Authentication security using Shiro breaks CLI

asked 2017-02-07 10:10:14 -0500

lennyi

updated 2017-02-08 14:07:05 -0500

DarylW

Hello, we recently enabled authentication security using Shiro and now find that we can no longer use the razor CLI. How do we pass credentials to the CLI without doing something like the below?

razor -u https://user:password@razorserver/api/...

Additionally, after enabling the localhost to bypass authentication, we found that from the razor server, read-only commands worked (i.e., razor nodes), but create/update/register/delete commands no longer worked. We would get a 500 error as follows:

from /var/log/puppetlabs/razor-server/server.log:

15:35:35,274 INFO  [razor.web.log] (http-/0.0.0.0:8151-3) 127.0.0.1 - - [03/Feb/2017:15:35:35 -0600] "GET /api " 200 6629 0.0120
15:35:35,356 INFO  [razor.web.log] (http-/0.0.0.0:8151-3) 127.0.0.1 - - [03/Feb/2017:15:35:35 -0600] "GET /api/commands/register-node " 200 6205 0.0140
15:35:35,419 INFO  [razor.web.api] (http-/0.0.0.0:8151-2) 2017-02-03 15:35:35 - Java::OrgApacheShiroAuthz::UnauthenticatedException - This subject is anonymous - it does not have any identifying principals and authorization operations require an identity to check against.  A Subject instance will acquire these identifying principals automatically after a successful login is performed be executing org.apache.shiro.subject.Subject.login(AuthenticationToken) or when 'Remember Me' functionality is enabled by the SecurityManager.  This exception can also occur when a previously logged-in Subject has logged out which makes it anonymous again.  Because an identity is currently not known due to any of these conditions, authorization is denied.:
    org.apache.shiro.subject.support.DelegatingSubject.assertAuthzCheckPossible(org/apache/shiro/subject/support/DelegatingSubject.java:199)
    org.apache.shiro.subject.support.DelegatingSubject.checkPermissions(org/apache/shiro/subject/support/DelegatingSubject.java:214)
    java.lang.reflect.Method.invoke(java/lang/reflect/Method.java:498)
    RUBY.validate!(/opt/puppetlabs/server/apps/razor-server/share/razor-server/lib/razor/validation/hash_schema.rb:149)
    RUBY.validate!(/opt/puppetlabs/server/apps/razor-server/share/torquebox/jruby/lib/ruby/1.9/forwardable.rb:201)
    RUBY.handle_http_post(/opt/puppetlabs/server/apps/razor-server/share/razor-server/lib/razor/command.rb:33)
    RUBY.POST /api/commands/:name(/opt/puppetlabs/server/apps/razor-server/share/razor-server/app.rb:610)
    org.jruby.RubyMethod.call(org/jruby/RubyMethod.java:124)
    RUBY.compile!(/opt/puppetlabs/server/apps/razor-server/share/razor-server/vendor/bundle/jruby/1.9/gems/sinatra-1.4.6/lib/sinatra/base.rb:1610)
    org.jruby.RubyProc.call(org/jruby/RubyProc.java:271)
    Sinatra::Base.route!(/opt/puppetlabs/server/apps/razor-server/share/razor-server/vendor/bundle/jruby/1.9/gems/sinatra-1.4.6/lib/sinatra/base.rb:974)
    Sinatra::Base.route!(/opt/puppetlabs/server/apps/razor-server/share/razor-server/vendor/bundle/jruby/1.9/gems/sinatra-1.4.6/lib/sinatra/base.rb:974)
    Sinatra::Base.route_eval(/opt/puppetlabs/server/apps/razor-server/share/razor-server/vendor/bundle/jruby/1.9/gems/sinatra-1.4.6/lib/sinatra/base.rb:993)
    Sinatra::Base.route_eval(/opt/puppetlabs/server/apps/razor-server/share/razor-server/vendor/bundle/jruby/1.9/gems/sinatra-1.4.6/lib/sinatra/base.rb:993)
    Sinatra ...