issue. I have started nginx in debug mode; this is what I get from the logs:
access.log:
192.168.122.1 - ansible [28/Nov/2023:18:48:33 +0000] "GET /rest/exportdjob/pull/ansible-inventory-all HTTP/1.1" 401 412 "-" "curl/7.81.0" "-"

excerpt from error.log:

I tried to start datagerry in debug-mode but did not succeed. Any hints on how to modify the container to achieve this?
Regards, Michael

Hi all,

I have exactly the same problem. After playing around for a while, it now seems that you first have to authenticate yourself and query a bearer token, then you can query the REST endpoint.

authentication:

curl \
-X POST "${DATAGERRY_REST_URL}/auth/login" \
--silent \
-H 'Content-Type: application/json' \
-d '{"password":"<SOME_PASS>","user_name":"<SOME_USER>"}'

In the response you will now receive a token with which you can make the query

{
  "user": {
    "public_id": 2,
    "user_name": "xxxxxxxxxxx",
    "active": true,
    "group_id": X,
    "registration_time": "2022-06-30T12:35:15.722000",
    "authenticator": "LocalAuthenticationProvider",
    "email": "xxxxxxxxxxxxxxxxxx",
    "password": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "image": null,
    "first_name": "xxxxxxxx",
    "last_name": "xxxxxxxxxxxxxxxxxxx"
  },
  "token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "token_issued_at": 1701241760,
  "token_expire": 1701325760
}

Now you can query the endpoint again:

curl -XGET -H 'Content-Type: application/json' -H 'Authorization: Bearer xxxxxxxxxx' --silent ${DATAGERRY_REST_URL}/exportdjob/pull/ansible

This isn’t documented anywhere and I’m not sure if this is the “official” way, but at least that’s how it works.

I hope it helps!
Alex

Hi,
I adapted the script. For it to work, jq must be installed!

Here is the script:

#!/bin/bash -e

# DATAGERRY - OpenSource Enterprise CMDB
# Copyright (C) 2019 NETHINKS GmbH
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

# small helper script for ansible dynamic inventory 

# config variables
DATAGERRY_EXPORT_TASK=ansible
DATAGERRY_REST_URL=https://datagerry.example.com/rest
DATAGERRY_REST_USER='<USERNAME>'
DATAGERRY_REST_PASSWORD='<PASSWORD>'
# log in once; jq builds the JSON body so quotes or backslashes in the credentials are escaped
DATAGERRY_BEARER_TOKEN=$(jq -nc --arg u "${DATAGERRY_REST_USER}" --arg p "${DATAGERRY_REST_PASSWORD}" \
  '{password: $p, user_name: $u}' | curl -sX POST "${DATAGERRY_REST_URL}/auth/login" \
  -H 'Content-Type: application/json' \
  -d @- | jq -r .token)

# create output
if [ "$1" == "--list" ]
then
	# execute task
	curl \
        -XGET \
        -H "Authorization: Bearer ${DATAGERRY_BEARER_TOKEN}" \
        --silent \
        "${DATAGERRY_REST_URL}/exportdjob/pull/${DATAGERRY_EXPORT_TASK}"
else
	echo "[]"
fi
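
An added example, not part of the posts above and not DATAGERRY's own code: the same login-then-bearer flow as a Python inventory script that reuses the token until its token_expire time and stores only the token in a 0600 cache file. The endpoint paths and response fields are the ones shown in this thread; the cache path, the 60-second skew and reading the credentials from environment variables are assumptions.

```python
import json, os, sys, time, urllib.request

REST_URL = "https://datagerry.example.com/rest"  # placeholder URL, as in the script above
CACHE = os.path.expanduser("~/.cache/datagerry_token.json")  # hypothetical cache path

def token_valid(cached, now, skew=60):
    """True while the cached token has more than `skew` seconds left."""
    return bool(cached.get("token")) and cached.get("token_expire", 0) - skew > now

def http_json(url, body=None, token=None):
    """POST `body` as JSON (or GET when body is None) and decode the JSON reply."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def get_token(user, password, cache=CACHE, now=None, fetch=http_json):
    now = time.time() if now is None else now
    try:
        with open(cache) as fh:
            cached = json.load(fh)
        if token_valid(cached, now):
            return cached["token"]            # reuse: no password sent on this run
    except (OSError, ValueError):
        pass                                  # no cache yet, or it is unreadable
    resp = fetch(REST_URL + "/auth/login", {"user_name": user, "password": password})
    # Cache only what is needed; the login reply also carries the user record.
    keep = {"token": resp["token"], "token_expire": resp["token_expire"]}
    os.makedirs(os.path.dirname(cache) or ".", exist_ok=True)
    fd = os.open(cache, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)                      # tighten a pre-existing file too
    with os.fdopen(fd, "w") as fh:
        json.dump(keep, fh)
    return keep["token"]

def inventory(user, password, task="ansible", cache=CACHE, fetch=http_json):
    token = get_token(user, password, cache=cache, fetch=fetch)
    return fetch(f"{REST_URL}/exportdjob/pull/{task}", token=token)

if __name__ == "__main__":
    if sys.argv[1:] == ["--list"]:
        # credentials come from the environment, not from argv or the script file
        print(json.dumps(inventory(os.environ["DATAGERRY_REST_USER"],
                                   os.environ["DATAGERRY_REST_PASSWORD"])))
    else:
        print("[]")
```
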


Works for me too, thanks a lot, Alex!

Thanks for all the input, we will have a look at it.

BR Adnan

Hi Adnan,

is there any news on the topic? Was BasicAuth dropped? If so, do you plan to implement and document it again?

Hi @Alex,
BasicAuth was not dropped, the first guess is that one of the many package updates changed something. We will have a closer look at it and try to integrate the fix in the next minor release.

BR Adnan

Hi,
the issue with basic auth should be fixed with the next release. Please let us know if there are still issues on this topic in version 2.1.0 (which will be released soon).

BR Adnan