Setup/permissions for ansible inventory

MiB · November 16, 2023, 12:59pm

Hello,
i am testing v2.0 (docker) and want to use the dynamic ansible inventory feature.
My config is the same as with v1.7.2 (which works well): an automation user is member of a group with only the “base.exportd.job.run”-right assigned, but in v2.0 i get the following error:

“Unauthorized: http://vmdgerry2/rest/exportdjob/pull/ansible-inventory-all","status”:401

Are there any new requirements for this, or any hints on how to debug my current setup?

Thanks in advance, kind regards
Michael

adnan.smajic · November 20, 2023, 10:47am

Hi @MiB ,
there were no changes made to the Ansible section in the last release. Could you provide us some more information so that we can reproduce the issue ?

BR Adnan

MiB · November 23, 2023, 11:54am

20231123-dg2-ansible-rest
Hi,
using the inventoy script i still get the message:

{"description":"The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required.","joke":"Even a blind squirrel finds a nut once in a while.","message":"","response":"Unauthorized: http://vmdgerry2/rest/exportdjob/pull/ansible-inventory-all","status":401}

I get this message even if i assign the rights “base.*” or “base.*” and “base.exportd.job.*” to the group that the ansible user belongs to.
Using the URL “http://ansible:<password>@vmdgerry2/rest/” works with the attached browser message, so the password should be correct. The browser then shows the JSON response:

title	"DATAGERRY"
version	"2.0.0"
connected	true

Kind regards,
Michael

sklein · November 28, 2023, 3:58pm

Hi Michael, Hi Adnan,

run into the exact same issue by upgrading from 1.7.2 to 2.0 on docker. Did you find a solution?

Kind regards,
Steffen

MiB · November 28, 2023, 8:47pm

Hello,
i still haven’t found the solution to this issue. Have started nginx in debug mode, this is what i get from the logs:
access.log:
192.168.122.1 - ansible [28/Nov/2023:18:48:33 +0000] “GET /rest/exportdjob/pull/ansible-inventory-all HTTP/1.1” 401 412 “-” “curl/7.81.0” “-”

excerpt from error.log:
2023/11/28 18:48:33 [debug] 9#9: *86 http script copy: “Host”
2023/11/28 18:48:33 [debug] 9#9: *86 http script var: “vmdgerry2”
2023/11/28 18:48:33 [debug] 9#9: *86 http script copy: “X-Real-IP”
2023/11/28 18:48:33 [debug] 9#9: *86 http script var: “192.168.122.1”
2023/11/28 18:48:33 [debug] 9#9: *86 http script copy: “X-Forwarded-For”
2023/11/28 18:48:33 [debug] 9#9: *86 http script var: “192.168.122.1”
2023/11/28 18:48:33 [debug] 9#9: *86 http script copy: “X-Forwarded-Proto”
2023/11/28 18:48:33 [debug] 9#9: *86 http script var: “http”
2023/11/28 18:48:33 [debug] 9#9: *86 http script copy: “Connection”
2023/11/28 18:48:33 [debug] 9#9: *86 http script copy: “close”
2023/11/28 18:48:33 [debug] 9#9: *86 http script copy: “”
2023/11/28 18:48:33 [debug] 9#9: *86 http script copy: “”
2023/11/28 18:48:33 [debug] 9#9: *86 http proxy header: “Authorization: Basic YW5zaWJsZTphbnNpYmxlcHdkIQ==”
2023/11/28 18:48:33 [debug] 9#9: *86 http proxy header: “User-Agent: curl/7.81.0”
2023/11/28 18:48:33 [debug] 9#9: *86 http proxy header: “Accept: /”
2023/11/28 18:48:33 [debug] 9#9: *86 http proxy header:
2023/11/28 18:48:33 [debug] 9#9: *86 http cleanup add: 0000559E528D37D0
2023/11/28 18:48:33 [debug] 9#9: malloc: 0000559E52876DE0:224
2023/11/28 18:48:33 [debug] 9#9: resolve: “datagerry”
2023/11/28 18:48:33 [debug] 9#9: resolve cached
2023/11/28 18:48:33 [debug] 9#9: *86 http upstream resolve: “/rest/exportdjob/pull/ansible-inventory-all?”
2023/11/28 18:48:33 [debug] 9#9: *86 name was resolved to 172.18.0.4
2023/11/28 18:48:33 [debug] 9#9: resolve name done: 0
2023/11/28 18:48:33 [debug] 9#9: resolver expire
2023/11/28 18:48:33 [debug] 9#9: *86 get rr peer, try: 1
2023/11/28 18:48:33 [debug] 9#9: *86 stream socket 12
2023/11/28 18:48:33 [debug] 9#9: *86 epoll add connection: fd:12 ev:80002005
2023/11/28 18:48:33 [debug] 9#9: *86 connect to 172.18.0.4:4000, fd:12 #87
2023/11/28 18:48:33 [debug] 9#9: *86 http upstream connect: -2
2023/11/28 18:48:33 [debug] 9#9: *86 posix_memalign: 0000559E528701E0:128 @16
2023/11/28 18:48:33 [debug] 9#9: *86 event timer add: 12: 60000:657682
2023/11/28 18:48:33 [debug] 9#9: *86 http finalize request: -4, “/rest/exportdjob/pull/ansible-inventory-all?” a:1, c:2
2023/11/28 18:48:33 [debug] 9#9: *86 http request count:2 blk:0
2023/11/28 18:48:33 [debug] 9#9: timer delta: 0
2023/11/28 18:48:33 [debug] 9#9: worker cycle
2023/11/28 18:48:33 [debug] 9#9: epoll timer: 60000
2023/11/28 18:48:33 [debug] 9#9: epoll: fd:3 ev:0004 d:00007F3EBB428581
2023/11/28 18:48:33 [debug] 9#9: *86 http run request: “/rest/exportdjob/pull/ansible-inventory-all?”
2023/11/28 18:48:33 [debug] 9#9: *86 http upstream check client, write event:1, “/rest/exportdjob/pull/ansible-inventory-all”
2023/11/28 18:48:33 [debug] 9#9: epoll: fd:12 ev:0004 d:00007F3EBB428921
2023/11/28 18:48:33 [debug] 9#9: *86 http upstream request: “/rest/exportdjob/pull/ansible-inventory-all?”
2023/11/28 18:48:33 [debug] 9#9: *86 http upstream send request handler
2023/11/28 18:48:33 [debug] 9#9: *86 http upstream send request
2023/11/28 18:48:33 [debug] 9#9: *86 http upstream send request body
2023/11/28 18:48:33 [debug] 9#9: *86 chain writer buf fl:1 s:268
2023/11/28 18:48:33 [debug] 9#9: *86 chain writer in: 0000559E528D3A98
2023/11/28 18:48:33 [debug] 9#9: *86 writev: 268 of 268
2023/11/28 18:48:33 [debug] 9#9: *86 chain writer out: 0000000000000000
2023/11/28 18:48:33 [debug] 9#9: *86 event timer del: 12: 657682
2023/11/28 18:48:33 [debug] 9#9: *86 event timer add: 12: 60000:657682
2023/11/28 18:48:33 [debug] 9#9: timer delta: 0
2023/11/28 18:48:33 [debug] 9#9: worker cycle
2023/11/28 18:48:33 [debug] 9#9: epoll timer: 60000
2023/11/28 18:48:33 [debug] 9#9: epoll: fd:12 ev:0005 d:00007F3EBB428921
2023/11/28 18:48:33 [debug] 9#9: *86 http upstream request: “/rest/exportdjob/pull/ansible-inventory-all?”
2023/11/28 18:48:33 [debug] 9#9: *86 http upstream process header
2023/11/28 18:48:33 [debug] 9#9: *86 malloc: 0000559E528D3C10:4096
2023/11/28 18:48:33 [debug] 9#9: *86 posix_memalign: 0000559E528D5030:4096 @16
2023/11/28 18:48:33 [debug] 9#9: *86 recv: eof:0, avail:-1
2023/11/28 18:48:33 [debug] 9#9: *86 recv: fd:12 661 of 4096
2023/11/28 18:48:33 [debug] 9#9: *86 http proxy status 401 “401 UNAUTHORIZED”
2023/11/28 18:48:33 [debug] 9#9: *86 http proxy header: “Server: gunicorn”
2023/11/28 18:48:33 [debug] 9#9: *86 http proxy header: “Date: Tue, 28 Nov 2023 18:48:33 GMT”
2023/11/28 18:48:33 [debug] 9#9: *86 http proxy header: “Connection: close”
2023/11/28 18:48:33 [debug] 9#9: *86 http proxy header: “Content-Type: application/json”
2023/11/28 18:48:33 [debug] 9#9: *86 http proxy header: “Content-Length: 412”
2023/11/28 18:48:33 [debug] 9#9: *86 http proxy header: “Access-Control-Allow-Origin: *”
2023/11/28 18:48:33 [debug] 9#9: *86 http proxy header: “Access-Control-Expose-Headers: X-API-Version, X-Total-Count”
2023/11/28 18:48:33 [debug] 9#9: *86 http proxy header done
2023/11/28 18:48:33 [debug] 9#9: *86 HTTP/1.1 401 UNAUTHORIZED
2023/11/28 18:48:33 [debug] 9#9: *86 write new buf t:1 f:0 0000559E528D52B8, pos 0000559E528D52B8, size: 258 file: 0, size: 0
2023/11/28 18:48:33 [debug] 9#9: *86 http write filter: l:0 f:0 s:258
2023/11/28 18:48:33 [debug] 9#9: *86 http cacheable: 0
2023/11/28 18:48:33 [debug] 9#9: *86 http proxy filter init s:401 h:0 c:0 l:412
2023/11/28 18:48:33 [debug] 9#9: *86 http upstream process upstream
2023/11/28 18:48:33 [debug] 9#9: *86 pipe read upstream: 0
2023/11/28 18:48:33 [debug] 9#9: *86 pipe preread: 412

I tried to start datagerry in debug-mode but did not succeed. Any hints on how to modify the container to achieve this?
Regards, Michael

Alex · November 29, 2023, 7:22am

Hi all,

I have exactly the same problem. After playing around for a while, it now seems that you first have to authenticate yourself and query a bearer token, then you can query the REST endpoint.

authentication:

curl \
-X POST ${DATAGERRY_REST_URL}/auth/login \
--silent \
-H 'Content-Type: application/json' \
-d '{"password":"<SOME_PASS>","user_name":"<SOME_USER>"}' \

In the response you will now receive a token with which you can make the query

{
  "user": {
    "public_id": 2,
    "user_name": "xxxxxxxxxxx",
    "active": true,
    "group_id": X,
    "registration_time": "2022-06-30T12:35:15.722000",
    "authenticator": "LocalAuthenticationProvider",
    "email": "xxxxxxxxxxxxxxxxxx",
    "password": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "image": null,
    "first_name": "xxxxxxxx",
    "last_name": "xxxxxxxxxxxxxxxxxxx"
  },
  "token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "token_issued_at": 1701241760,
  "token_expire": 1701325760
}

Now you can query the endpoint again:

curl -XGET -H 'Content-Type: application/json' -H 'Authorization: Bearer xxxxxxxxxx' --silent ${DATAGERRY_REST_URL}/exportdjob/pull/ansible

This isn’t documented anywhere and I’m not sure if this is the “official” way, but at least that’s how it works.

I hope it helps!
Alex

Alex · November 29, 2023, 7:58am

Hi,
I adapted the script. For it to work, jq must be installed!

Here is the script:

#!/bin/bash -e

# DATAGERRY - OpenSource Enterprise CMDB
# Copyright (C) 2019 NETHINKS GmbH
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

# small helper script for ansible dynamic inventory 

# config variables
DATAGERRY_EXPORT_TASK=ansible
DATAGERRY_REST_URL=https://datagerry.example.com/rest
DATAGERRY_REST_USER=<USERNAME>
DATAGERRY_REST_PASSWORD=<PASSWORD>
DATAGERRY_BEARER_TOKEN=$(curl -sX POST ${DATAGERRY_REST_URL}/auth/login \
  -H 'Content-Type: application/json' \
  -d "{\"password\":\"${DATAGERRY_REST_PASSWORD}\",\"user_name\":\"${DATAGERRY_REST_USER}\"}" | jq -r .token) 

# create output
if [ "$1" == "--list" ]
then
	# execute task
	curl \
        -XGET \
        -H "Authorization: Bearer ${DATAGERRY_BEARER_TOKEN}" \
        --silent \
        ${DATAGERRY_REST_URL}/exportdjob/pull/${DATAGERRY_EXPORT_TASK}
else
	echo "[]"
fi

MiB · November 29, 2023, 8:38am

Works for me too, thanks a lot, Alex!

adnan.smajic · November 29, 2023, 9:10am

Thanks for all the input, we will have a look at it.

BR Adnan

Alex · November 30, 2023, 1:19pm

Hi Adnan,

are there any news on the topic? Was BasicAuth dropped? If so, do you plan to implement and document it again?

adnan.smajic · November 30, 2023, 2:00pm

Hi @Alex ,
BasicAuth was not dropped, the first guess is that one of the many package updates changed something. We will have a closer look at it and try to integrate the fix in the next minor release.

BR Adnan