Export from command-line permission issues

jamf / JamfMigrator

A tool to migrate data granularly between Jamf Pro servers

MIT License

143 stars 10 forks source link

Export from command-line permission issues #100

Open jshirle2 opened 8 months ago

jshirle2 commented 8 months ago

I am receiving the following error message when trying to export raw XML from the command-line:

20240118_135546 ----------- Starting Export Only -----------
20240118_135546 [JamfPro.getToken] Skip getToken for dest: 
20240118_135546 [JamfPro.getToken] Token for source server is 0 minutes old.
20240118_135546 [JamfPro.getToken] Attempting to retrieve token from https://SERVERNAME/api/v1/auth/token
20240118_135546 [JamfPro.getToken] Failed to authenticate to https://SERVERNAME.jamfcloud.com.  Response error: 401.

I have been using an account with read-only access for migration and that has worked fine with this same account. Are there different permissions required for exporting rather than migrating? I assumed they were the same. The odd thing is I have the credentials stored in the keychain, and I can see those credentials (JPMA-SERVERNAME) but it seems to just not be using those credentials when exporting via CLI.

Thanks for the great app!

BIG-RAT commented 8 months ago

What command line options are you using to launch the app? Using -sourceUseClientId and -sourceClientId? Note, API client info should be stored as jamf-migrator-apiClient-<server> in the keychain, at least with the latest version. /Applications/jamf-migrator.app/Contents/MacOS/jamf-migrator -help to view all command line options.

jshirle2 commented 8 months ago

We have not switched things over to use API Roles and Clients. The command I have been testing with is

/Applications/jamf-migrator.app/Contents/MacOS/jamf-migrator -source https://SERVER -export -objects building

I plan to export many more objects but wanted to get this error message sorted first.

I did notice something odd... We are running Jamf Migrator automatically, on a schedule, to clone our production instance to our test instance. This is done on our Mac Mini that we use for automation tasks. I left JAMF Migrator in Export mode after testing with it manually yesterday, and then the automated task to migrate failed this morning. Does the CLI not switch between modes properly? Just a thought.

BIG-RAT commented 8 months ago

I must have API client stuck on the brain, sorry for the misdirect. Try adding the following switch to help the keychain lookup: -sourceUser <someUser> Of course replace <someUser> with the account that’s stored in the keychain entry.

jshirle2 commented 8 months ago

I tried

/Applications/jamf-migrator.app/Contents/MacOS/jamf-migrator -source SERVER -export -objects buildings -sourceUser APIUSER

as well as

/Applications/jamf-migrator.app/Contents/MacOS/jamf-migrator -source SERVER -export -objects buildings -sourceUser KEYCHAINITEMNAME (EG JPMA-SERVER)

In both cases, I received the output

[Credentials.itemLookup] start search for: JPMA-SERVER
[JamfPro] source received a new token

Which again, is odd because the Keychain Item is there it just seemingly isn't finding it.

BIG-RAT commented 8 months ago

v7.4.2 should have the issue resolved. Let me know how it goes as time permits.