Bug 2122617

Summary: Kerberos authentication fails for POST, PUT and DELETE api calls
Product: Red Hat Satellite
Reporter: Vladimír Sedmík <vsedmik>
Component: Authentication
Assignee: Oleh Fedorenko <ofedoren>
Status: CLOSED ERRATA
QA Contact: Lukáš Hellebrandt <lhellebr>
Severity: high
Priority: unspecified
Version: 6.12.0
CC: aruzicka, lhellebr, lvrtelov, mhulan, ofedoren, pcreech, pmendezh, swadeley
Target Milestone: 6.13.0
Keywords: Triaged
Target Release: Unused
Hardware: x86_64
OS: Linux
Fixed In Version: foreman-3.5.0,foreman-installer-3.5.0
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2023-05-03 13:21:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1264161

Description Vladimír Sedmík 2022-08-30 12:29:32 UTC
Description of problem:
POST, PUT and DELETE calls fail with "Unable to authenticate user" when using Kerberos authentication. At the same time, GET calls pass without any issues.


Version-Release number of selected component (if applicable):
6.12.0 snap 8


How reproducible:
always


Steps to Reproduce:
1. Have a Satellite configured for Kerberos authentication.
2. Run kinit <someuser> to get a ticket.
3. Call /extlogin to get session_id and store it in a cookie file:
# curl -k -c cookies.txt -u : --negotiate https://satellite.redhat.com/users/extlogin
4. Using the cookie file, try a GET call to some endpoint; it works:
# curl -b cookies.txt -H "Accept:application/json,version=2" -H "Content-Type:application/json" -X GET -k https://satellite.redhat.com/api/architectures
5. Using the same cookie file, try a POST/PUT/DELETE call to create/update/delete an entity:
# curl -b cookies.txt -H "Accept:application/json,version=2" -H "Content-Type:application/json" -X POST -d '{"name":"8051"}' -k https://satellite.redhat.com/api/architectures


Actual results:

It fails with this response:
{
  "error": {"message":"Unable to authenticate user "}
}

In the production log we can see:
2022-08-30T04:38:23 [I|app|0dd98e4b] Started POST "/api/architectures" for 10.11.12.13 at 2022-08-30 04:38:23 -0400
2022-08-30T04:38:23 [I|app|0dd98e4b] Processing by Api::V2::ArchitecturesController#create as JSON
2022-08-30T04:38:23 [I|app|0dd98e4b]   Parameters: {"name"=>"8051", "apiv"=>"v2", "architecture"=>{"name"=>"8051"}}
2022-08-30T04:38:23 [W|app|0dd98e4b] Can't verify CSRF token authenticity.
2022-08-30T04:38:23 [I|app|0dd98e4b]   Rendering api/v2/errors/unauthorized.json.rabl within api/v2/layouts/error_layout
2022-08-30T04:38:23 [I|app|0dd98e4b]   Rendered api/v2/errors/unauthorized.json.rabl within api/v2/layouts/error_layout (Duration: 6.9ms | Allocations: 6931)
2022-08-30T04:38:23 [I|app|0dd98e4b] Filter chain halted as :authorize rendered or redirected
2022-08-30T04:38:23 [I|app|0dd98e4b] Completed 401 Unauthorized in 14ms (Views: 11.1ms | ActiveRecord: 0.5ms | Allocations: 13914)


Expected results:
Successful authentication, entity created/updated/deleted


Additional info:
This issue impacts the hammer CLI functionality too.
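As an added triage aid (not part of the bug report or of Foreman's own code), the following Python reads production.log lines in the format quoted above, groups them by request id, and flags API write calls that were answered with 401 right after a "Can't verify CSRF token authenticity" warning, while GETs on the same session succeed; the sample log lines are constructed for the example, with request 0dd98e4b mirroring the one in the report.

```python
import re
from collections import defaultdict

# Constructed sample of Foreman production.log lines (not taken from a real system);
# request 0dd98e4b mirrors the failing POST quoted in the report.
SAMPLE_LOG = """\
2022-08-30T04:38:20 [I|app|aaaa1111] Started GET "/api/architectures" for 10.11.12.13 at 2022-08-30 04:38:20 -0400
2022-08-30T04:38:20 [I|app|aaaa1111] Completed 200 OK in 30ms (Views: 11.1ms | ActiveRecord: 0.5ms)
2022-08-30T04:38:23 [I|app|0dd98e4b] Started POST "/api/architectures" for 10.11.12.13 at 2022-08-30 04:38:23 -0400
2022-08-30T04:38:23 [W|app|0dd98e4b] Can't verify CSRF token authenticity.
2022-08-30T04:38:23 [I|app|0dd98e4b] Filter chain halted as :authorize rendered or redirected
2022-08-30T04:38:23 [I|app|0dd98e4b] Completed 401 Unauthorized in 14ms (Views: 11.1ms | ActiveRecord: 0.5ms)
2022-08-30T04:38:25 [I|app|bbbb2222] Started POST "/hosts" for 10.11.12.13 at 2022-08-30 04:38:25 -0400
2022-08-30T04:38:25 [W|app|bbbb2222] Can't verify CSRF token authenticity.
2022-08-30T04:38:25 [I|app|bbbb2222] Completed 422 Unprocessable Entity in 5ms
"""

# One line: timestamp, [level|app|request id], message.
LINE_RE = re.compile(r'^(?P<ts>\S+) \[(?P<lvl>[A-Z])\|app\|(?P<rid>[0-9a-f]+)\] (?P<msg>.*)$')
START_RE = re.compile(r'^Started (?P<method>[A-Z]+) "(?P<path>[^"]+)"')
DONE_RE = re.compile(r'^Completed (?P<status>\d{3}) ')
CSRF_MSG = "Can't verify CSRF token authenticity."


def parse_requests(log_text):
    """Group lines by request id into {rid: {method, path, csrf_warning, status}}."""
    reqs = defaultdict(lambda: {"method": None, "path": None,
                                "csrf_warning": False, "status": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the Foreman app log format
        req, msg = reqs[m["rid"]], m["msg"].strip()
        if (s := START_RE.match(msg)):
            req["method"], req["path"] = s["method"], s["path"]
        elif msg == CSRF_MSG:
            req["csrf_warning"] = True
        elif (d := DONE_RE.match(msg)):
            req["status"] = int(d["status"])
    return dict(reqs)


def find_csrf_rejected_api_calls(log_text):
    """Request ids of non-GET /api/ calls that logged a CSRF warning and ended in 401,
    the signature of session-authenticated (extlogin) API writes blocked by CSRF checks."""
    return sorted(
        rid for rid, r in parse_requests(log_text).items()
        if (r["path"] or "").startswith("/api/")
        and r["method"] not in (None, "GET", "HEAD")
        and r["csrf_warning"] and r["status"] == 401
    )
```

Run it over a real production.log to see whether every failing write shares this pattern; a 422 after the same warning on a non-API path (bbbb2222 above) is a different code path and is deliberately not flagged.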

Comment 1 Oleh Fedorenko 2022-09-01 12:37:45 UTC
Created redmine issue https://projects.theforeman.org/issues/35473 from this bug

Comment 2 Adam Ruzicka 2022-09-14 07:11:22 UTC
Doing the flag dance per https://issues.redhat.com/browse/SAT-10254?focusedCommentId=20931263

Comment 5 Bryan Kearney 2022-10-31 12:03:28 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/35473 has been resolved.

Comment 6 Lukáš Hellebrandt 2023-03-06 17:25:08 UTC
Verified on Sat 6.13 snap 10.0.

It is now possible to call GET, POST, PUT and DELETE endpoints with correct results.

On a Satellite enrolled to AD:
# kinit foobar.rdu2.redhat.com
# curl -c cookies.txt -u : --negotiate https://$(hostname)/api/users/extlogin
# curl -b cookies.txt -H "Accept:application/json" -H "Content-Type:application/json" -X GET -k https://$(hostname)/api/architectures
<expected result, archs listed>
# curl -b cookies.txt -H "Accept:application/json,version=2" -H "Content-Type:application/json" -X POST -d '{"name":"8051"}' -k https://satellite.redhat.com/api/architectures
# curl -b cookies.txt -H "Accept:application/json" -H "Content-Type:application/json" -X GET -k https://$(hostname)/api/architectures
<expected result, arch added>
# curl -b cookies.txt -H "Accept:application/json,version=2" -H "Content-Type:application/json" -X PUT -d '{"name":"8051a"}' -k https://$(hostname)/api/architectures/2
# curl -b cookies.txt -H "Accept:application/json" -H "Content-Type:application/json" -X GET -k https://$(hostname)/api/architectures
<expected result, arch name changed>
# curl -H "Accept:application/json,version=2" -H "Content-Type:application/json" -X DELETE -k https://$(hostname)/api/architectures/2
# curl -b cookies.txt -H "Accept:application/json" -H "Content-Type:application/json" -X GET -k https://$(hostname)/api/architectures
<expected result, arch deleted>

Comment 9 errata-xmlrpc 2023-05-03 13:21:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.13 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2097