Problems connecting to the api

Hi,
I set up the icinga2 api as described on “https://icinga.com/docs/icinga2/latest/doc/12-icinga2-api/#icinga2-api-permissions”.
icinga2 api setup, service icinga2 restart
Then I changed the password in the user object to “test” and restarted the service again → service icinga2 restart

    object ApiUser "root" {
      password = "test"
      // client_cn = ""

      permissions = [ "*" ]
    }

When I perform the curl request curl -k -s -u root:test 'https://localhost:5665/v1' I get an error:

“Unauthorized. Please check your user credentials.”

I am sure the username and password are correct.
Do you have any idea?
The log says:

    information/ApiListener: New client connection from [127.0.0.1]:41546 (no client certificate)
    information/HttpServerConnection: Unable to process available data, they’re already being processed in another thread
    information/HttpServerConnection: Request: GET /v1 (from [127.0.0.1]:41546), user: )
    warning/HttpServerConnection: Unauthorized request: GET /v1
    Context:
    (0) Handling new API client connection

    information/HttpServerConnection: HTTP client disconnected (from [127.0.0.1]:41546)

Hi,

this looks like curl is not sending the basic auth credentials, you might want to add -vvv to the call to see what’s going on. Which icinga2 --version is involved here?

Cheers,
Michael

@silversurfer did you ever solve this? I’m having the exact same issue.
@dnsmichi I added vvv to my curl params and it is sending basic auth as expected.

I had this both on 2.8.8 and 2.11.2.

Some additional information:
I’m using rh-php71-php-fpm on CentOS 7 and verified that the necessary FilesMatch section and environment variable are in my apache config.

    # Forward PHP requests to FPM
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    <FilesMatch "\.php$">
       SetHandler "proxy:fcgi://127.0.0.1:9000"
       ErrorDocument 503 /icingaweb2/error_unavailable.html
    </FilesMatch>

icinga2 logs for the api request:

    [2020-02-19 19:27:00 -0500] warning/HttpServerConnection: Unauthorized request: GET /index.php/v1
    [2020-02-19 19:27:00 -0500] information/HttpServerConnection: HTTP client disconnected (from [<redacted>]:39748)
    [2020-02-19 19:27:12 -0500] information/ApiListener: New client connection from [<redacted>]:39758 (no client certificate)
    [2020-02-19 19:27:12 -0500] information/HttpServerConnection: Request: GET /v1 (from [<redacted>]:39758), user: <unauthenticated>, agent: curl/7.29.0).
    [2020-02-19 19:27:12 -0500] warning/HttpServerConnection: Unauthorized request: GET /v1

curl is sending the username:

     Server auth using Basic with user 'test'
    > GET /v1 HTTP/1.1
    > Authorization: Basic dGVzdDp0ZXN0
    > User-Agent: curl/7.29.0
    > Host: <redacted>:5665
    > Accept: */*
    >
    < HTTP/1.1 401 Unauthorized
    < Server: Icinga/2.11.2-1
    * Authentication problem. Ignoring this.
    < WWW-Authenticate: Basic realm="Icinga 2"
    < Connection: close
    < Content-Type: text/html
    < Content-Length: 58

Hello,

for the API there is no apache config and it's not needed. Please create an api user with another name than root (it's a default user) and check with icinga2 object list --type apiuser if the user was created. I think you both put it in a file which is not getting loaded by icinga2.

Regards,
Carsten


Thanks for your reply! For apache config, I meant what is referenced here to pass the authentication along to php-fpm:

    # Forward PHP requests to FPM
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    <FilesMatch "\.php$">
      SetHandler "proxy:fcgi://127.0.0.1:9000"
      ErrorDocument 503 /icingaweb2/error_unavailable.html
    </FilesMatch>

icinga2 object list --type apiuser returns no results. The icinga2 log doesn’t seem to indicate why. In /etc/icinga2/conf.d/api-users.conf I have a test user:

    object ApiUser "test" {
      password = "test"
      permissions = [ "*" ]
    }

My setup is distributed with two masters and four satellites, so I know that in general the API is working. But as you helped me realize, for some reason my ApiUser objects aren’t getting created.

I bet you have disabled the include of /etc/icinga2/conf.d/api-users.conf.
With cluster enabled you should put it under /etc/icinga2/zones.d/MASTERZONENAME/api-users.conf

Hmm…you were right that we weren’t including that path! I put the file in /etc/icinga2/zones.d/<master>/api-users.conf and restarted icinga2, but still no apiuser objects :[

I also tried putting it in /etc/icinga2/features-enabled/, which we are including, but got the same result.

And this was in the log on the restart:

    [2020-02-20 07:41:13 -0500] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/master//_etc/api-users.conf

Did you test it via icinga object list ....?

I found the objects. Needed to use ApiUser. And now I’m able to auth as well. Thanks so much for your help!

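An added example (not code from the thread or from the Icinga project): it cross-checks the two pieces of evidence posted above, the curl -v trace and the icinga2.log request line, and masks the Basic token before a trace is shared, since that token is only base64 of user:password. The sample trace, the log lines and the address 192.0.2.10 are constructed from the excerpts in the thread, and the function names are hypothetical.

```python
import base64
import re

# Constructed sample input, modelled on the curl -v trace and icinga2.log lines quoted in the thread.
CURL_TRACE = """\
> GET /v1 HTTP/1.1
> Authorization: Basic dGVzdDp0ZXN0
> User-Agent: curl/7.29.0
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Icinga 2"
"""
ICINGA_LOG = """\
[2020-02-19 19:27:12 -0500] information/HttpServerConnection: Request: GET /v1 (from [192.0.2.10]:39758), user: <unauthenticated>, agent: curl/7.29.0).
[2020-02-19 19:27:12 -0500] warning/HttpServerConnection: Unauthorized request: GET /v1
"""

def sent_basic_user(trace):
    """Return the user name in the outgoing Basic header, or None if none was sent."""
    m = re.search(r"^> Authorization: Basic (\S+)", trace, re.M)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except ValueError:  # covers invalid base64 and invalid UTF-8
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def logged_users(log):
    """Return the user field of every 'Request:' line in the Icinga 2 log."""
    return re.findall(r"Request: \S+ \S+ \(from [^)]*\), user: ([^,)]+)", log)

def redact(trace):
    """Mask the Basic token so the trace can be shared; base64 is not encryption."""
    return re.sub(r"(Authorization: Basic )\S+", r"\1<redacted>", trace)

def triage(trace, log):
    user = sent_basic_user(trace)
    if user is None:
        return "client sent no usable Basic credentials"
    if "<unauthenticated>" in logged_users(log):
        return f"credentials for {user!r} reached Icinga 2 but did not match any loaded ApiUser"
    return f"Icinga 2 logged an authenticated user; check the permissions of {user!r}"

if __name__ == "__main__":
    print(triage(CURL_TRACE, ICINGA_LOG))
    print(redact(CURL_TRACE))
```
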