ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

CyberArk Conjur lookup plugin does not work with open source Conjur version #13439

Closed obaranov closed 1 year ago

obaranov commented 1 year ago

Bug Summary

The CyberArk Conjur Secrets Manager Lookup plugin no longer supports lookups against Conjur OSS, most likely because the open source Conjur version's API endpoint does not have the /api/ portion recently added by this change: https://github.com/ansible/awx/pull/13121

AWX version

2.4

Installation method

docker development environment

Modifications

no

Ansible version

No response

Operating system

No response

Web browser

No response

Steps to reproduce

  1. Deploy Conjur OSS. We use the latest cyberark/conjur image for that. The Conjur version is
    Version 1.19.1-3398
    API Version 5.3.0 
  2. In AWX, create the CyberArk Conjur Secrets Manager Lookup credential. Provide the Conjur URL, user, and token.
  3. Click Test and provide a path.

Expected results

Connection to Conjur should be established. HTTP 200 response.

Actual results

401 error returned.

Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/main/tasks/jobs.py", line 504, in run
    args = self.build_args(self.instance, private_data_dir, passwords)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/main/tasks/jobs.py", line 937, in build_args
    ssh_username = creds.get_input('username', default='')
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/main/models/credential/__init__.py", line 275, in get_input
    return self._get_dynamic_input(field_name)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/main/models/credential/__init__.py", line 309, in _get_dynamic_input
    return input_source.get_input_value()
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/main/models/credential/__init__.py", line 1250, in get_input_value
    return backend(**backend_kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/main/credential_plugins/conjur.py", line 72, in conjur_backend
    raise_for_status(resp)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/main/credential_plugins/plugin.py", line 12, in raise_for_status
    resp.raise_for_status()
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://conjureurl.com/api/authn/test/admin/authenticate

Additional information

No response
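
An added diagnostic sketch, not part of the original report and not AWX's or CyberArk's code: it builds the authenticate URL both with and without the /api/ prefix discussed above and reports which layout a server accepts. The function names, the host `conjur.example`, and the fake server responses are assumptions constructed for illustration; the 401 on the prefixed path mirrors the traceback in this issue.

```python
from urllib.parse import quote, urljoin


def authenticate_urls(base_url, account, login):
    """Return both candidate authenticate URLs for a Conjur base URL."""
    base = base_url.rstrip('/') + '/'
    # Account and login are path segments, so '/' inside them must be
    # percent-encoded (e.g. a host identity such as host/awx).
    tail = '/'.join(['authn', quote(account, safe=''), quote(login, safe=''), 'authenticate'])
    return {
        'with_api': urljoin(base, 'api/' + tail),
        'without_api': urljoin(base, tail),
    }


def probe_layout(base_url, account, login, api_key, post):
    """POST the API key to each candidate URL and collect the status codes.

    `post(url, api_key)` must return an HTTP status code. Against a real
    server it could be:
        lambda url, key: requests.post(url, data=key, timeout=10).status_code
    The key itself is never stored or printed here.
    """
    urls = authenticate_urls(base_url, account, login)
    return {name: post(url, api_key) for name, url in urls.items()}


def diagnose(results):
    """Classify the server from the two status codes."""
    accepted = sorted(name for name, status in results.items() if status == 200)
    if accepted == ['without_api']:
        return 'unprefixed-only'   # behaviour reported for Conjur OSS in this issue
    if accepted == ['with_api']:
        return 'prefixed-only'
    if accepted:
        return 'both'
    return 'neither'               # wrong credentials, account, or base URL


def fake_oss_post(url, api_key):
    """Constructed stand-in for a server that rejects the /api/ path with 401."""
    return 401 if '/api/authn/' in url else 200


if __name__ == '__main__':
    res = probe_layout('https://conjur.example', 'test', 'admin', 'constructed-key', fake_oss_post)
    print(res, diagnose(res))
```

A result of `neither` means the path prefix is not the cause, and the credentials or account name should be checked instead.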

djyasin commented 1 year ago

@infamousjoeg can you please help us take a look at this?

infamousjoeg commented 1 year ago

I have raised it with our Conjur Open Source R&D team and am having discussions on how it can be resolved. There are a few ways it can be handled.

infamousjoeg commented 1 year ago

We've decided on a fix and I'm working on implementing and testing on my own fork. PR will come in the near future.

infamousjoeg commented 1 year ago

PR #13455 to fix this issue has been submitted.