processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

AccessRules: Account does not have the right to perform the operation #1568

Closed sibithabijesh closed 7 years ago

sibithabijesh commented 7 years ago

What version of ejabberd are you using? ejabberd 17.01

I am trying to use the OAuth REST API for connecting from an external server. I have successfully generated a token. But when I tried to get connected users, I got the below error.

AccessRules: Account does not have the right to perform the operation error message

Code :-

// PHP client posted with the issue, reflowed; "Token" is the placeholder for the
// OAuth bearer token generated earlier and "Ip" for the server address.
$curl = curl_init();
curl_setopt_array($curl, array(
    CURLOPT_PORT => "5280",
    CURLOPT_URL => "http://Ip:5280/api/get_roster",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => "{\"host\":\"localhost\",\"user\":\"testuser\"}",
    CURLOPT_HTTPHEADER => array(
        "Authorization: bearer Token",
        "cache-control: no-cache",
        "content-type: application/json",
        "X-Admin: true"
    ),
));
$response = curl_exec($curl);
curl_close($curl);


My yml file

###
###'              ejabberd configuration file
###
###

### The parameters used in this configuration file are explained in more detail
### in the ejabberd Installation and Operation Guide.
### Please consult the Guide in case of doubts, it is included with
### your copy of ejabberd, and is also available online at
### http://www.process-one.net/en/ejabberd/docs/

### The configuration file is written in YAML.
### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
### However, ejabberd treats different literals as different types:
###
### - unquoted or single-quoted strings. They are called "atoms".
###   Example: dog, 'Jupiter', '3.14159', YELLOW
###
### - numeric literals. Example: 3, -45.0, .0
###
### - quoted or folded strings.
###   Examples of quoted string: "Lizzard", "orange".
###   Example of folded string:
###   > Art thou not Romeo,
###     and a Montague?

###.  =======
###'  LOGGING

##
## loglevel: Verbosity of log files generated by ejabberd.
## 0: No ejabberd log at all (not recommended)
## 1: Critical
## 2: Error
## 3: Warning
## 4: Info
## 5: Debug
##
loglevel: 4

##
## rotation: Describe how to rotate logs. Either size and/or date can trigger
## log rotation. Setting count to N keeps N rotated logs. Setting count to 0
## does not disable rotation, it instead rotates the file and keeps no previous
## versions around. Setting size to X rotate log when it reaches X bytes.
## To disable rotation set the size to 0 and the date to ""
## Date syntax is taken from the syntax newsyslog uses in newsyslog.conf.
## Some examples:
##  $D0     rotate every night at midnight
##  $D23    rotate every day at 23:00 hr
##  $W0D23  rotate every week on Sunday at 23:00 hr
##  $W5D16  rotate every week on Friday at 16:00 hr
##  $M1D0   rotate on the first day of every month at midnight
##  $M5D6   rotate on every 5th day of the month at 6:00 hr
##
log_rotate_size: 10485760
log_rotate_date: ""
log_rotate_count: 1

##
## overload protection: If you want to limit the number of messages per second
## allowed from error_logger, which is a good idea if you want to avoid a flood
## of messages when system is overloaded, you can set a limit.
## 100 is ejabberd's default.
log_rate_limit: 100

##
## watchdog_admins: Only useful for developers: if an ejabberd process
## consumes a lot of memory, send live notifications to these XMPP
## accounts.
##
## watchdog_admins:
##   - "bob@example.com"

###.  ===============
###'  NODE PARAMETERS

##
## net_ticktime: Specifies net_kernel tick time in seconds. This options must have
## identical value on all nodes, and in most cases shouldn't be changed at all from
## default value.
##
## net_ticktime: 60

###.  ================
###'  SERVED HOSTNAMES

##
## hosts: Domains served by ejabberd.
## You can define one or several, for example:
## hosts: 
##   - "example.net"
##   - "example.com"
##   - "example.org"
##
hosts:
  - "localhost"

##
## route_subdomains: Delegate subdomains to other XMPP servers.
## For example, if this ejabberd serves example.org and you want
## to allow communication with an XMPP server called im.example.org.
##
## route_subdomains: s2s

###.  ===============
###'  LISTENING PORTS

##
## listen: The ports ejabberd will listen on, which service each is handled
## by and what options to start it with.
##
listen: 
  - 
    port: 5222
    module: ejabberd_c2s
    ##
    ## If TLS is compiled in and you installed a SSL
    ## certificate, specify the full path to the
    ## file and uncomment these lines:
    ##
    ## certfile: "/path/to/ssl.pem"
    ## starttls: true
    ##
    ## To enforce TLS encryption for client connections,
    ## use this instead of the "starttls" option:
    ##
    ## starttls_required: true
    ##
    ## Custom OpenSSL options
    ##
    ## protocol_options:
    ##   - "no_sslv3"
    ##   - "no_tlsv1"
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
  - 
    port: 5269
    module: ejabberd_s2s_in
  ##
  ## ejabberd_service: Interact with external components (transports, ...)
  ##
  ## - 
  ##   port: 8888
  ##   module: ejabberd_service
  ##   access: all
  ##   shaper_rule: fast
  ##   ip: "127.0.0.1"
  ##   privilege_access: 
  ##      roster: "both"
  ##      message: "outgoing"
  ##      presence: "roster"
  ##   delegations:
  ##      "urn:xmpp:mam:1":
  ##        filtering: ["node"]
  ##      "http://jabber.org/protocol/pubsub":
  ##        filtering: []
  ##   hosts:
  ##     "icq.example.org":
  ##       password: "secret"
  ##     "sms.example.org":
  ##       password: "secret"

  ##
  ## ejabberd_stun: Handles STUN Binding requests
  ##
  ## - 
  ##   port: 3478
  ##   transport: udp
  ##   module: ejabberd_stun

  #!yaml

  ## To handle XML-RPC requests that provide admin credentials:
  ##
  # - 
  #   port: 4560
  #   module: ejabberd_xmlrpc
  #  access_commands: {}
  #- 
    port: 5280
    module: ejabberd_http
    request_handlers:
      "/websocket": ejabberd_http_ws
      "/log": mod_log_http
     # OAuth support:
      "/oauth": ejabberd_oauth
      # ReST API:
      "/api": mod_http_api
    ##  "/pub/archive": mod_http_fileserver
    web_admin: true
    http_bind: true
    ## register: true
    captcha: true
commands_admin_access: configure
commands:

  - add_commands: 
    - connected_users 
#    - user
oauth_expire: 3600
oauth_access: all

###.  ==================
###'  S2S GLOBAL OPTIONS

##
## s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
## Allowed values are: false optional required required_trusted
## You must specify a certificate file.
##
## s2s_use_starttls: optional

##
## s2s_certfile: Specify a certificate file.
##
## s2s_certfile: "/path/to/ssl.pem"

## Custom OpenSSL options
##
## s2s_protocol_options:
##   - "no_sslv3"
##   - "no_tlsv1"

##
## domain_certfile: Specify a different certificate for each served hostname.
##
## host_config:
##   "example.org":
##     domain_certfile: "/path/to/example_org.pem"
##   "example.com":
##     domain_certfile: "/path/to/example_com.pem"

##
## S2S whitelist or blacklist
##
## Default s2s policy for undefined hosts.
##
## s2s_access: s2s

##
## Outgoing S2S options
##
## Preferred address families (which to try first) and connect timeout
## in milliseconds.
##
## outgoing_s2s_families:
##   - ipv4
##   - ipv6
## outgoing_s2s_timeout: 10000

###.  ==============
###'  AUTHENTICATION

##
## auth_method: Method used to authenticate the users.
## The default method is the internal.
## If you want to use a different method,
## comment this line and enable the correct ones.
##
auth_method: internal

##
## Store the plain passwords or hashed for SCRAM:
## auth_password_format: plain
## auth_password_format: scram
##
## Define the FQDN if ejabberd doesn't detect it:
## fqdn: "server3.example.com"

##
## Authentication using external script
## Make sure the script is executable by ejabberd.
##
## auth_method: external
## extauth_program: "/path/to/authentication/script"

##
## Authentication using SQL
## Remember to setup a database in the next section.
##
## auth_method: sql

##
## Authentication using PAM
##
## auth_method: pam
## pam_service: "pamservicename"

##
## Authentication using LDAP
##
## auth_method: ldap
##
## List of LDAP servers:
## ldap_servers:
##   - "localhost"
##
## Encryption of connection to LDAP servers:
## ldap_encrypt: none
## ldap_encrypt: tls
##
## Port to connect to on LDAP servers:
## ldap_port: 389
## ldap_port: 636
##
## LDAP manager:
## ldap_rootdn: "dc=example,dc=com"
##
## Password of LDAP manager:
## ldap_password: "******"
##
## Search base of LDAP directory:
## ldap_base: "dc=example,dc=com"
##
## LDAP attribute that holds user ID:
## ldap_uids:
##   - "mail": "%u@mail.example.org"
##
## LDAP filter:
## ldap_filter: "(objectClass=shadowAccount)"

##
## Anonymous login support:
##   auth_method: anonymous
##   anonymous_protocol: sasl_anon | login_anon | both
##   allow_multiple_connections: true | false
##
## host_config:
##   "public.example.org":
##     auth_method: anonymous
##     allow_multiple_connections: false
##     anonymous_protocol: sasl_anon
##
## To use both anonymous and internal authentication:
##
## host_config:
##   "public.example.org":
##     auth_method:
##       - internal
##       - anonymous

###.  ==============
###'  DATABASE SETUP

## ejabberd by default uses the internal Mnesia database,
## so you do not necessarily need this section.
## This section provides configuration examples in case
## you want to use other database backends.
## Please consult the ejabberd Guide for details on database creation.

##
## MySQL server:
##
## sql_type: mysql
## sql_server: "server"
## sql_database: "database"
## sql_username: "username"
## sql_password: "password"
##
## If you want to specify the port:
## sql_port: 1234

##
## PostgreSQL server:
##
## sql_type: pgsql
## sql_server: "server"
## sql_database: "database"
## sql_username: "username"
## sql_password: "password"
##
## If you want to specify the port:
## sql_port: 1234
##
## If you use PostgreSQL, have a large database, and need a
## faster but inexact replacement for "select count(*) from users"
##
## pgsql_users_number_estimate: true

##
## SQLite:
##
## sql_type: sqlite
## sql_database: "/path/to/database.db"

##
## ODBC compatible or MSSQL server:
##
## sql_type: odbc
## sql_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"

##
## Number of connections to open to the database for each virtual host
##
## sql_pool_size: 10

##
## Interval to make a dummy SQL request to keep the connections to the
## database alive. Specify in seconds: for example 28800 means 8 hours
##
## sql_keepalive_interval: undefined

###.  ===============
###'  TRAFFIC SHAPERS

shaper:
  ##
  ## The "normal" shaper limits traffic speed to 1000 B/s
  ##
  normal: 1000

  ##
  ## The "fast" shaper limits traffic speed to 50000 B/s
  ##
  fast: 50000

##
## This option specifies the maximum number of elements in the queue
## of the FSM. Refer to the documentation for details.
##
max_fsm_queue: 1000

###.   ====================
###'   ACCESS CONTROL LISTS
acl:
  ##
  ## The 'admin' ACL grants administrative privileges to XMPP accounts.
  ## You can put here as many accounts as you want.
  ##
#   admin:
#    user:
#   - "admin@localhost" 
  ##     - "aleksey@localhost"
  ##     - "ermine@example.org"
  ##
  ## Blocked users
  ##
  ## blocked:
  ##   user:
  ##     - "baduser@example.org"
  ##     - "test"

  ## Local users: don't modify this.
  ##
  local: 
    user_regexp: ""

  ##
  ## More examples of ACLs
  ##
  ## jabberorg:
  ##   server:
  ##     - "jabber.org"
  ## aleksey:
  ##   user:
  ##     - "aleksey@jabber.ru"
  ## test:
  ##   user_regexp: "^test"
  ##   user_glob: "test*"

  ##
  ## Loopback network
  ##
  loopback:
    ip:
      - "127.0.0.0/8"

  ##
  ## Bad XMPP servers
  ##
  ## bad_servers:
  ##   server:
  ##     - "xmpp.zombie.org"
  ##     - "xmpp.spam.com"

##
## Define specific ACLs in a virtual host.
##
## host_config:
##   "localhost":
##     acl:
##       admin:
##         user:
##           - "bob-local@localhost"

###.  ============
###'  SHAPER RULES

shaper_rules:
  ## Maximum number of simultaneous sessions allowed for a single user:
  max_user_sessions: 10
  ## Maximum number of offline messages that users can have:
  max_user_offline_messages:
    - 5000: admin
    - 100
  ## For C2S connections, all users except admins use the "normal" shaper
  c2s_shaper:
    - none: admin
    - normal
  ## All S2S connections use the "fast" shaper
  s2s_shaper: fast

###.  ============
###'  ACCESS RULES
access_rules:
  ## This rule allows access only for local users:
  local:
    - allow: local
  ## Only non-blocked users can use c2s connections:
  c2s:
    - deny: blocked
    - allow
  ## Only admins can send announcement messages:
  announce:
    - allow: admin
  ## Only admins can use the configuration interface:
  configure: 
    - allow: admin
  ## Only accounts of the local ejabberd server can create rooms:
  muc_create: 
    - allow: local
  ## Only accounts on the local ejabberd server can create Pubsub nodes:
  pubsub_createnode: 
    - allow: local
  ## In-band registration allows registration of any possible username.
  ## To disable in-band registration, replace 'allow' with 'deny'.
  register: 
    - allow
  ## Only allow to register from localhost
  trusted_network: 
    - allow: loopback
  ## Do not establish S2S connections with bad servers
  ## s2s: 
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - allow

## ===============
## API PERMISSIONS
## ===============
##
## This section allows you to define who and using what method
## can execute commands offered by ejabberd.
##
## By default "console commands" section allow executing all commands
## issued using ejabberdctl command, and "admin access" section allows
## users in admin acl to  execute all commands except start and stop
## with any available access method (ejabberdctl, http-api, xmlrpc
## depending what is enabled on server).
##
## Remember to not remove "console commands" section when doing modifications
## or ejabberdctl will not be able to execute commands!
##
##
##  api_permissions:
##  "console commands":
##    from:
##      - ejabberd_ctl
##    who: all
##    what: "*"
##  "admin access":
##    who:
##      - admin
##      - oauth:
##        - scope: "ejabberd:admin"
##        - admin
##    what:
##      - "*"
##     - "!stop"
##      - "!start"

## By default the frequency of account registrations from the same IP
## is limited to 1 account every 10 minutes. To disable, specify: infinity
## registration_timeout: 600

##
## Define specific Access Rules in a virtual host.
##
## host_config:
##   "localhost":
##     access:
##       c2s:
##         - allow: admin
##         - deny
##       register:
##         - allow

###.  ================
###'  DEFAULT LANGUAGE

##
## language: Default language used for server messages.
##
language: "en"

##
## Set a different default language in a virtual host.
##
## host_config:
##   "localhost":
##     language: "ru"

###.  =======
###'  CAPTCHA

##
## Full path to a script that generates the image.
##
## captcha_cmd: "/lib/ejabberd/priv/bin/captcha.sh"

##
## Host for the URL and port where ejabberd listens for CAPTCHA requests.
##
## captcha_host: "example.org:5280"

##
## Limit CAPTCHA calls per minute for JID/IP to avoid DoS.
##
## captcha_limit: 5

###.  =======
###'  MODULES

##
## Modules enabled in all ejabberd virtual hosts.
##
modules: 
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {} # requires mod_adhoc
  ##mod_delegation: {} # for xep0356
  mod_disco: {}
  ## mod_echo: {}
  mod_irc: {}
  mod_http_bind: {}
  ## mod_http_fileserver:
  ##   docroot: "/var/www"
  ##   accesslog: "/var/log/ejabberd/access.log"
  mod_last: {}
  mod_muc: 
    ## host: "conference.@HOST@"
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
  ## mod_muc_log: {}
  ## mod_multicast: {}
  mod_offline: 
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  ## mod_pres_counter:
  ##   count: 5
  ##   interval: 60
  mod_privacy: {}
  mod_private: {}
  ## mod_proxy65: {}
  mod_pubsub: 
    access_createnode: pubsub_createnode
    ## reduces resource comsumption, but XEP incompliant
    ignore_pep_from_offline: true
    ## XEP compliant, but increases resource comsumption
    ## ignore_pep_from_offline: false
    last_item_cache: false
    plugins: 
      - "flat"
      - "hometree"
      - "pep" # pep requires mod_caps
  ## mod_register:
    ##
    ## Protect In-Band account registrations with CAPTCHA.
    ##
    ##   captcha_protected: true
    ##
    ## Set the minimum informational entropy for passwords.
    ##
    ##   password_strength: 32
    ##
    ## After successful registration, the user receives
    ## a message with this subject and body.
    ##
    ##   welcome_message:
    ##     subject: "Welcome!"
    ##     body: |-
    ##       Hi.
    ##       Welcome to this XMPP server.
    ##
    ## When a user registers, send a notification to
    ## these XMPP accounts.
    ##
    ##   registration_watchers:
    ##     - "admin1@example.org"
    ##
    ## Only clients in the server machine can register accounts
    ##
    ##   ip_access: trusted_network
    ##
    ## Local c2s or remote s2s users cannot register accounts
    ##
    ##   access_from: deny
    ##   access: register
  mod_roster: {}
  mod_shared_roster: {}
  mod_stats: {}
  mod_time: {}
  mod_vcard:
    search: false
  mod_version: {}

##
## Enable modules with custom options in a specific virtual host
##
## host_config:
##   "localhost":
##     modules:
##       mod_echo:
##         host: "mirror.localhost"

##
## Enable modules management via ejabberdctl for installation and
## uninstallation of public/private contributed modules
## (enabled by default)
##

allow_contrib_modules: true

###.
###'
### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker:
#
#
acl:
  admin:
      user:
            - "admin": "localhost"

What operating system (version) are you using?

How did you install ejabberd (source, package, distribution)?

What did not work as expected? Are there error messages in the log? What was the unexpected behavior? What was the expected result?

prefiks commented 7 years ago

Hello,

The default permission definitions allow executing commands only for a user from the admin group whose token was created with scope "ejabberd:admin".

This can be changed by adding the api_permissions option (or uncommenting the fragment which is already in your config); by default it looks like this:

api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - admin
      - oauth:
        - scope: "ejabberd:admin"
        - admin
    what:
      - "*"
      - "!stop"
      - "!start"

You could add an extra rule to api_permissions just for your command, like this:

  "oauth get_roster":
    who:
      - oauth:
        - scope: "<Your token scope>"
        - user: "john@server.com"
        - user: "marry@server.com"
    what:
      - get_roster

Or have your token generated in such a way that it matches the default rule (a user from the admin group with the ejabberd:admin token), but this will allow executing almost all commands.

sibithabijesh commented 7 years ago

But in my yml file api_permissions is disabled. Do you mean to enable it as follows:

api_permissions: "console commands": from:

sibithabijesh commented 7 years ago

Please let me know if the one below is correct:

  api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - admin
      - oauth:
        - scope: "ejabberd:admin"
        - admin

    what:
      - "*"
     - "!stop"
      - "!start"

  "oauth get_roster":
  - who
    - oauth:
      - scope: "<Your token scope>"
      - user: "john@server.com"
      - user: "marry@server.com"
  - what:
    - get_roster  
sibithabijesh commented 7 years ago

Please help me. I am struggling to fix this issue.

When I generated token, I used the scope "user_get_roster+sasl_auth"

prefiks commented 7 years ago

Yeah, in your config that part is commented out; it just shows what the default value is. So you need to uncomment it.

You also need to modify this part:

    - oauth:
      - scope: "<Your token scope>"
      - user: "john@server.com"
      - user: "marry@server.com"

To enter the correct scope (user_get_roster+sasl_auth in your case, I guess) and also change those "- user" lines to use the correct user name that you used to generate the token (this declaration says that the users john and marry can call the command get_roster when they use OAuth authentication with scope "", so you need to adapt that to what you are really using).

sibithabijesh commented 7 years ago

Okay. I will check that and get back to you soon.

Can I use the REST API using mod_xmlrpc? Let me know if it is going to be deprecated soon.

sibithabijesh commented 7 years ago

I still got the same error. Could you please help me?

 api_permissions:
##  "console commands":
##    from:
##      - ejabberd_ctl
##    who: all
##    what: "*"
  "admin access":
    who:
      - admin
      - oauth:
        - scope: "ejabberd:admin"
        - admin

    what:
      - "*"
      - "!stop"
      - "!start"

  "oauth get_roster":

  - who:

      - oauth:

      - scope: "get_roster+sasl_auth"

      - user: "admin@localhost"

  - what:

      - get_roster
prefiks commented 7 years ago

First, you probably don't want to have that "console commands" section commented out; this will block access to commands executed with ejabberdctl. Second, do you have correct indentation in the "oauth get_roster" section? It should look similar to what you have in the "admin access" section.

To help you more I would need to have the log entries that ejabberd generates when commands are executed (you may need to bump loglevel to 5 to see them); look for "Command get_roster execution denied...." in ejabberd.log.

sibithabijesh commented 7 years ago

Hello, I got the error log below from the log file:

2017-02-27 11:28:32.668 [debug] <0.476.0>@ejabberd_http:process_header:291 (#Port<0.18437>) http query: 'POST' <<"/api/get_roster">>
2017-02-27 11:28:32.668 [debug] <0.476.0>@ejabberd_http:extract_path_query:407 client data: <<"{\"host\":\"localhost\",\"user\":\"sibi\"}">>
2017-02-27 11:28:32.668 [debug] <0.476.0>@ejabberd_http:process:363 [<<"api">>,<<"get_roster">>] matches [<<"api">>]
2017-02-27 11:28:32.669 [info] <0.476.0>@mod_http_api:log:533 API call get_roster [{<<"host">>,<<"localhost">>},{<<"user">>,<<"sibi">>}] from 112.133.229.124:2597
2017-02-27 11:28:32.669 [debug] <0.290.0>@ejabberd_access_permissions:handle_call:149 Command 'get_roster' execution denied (CallerInfo=#{caller_module => mod_http_api,caller_server => <<"localhost">>,ip => {112,133,229,124},oauth_scope => [<<"get_roster">>,<<"sasl_auth">>],usr => {<<"admin">>,<<"localhost">>,<<>>}})

I have provided the correct indentation:

  api_permissions:
    "console commands":
      from:
        - ejabberd_ctl
      who: all
      what: "*"
  "admin access":
    who:
      - admin
      - oauth:
        - scope: "ejabberd:admin"
        - admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "oauth get_roster":
    - who:
      - oauth:
        - scope: "get_roster+sasl_auth"
        - user: "admin@localhost"
    - what:
      - get_roster
prefiks commented 7 years ago

Ok, could you please try changing the scope to just "get_roster" (from "get_roster+sasl_auth") and see if it works?
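To make the two answers above concrete, here is an added Python model (not ejabberd's code and not from this thread) of how an api_permissions rule is checked against the CallerInfo that ejabberd prints in the "execution denied" debug line quoted earlier. The log line below is constructed in the same shape with a documentation IP address; the rule semantics are a simplification stated in the comments: a bare ACL in "who" is assumed to apply only to callers without an OAuth token, and an "oauth:" alternative requires one of the token's scopes to equal the rule's scope string exactly, which is why "get_roster+sasl_auth" in the rule cannot match a token whose scopes were split into ["get_roster", "sasl_auth"].

```python
import re

# Constructed sample: one ejabberd debug line of the kind quoted in the thread
# (loglevel 5), with the client IP replaced by a documentation address.
SAMPLE_DENIAL = (
    "2017-02-27 11:28:32.669 [debug] <0.290.0>@ejabberd_access_permissions:handle_call:149 "
    "Command 'get_roster' execution denied (CallerInfo=#{caller_module => mod_http_api,"
    'caller_server => <<"localhost">>,ip => {192,0,2,10},'
    'oauth_scope => [<<"get_roster">>,<<"sasl_auth">>],'
    'usr => {<<"admin">>,<<"localhost">>,<<>>}})'
)

# Members of the "admin" ACL (constructed, mirrors the acl block in the thread).
ADMIN_ACL = {"admin@localhost"}

# Rules as Python data. "who" lists alternatives: an ACL spec (name or {"user": jid})
# or {"oauth": {"scope": ..., "acl": <ACL spec the token owner must match>}}.
# "what" lists command names; "*" means all and "!cmd" excludes cmd.
RULES_AS_POSTED = {
    "admin access": {
        "who": ["admin", {"oauth": {"scope": "ejabberd:admin", "acl": "admin"}}],
        "what": ["*", "!stop", "!start"],
    },
    "oauth get_roster": {
        "who": [{"oauth": {"scope": "get_roster+sasl_auth", "acl": {"user": "admin@localhost"}}}],
        "what": ["get_roster"],
    },
}

# Same rules with the scope changed to "get_roster", as suggested above.
RULES_CORRECTED = {
    **RULES_AS_POSTED,
    "oauth get_roster": {
        "who": [{"oauth": {"scope": "get_roster", "acl": {"user": "admin@localhost"}}}],
        "what": ["get_roster"],
    },
}


def parse_denial(line):
    """Extract command, token scopes and bare JID from an 'execution denied' line.

    Returns None for lines that are not such a denial.
    """
    m = re.search(r"Command '([^']+)' execution denied \(CallerInfo=#\{(.*)\}\)", line)
    if not m:
        return None
    command, body = m.groups()
    scope_m = re.search(r"oauth_scope => \[(.*?)\]", body)
    scopes = re.findall(r'<<"([^"]*)">>', scope_m.group(1)) if scope_m else None
    usr_m = re.search(r'usr => \{<<"([^"]*)">>,<<"([^"]*)">>,', body)
    user = f"{usr_m.group(1)}@{usr_m.group(2)}" if usr_m else None
    return {"command": command, "oauth_scope": scopes, "user": user}


def acl_matches(spec, jid):
    """spec is the ACL name 'admin' or an inline {'user': jid} condition."""
    if spec == "admin":
        return jid in ADMIN_ACL
    if isinstance(spec, dict) and "user" in spec:
        return spec["user"] == jid
    raise ValueError(f"unsupported ACL spec: {spec!r}")


def who_matches(conditions, caller):
    """Any alternative in 'who' may grant access."""
    for cond in conditions:
        if isinstance(cond, dict) and "oauth" in cond:
            oauth = cond["oauth"]
            if caller["oauth_scope"] is None:
                continue  # not an OAuth caller
            # Modelling assumption: the rule's scope must equal one token scope exactly.
            if oauth["scope"] in caller["oauth_scope"] and acl_matches(oauth["acl"], caller["user"]):
                return True
        elif caller["oauth_scope"] is None and acl_matches(cond, caller["user"]):
            # Modelling assumption: bare ACLs apply only to non-OAuth callers, which is
            # why the default rule lists both "- admin" and an "- oauth:" alternative.
            return True
    return False


def what_allows(what, command):
    allowed = any(w == "*" or w == command for w in what if not w.startswith("!"))
    excluded = any(w == "!" + command for w in what)
    return allowed and not excluded


def evaluate(rules, caller):
    """Names of the rules that permit caller['command']; an empty list means denied."""
    return [name for name, rule in rules.items()
            if who_matches(rule["who"], caller) and what_allows(rule["what"], caller["command"])]


if __name__ == "__main__":
    caller = parse_denial(SAMPLE_DENIAL)
    print("caller:", caller)
    print("rules as posted ->", evaluate(RULES_AS_POSTED, caller) or "denied")
    print("corrected scope ->", evaluate(RULES_CORRECTED, caller) or "denied")
```

Running it shows the posted rule set denying the call and the corrected scope permitting it through "oauth get_roster" only; a caller without a token (the ejabberdctl case) is matched by the bare "admin" ACL of "admin access", and "!stop" still excludes stop for that caller.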

sibithabijesh commented 7 years ago

Still got the same error.

2017-02-27 11:54:32.461 [debug] <0.461.0>@ejabberd_http:extract_path_query:407 client data: <<"{\"host\":\"localhost\",\"user\":\"sibi\"}">>
2017-02-27 11:54:32.461 [debug] <0.461.0>@ejabberd_http:process:363 [<<"api">>,<<"get_roster">>] matches [<<"api">>]
2017-02-27 11:54:32.461 [info] <0.461.0>@mod_http_api:log:533 API call get_roster [{<<"host">>,<<"localhost">>},{<<"user">>,<<"sibi">>}] from 162.214.3.52:53796
2017-02-27 11:54:32.462 [debug] <0.287.0>@ejabberd_access_permissions:handle_call:149 Command 'get_roster' execution denied (CallerInfo=#{caller_module => mod_http_api,caller_server => <<"localhost">>,ip => {162,214,3,52},oauth_scope => [<<"get_roster">>,<<"sasl_auth">>],usr => {<<"admin">>,<<"localhost">>,<<>>}})
sibithabijesh commented 7 years ago

Also, I can't access /admin portal After enabling api_permissions.

prefiks commented 7 years ago

Ah, one more thing I missed, please replace this:

  - what:
    - get_roster

with this:

  - what:
    - "get_roster"

Also, I don't think enabling api_permissions should change whether you can access /admin, but I will check that.

sibithabijesh commented 7 years ago

Still getting the same error. mod_admin_extra: {} is already enabled. Now I can't access the admin portal either :(

When I created the token, I provided the scope "get_roster+sasl_auth". But now I tried to generate a token only with get_roster and got an invalid_scope error.

prefiks commented 7 years ago

It would help if you could execute "ejabberdctl debug" and, after you get to the prompt, execute this: "ejabberd_access_permissions:show_current_definitions()" and copy-paste what this generates.

To exit it, just press ctrl+c ctrl+c.

prefiks commented 7 years ago

I can access /admin without problems when I have api_permissions: in my config; this definitely doesn't affect it. Maybe some other change in the config file did that? This function is offered by ejabberd_web_admin, not mod_admin_extra.

sibithabijesh commented 7 years ago

When I run the command "ejabberdctl debug", I got only the response below:

To bypass permanently this warning, add to ejabberdctl.cfg the line:
  EJABBERD_BYPASS_WARNINGS=true
Press return to continue

Erlang/OTP 17 [erts-6.1] [source] [64-bit] [smp:8:8] [async-threads:10] [kernel-poll:true]

Eshell V6.1  (abort with ^G)
(ejabberd@localhost)1> ejabberd_access_permissions:show_current_definitions() 
(ejabberd@localhost)1>
prefiks commented 7 years ago

Ah, sorry, please add "." at the end (if you still have that shell open, just type "." and enter; if not, "ejabberd_access_permissions:show_current_definitions().").

sibithabijesh commented 7 years ago

Can you please check the yml file? I need to create a user, unregister a user, and add a user to a group from a web server for an app.

###
###'              ejabberd configuration file
###
###

### The parameters used in this configuration file are explained in more detail
### in the ejabberd Installation and Operation Guide.
### Please consult the Guide in case of doubts, it is included with
### your copy of ejabberd, and is also available online at
### http://www.process-one.net/en/ejabberd/docs/

### The configuration file is written in YAML.
### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
### However, ejabberd treats different literals as different types:
###
### - unquoted or single-quoted strings. They are called "atoms".
###   Example: dog, 'Jupiter', '3.14159', YELLOW
###
### - numeric literals. Example: 3, -45.0, .0
###
### - quoted or folded strings.
###   Examples of quoted string: "Lizzard", "orange".
###   Example of folded string:
###   > Art thou not Romeo,
###     and a Montague?

###.  =======
###'  LOGGING

##
## loglevel: Verbosity of log files generated by ejabberd.
## 0: No ejabberd log at all (not recommended)
## 1: Critical
## 2: Error
## 3: Warning
## 4: Info
## 5: Debug
##
loglevel: 5

##
## rotation: Describe how to rotate logs. Either size and/or date can trigger
## log rotation. Setting count to N keeps N rotated logs. Setting count to 0
## does not disable rotation, it instead rotates the file and keeps no previous
## versions around. Setting size to X rotate log when it reaches X bytes.
## To disable rotation set the size to 0 and the date to ""
## Date syntax is taken from the syntax newsyslog uses in newsyslog.conf.
## Some examples:
##  $D0     rotate every night at midnight
##  $D23    rotate every day at 23:00 hr
##  $W0D23  rotate every week on Sunday at 23:00 hr
##  $W5D16  rotate every week on Friday at 16:00 hr
##  $M1D0   rotate on the first day of every month at midnight
##  $M5D6   rotate on every 5th day of the month at 6:00 hr
##
log_rotate_size: 10485760
log_rotate_date: ""
log_rotate_count: 1

##
## overload protection: If you want to limit the number of messages per second
## allowed from error_logger, which is a good idea if you want to avoid a flood
## of messages when system is overloaded, you can set a limit.
## 100 is ejabberd's default.
log_rate_limit: 100

##
## watchdog_admins: Only useful for developers: if an ejabberd process
## consumes a lot of memory, send live notifications to these XMPP
## accounts.
##
## watchdog_admins:
##   - "bob@example.com"

###.  ===============
###'  NODE PARAMETERS

##
## net_ticktime: Specifies net_kernel tick time in seconds. This options must have
## identical value on all nodes, and in most cases shouldn't be changed at all from
## default value.
##
## net_ticktime: 60

###.  ================
###'  SERVED HOSTNAMES

##
## hosts: Domains served by ejabberd.
## You can define one or several, for example:
## hosts:
##   - "example.net"
##   - "example.com"
##   - "example.org"
##
hosts:
  - "localhost"

##
## route_subdomains: Delegate subdomains to other XMPP servers.
## For example, if this ejabberd serves example.org and you want
## to allow communication with an XMPP server called im.example.org.
##
## route_subdomains: s2s

###.  ===============
###'  LISTENING PORTS

##
## listen: The ports ejabberd will listen on, which service each is handled
## by and what options to start it with.
##
listen:
  -
    port: 5222
    module: ejabberd_c2s
    ##
    ## If TLS is compiled in and you installed a SSL
    ## certificate, specify the full path to the
    ## file and uncomment these lines:
    ##
    ## certfile: "/path/to/ssl.pem"
    ## starttls: true
    ##
    ## To enforce TLS encryption for client connections,
    ## use this instead of the "starttls" option:
    ##
    ## starttls_required: true
    ##
    ## Custom OpenSSL options
    ##
    ## protocol_options:
    ##   - "no_sslv3"
    ##   - "no_tlsv1"
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
  -
    port: 5269
    module: ejabberd_s2s_in
  ##
  ## ejabberd_service: Interact with external components (transports, ...)
  ##
  ## -
  ##   port: 8888
  ##   module: ejabberd_service
  ##   access: all
  ##   shaper_rule: fast
  ##   ip: "127.0.0.1"
  ##   privilege_access:
  ##      roster: "both"
  ##      message: "outgoing"
  ##      presence: "roster"
  ##   delegations:
  ##      "urn:xmpp:mam:1":
  ##        filtering: ["node"]
  ##      "http://jabber.org/protocol/pubsub":
  ##        filtering: []
  ##   hosts:
  ##     "icq.example.org":
  ##       password: "secret"
  ##     "sms.example.org":
  ##       password: "secret"

  ##
  ## ejabberd_stun: Handles STUN Binding requests
  ##
  ## -
  ##   port: 3478
  ##   transport: udp
  ##   module: ejabberd_stun

  #!yaml

  ## To handle XML-RPC requests that provide admin credentials:
  ##
  # -
  #   port: 4560
  #   module: ejabberd_xmlrpc
  #  access_commands: {}
  #-
    port: 5280
    module: ejabberd_http
    request_handlers:
      "/websocket": ejabberd_http_ws
      "/log": mod_log_http
     # OAuth support:
      "/oauth": ejabberd_oauth
      # ReST API:
      "/api": mod_http_api
    ##  "/pub/archive": mod_http_fileserver
    web_admin: true
    http_bind: true
    ## register: true
    captcha: true
    commands_admin_access: configure
    commands:
      - add_commands:
        - user
    oauth_expire: 3600
    oauth_access: all

###.  ==================
###'  S2S GLOBAL OPTIONS

##
## s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
## Allowed values are: false optional required required_trusted
## You must specify a certificate file.
##
## s2s_use_starttls: optional

##
## s2s_certfile: Specify a certificate file.
##
## s2s_certfile: "/path/to/ssl.pem"

## Custom OpenSSL options
##
## s2s_protocol_options:
##   - "no_sslv3"
##   - "no_tlsv1"

##
## domain_certfile: Specify a different certificate for each served hostname.
##
## host_config:
##   "example.org":
##     domain_certfile: "/path/to/example_org.pem"
##   "example.com":
##     domain_certfile: "/path/to/example_com.pem"

##
## S2S whitelist or blacklist
##
## Default s2s policy for undefined hosts.
##
## s2s_access: s2s

##
## Outgoing S2S options
##
## Preferred address families (which to try first) and connect timeout
## in milliseconds.
##
## outgoing_s2s_families:
##   - ipv4
##   - ipv6
## outgoing_s2s_timeout: 10000

###.  ==============
###'  AUTHENTICATION

##
## auth_method: Method used to authenticate the users.
## The default method is the internal.
## If you want to use a different method,
## comment this line and enable the correct ones.
##
auth_method: internal

##
## Store the plain passwords or hashed for SCRAM:
## auth_password_format: plain
## auth_password_format: scram
##
## Define the FQDN if ejabberd doesn't detect it:
## fqdn: "server3.example.com"

##
## Authentication using external script
## Make sure the script is executable by ejabberd.
##
## auth_method: external
## extauth_program: "/path/to/authentication/script"

##
## Authentication using SQL
## Remember to setup a database in the next section.
##
## auth_method: sql

##
## Authentication using PAM
##
## auth_method: pam
## pam_service: "pamservicename"

##
## Authentication using LDAP
##
## auth_method: ldap
##
## List of LDAP servers:
## ldap_servers:
##   - "localhost"
##
## Encryption of connection to LDAP servers:
## ldap_encrypt: none
## ldap_encrypt: tls
##
## Port to connect to on LDAP servers:
## ldap_port: 389
## ldap_port: 636
##
## LDAP manager:
## ldap_rootdn: "dc=example,dc=com"
##
## Password of LDAP manager:
## ldap_password: "******"
##
## Search base of LDAP directory:
## ldap_base: "dc=example,dc=com"
##
## LDAP attribute that holds user ID:
## ldap_uids:
##   - "mail": "%u@mail.example.org"
##
## LDAP filter:
## ldap_filter: "(objectClass=shadowAccount)"

##
## Anonymous login support:
##   auth_method: anonymous
##   anonymous_protocol: sasl_anon | login_anon | both
##   allow_multiple_connections: true | false
##
## host_config:
##   "public.example.org":
##     auth_method: anonymous
##     allow_multiple_connections: false
##     anonymous_protocol: sasl_anon
##
## To use both anonymous and internal authentication:
##
## host_config:
##   "public.example.org":
##     auth_method:
##       - internal
##       - anonymous

###.  ==============
###'  DATABASE SETUP

## ejabberd by default uses the internal Mnesia database,
## so you do not necessarily need this section.
## This section provides configuration examples in case
## you want to use other database backends.
## Please consult the ejabberd Guide for details on database creation.

##
## MySQL server:
##
## sql_type: mysql
## sql_server: "server"
## sql_database: "database"
## sql_username: "username"
## sql_password: "password"
##
## If you want to specify the port:
## sql_port: 1234

##
## PostgreSQL server:
##
## sql_type: pgsql
## sql_server: "server"
## sql_database: "database"
## sql_username: "username"
## sql_password: "password"
##
## If you want to specify the port:
## sql_port: 1234
##
## If you use PostgreSQL, have a large database, and need a
## faster but inexact replacement for "select count(*) from users"
##
## pgsql_users_number_estimate: true

##
## SQLite:
##
## sql_type: sqlite
## sql_database: "/path/to/database.db"

##
## ODBC compatible or MSSQL server:
##
## sql_type: odbc
## sql_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"

##
## Number of connections to open to the database for each virtual host
##
## sql_pool_size: 10

##
## Interval to make a dummy SQL request to keep the connections to the
## database alive. Specify in seconds: for example 28800 means 8 hours
##
## sql_keepalive_interval: undefined

###.  ===============
###'  TRAFFIC SHAPERS

shaper:
  ##
  ## The "normal" shaper limits traffic speed to 1000 B/s
  ##
  normal: 1000

  ##
  ## The "fast" shaper limits traffic speed to 50000 B/s
  ##
  fast: 50000

##
## This option specifies the maximum number of elements in the queue
## of the FSM. Refer to the documentation for details.
##
max_fsm_queue: 1000

###.   ====================
###'   ACCESS CONTROL LISTS
acl:
  ##
  ## The 'admin' ACL grants administrative privileges to XMPP accounts.
  ## You can put here as many accounts as you want.
  ##
#   admin:
#    user:
#   - "admin@localhost"
  ##     - "aleksey@localhost"
  ##     - "ermine@example.org"
  ##
  ## Blocked users
  ##
  ## blocked:
  ##   user:
  ##     - "baduser@example.org"
  ##     - "test"

  ## Local users: don't modify this.
  ##
  local:
    user_regexp: ""

  ##
  ## More examples of ACLs
  ##
  ## jabberorg:
  ##   server:
  ##     - "jabber.org"
  ## aleksey:
  ##   user:
  ##     - "aleksey@jabber.ru"
  ## test:
  ##   user_regexp: "^test"
  ##   user_glob: "test*"

  ##
  ## Loopback network
  ##
  loopback:
    ip:
      - "127.0.0.0/8"

  ##
  ## Bad XMPP servers
  ##
  ## bad_servers:
  ##   server:
  ##     - "xmpp.zombie.org"
  ##     - "xmpp.spam.com"

##
## Define specific ACLs in a virtual host.
##
## host_config:
##   "localhost":
##     acl:
##       admin:
##         user:
##           - "bob-local@localhost"

###.  ============
###'  SHAPER RULES

shaper_rules:
  ## Maximum number of simultaneous sessions allowed for a single user:
  max_user_sessions: 10
  ## Maximum number of offline messages that users can have:
  max_user_offline_messages:
    - 5000: admin
    - 100
  ## For C2S connections, all users except admins use the "normal" shaper
  c2s_shaper:
    - none: admin
    - normal
  ## All S2S connections use the "fast" shaper
  s2s_shaper: fast

###.  ============
###'  ACCESS RULES
access_rules:
  ## This rule allows access only for local users:
  local:
    - allow: local
  ## Only non-blocked users can use c2s connections:
  c2s:
    - deny: blocked
    - allow
  ## Only admins can send announcement messages:
  announce:
    - allow: admin
  ## Only admins can use the configuration interface:
  configure:
    - allow: admin
  ## Only accounts of the local ejabberd server can create rooms:
  muc_create:
    - allow: local
  ## Only accounts on the local ejabberd server can create Pubsub nodes:
  pubsub_createnode:
    - allow: local
  ## In-band registration allows registration of any possible username.
  ## To disable in-band registration, replace 'allow' with 'deny'.
  register:
    - allow
  ## Only allow to register from localhost
  trusted_network:
    - allow: loopback
  ## Do not establish S2S connections with bad servers
  ## s2s:
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - allow

## ===============
## API PERMISSIONS
## ===============
##
## This section allows you to define who and using what method
## can execute commands offered by ejabberd.
##
## By default the "console commands" section allows executing all commands
## issued using the ejabberdctl command, and the "admin access" section allows
## users in the admin acl to execute all commands except start and stop
## with any available access method (ejabberdctl, http-api, xmlrpc,
## depending on what is enabled on the server).
##
## Remember not to remove the "console commands" section when making modifications,
## or ejabberdctl will not be able to execute commands!
##
##
  api_permissions:
    "console commands":
      from:
        - ejabberd_ctl
      who: all
      what: "*"
  "admin access":
    who:
      - admin
      - oauth:
        - scope: "ejabberd:admin"
        - admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "oauth get_roster":
    - who:
      - oauth:
        - scope: "get_roster"
        - user: "admin@localhost"
    - what:
      - "get_roster"

## By default the frequency of account registrations from the same IP
## is limited to 1 account every 10 minutes. To disable, specify: infinity
## registration_timeout: 600

##
## Define specific Access Rules in a virtual host.
##
## host_config:
##   "localhost":
##     access:
##       c2s:
##         - allow: admin
##         - deny
##       register:
##         - allow

###.  ================
###'  DEFAULT LANGUAGE

##
## language: Default language used for server messages.
##
language: "en"

##
## Set a different default language in a virtual host.
##
## host_config:
##   "localhost":
##     language: "ru"

###.  =======
###'  CAPTCHA

##
## Full path to a script that generates the image.
##
## captcha_cmd: "/lib/ejabberd/priv/bin/captcha.sh"

##
## Host for the URL and port where ejabberd listens for CAPTCHA requests.
##
## captcha_host: "example.org:5280"

##
## Limit CAPTCHA calls per minute for JID/IP to avoid DoS.
##
## captcha_limit: 5

###.  =======
###'  MODULES

##
## Modules enabled in all ejabberd virtual hosts.
##
modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {} # requires mod_adhoc
  ##mod_delegation: {} # for xep0356
  mod_disco: {}
  ## mod_echo: {}
  mod_irc: {}
  mod_http_bind: {}
  ## mod_http_fileserver:
  ##   docroot: "/var/www"
  ##   accesslog: "/var/log/ejabberd/access.log"
  mod_last: {}
  mod_muc:
    ## host: "conference.@HOST@"
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
  ## mod_muc_log: {}
  ## mod_multicast: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  ## mod_pres_counter:
  ##   count: 5
  ##   interval: 60
  mod_privacy: {}
  mod_private: {}
  ## mod_proxy65: {}
  mod_pubsub:
    access_createnode: pubsub_createnode
    ## reduces resource consumption, but XEP incompliant
    ignore_pep_from_offline: true
    ## XEP compliant, but increases resource consumption
    ## ignore_pep_from_offline: false
    last_item_cache: false
    plugins:
      - "flat"
      - "hometree"
      - "pep" # pep requires mod_caps
  ## mod_register:
    ##
    ## Protect In-Band account registrations with CAPTCHA.
    ##
    ##   captcha_protected: true
    ##
    ## Set the minimum informational entropy for passwords.
    ##
    ##   password_strength: 32
    ##
    ## After successful registration, the user receives
    ## a message with this subject and body.
    ##
    ##   welcome_message:
    ##     subject: "Welcome!"
    ##     body: |-
    ##       Hi.
    ##       Welcome to this XMPP server.
    ##
    ## When a user registers, send a notification to
    ## these XMPP accounts.
    ##
    ##   registration_watchers:
    ##     - "admin1@example.org"
    ##
    ## Only clients in the server machine can register accounts
    ##
    ##   ip_access: trusted_network
    ##
    ## Local c2s or remote s2s users cannot register accounts
    ##
    ##   access_from: deny
    ##   access: register
  mod_roster: {}
  mod_shared_roster: {}
  mod_stats: {}
  mod_time: {}
  mod_vcard:
    search: false
  mod_version: {}

##
## Enable modules with custom options in a specific virtual host
##
## host_config:
##   "localhost":
##     modules:
##       mod_echo:
##         host: "mirror.localhost"

##
## Enable modules management via ejabberdctl for installation and
## uninstallation of public/private contributed modules
## (enabled by default)
##

allow_contrib_modules: true

###.
###'
### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker:
#
#
acl:
  admin:
      user:
            - "admin": "localhost"
sibithabijesh commented 7 years ago

Okay. Now I got the response when I execute that cmd:

(ejabberd@localhost)1> ejabberd_access_permissions:show_current_definitions().
[{<<"console commands">>,
  {[ejabberd_ctl],
   [{acl,all}],
   [user_sessions_info,user_resources,update_list,update,
    unregister,stop_kindly,stop_all_connections,stop,
    status_num_host,status_num,status_list_host,status_list,
    status,stats_host,stats,srg_user_del,srg_user_add,srg_list,
    srg_get_members,srg_get_info,srg_delete,srg_create,
    set_vcard2_multi|...]}},
 {<<"admin access">>,
  {[],
   [{acl,{acl,admin}},
    {oauth,[<<"ejabberd:admin">>],[{acl,{acl,admin}}]}],
   [user_sessions_info,user_resources,update_list,update,
    unregister,stop_kindly,stop_all_connections,status_num_host,
    status_num,status_list_host,status_list,status,stats_host,
    stats,srg_user_del,srg_user_add,srg_list,srg_get_members,
    srg_get_info,srg_delete,srg_create,set_vcard2_multi|...]}},
 {<<"'commands' option compatibility shim">>,
  {[],[{access,configure}],[connected_users]}}]
prefiks commented 7 years ago

So for one, you have this fragment in the middle that disabled the listener for 5280 (and /admin access with it):

  #!yaml

  ## To handle XML-RPC requests that provide admin credentials:
  ##
  # -
  #   port: 4560
  #   module: ejabberd_xmlrpc
  #  access_commands: {}
  #-

Remove it and make sure there is a "-" on the line before port: 5280.

Second, your api_permissions has the wrong indent; it must be at the start of the line with no spaces before it, and you need to indent that whole block that way.

sibithabijesh commented 7 years ago

Do you mean to remove the xmlrpc section from the yml?

prefiks commented 7 years ago

No, you need to have

  -
    port: 5280

like you have in the handlers for the other ports above; you instead have "# -".

sibithabijesh commented 7 years ago

Now I can access /admin, but when I run the script I got the same error:

{"status":"error","code":32,"message":"AccessRules: Account does not have the right to perform the operation."}

prefiks commented 7 years ago

Can you run that command in "ejabberdctl debug" again? Your previous output showed that it was not parsed correctly (probably from that indentation problem) and the default value was used. Let's see if after that fix it's recognized OK.

sibithabijesh commented 7 years ago

Response:

(ejabberd@localhost)1> ejabberd_access_permissions:show_current_definitions().
[{<<"console commands">>,
  {[ejabberd_ctl],
   [{acl,all}],
   [user_sessions_info,user_resources,update_list,update,
    unregister,stop_kindly,stop_all_connections,stop,
    status_num_host,status_num,status_list_host,status_list,
    status,stats_host,stats,srg_user_del,srg_user_add,srg_list,
    srg_get_members,srg_get_info,srg_delete,srg_create,
    set_vcard2_multi|...]}},
 {<<"admin access">>,
  {[],
   [{acl,{acl,admin}},
    {oauth,[<<"ejabberd:admin">>],[{acl,{acl,admin}}]}],
   [user_sessions_info,user_resources,update_list,update,
    unregister,stop_kindly,stop_all_connections,status_num_host,
    status_num,status_list_host,status_list,status,stats_host,
    stats,srg_user_del,srg_user_add,srg_list,srg_get_members,
    srg_get_info,srg_delete,srg_create,set_vcard2_multi|...]}},
 {<<"'commands' option compatibility shim">>,
  {[],[{access,none}],[]}}]
prefiks commented 7 years ago

So it still uses the default settings, not what you entered. Please make sure that there is no indentation before api_permissions:

sibithabijesh commented 7 years ago

Can you please help me to fix the indentation problem? I attached my yml file; could you please correct it there?

yml.txt

prefiks commented 7 years ago

OK, looks like you hit a bug in the parser code, but you should be able to work around it by replacing the line with "- user: "admin@localhost"" with "- admin".

sibithabijesh commented 7 years ago

Now I got the response "400 Bad Request".

sibithabijesh commented 7 years ago

These are the latest changes in the api permissions:

"oauth get_roster":
    - who:
      - oauth:
        - scope: "get_roster"
        - admin
    - what:
      - "get_roster"
prefiks commented 7 years ago

Can you check in ejabberd.log what is generated after you execute the command?

sibithabijesh commented 7 years ago

2017-02-27 14:22:02.564 [info] <0.476.0>@mod_http_api:log:533 API call unregister [{<<"host">>,<<"localhost">>},{<<"user">>,<<"sibi">>}] from 112.133.236.185:62395
2017-02-27 14:22:02.565 [debug] <0.476.0>@mod_http_api:process:192 Bad Request: {noproc,{gen_server,call,[ejabberd_access_permissions,{can_access,unregister,#{caller_module => mod_http_api,caller_server => <<"localhost">>,ip => {112,133,236,185},oauth_scope => [<<"get_roster">>,<<"sasl_auth">>],usr => {<<"admin">>,<<"localhost">>,<<>>}}}]}} [{gen_server,call,2,[{file,"gen_server.erl"},{line,182}]},{ejabberd_commands,execute_command2,4,[{file,"src/ejabberd_commands.erl"},{line,471}]},{mod_http_api,handle2,4,[{file,"src/mod_http_api.erl"},{line,327}]},{mod_http_api,handle,4,[{file,"src/mod_http_api.erl"},{line,285}]},{mod_http_api,perform_call,4,[{file,"src/mod_http_api.erl"},{line,230}]},{mod_http_api,process,2,[{file,"src/mod_http_api.erl"},{line,183}]},{ejabberd_http,process,5,[{file,"src/ejabberd_http.erl"},{line,373}]},{ejabberd_http,process_request,1,[{file,"src/ejabberd_http.erl"},{line,464}]}]
prefiks commented 7 years ago

Hm, looks like one of the commands that I told you to run in "ejabberdctl debug" closed one of the processes. You could try executing "ejabberd_access_permissions:start_link()." inside the shell, or try restarting the server.

sibithabijesh commented 7 years ago

Now I got the previous error: {"status":"error","code":32,"message":"AccessRules: Account does not have the right to perform the operation."}

prefiks commented 7 years ago

And what does ejabberd.log show?

sibithabijesh commented 7 years ago
2017-02-27 14:33:30.583 [debug] <0.455.0>@ejabberd_http:process_header:291 (#Port<0.18555>) http query: 'POST' <<"/api/unregister">>
2017-02-27 14:33:30.583 [debug] <0.455.0>@ejabberd_http:extract_path_query:407 client data: <<"{\"host\":\"localhost\",\"user\":\"sibi\"}">>
2017-02-27 14:33:30.583 [debug] <0.455.0>@ejabberd_http:process:363 [<<"api">>,<<"unregister">>] matches [<<"api">>]
2017-02-27 14:33:30.584 [info] <0.455.0>@mod_http_api:log:533 API call unregister [{<<"host">>,<<"localhost">>},{<<"user">>,<<"sibi">>}] from 112.133.236.185:8389
2017-02-27 14:33:30.584 [debug] <0.287.0>@ejabberd_access_permissions:handle_call:149 Command 'unregister' execution denied (CallerInfo=#{caller_module => mod_http_api,caller_server => <<"localhost">>,ip => {112,133,236,185},oauth_scope => [<<"get_roster">>,<<"sasl_auth">>],usr => {<<"admin">>,<<"localhost">>,<<>>
prefiks commented 7 years ago

This shows that you are now executing the command "unregister", but the rule that was added allows only "get_roster". If you want to allow access to more commands, you must list them in the "what:" section:

  "oauth get_roster":
    who:
      - oauth:
        - scope: "get_roster"
        - user: "admin@localhost"
    what:
      - "get_roster"
      - "unregister"

etc.
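
To make the two points of this thread concrete, the "who"/"what" rule matching explained above and the indentation requirement for a top-level `api_permissions` option, here is a small model of the evaluation written for this thread. It is an added example, not ejabberd's own code: the matching semantics are reconstructed from the denials visible in the thread's logs (a token with scope `get_roster` may run `get_roster` but not `unregister`, and a plain `- admin` entry does not satisfy a token-authenticated caller), and every place where that is an assumption is marked in a comment. The rules, the caller and the config snippet are constructed from values that appear in the thread.

```python
"""Model of how ejabberd api_permissions rules decide whether a command may run.
Added example for this thread, not ejabberd's own code; the matching rules are
reconstructed from the thread's logs and are labelled where they are assumptions."""
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class Caller:
    source: str                            # ejabberd_ctl, mod_http_api, ejabberd_xmlrpc
    user: Optional[str] = None             # bare JID, None for the console
    acls: frozenset = frozenset()          # ACL names the user is in, e.g. {"admin"}
    oauth_scopes: frozenset = frozenset()  # non-empty only for token authentication


def _plain_matches(entry: Any, caller: Caller) -> bool:
    """One non-oauth 'who' entry: 'all', an ACL name, or {user: jid}."""
    if entry == "all":
        return True
    if isinstance(entry, str):
        return entry in caller.acls
    return isinstance(entry, dict) and "user" in entry and caller.user == entry["user"]


def who_matches(who: Any, caller: Caller) -> bool:
    entries = who if isinstance(who, list) else [who]
    for entry in entries:
        if isinstance(entry, dict) and "oauth" in entry:
            # Assumption: an oauth entry applies only to token callers and needs
            # one of the listed scopes plus every other sub-entry (ACL or user).
            if not caller.oauth_scopes:
                continue
            scopes = [e["scope"] for e in entry["oauth"]
                      if isinstance(e, dict) and "scope" in e]
            others = [e for e in entry["oauth"]
                      if not (isinstance(e, dict) and "scope" in e)]
            if scopes and not any(s in caller.oauth_scopes for s in scopes):
                continue
            if all(_plain_matches(o, caller) for o in others):
                return True
        elif not caller.oauth_scopes and _plain_matches(entry, caller):
            # Assumption from the thread's logs: a plain entry such as "- admin"
            # does not match a caller that presented an OAuth token.
            return True
    return False


def what_matches(what: Any, command: str) -> bool:
    entries = what if isinstance(what, list) else [what]
    if "!" + command in entries:  # an explicit exclusion such as "!stop" wins
        return False
    return any(entry in ("*", command) for entry in entries)


def can_access(api_permissions: dict, command: str, caller: Caller) -> bool:
    """Allowed when at least one rule matches both the caller and the command."""
    for rule in api_permissions.values():
        if not isinstance(rule, dict):
            # A rule written as a YAML list ("- who:", "- what:") is not a
            # mapping, so it cannot grant anything.
            continue
        sources = rule.get("from")
        if sources and caller.source not in sources:
            continue
        if who_matches(rule.get("who", []), caller) and \
                what_matches(rule.get("what", []), command):
            return True
    return False


def indent_of_key(config_text: str, key: str) -> Optional[int]:
    """Leading spaces before the first `key:` line; a top-level option needs 0."""
    for line in config_text.splitlines():
        stripped = line.lstrip(" ")
        if stripped.startswith(key + ":"):
            return len(line) - len(stripped)
    return None


# The rules from the thread, as Python mappings rather than YAML.
API_PERMISSIONS = {
    "console commands": {"from": ["ejabberd_ctl"], "who": "all", "what": "*"},
    "admin access": {
        "who": ["admin", {"oauth": [{"scope": "ejabberd:admin"}, "admin"]}],
        "what": ["*", "!stop", "!start"],
    },
    "oauth get_roster": {
        "who": [{"oauth": [{"scope": "get_roster"}, {"user": "admin@localhost"}]}],
        "what": ["get_roster"],
    },
}
# The CallerInfo from the thread's log: admin@localhost with a token whose
# scopes are get_roster and sasl_auth, calling through mod_http_api.
TOKEN_CALLER = Caller("mod_http_api", "admin@localhost", frozenset({"admin"}),
                      frozenset({"get_roster", "sasl_auth"}))
PASSWORD_ADMIN = Caller("mod_http_api", "admin@localhost", frozenset({"admin"}))
CONSOLE = Caller("ejabberd_ctl")
# Constructed snippet reproducing the indentation mistake discussed above.
CONFIG_SNIPPET = "access_rules:\n  local:\n    - allow: local\n" \
                 "  api_permissions:\n    \"console commands\":\n      who: all\n"

if __name__ == "__main__":
    for cmd, caller in [("get_roster", TOKEN_CALLER), ("unregister", TOKEN_CALLER),
                        ("stop", PASSWORD_ADMIN), ("stop", CONSOLE)]:
        verdict = "allowed" if can_access(API_PERMISSIONS, cmd, caller) else "denied"
        print(f"{cmd} via {caller.source}: {verdict}")
    print("api_permissions indent:", indent_of_key(CONFIG_SNIPPET, "api_permissions"))
```

Running it shows the pattern seen in the log: the token caller gets `get_roster` but is denied `unregister`, the password-authenticated admin is denied `stop` because of the `!stop` exclusion, and only a caller coming from `ejabberd_ctl` is covered by "console commands". `indent_of_key` reports 2 for the snippet, which is the misplacement prefiks points out: at that depth the key is read as part of `access_rules`, not as the top-level option, so the defaults stay in force.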

sibithabijesh commented 7 years ago

But get_roster is also not working; that's why I tried unregister.

sibithabijesh commented 7 years ago

Is there any ejabberd library in PHP for the REST API?

It would be very helpful if you could add more examples based on the REST API and their permissions in the ejabberd docs.

sibithabijesh commented 7 years ago

Can you help me? The REST API is not working.

prefiks commented 7 years ago

Could you please run "ejabberdctl reload_config" and see if this helps? If not, could you check error.log to see if it has "invalid option 'api_permission'"?

sibithabijesh commented 7 years ago

I got the below error while I tried to execute the register cmd via xmlrpc with a token:

A problem '{error,access_rules_unauthorized}' occurred executing the command register with arguments
[{user,<<"vishnu">>},{host,<<"localhost">>},{password,<<"123456">>}]

xmlrpc with a password is working fine, but the token is not working. Please advise me.

prefiks commented 7 years ago

Please check ejabberd.log for the corresponding line with ejabberd_access_permissions:handle_call.

prefiks commented 7 years ago

Also, please give me the api_permissions from your current config file.

sibithabijesh commented 7 years ago

I tried many changes in the API. Yesterday you mentioned adding an extra permission.

api_permissions:
  "console commands":
    from:
     - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
     - admin
     - oauth:
        - scope: "ejabberd:admin"
        - admin
    what:
     - "*"
     - "!stop"
     - "!start"      
  "oauth sasl_auth":
    - who:
      - oauth:
        - scope: "sasl_auth"
        - user: "admin@localhost"
    - what:
      - "status"
      - "[tag:account]"

I also tried this:

"oauth get_roster":
    - who:
      - oauth:
        - scope: "get_roster"
        - admin
    - what:
      - "get_roster"
-
    port: 5280
    module: ejabberd_http
    request_handlers:
      "/websocket": ejabberd_http_ws
      "/log": mod_log_http
     # OAuth support:
      "/oauth": ejabberd_oauth
      # ReST API:
      "/api": mod_http_api
    ##  "/pub/archive": mod_http_fileserver
    web_admin: true
    http_bind: true
    ## register: true
    captcha: true
    commands_admin_access: configure
    commands:
     - add_commands: [status, register]      
    oauth_expire: 3600
    oauth_access: all
sibithabijesh commented 7 years ago

This is the log file:

2017-02-28 06:24:14.510 [debug] <0.487.0>@ejabberd_http:process:363 [] matches []
2017-02-28 06:24:14.510 [debug] <0.487.0>@ejabberd_xmlrpc:process:246 got XML-RPC request: {call,register,[{struct,[{user,<<"admin">>},{host,<<"localhost">>},{server,<<"localhost">>},{token,<<"YkH5rM9NTH1kfCkLf4CJddddddx2I0ummt5J4a">>}]},{struct,[{user,<<"vishnu">>},{host,<<"localhost">>},{password,<<"123456">>}]}]}
2017-02-28 06:24:14.510 [debug] <0.487.0>@ejabberd_xmlrpc:extract_auth:263 AUTHLIST [{user,<<"admin">>},{host,<<"localhost">>},{server,<<"localhost">>},{token,<<"YkHddddd5rM9NTH1kfCkLf4CJx2I0ummt5J4a">>}]
2017-02-28 06:24:14.512 [debug] <0.295.0>@ejabberd_access_permissions:handle_call:149 Command 'register' execution denied (CallerInfo=#{caller_module => ejabberd_xmlrpc,caller_server => <<"localhost">>,extra_permissions => [],ip => {112,133,236,202},oauth_scope => [<<"get_roster">>,<<"sasl_auth">>],usr => {<<"admin">>,<<"localhost">>,<<>>}})
2017-02-28 06:24:14.512 [warning] <0.487.0>@ejabberd_xmlrpc:build_fault_response:421 Error -118
A problem '{error,access_rules_unauthorized}' occurred executing the command register with arguments
[{user,<<"vishnu">>},{host,<<"localhost">>},{password,<<"123456">>}]
sibithabijesh commented 7 years ago

Do you need the full yml file?

sibithabijesh commented 7 years ago

Can you please help me to figure out this issue? I need to make REST API calls via a web service. I tried lots of the configs mentioned, but it doesn't work in my case.

If it is so particular to the indent issue, could you please help me to resolve that issue? I will post the yml if you need to look at all the config values.