Closed happy-berry closed 8 months ago
So per that config, only tokens generated for admin@ejabberd.qaq.cn and with scope "ejabberd:admin" will allow you to execute that command. Do you token match those two conditions?
Yes, I'm sure. I can generate a token, but when I put it in the header, it returns that error.
Could you run `ejabberdctl oauth_list_tokens` and see if your token is listed there and what fields it has?
Like this:

```
Cgsr5372JoTV51lmfitNMbO7FRjV70ti admin@ejabberddev.qaq.cn [<<"ejabberd:admin">>] 989 seconds
P8LIKrBUGfKnxEZCct5jBbhuKJwuWIn1 admin@ejabberddev.qaq.cn [<<"ejabberd:admin">>] 315345455 seconds
hLtaDVPKPaCbfjOEWszIaenyHwfbjzo1 admin@ejabberddev.qaq.cn [<<"ejabberd:admin">>] 31521957 seconds
93osYtPWpIoKyNEXPpL4iJtvNEE012aU admin@ejabberddev.qaq.cn [<<"ejabberd:admin">>] 997 seconds
```

I think all the admin-level tokens I generated should be usable, but I found that none of the ones I generated can be used.
I see admin@ejabberddev.qaq.cn and not admin@ejabberd.qaq.cn, which is what you have in the admin rule. Is that from a different server? If not, that may be the issue here.
Now I have rolled back my new config, and I get the same result as before. This is my whole update:

```yaml
hosts:
  - ejabberddev.xyplay.cn

  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    request_handlers:
      /oauth: ejabberd_oauth
      /api: mod_http_api
      /admin: ejabberd_web_admin
      /.well-known/acme-challenge: ejabberd_acme

acl:
  admin:
    user: admin@ejabberddev.xyplay.cn
  local:
    user_regexp: ""
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128

api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      oauth:
        scope: "ejabberd:admin"
        access:
          allow:
            - acl: loopback
            - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      ip: 127.0.0.1/8
    what:
      - status
      - connected_users_number

oauth_access: all
oauth_expire: 3600
```
Can you also switch the loglevel to debug with `ejabberdctl set_loglevel debug`, try to execute the command, and see what is logged about that attempt? (Don't forget to switch the loglevel back to its initial value.)

Also, if you are changing the config, do you issue `ejabberdctl reload_config` after doing it?
No, but I run `ejabberdctl restart`.

This is my log:

```
2024-01-15 23:38:00.088711+08:00 [debug] <0.1505.0>@ejabberd_http:process_header/2:291 (#Port<0.59>) http query: 'POST' <<"/api/get_room_occupants">>
2024-01-15 23:38:00.089066+08:00 [debug] <0.1505.0>@ejabberd_http:process/1:363 [<<"api">>,<<"get_room_occupants">>] matches [<<"api">>]
2024-01-15 23:38:00.089604+08:00 [info] <0.1505.0>@mod_http_api:log/3:511 API call get_room_occupants [{<<"name">>,<<"room1">>}, {<<"service">>,<<"ejabberddev.xyplay.cn">>}] from ::ffff:192.168.0.57:50592
2024-01-15 23:38:00.095003+08:00 [debug] <0.1505.0>@ejabberd_access_permissions:can_access/2:96 Command 'get_room_occupants' execution denied (CallerInfo=#{tag => <<>>, ip => {0,0,0,0,0, 65535,49320, 57}, usr => {<<"admin">>, <<"ejabberddev.xyplay.cn">>, <<>>}, caller_module => mod_http_api, oauth_scope => [<<"ejabberd:admin">>], caller_server => <<"ejabberddev.xyplay.cn">>})
```
Ok, now you have this:

```yaml
"admin access":
  who:
    oauth:
      scope: "ejabberd:admin"
      access:
        allow:
          - acl: loopback
          - acl: admin
```

and you will not match the `- acl: loopback` part, because you aren't connecting from 127.0.0.0. Try removing this part and try again.
Thank you, I have resolved this error, but I would like to know why this configuration restricts me to accessing only from my localhost.
This is determined by the fragment marked here:

```yaml
"admin access":
  who:
    oauth:
      scope: "ejabberd:admin"
      access:
        allow:
          - acl: loopback # <---- This part
          - acl: admin
  what:
    - "*"
    - "!stop"
    - "!start"
```

This, together with `acl: admin`, says that only a person authenticated as admin and issuing the request from loopback can execute the rules from `what:`. If you remove `- acl: loopback`, leaving only `acl: admin`, you will get to a state where any admin could execute the command from all hosts.
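To make the AND semantics described above concrete, here is a small Python model of how such an `api_permissions` entry is evaluated. This is an added illustration written for this thread, not ejabberd's own code: the ACL names, the scope and the caller details are transcribed from the configuration and debug log quoted earlier, the evaluation logic (every ACL listed under one `allow:` must match; the OAuth scope must be present; IPv4 callers arrive as IPv4-mapped IPv6 addresses) is an assumption modelled from the maintainer's explanation, and `erlang_ip_to_address` is a hypothetical helper for reading the `ip => {...}` tuple that the debug log prints.

```python
"""Toy evaluator for an ejabberd-style api_permissions "who" clause.

Added example, not ejabberd's own code. It models the rule discussed in the
thread: an OAuth scope requirement plus an access block whose `allow:` item
lists several ACLs, all of which must match (AND), so `loopback` + `admin`
means "the admin user AND a loopback source address".
"""
import ipaddress

# ACL definitions transcribed from the configuration quoted in the thread.
ACLS = {
    "admin": {"user": "admin@ejabberddev.xyplay.cn"},
    "loopback": {"ip": ["127.0.0.0/8", "::1/128"]},
}

# The "admin access" permission as configured, mirroring the YAML structure.
ADMIN_ACCESS = {
    "who": {
        "oauth": {
            "scope": "ejabberd:admin",
            "access": {"allow": [{"acl": "loopback"}, {"acl": "admin"}]},
        }
    }
}

# The same permission with `- acl: loopback` removed, as the maintainer suggests.
ADMIN_ACCESS_ANY_HOST = {
    "who": {
        "oauth": {
            "scope": "ejabberd:admin",
            "access": {"allow": [{"acl": "admin"}]},
        }
    }
}


def erlang_ip_to_address(words):
    """Hypothetical helper: turn the `ip => {a,b,...}` tuple from the debug log
    into an ipaddress object. 4 words = IPv4 octets, 8 words = IPv6 groups."""
    if len(words) == 4:
        return ipaddress.IPv4Address(".".join(str(w) for w in words))
    value = 0
    for w in words:
        value = (value << 16) | w
    return ipaddress.IPv6Address(value)


def acl_matches(acl_name, caller, acls=ACLS):
    """Does one named ACL match the caller?
    caller = {"user": "name@host", "ip": "address string", "scope": [..]}."""
    acl = acls[acl_name]
    if "user" in acl:
        return caller["user"] == acl["user"]
    if "ip" in acl:
        addr = ipaddress.ip_address(caller["ip"])
        # ejabberd reports IPv4 clients on a "::" listener as IPv4-mapped IPv6
        # (see the {0,0,0,0,0,65535,...} tuple in the log); unmap so that a
        # caller from 127.0.0.1 still falls inside 127.0.0.0/8.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        return any(addr in ipaddress.ip_network(net) for net in acl["ip"])
    return False


def access_allows(access, caller, acls=ACLS):
    """Evaluate an `access:` block. Each allow/deny entry lists ACLs that must
    ALL match for that entry to apply; the first applicable entry decides.
    Nothing applicable means deny (assumed default)."""
    for verdict, items in access.items():
        names = [item["acl"] for item in items]
        if all(acl_matches(name, caller, acls) for name in names):
            return verdict == "allow"
    return False


def can_access(permission, caller, acls=ACLS):
    """Scope must be present in the token AND the access block must allow."""
    oauth = permission["who"]["oauth"]
    if oauth["scope"] not in caller["scope"]:
        return False
    return access_allows(oauth["access"], caller, acls)


# Constructed callers: the one from the log (LAN client) and a loopback one.
LAN_ADMIN = {"user": "admin@ejabberddev.xyplay.cn",
             "ip": "::ffff:192.168.0.57", "scope": ["ejabberd:admin"]}
LOCAL_ADMIN = {"user": "admin@ejabberddev.xyplay.cn",
               "ip": "127.0.0.1", "scope": ["ejabberd:admin"]}
LOCAL_OTHER = {"user": "bob@ejabberddev.xyplay.cn",
               "ip": "127.0.0.1", "scope": ["ejabberd:admin"]}

if __name__ == "__main__":
    logged_ip = erlang_ip_to_address((0, 0, 0, 0, 0, 65535, 49320, 57))
    print("caller ip from log tuple:", logged_ip.ipv4_mapped)
    for name, caller in [("LAN admin", LAN_ADMIN), ("local admin", LOCAL_ADMIN),
                         ("local non-admin", LOCAL_OTHER)]:
        print(f"{name:16} loopback+admin: {can_access(ADMIN_ACCESS, caller)!s:5}"
              f"  admin only: {can_access(ADMIN_ACCESS_ANY_HOST, caller)}")
```

Running it reproduces the thread's outcome: the admin token from 192.168.0.57 is denied under `loopback` + `admin` but allowed once `loopback` is dropped, while a non-admin user on loopback stays denied in both cases because the `admin` ACL still has to match. Decoding the `ip` tuple from the debug line is usually the quickest way to confirm which ACL failed.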
So loopback == localhost?
You have loopback defined in the `acl:` section:

```yaml
loopback:
  ip:
    - 127.0.0.0/8
    - ::1/128
```

so it's the IPv4 or IPv6 address for localhost.
Oh, I understand. I always thought this was an independent configuration similar to a whitelist, but I didn't expect it to be a global IP configuration for loopback. Many thanks.
(https://github.com/processone/ejabberd/discussions).
My configuration is already the same as on the official website. Why do I get this error:

```json
{ "status": "error", "code": 32, "message": "AccessRules: Account does not have the right to perform the operation." }
```