API unauthorized request

  • Hi,


    I've added a test API user to icinga2 but for some reason it doesn't work. What am I missing?


    Code
    root:/etc/icinga2/conf.d> cat api-users.conf
    object ApiUser "director" {
      password = "test"
      permissions = [ "*" ]
    }

    Code
    root:/etc/icinga2/conf.d> curl -k -s -u director:test 'https://localhost:5665/v1'
    <h1>Unauthorized</h1>

    Code: /var/log/icinga2/icinga2.log
    [2016-11-04 16:54:09 +0000] information/HttpServerConnection: Request: GET /v1 (from [127.0.0.1]:58064, user: <unauthenticated>)
    [2016-11-04 16:54:09 +0000] warning/HttpServerConnection: Unauthorized request: GET /v1

  • I'm assuming you defined the following in your /etc/icinga2/zones.conf?

  • @watermelon:
    As long as he uses curl I cannot see where your post matters.


    Just added the below to api-users.conf

    Code
    object ApiUser "director" {
      password = "test"
      permissions = [ "*" ]
    }

    and did a service icinga2 reload
    followed by a curl -k -s -u director:test 'https://localhost:5665/v1/objects/hosts'


    and it worked for me.

  • Master zone was created using puppet-icinga2-rewrite module

  • Hi,
    I cannot see a relation to zones with running API queries.


    Is feature api enabled?
    icinga2 feature list

  • it is enabled and I also run icinga2 api setup. I'm running icinga2-2.5.4-1.el7.centos.x86_64


    Code
    root:/etc/icinga2> icinga2 feature list
    Disabled features: debuglog gelf graphite influxdb livestatus opentsdb perfdata syslog
    Enabled features: api checker command compatlog ido-mysql mainlog notification statusdata

  • icinga2 feature enable debuglog

    Retry.
    Any helpful output in
    /var/log/icinga2/icinga2.log
    /var/log/icinga2/debuglog.log
    ?

    icinga2 feature disable debuglog

  • Code
    [2016-11-07 11:24:58 +0000] information/ApiListener: New client connection from [127.0.0.1]:33896 (no client certificate)
    [2016-11-07 11:24:58 +0000] notice/ApiListener: New HTTP client
    [2016-11-07 11:24:58 +0000] debug/HttpRequest: line: GET /v1 HTTP/1.1, tokens: 3
    [2016-11-07 11:24:58 +0000] notice/WorkQueue: Spawning WorkQueue threads for 'HttpServerConnection'
    [2016-11-07 11:24:58 +0000] information/HttpServerConnection: Request: GET /v1 (from [127.0.0.1]:33896, user: <unauthenticated>)
    [2016-11-07 11:24:58 +0000] warning/HttpServerConnection: Unauthorized request: GET /v1
    [2016-11-07 11:24:58 +0000] debug/HttpServerConnection: Http client disconnected
    [2016-11-07 11:24:58 +0000] notice/WorkQueue: Stopped WorkQueue threads for 'HttpServerConnection'

    I just tried a fresh icinga2 installation followed by icinga2 api setup on another host and all works fine. Surely there is something wrong on this server.


    Just tried removing certs and generated new ones followed by api setup but still no joy.




  • At my machine:

    Code
    [2016-11-07 12:48:17 +0100] information/ApiListener: New client connection from [127.0.0.1]:58825 (no client certificate)
    [2016-11-07 12:48:17 +0100] notice/ApiListener: New HTTP client
    [2016-11-07 12:48:17 +0100] debug/HttpRequest: line: GET /v1/objects/hosts HTTP/1.1, tokens: 3
    [2016-11-07 12:48:17 +0100] notice/WorkQueue: Spawning WorkQueue threads for 'HttpServerConnection'
    [2016-11-07 12:48:17 +0100] information/HttpServerConnection: Request: GET /v1/objects/hosts (from [127.0.0.1]:58825, user: director)
    [2016-11-07 12:48:17 +0100] debug/HttpServerConnection: Http client disconnected

    Notice: user: director


    I have no ideas at the moment, maybe @dnsmichi can explain that.
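
The `user:` field that the post above points to can be tallied across a whole log. The following is an added example, not part of the original thread: it counts API requests per source address and user from the `HttpServerConnection: Request:` lines, using constructed sample lines in the format shown here (the 192.0.2.10 address and the function names are assumptions).

```shell
#!/bin/sh
# Added example: summarise Icinga 2 API requests by source address and
# matched ApiUser, based on the "Request:" log line format in this thread.

# api_auth_summary <logfile>: prints "<count> <source> <user>" per pair.
api_auth_summary() {
    awk '
    /HttpServerConnection: Request: / {
        src = $0
        sub(/.*\(from \[/, "", src)      # drop everything up to the address
        sub(/\]:[0-9]+,.*/, "", src)     # drop the port and the rest
        user = $0
        sub(/.*, user: /, "", user)      # keep what follows "user: "
        sub(/\)[ \t\r]*$/, "", user)     # drop the closing parenthesis
        count[src " " user]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | LC_ALL=C sort -k2
}

# unauthenticated_sources <logfile>: sources whose requests matched no ApiUser.
unauthenticated_sources() {
    api_auth_summary "$1" | awk '$3 == "<unauthenticated>" { print $2 }'
}

# write_sample_log <file>: constructed lines, not taken from a real host.
write_sample_log() {
    cat > "$1" <<'EOF'
[2016-11-07 11:24:58 +0000] information/HttpServerConnection: Request: GET /v1 (from [127.0.0.1]:33896, user: <unauthenticated>)
[2016-11-07 11:24:58 +0000] warning/HttpServerConnection: Unauthorized request: GET /v1
[2016-11-07 11:25:03 +0000] information/HttpServerConnection: Request: GET /v1 (from [127.0.0.1]:33900, user: <unauthenticated>)
[2016-11-07 11:25:10 +0000] information/HttpServerConnection: Request: GET /v1/objects/hosts (from [127.0.0.1]:33910, user: director)
[2016-11-07 11:25:12 +0000] information/HttpServerConnection: Request: GET /v1 (from [192.0.2.10]:40112, user: <unauthenticated>)
EOF
}

log=$(mktemp)
write_sample_log "$log"
api_auth_summary "$log"
rm -f "$log"
```

A source that only ever appears with `<unauthenticated>` either sends wrong credentials or, as in this thread, talks to a daemon that has no matching ApiUser loaded.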

  • curl -k -s -u root:cb44d833ecbbffed 'https://localhost:5665/v1'

    Code
    [2016-11-07 11:55:56 +0000] information/ApiListener: New client connection from [127.0.0.1]:47638 (no client certificate)
    [2016-11-07 11:55:56 +0000] notice/ApiListener: New HTTP client
    [2016-11-07 11:55:56 +0000] debug/HttpRequest: line: GET /v1 HTTP/1.1, tokens: 3
    [2016-11-07 11:55:56 +0000] notice/WorkQueue: Spawning WorkQueue threads for 'HttpServerConnection'
    [2016-11-07 11:55:56 +0000] information/HttpServerConnection: Request: GET /v1 (from [127.0.0.1]:47638, user: <unauthenticated>)
    [2016-11-07 11:55:56 +0000] warning/HttpServerConnection: Unauthorized request: GET /v1
    [2016-11-07 11:55:56 +0000] debug/HttpServerConnection: Http client disconnected
    [2016-11-07 11:55:56 +0000] notice/WorkQueue: Stopped WorkQueue threads for 'HttpServerConnection'

  • Omg it was include_recursive "conf.d" missing in /etc/icinga2/icinga2.conf :)


    Looks like puppet-icinga2-rewrite module generates a config without conf.d include by default as in their hiera example.


    All I had to do is change icinga2::confd: false to icinga2::confd: true in my hiera host file.



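
The cause found above (an ApiUser file under conf.d that the main config never includes) can be checked statically. This is an added example, not code from the thread or from the Icinga project; the function names and the fixture layout are assumptions, and it only looks for the literal `include_recursive "conf.d"` directive and `*.conf` files.

```shell
#!/bin/sh
# Added example: check that an ApiUser defined under conf.d is actually
# pulled in by the main config. Paths and names are passed in as arguments.

# confd_included <icinga2.conf>: true if an uncommented
# include_recursive "conf.d" directive is present.
confd_included() {
    grep -Eq '^[[:space:]]*include_recursive[[:space:]]+"conf\.d"' "$1"
}

# apiuser_defined <conf.d dir> <name>: true if a *.conf file declares it.
apiuser_defined() {
    grep -rEqs --include='*.conf' \
        "^[[:space:]]*object[[:space:]]+ApiUser[[:space:]]+\"$2\"" "$1"
}

# apiuser_status <icinga2.conf> <name>: prints one of
# not-defined | defined-but-not-included | included
apiuser_status() {
    confd="$(dirname "$1")/conf.d"
    if ! apiuser_defined "$confd" "$2"; then
        echo "not-defined"
    elif confd_included "$1"; then
        echo "included"
    else
        echo "defined-but-not-included"
    fi
}

# make_fixture <dir> <yes|no>: constructed config tree for the demo;
# "no" writes the include directive commented out, so it is not loaded.
make_fixture() {
    mkdir -p "$1/conf.d"
    printf 'object ApiUser "director" {\n  password = "test"\n  permissions = [ "*" ]\n}\n' \
        > "$1/conf.d/api-users.conf"
    if [ "$2" = yes ]; then
        printf 'include_recursive "conf.d"\n' > "$1/icinga2.conf"
    else
        printf '// include_recursive "conf.d"\n' > "$1/icinga2.conf"
    fi
}

tmp=$(mktemp -d)
make_fixture "$tmp" no;  apiuser_status "$tmp/icinga2.conf" director
make_fixture "$tmp" yes; apiuser_status "$tmp/icinga2.conf" director
rm -rf "$tmp"
```

On a live host, `icinga2 object list --type ApiUser` shows which ApiUser objects the configuration actually compiles, which covers includes this static check does not follow.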

  • Cool that you found it!

  • Hi guys,


    I'm also facing the same issue while configuring Director module.
    My setup is as below:
    icinga2 : 2.6.0
    icingaweb2 : 2.4.0
    icinga is running as standalone (cluster not configured) and using nrpe for client hosts.


    I tried installing director module 1.2.0 version.
    While running
    curl -k -s -u root:*** 'https://localhost:5665/v1/objects/hosts'
    I'm getting correct output but while running web kickstart wizard and doing "Run Import" it's showing error:

    Code
    I was unable to re-establish a connection to the Endpoint "***" (127.0.0.1:5665). When reconnecting to the configured Endpoint (***:5665) I get an error: CURL ERROR: couldn't connect to host Please re-check your Icinga 2 endpoint configuration




    & getting this in debug.log

    Code
    [2017-01-11 02:36:13 -0700] information/ApiListener: New client connection from [127.0.0.1]:36872 (no client certificate)
    [2017-01-11 02:36:13 -0700] notice/ApiListener: New HTTP client
    [2017-01-11 02:36:13 -0700] debug/HttpRequest: line: GET /v1/objects/zones HTTP/1.1, tokens: 3
    [2017-01-11 02:36:13 -0700] notice/WorkQueue: Spawning WorkQueue threads for 'HttpServerConnection'
    [2017-01-11 02:36:13 -0700] information/HttpServerConnection: Request: GET /v1/objects/zones (from [127.0.0.1]:36872, user: root)
    [2017-01-11 02:36:13 -0700] debug/HttpRequest: line: GET /v1/objects/endpoints HTTP/1.1, tokens: 3
    [2017-01-11 02:36:13 -0700] information/HttpServerConnection: Request: GET /v1/objects/endpoints (from [127.0.0.1]:36872, user: root)
    [2017-01-11 02:36:13 -0700] debug/HttpServerConnection: Http client disconnected

    This is my zone.conf file

    Code
    object Endpoint NodeName {
      host = NodeName
    }
    object Zone NodeName {
      endpoints = [ NodeName ]
    }


    My api-users.conf is

    Code
    object ApiUser "root" {
      password = "***"
      client_cn = "CN name"
      permissions = [ "*" ]
    }

    My CN-Name & Endpoint name is same. api.conf is

    Code
    object ApiListener "api" {
      cert_path = SysconfDir + "/icinga2/pki/" + NodeName + ".crt"
      key_path = SysconfDir + "/icinga2/pki/" + NodeName + ".key"
      ca_path = SysconfDir + "/icinga2/pki/ca.crt"
      ticket_salt = TicketSalt
    }

    My /etc/icinga2/icinga2.conf contains all parameters (include_recursive "conf.d").
    I'm not sure what wrong I'm doing & what else I've missed. Kindly help.

  • I guess director needs the cluster to be configured.
    Please run icinga2 node wizard and do a master setup as described in the docs.
    That will create the certificates and the zone for the master.
    It will not harm you if you do not use clients and satellites yet, but from the debug log I tell that icinga2 is expected to have the api configured.

  • Thanks for the quick response.
    I tried that too by deleting all previous files but no help.


    Still getting same error.

  • It would be nice to see a debuglog with a higher verbosity.


    My api-user.conf looks like the following:

    Could you try to use curl with the following url: 'https://localhost:5665/v1/objects/zones'
    It seems that the director has some problem with zones, maybe some error or bug there

    Linux is dead, long live Linux

  • Got below output by running `curl -k -s -u root:*** 'https://localhost:5665/v1/objects/zones'`:


    Code
    {"results":[{"attrs":{"__name":"***","active":true,"endpoints":["***"],"global":false,"ha_mode":0.0,"name":"***","original_attributes":null,"package":"_etc","parent":"","paused":false,"templates":["***"],"type":"Zone","version":0.0,"zone":""},"joins":{},"meta":{},"name":"***","type":"Zone"},{"attrs":{"__name":"***","active":true,"endpoints":["***"],"global":false,"ha_mode":0.0,"name":"***","original_attributes":null,"package":"_etc","parent":"***","paused":false,"templates":["***"],"type":"Zone","version":0.0,"zone":""},"joins":{},"meta":{},"name":"***","type":"Zone"},{"attrs":{"__name":"***","active":true,"endpoints":["***"],"global":false,"ha_mode":0.0,"name":"***","original_attributes":null,"package":"_etc","parent":"***","paused":false,"templates":["***"],"type":"Zone","version":0.0,"zone":""},"joins":{},"meta":{},"name":"***","type":"Zone"},{"attrs":{"__name":"***","active":true,"endpoints":["***"],"global":false,"ha_mode":0.0,"name":"***","original_attributes":null,"package":"_etc","parent":"***","paused":false,"templates":["***"],"type":"Zone","version":0.0,"zone":""},"joins":{},"meta":{},"name":"***","type":"Zone"},{"attrs":{"__name":"***","active":true,"endpoints":["***"],"global":false,"ha_mode":0.0,"name":"***","original_attributes":null,"package":"_etc","parent":"***","paused":false,"templates":["***"],"type":"Zone","version":0.0,"zone":""},"joins":{},"meta":{},"name":"***","type":"Zone"}]}

    I've replaced all endpoints name with '***'

  • & got below logs in debug.log while I hit the curl command:


    Code
    [2017-01-11 07:11:00 -0700] information/ApiListener: New client connection from [127.0.0.1]:40592 (no client certificate)
    [2017-01-11 07:11:00 -0700] notice/ApiListener: New HTTP client
    [2017-01-11 07:11:00 -0700] debug/HttpRequest: line: GET /v1/objects/zones HTTP/1.1, tokens: 3
    [2017-01-11 07:11:00 -0700] notice/WorkQueue: Spawning WorkQueue threads for 'HttpServerConnection'
    [2017-01-11 07:11:00 -0700] information/HttpServerConnection: Request: GET /v1/objects/zones (from [127.0.0.1]:40592, user: root)
    [2017-01-11 07:11:00 -0700] notice/CheckerComponent: Pending checkables: 0; Idle checkables: 357; Checks/s: 4.73333
    [2017-01-11 07:11:00 -0700] debug/HttpServerConnection: Http client disconnected
    [2017-01-11 07:11:00 -0700] notice/WorkQueue: Stopped WorkQueue threads for 'HttpServerConnection'