oar-team / oar-vagrant

Using Vagrant to test OAR's different flavors of installation
http://oar.imag.fr/dokuwiki/doku.php?id=wiki:oar-vagrant
GNU General Public License v2.0

Make RestAPI access work out of the box #9

Open mickours opened 9 years ago

mickours commented 9 years ago

I'm trying to work with the Rest API but I have trouble authenticating to the frontend. I have to add an ident daemon on my laptop + add my laptop address on the Allow from 192.168.35.1 of the apache config but still I get this strange error:

```
{ "message" : "Oardodo error: 52: [OARDODO] ERROR: Cannot get user to become information (Success)\n\n", "title" : "Permission denied", "code" : 401 }
```

Any idea how to go through this or even a better way to allow my laptop to access automatically?

bzizou commented 9 years ago

Can you check the apache access.log file and see if ident worked? The second field of the log line should be your user id and this id should exist on your vagrant oar frontend/api. Example here with docker:

```
::1 docker - [03/Nov/2015:15:33:57 +0100] "GET /oarapi/jobs.yaml HTTP/1.1" 200 289 "-" "Wget/1.16 (linux-gnu)"
```

Also check that you have enabled mod_ident (a2enmod ident).
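
The access-log check described in the comment above, as an added example that is not part of the original thread or of OAR: it reads the second (ident) field of each log line and looks the name up in a passwd-format file. The function name `check_ident`, the two 192.168.35.1 log lines and the user `alice` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify each Apache access-log line by its ident field
# (2nd field, %l in the log format) and by whether that account exists.
# Usage: check_ident LOGFILE [PASSWD_FILE]   (PASSWD_FILE defaults to /etc/passwd)
check_ident() {
    log=$1
    passwd=${2:-/etc/passwd}
    awk -v pw="$passwd" '
        BEGIN {
            # Load known account names (first colon-separated field).
            while ((getline line < pw) > 0) {
                split(line, f, ":")
                known[f[1]] = 1
            }
            close(pw)
        }
        {
            ident = $2
            if (ident == "-") verdict = "NO_IDENT"        # mod_ident off or lookup failed
            else if (ident in known) verdict = "OK"       # ident matches a local account
            else verdict = "UNKNOWN_USER"                 # ident answered, no such account
            # client address, ident, HTTP status, verdict
            printf "%s ident=%s http=%s %s\n", $1, ident, $9, verdict
        }
    ' "$log"
}

# Constructed sample data: the first log line is the one quoted above,
# the other two and the passwd file are made up for this example.
sample_dir=$(mktemp -d)
cat > "$sample_dir/access.log" <<'EOF'
::1 docker - [03/Nov/2015:15:33:57 +0100] "GET /oarapi/jobs.yaml HTTP/1.1" 200 289 "-" "Wget/1.16 (linux-gnu)"
192.168.35.1 - - [03/Nov/2015:15:40:02 +0100] "GET /oarapi/jobs.json HTTP/1.1" 401 120 "-" "curl/7.38.0"
192.168.35.1 alice - [03/Nov/2015:15:41:10 +0100] "GET /oarapi/jobs.json HTTP/1.1" 401 120 "-" "curl/7.38.0"
EOF
printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
    'docker:x:1000:1000::/home/docker:/bin/sh' > "$sample_dir/passwd"

check_ident "$sample_dir/access.log" "$sample_dir/passwd"
```

Where accounts come from a directory service rather than `/etc/passwd`, save the output of `getent passwd` to a file and pass that as the second argument.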

mickours commented 9 years ago

OK, the problem is that I try to access the API from a browser running AJAX that runs on the host and not the frontend (even if the website is on the frontend). So maybe a simple LDAP service with a default host would be the right way to do it because even if I make ident work it will not be the common use case. What do you think?

bzizou commented 9 years ago

Yes, a simple basic htpasswd file auth is even simpler than an ldap_auth...

mickours commented 9 years ago

Yes I saw this on the doc but there is no example on the conf file so I wonder if it is still supported?

npf commented 9 years ago

For oar-vagrant, NIS is in charge of sharing the user accounts among frontend and node(s). However regarding the API, using htpasswd would be sufficient, enabling access to the 4 test users: vagrant, user1, user2 and user3.

Googling "X_REMOTE_IDENT htpasswd" gets back to us ;-)

bzizou commented 9 years ago

You can try something like that:

```apache
# Into the apache config:
ScriptAlias /oarapi-priv /var/www/cgi-bin/oarapi/oarapi.cgi
<Location /oarapi-priv>
  Options ExecCGI -MultiViews FollowSymLinks
  AuthType      basic
  AuthUserfile  /etc/oar/api-users
  AuthName      "OAR API authentication"
  Require valid-user
  RewriteEngine On
  RewriteCond %{REMOTE_IDENT} (.*)
  RewriteRule .* - [E=X_REMOTE_IDENT:%1]
  RequestHeader add X_REMOTE_IDENT %{X_REMOTE_IDENT}e
</Location>
```

(the Rewrite part may be useless actually)

```shell
# into a root shell
# -c creates (and truncates) the file, so pass it only for the first user
htpasswd -b -c /etc/oar/api-users user1 user1
htpasswd -b /etc/oar/api-users user2 user2
htpasswd -b /etc/oar/api-users user3 user3
htpasswd -b /etc/oar/api-users oar oar
```

mickours commented 9 years ago

OK, I cannot manage to make the authentication work and I think it is an apache configuration problem. So, I leave it for now to the apache expert :) https://github.com/mickours/oar-ui If you want to give it a try...