processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

Command need to be run with admin priviledge #3839

Closed potenzatk closed 1 year ago

potenzatk commented 2 years ago

Before creating a ticket, please consider if this should fit the discussion forum better: https://github.com/processone/ejabberd/discussions

Environment

Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml

loglevel: 4
...

Errors from error.log/crash.log

No errors

Bug description

When I try to run the API below: http://ec2-3-135-193-140.us-east-2.compute.amazonaws.com:5280/api/register

I got the "Command need to be run with admin priviledge" error. Please check the links below: http://prntscr.com/xXbRVU_nBdYK http://prntscr.com/bsDYMalBWH1N

My \opt\ejabberd-16.09\conf\ejabberd.yml file details

port: 5280
    module: ejabberd_http
    request_handlers:
      "/websocket": ejabberd_http_ws
      "/api": mod_http_api
    ##  "/pub/archive": mod_http_fileserver
    web_admin: true
    http_bind: true
    ## register: true
    captcha: false

    modules:
      mod_http_api:
        admin_ip_access: admin_ip_access_rule

    access:
      admin_ip_access_rule:
        admin_ip_acl:
          - change password
          - add_rosteritem
          - register
          - delete_rosteritem
          - send_message

    acl:
      admin_ip_acl:
        ip:
         - "3.135.193.140/8"

Please help me fix this issue.

licaon-kter commented 2 years ago

Latest version is 22.05. Can you not use a 6 years (!!) old version?

potenzatk commented 2 years ago

I will update to the latest version, but first please help me with this error.

prefiks commented 2 years ago

And are you issuing that call from 3.135.193.140?

potenzatk commented 2 years ago

Yes, I call the http://ec2-3-135-193-140.us-east-2.compute.amazonaws.com:5280/api/register API from the 3.135.193.140 server, and ejabberd is also installed on this server.

prefiks commented 2 years ago

Well, if you do that REST call on the local machine, it's possible that the loopback address is used; try adding 127.0.0.1/8 to that ACL.

badlop commented 2 years ago

Your configuration works correctly for me using 16.09, and changing the IP address to 127.0.0.1/8.

For testing I use those queries. You could try a local client like curl in the ejabberd machine:

curl -X GET \
    http://localhost:5280/api/register?user=user1\&host=localhost\&password=asd1

curl -X POST \
    http://localhost:5280/api/register \
    -d '{"user": "user2", "host": "localhost", "password": "asd2"}'

Then I install ejabberd 22.05, and make those changes to the default configuration (just adding a request_handler and api_permissions):

diff --git a/ejabberd.yml.example b/ejabberd.yml.example
index 8eb038dd0..a0ac25945 100644
--- a/ejabberd.yml.example
+++ b/ejabberd.yml.example
@@ -65,6 +65,7 @@ listen:
     module: ejabberd_http
     request_handlers:
       /admin: ejabberd_web_admin
+      /api: mod_http_api
       /.well-known/acme-challenge: ejabberd_acme
   -
     port: 3478
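
Review bot: the added `/api: mod_http_api` line sits on the same listener as `/admin`, and the hunk does not show which address that listener binds to, so the API becomes reachable wherever the admin page is. Since the permission added further down only admits 127.0.0.1/8, consider putting `/api` on its own listener restricted with `ip: 127.0.0.1`, or at least add a comment that `api_permissions` is the only thing gating it.
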
@@ -110,6 +111,15 @@ access_rules:
     allow: loopback

 api_permissions:
+  "poten api example":
+    who:
+      ip: 127.0.0.1/8
+    what:
+      - change_password
+      - add_rosteritem
+      - register
+      - delete_rosteritem
+      - send_message
   "console commands":
     from:
       - ejabberd_ctl
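
Review bot: the new "poten api example" entry has no `from:` key, unlike the "console commands" entry right below it, so the grant is not tied to a particular frontend; adding `from:` with `- mod_http_api` would limit it to the HTTP API. Its `who:` is a bare `ip: 127.0.0.1/8`, which lets any local process, or a reverse proxy on the same host, call `register` and `change_password` without credentials, so trim the `what:` list to the commands actually needed and leave a comment that this is a loopback-only test rule.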

The curl queries work again correctly.

potenzatk commented 2 years ago

When I run it using the CLI, the same error occurs.

badlop commented 2 years ago

As I said, it works for me using 16.09, your configuration (changing IP address), and my curl query running on the same machine. I imagine there are several reasons this can fail in your server... so I tried to reproduce that error message:

If I configure

acl:
  admin_ip_acl:
    ip:
      - "111.0.0.1/8"

Then I run the curl command

curl -X GET \
    http://localhost:5280/api/register?user=user1\&host=localhost\&password=asd1

And the result is:

{"status":"error","code":31,"message":"Command need to be run with admin priviledge."}

Why does it fail? Because I told ejabberd to only accept API queries from 111.0.0.1/8, and I send the query from 127.0.0.1.

Can you try setting

acl:
  admin_ip_acl:
    ip:
      - "127.0.0.1/8"

and run the same curl query that I do in the same machine that runs ejabberd?
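
Added example (not from the thread and not ejabberd's own code): a Python check of the `ip` ACL entries quoted above against the two source addresses in play, assuming standard CIDR matching in which host bits are masked off. It shows why a curl to localhost misses `3.135.193.140/8` and how many addresses that entry actually admits; all function and variable names are illustrative.

```python
import ipaddress

# ACL entries and source addresses that appear in the thread.
ENTRIES = ["3.135.193.140/8", "111.0.0.1/8", "127.0.0.1/8"]
SOURCES = ["127.0.0.1", "3.135.193.140"]


def audit_acl_entry(entry, source_ips):
    """Evaluate one `ip` ACL entry against candidate source addresses.

    Assumption: plain CIDR semantics (address ANDed with the prefix mask).
    """
    iface = ipaddress.ip_interface(entry)
    net = iface.network  # host bits masked off, e.g. 3.0.0.0/8
    return {
        "entry": entry,
        "effective_network": str(net),
        # True when the written address is not the network address, i.e. the
        # entry admits far more than the single host that was typed.
        "host_bits_set": iface.ip != net.network_address,
        "addresses_allowed": net.num_addresses,
        "single_host_form": f"{iface.ip}/{iface.ip.max_prefixlen}",
        "matches": {ip: ipaddress.ip_address(ip) in net for ip in source_ips},
    }


def audit(entries=ENTRIES, sources=SOURCES):
    """Audit every entry; returns a list of result dicts in input order."""
    return [audit_acl_entry(e, sources) for e in entries]


def allowed_by_any(source_ip, entries):
    """Would a request from source_ip pass an ACL made of these entries?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_interface(e).network for e in entries)


if __name__ == "__main__":
    for r in audit():
        hits = ", ".join(f"{ip}={'allow' if ok else 'deny'}"
                         for ip, ok in r["matches"].items())
        note = f" (one host would be {r['single_host_form']})" if r["host_bits_set"] else ""
        print(f"{r['entry']:>18} -> {r['effective_network']:<12} "
              f"{r['addresses_allowed']:>9} addrs{note}; {hits}")
```

Run on the machine that issues the API call, with the address the request really originates from in `SOURCES`, to see which entry it has to match.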