search

rstudio / rsconnect

Publish Shiny Applications, RMarkdown Documents, Jupyter Notebooks, Plumber APIs, and more
http://rstudio.github.io/rsconnect/
131 stars 80 forks source link

Kerberos options issues with connectApiUser #427

Open colearendt opened 4 years ago

colearendt commented 4 years ago

Related to #422

It seems that certain paths within rsconnect do not utilize the options("rsconnect.libcurl.options") while others do.

options("rsconnect.libcurl.options" = list(gssapi_delegation = curl::curl_symbols("CURLGSSAPI_DELEGATION_FLAG")$value,
     httpauth = curl::curl_symbols("CURLAUTH_GSSAPI")$value,
     userpwd = ":"
   ))
options(rsconnect.http.verbose = TRUE)
options(rsconnect.http.trace.json = TRUE)

Success:

Failure:

Is this because rsconnect::connectApiUser sets the Authorization header? Is this related to #405 ?

Success

> rsconnect::connectUser("bobo", "apache-kerb")
* Hostname in DNS cache was stale, zapped
*   Trying 172.31.0.3...
* TCP_NODELAY set
* Connected to apache-kerb (172.31.0.3) port 80 (#12)
> POST /rsconnect/__api__/tokens HTTP/1.1
Host: apache-kerb
User-Agent: rsconnect/0.8.16
Accept: */*
Accept-Encoding: deflate, gzip
X-Auth-Token: anonymous-access
cookie: rscid=MTU4OTgwMTkzOHxEdi1CQkFFQ180SUFBUkFCRUFBQU52LUNBQU1HYzNSeWFXNW5EQVlBQkVkVlNVUVNZMjl1Ym1WamRDOXpkRzl5WlM1SFZVbEVfNE1HQVFFRVIxVkpSQUhfaEFBQUFCRF9oUVlCQVFSVlZVbEVBZi1HQUFBQVZmLUVFZ0FRZDc5dzFNMldTNHlzZmJxRmwwUWRyUVp6ZEhKcGJtY01DUUFIWTNKbFlYUmxaQVZwYm5RMk5BUUdBUHk5aE9la0JuTjBjbWx1Wnd3SkFBZHlaV1p5WlhOb0JXbHVkRFkwQkFZQV9MMkU1NlE9fK216aE5thAHABEuZvQM9LSxU303C0YWoSQ_mXnSl02Q
Content-Type: application/json
Content-Length: 478

* upload completely sent off: 478 out of 478 bytes
< HTTP/1.1 401 Unauthorized
< Date: Mon, 18 May 2020 12:01:47 GMT
< Server: Apache/2.4.35 (Unix) mod_auth_kerb/5.4
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="Kerberos Login"
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1
< 
* Ignoring the response-body
* Connection #12 to host apache-kerb left intact
* Issue another request to this URL: 'http://apache-kerb/rsconnect/__api__/tokens'
* Found bundle for host apache-kerb: 0x555d4300b6c0 [can pipeline]
* Re-using existing connection! (#12) with host apache-kerb
* Connected to apache-kerb (172.31.0.3) port 80 (#12)
* Server auth using Negotiate with user ''
> POST /rsconnect/__api__/tokens HTTP/1.1
Host: apache-kerb
Authorization: Negotiate YIIFYAYGKwYBBQUCoIIFVDCCBVCgDTALBgkqhkiG9xIBAgKiggU9BIIFOWCCBTUGCSqGSIb3EgECAgEAboIFJDCCBSCgAwIBBaEDAgEOogcDBQAgAAAAo4IBYWGCAV0wggFZoAMCAQWhFBsSRE9DS0VSLVJTVFVESU8uQ09Noh4wHKADAgEDoRUwExsESFRUUBsLYXBhY2hlLWtlcmKjggEaMIIBFqADAgESoQMCAQiiggEIBIIBBHL/YwOgQB4d9TfvDUbai2CWWil58GS1KjOSETTsOX7kPKBu6elHdNSs0xw9OuHzMTi86A2WG4GItud+HG4z0chuQlV8U7h2XhxM4TF1UgqTDbTCzMuB7TsqQgonjLAvCem+pdPQNmxyZZIwu6V2kwOAQmR8qO8urTnWcMGSwhuLh11jwYJ52FaHcKh4FT+HIn+GhRAiGvXdC8Y9+9z1zNODd/lwARZAMApieiCBNwhl2uVzxp9zfzysn78A5mu1CCwrVdgEXD9z6Gpdzz5Lfnd8HQkRWDS6DiM4rheC1nKBnOe5lkbksxEKHbXdPxrt+BxYUAiLps8GdWuohszmYmHER1MqpIIDpDCCA6CgAwIBEqKCA5cEggOTyplRod4ZX7NoiX43/ZMt15YiNYztNbj2HOrcUCNGoi1FHUCP14j2OMC7kfetsy3MyGu2BmuOzrJpHij2Lm2yIZyX7LmuILXul758aI8QIF8uFpXWnAegAVq7uYDPJ2F+qS4ZRh0p8/fxaukqnQ6O35Mz8nr9+qcFNY0KlNMQOcxXOjVJecWNFIXQap4QRYZO7ukJbJ9FfWnk7aABgwRAda81Pf55HmP9JOOZtropLpccbNDt45K08EoXvJbYqe8Z1Z7j1jtLrM5f/Ns7LVOWIIih8LG3+Hq3oSNtVTXqtaq16DCQIEGpA2RWMwzHnv3WrdMxqJKk8EO2UlKdx8ngZvYly6y5l2JUqWyNDL63KzQQj3OFAPdxgAojFNY8EopG2O/1uvXy+hFL2RjZtd6RmhUMgUhKasoEdUttUpt89XLvmLZ4v+Z4tOf+F3IkhEcY0q27YyMU/n3zdFQf6ELyYXCThiZ2I/dPtKJmNlubzXF2zil9MXMFkoUMo4ebK19yDbgBdU4K/kdYq832FHbYb4PuG03erYWgOh6mVcCwwi7mhSMMJTnn4sU0eZgAlbbpN14n+cJ5tdt/cRS1qjx15quBFQT3kjkS2K/GqfBH3Ghhe4/2bPAHVVjTGmvyhGv/kR9UbS35qQVbVB6L6bXH/PCRZ34MjkUSEez9WEH0BHU25Veb/cUjaSm+vcir0qGAH6Gai1+2BXHv6GBoLkNNODmiVBva9l0zpu8DhPQH353Mpp9pLHdd6yzmZMTPQ4B2R+yhMeUYUZe0oTIo1nYJQP3A2ibCJkURTNoy4zzHIZ/GONb8wKA1mV3veZAnuzZ0/Ej9sjmmGjq2jQgzbSL1qUVi3TfA464LlWnn7xYEYvPkW/yYgCg8ZWritSaDCbg+rnK5mNo8mK0z5U3xqOOQzszCd51bSdZi3GpOQS0q+CljmhrOK433chtOw92sGtEhIPGMaKPzb/PQAomGu9nYSWpYzI8YehvrY4AKzAYLuwmtlW+d/uAI6kg9f11v/4VrexQrtYll7a3AHH2oXRFgme/IkfWpj/j2haIuK72M97+bPahl+FK3kw5egDer6euWgnpu4ZBZ7mHHJwbbYiS1/Z+DsPpVp069Kh9PKtQhDxdvZavHUGPS9fV6h0jR2Z2LIYggMhZOp0L92VuiwYaTbaxXbKx1gZXJUzm4YwY3eajWHZn2jZGVNDsDXWUNehh1hzzr
User-Agent: rsconnect/0.8.16
Accept: */*
Accept-Encoding: deflate, gzip
X-Auth-Token: anonymous-access
cookie: rscid=MTU4OTgwMTkzOHxEdi1CQkFFQ180SUFBUkFCRUFBQU52LUNBQU1HYzNSeWFXNW5EQVlBQkVkVlNVUVNZMjl1Ym1WamRDOXpkRzl5WlM1SFZVbEVfNE1HQVFFRVIxVkpSQUhfaEFBQUFCRF9oUVlCQVFSVlZVbEVBZi1HQUFBQVZmLUVFZ0FRZDc5dzFNMldTNHlzZmJxRmwwUWRyUVp6ZEhKcGJtY01DUUFIWTNKbFlYUmxaQVZwYm5RMk5BUUdBUHk5aE9la0JuTjBjbWx1Wnd3SkFBZHlaV1p5WlhOb0JXbHVkRFkwQkFZQV9MMkU1NlE9fK216aE5thAHABEuZvQM9LSxU303C0YWoSQ_mXnSl02Q
Content-Type: application/json
Content-Length: 478

* upload completely sent off: 478 out of 478 bytes
< HTTP/1.1 200 OK
< Date: Mon, 18 May 2020 12:01:47 GMT
< Server: RStudio Connect v1.8.2-10
< Cache-Control: no-cache, no-store, must-revalidate
< Content-Type: application/json; charset=utf-8
< Expires: 0
< Pragma: no-cache
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< Content-Length: 124
< 
* Closing connection 12
A browser window should open; if it doesn't, you may authenticate manually by visiting http://apache-kerb/rsconnect/connect/#/tokens/Tbb2086db43ad5452b5ab4c1f0eb41d95/activate.
Waiting for authentication...
* Hostname apache-kerb was found in DNS cache
*   Trying 172.31.0.3...
* TCP_NODELAY set
* Connected to apache-kerb (172.31.0.3) port 80 (#13)
> GET /rsconnect/__api__/users/current HTTP/1.1
Host: apache-kerb
User-Agent: rsconnect/0.8.16
Accept: */*
Accept-Encoding: deflate, gzip
Date: Mon, 18 May 2020 12:01:48 GMT
X-Auth-Token: Tbb2086db43ad5452b5ab4c1f0eb41d95
X-Auth-Signature: F6grzTOTS+qUragUJcECQTsgeJVnAlz0zVlsqXjsyc9Eo0Of06PYlEfY7FjnFGgoIvgYINbzDzcqmPwK/GkMVFF428Zeb6SuHQM8Y463dhO2frUEP0e0RkDPFtf44XABpV5IyRfYJ/h/WVF+fRkSNy/wX5qOMZtqoJRY2yHvQ+OuvGItgca+wE79wbiHkTKGrbrPFNRSdzQKZKUxXPb/QP1zVv8sth6oQwfOoM+BedeFwd0XpqlExy2HXJCtFSxdPYxRMLFgc0aIvy8o9cf30CcoKeY+hHVT8o5Lu3klf1z6o42q/7uyU2ZxuAqFRDuZXV3qwrIt5hHA73bEGYNOcw==
X-Content-Checksum: 1B2M2Y8AsgTpgAmY7PhCfg==
cookie: rscid=MTU4OTgwMTkzOHxEdi1CQkFFQ180SUFBUkFCRUFBQU52LUNBQU1HYzNSeWFXNW5EQVlBQkVkVlNVUVNZMjl1Ym1WamRDOXpkRzl5WlM1SFZVbEVfNE1HQVFFRVIxVkpSQUhfaEFBQUFCRF9oUVlCQVFSVlZVbEVBZi1HQUFBQVZmLUVFZ0FRZDc5dzFNMldTNHlzZmJxRmwwUWRyUVp6ZEhKcGJtY01DUUFIWTNKbFlYUmxaQVZwYm5RMk5BUUdBUHk5aE9la0JuTjBjbWx1Wnd3SkFBZHlaV1p5WlhOb0JXbHVkRFkwQkFZQV9MMkU1NlE9fK216aE5thAHABEuZvQM9LSxU303C0YWoSQ_mXnSl02Q

< HTTP/1.1 401 Unauthorized
< Date: Mon, 18 May 2020 12:01:48 GMT
< Server: Apache/2.4.35 (Unix) mod_auth_kerb/5.4
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="Kerberos Login"
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1
< 
* Ignoring the response-body
* Connection #13 to host apache-kerb left intact
* Issue another request to this URL: 'http://apache-kerb/rsconnect/__api__/users/current'
* Found bundle for host apache-kerb: 0x555d45d0b7c0 [can pipeline]
* Re-using existing connection! (#13) with host apache-kerb
* Connected to apache-kerb (172.31.0.3) port 80 (#13)
* Server auth using Negotiate with user ''
> GET /rsconnect/__api__/users/current HTTP/1.1
Host: apache-kerb
Authorization: Negotiate YIIFXgYGKwYBBQUCoIIFUjCCBU6gDTALBgkqhkiG9xIBAgKiggU7BIIFN2CCBTMGCSqGSIb3EgECAgEAboIFIjCCBR6gAwIBBaEDAgEOogcDBQAgAAAAo4IBYWGCAV0wggFZoAMCAQWhFBsSRE9DS0VSLVJTVFVESU8uQ09Noh4wHKADAgEDoRUwExsESFRUUBsLYXBhY2hlLWtlcmKjggEaMIIBFqADAgESoQMCAQiiggEIBIIBBHL/YwOgQB4d9TfvDUbai2CWWil58GS1KjOSETTsOX7kPKBu6elHdNSs0xw9OuHzMTi86A2WG4GItud+HG4z0chuQlV8U7h2XhxM4TF1UgqTDbTCzMuB7TsqQgonjLAvCem+pdPQNmxyZZIwu6V2kwOAQmR8qO8urTnWcMGSwhuLh11jwYJ52FaHcKh4FT+HIn+GhRAiGvXdC8Y9+9z1zNODd/lwARZAMApieiCBNwhl2uVzxp9zfzysn78A5mu1CCwrVdgEXD9z6Gpdzz5Lfnd8HQkRWDS6DiM4rheC1nKBnOe5lkbksxEKHbXdPxrt+BxYUAiLps8GdWuohszmYmHER1MqpIIDojCCA56gAwIBEqKCA5UEggORYXXOl3Cyvf11XVroq5u1PLTdKmNXVD0R13B7wlZgGK0IIZq5DqEEmyykwkmRDQWO3aTLMsCh7ziFpem9IxvQOgSFpAa/hdU6XjFMP+hWL84DCj7vqEVrcIP+1Az7VnZnVXOKWNwc+CrqKKAjNAVvn0LZXNV6F4xzfbZc61EBxEl1DAerY5f8Q5Nqqy29fo7mnMeOQox+I/oWEJSj0fqX2MFcYjoxR47nt21b/9PSA5dZAbjg6s3kgVJn6AHGSB7y9ZN0m6T5spwOKI0rxrGEI5uIMQNXwlgEo2Isquq32rXI2BtHbYmz+03+ZANhyQ9Wa6eWjzXTg2hX+iD89jDdCxYQkARFtry+udPV8fjomOu5Ya3J1C1UDa2qUWdk5mtkKGD0aFz0tNgvom45yTUhu5GbcGBLTRshA7tLZQDR/EyMN8Yz8eITKlAAgR03VmKHxRSIuR50Yyxx6ciq+MG+cT4LBp1Tlpb+lMOgO7//58+Ft41d/dFefB/57ob2XDTyViYN6jTu8cMSprbF4rsG1idNM9s2mI/EMjP2ge4lQ6J296XBVs9+qWUol6I65OpH20wydkgfVWltE8eYVyyquut+4v6zZN8t7uxlKWOceQxTDM2fImj+cnA6R3SccwArLgGha8IyjKOM3NXH7g6l+gE6cCIscADnN3Z1W+TS+rQZNkMLgjFhPjaD9tVddttQtpwUuhVKO6O/Wm2AqmbXFqmc4AfbDFSeuoLnJ3JOgpwjVH1HLr8f2Tj2PuFbTtTbkF6cUO18jv++y0k/RmaepNuyCa180ZoGAQUPSuTxU3v3WJz7kMPeqKq2njIkC6Ys1F16h4cOCLamklO8LV8bmpPR1BIJNqjJkN4ZON9cgJ3qGx7D0MreLhwBRNxXT+Owj2odI3DrnsEiclI6qktMHfSlBWk9B/AK/edwVgLUD65KzOMljfDfGebLOO/EO+qQQFpjBp4F1nhOuDwvZkqoTl6w88SCw0s3SZL0KtN5nyiIz/JILnuHIi0PgciQuOM9kSzNuhHBRr4xAPk0BPGdleX2OrFhj2rq8tLEaQI7Ka6mtPvbPWQkih/T6P5Gsv9yignNZysffJ6hCpEDdz4sZZN36I5gZbmx2KAoVQVQwuW7RRVVASyLtLQXwFQ+iPfEHGrVEc79Z9vGgTpSbHsZ85o8SaDdiqCJFrO2S5L6Lr810zw/b8pIShtwN0k6P7dwfg==
User-Agent: rsconnect/0.8.16
Accept: */*
Accept-Encoding: deflate, gzip
Date: Mon, 18 May 2020 12:01:48 GMT
X-Auth-Token: Tbb2086db43ad5452b5ab4c1f0eb41d95
X-Auth-Signature: F6grzTOTS+qUragUJcECQTsgeJVnAlz0zVlsqXjsyc9Eo0Of06PYlEfY7FjnFGgoIvgYINbzDzcqmPwK/GkMVFF428Zeb6SuHQM8Y463dhO2frUEP0e0RkDPFtf44XABpV5IyRfYJ/h/WVF+fRkSNy/wX5qOMZtqoJRY2yHvQ+OuvGItgca+wE79wbiHkTKGrbrPFNRSdzQKZKUxXPb/QP1zVv8sth6oQwfOoM+BedeFwd0XpqlExy2HXJCtFSxdPYxRMLFgc0aIvy8o9cf30CcoKeY+hHVT8o5Lu3klf1z6o42q/7uyU2ZxuAqFRDuZXV3qwrIt5hHA73bEGYNOcw==
X-Content-Checksum: 1B2M2Y8AsgTpgAmY7PhCfg==
cookie: rscid=MTU4OTgwMTkzOHxEdi1CQkFFQ180SUFBUkFCRUFBQU52LUNBQU1HYzNSeWFXNW5EQVlBQkVkVlNVUVNZMjl1Ym1WamRDOXpkRzl5WlM1SFZVbEVfNE1HQVFFRVIxVkpSQUhfaEFBQUFCRF9oUVlCQVFSVlZVbEVBZi1HQUFBQVZmLUVFZ0FRZDc5dzFNMldTNHlzZmJxRmwwUWRyUVp6ZEhKcGJtY01DUUFIWTNKbFlYUmxaQVZwYm5RMk5BUUdBUHk5aE9la0JuTjBjbWx1Wnd3SkFBZHlaV1p5WlhOb0JXbHVkRFkwQkFZQV9MMkU1NlE9fK216aE5thAHABEuZvQM9LSxU303C0YWoSQ_mXnSl02Q

< HTTP/1.1 200 OK
< Date: Mon, 18 May 2020 12:01:48 GMT
< Server: RStudio Connect v1.8.2-10
< Cache-Control: no-cache, no-store, must-revalidate
< Content-Type: application/json; charset=utf-8
< Expires: 0
< Pragma: no-cache
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< Content-Length: 683
< 
* Closing connection 13
Account registered successfully:   (bobo@DOCKER-RSTUDIO.COM)

Failure


# connectApiUser
> rsconnect::connectApiUser("bobo", "apache-kerb", "test")
* Hostname in DNS cache was stale, zapped
*   Trying 172.31.0.3...
* TCP_NODELAY set
* Connected to apache-kerb (172.31.0.3) port 80 (#14)
> GET /rsconnect/__api__/users/current HTTP/1.1
Host: apache-kerb
User-Agent: rsconnect/0.8.16
Accept: */*
Accept-Encoding: deflate, gzip
Authorization: Key test
cookie: rscid=MTU4OTgwMTkzOHxEdi1CQkFFQ180SUFBUkFCRUFBQU52LUNBQU1HYzNSeWFXNW5EQVlBQkVkVlNVUVNZMjl1Ym1WamRDOXpkRzl5WlM1SFZVbEVfNE1HQVFFRVIxVkpSQUhfaEFBQUFCRF9oUVlCQVFSVlZVbEVBZi1HQUFBQVZmLUVFZ0FRZDc5dzFNMldTNHlzZmJxRmwwUWRyUVp6ZEhKcGJtY01DUUFIWTNKbFlYUmxaQVZwYm5RMk5BUUdBUHk5aE9la0JuTjBjbWx1Wnd3SkFBZHlaV1p5WlhOb0JXbHVkRFkwQkFZQV9MMkU1NlE9fK216aE5thAHABEuZvQM9LSxU303C0YWoSQ_mXnSl02Q

< HTTP/1.1 401 Unauthorized
< Date: Mon, 18 May 2020 12:03:01 GMT
< Server: Apache/2.4.35 (Unix) mod_auth_kerb/5.4
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1
< 
* Connection #14 to host apache-kerb left intact
Error: HTTP 401
GET http://apache-kerb/rsconnect/__api__/users/current

<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
hadley commented 1 year ago

@colearendt do you expect to use connectApiUser() with an existing account registered locally, or does it create one?