
Trouble with discharging

Open fggec opened this issue 1 year ago • 2 comments

If I use Candid to authenticate with MAAS, I get the following error message:


This is what the log says:

2024-09-17T22:22:14Z candid.candidsrv[38254]: 2024-09-17 22:22:14 INFO candid.meeting meeting.go:377 Wait "d321dc3431dc8c84250c69a6022d6987a5525de4f492539204f5f4c5231be396"
2024-09-17T22:22:14Z candid.candidsrv[38254]: 2024-09-17 22:22:14 INFO candid.meeting meeting.go:264 localWait "d321dc3431dc8c84250c69a6022d6987a5525de4f492539204f5f4c5231be396"
2024-09-17T22:22:14Z candid.candidsrv[38254]: 2024-09-17 22:22:14 INFO candid.meeting meeting.go:277 timeout 1m0s
2024-09-17T22:22:23Z candid.candidsrv[38254]: 2024-09-17 22:22:23 DEBUG candid.internal.discharger api.go:116 opForRequest &discharger.loginCompleteRequest{Route:httprequest.Route{}, State:"9JfGMoKk6MYKviPRd3rnZjDoMwlRszP_kR51ku6fQ5E", Code:"bdwkP1oTRGE_FOpBIfPPpjAZ7AJqNWdjg__WqL4nXlg", ErrorCode:"", Error:""} -> bakery.Op{Entity:"global", Action:"login"}
2024-09-17T22:22:23Z candid.candidsrv[38254]: 2024-09-17 22:22:23 DEBUG candid.internal.discharger discharge.go:134 authorization for &auth.Identity{Identity:store.Identity{ID:"2", ProviderID:"static:fgarbe1", Username:"fgarbe1", Name:"fgarbe", Email:"[email protected]", Groups:[]string(nil), PublicKeys:[]bakery.PublicKey(nil), LastLogin:time.Time{wall:0x38185de8, ext:63862208543, loc:(*time.Location)(0xc000137a40)}, LastDischarge:time.Time{wall:0x7b8ab58, ext:63862208283, loc:(*time.Location)(0xc000137a40)}, ProviderInfo:map[string][]string{}, ExtraInfo:map[string][]string{}, Owner:""}, authorizer:(*auth.Authorizer)(0xc000368140), resolvedGroups:[]string(nil)} succeeded
2024-09-17T22:22:24Z candid.candidsrv[38254]: 2024-09-17 22:22:24 DEBUG candid.internal.v1 api.go:47 opForRequest &params.UserGroupsRequest{Route:httprequest.Route{}, Username:"fgarbe1"} -> bakery.Op{Entity:"u-fgarbe1", Action:"readGroups"}
2024-09-17T22:22:24Z candid.candidsrv[38254]: 2024-09-17 22:22:24 DEBUG candid.internal.identity json.go:33 API error response (bakery): 401 (Unauthorized) macaroon discharge required: authentication required
2024-09-17T22:22:24Z candid.candidsrv[38254]: 2024-09-17 22:22:24 DEBUG candid.internal.identity json.go:33 API error response (bakery): 401 (Unauthorized) macaroon discharge required: authentication required
2024-09-17T22:22:24Z candid.candidsrv[38254]: 2024-09-17 22:22:24 DEBUG candid.internal.discharger api.go:116 opForRequest &discharger.agentLoginRequest{Route:httprequest.Route{}, DischargeID:"69d75211de431094e096fd315116383e4dbf88afb9a44cb45236052a57ee2978", Username:"a-042cce0ac39083f2e7fd56e2159125fb", PublicKey:(*bakery.PublicKey)(0xc00012c5e0)} -> bakery.Op{Entity:"global", Action:"login"}
2024-09-17T22:22:24Z candid.candidsrv[38254]: 2024-09-17 22:22:24 DEBUG candid.internal.identity json.go:33 API error response (bakery): 401 (Unauthorized) macaroon discharge required: authentication required

And my config:

## Documentation can be found here: https://github.com/CanonicalLtd/candid/blob/master/docs/configuration.md

## Server URLs and ports
listen-address: :8081
private-addr: 172.16.1.31
location: 'https://172.16.1.31:8081'

## Persistent storage
# Defaults to non-persistent memory storage, install PostgreSQL or MongoDB
# and configure them below before using this service in production
#storage:
#  type: memory

#storage:
#  type: mongodb
#  address: 127.0.0.1:27017

storage:
  type: postgres
  connection-string: postgres://candid:[email protected]/candid

tls-key: |
        -----BEGIN PRIVATE KEY-----
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        -----END PRIVATE KEY-----

tls-cert: |
        -----BEGIN CERTIFICATE-----
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        -----END CERTIFICATE-----


## Identity providers
# Configure this with whatever authentication system you're using
identity-providers:
- type: static
  name: static
  users:
    fgarbe1:
      name: fgarbe
      email: [email protected]
      password: pass1234
      groups: [admin, group3]
    user2:
      name: User Two
      email: [email protected]
      password: password2
      groups:
       - group2
       - group3

## Logging
logging-config: DEBUG

## Authentication keys
public-key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
private-key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

admin-agent-public-key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# Don't change, snap-specific paths
access-log: /var/snap/candid/common/logs/candid.access.log
resource-path: /snap/candid/current/www/

Maybe somebody can help.

fggec, Sep 17 '24 22:09

Hi,

Does MAAS use agent authentication with Candid? I think MAAS might be trying to fetch group information for a user and getting a 401, which would mean that the agent is not part of the ACL that would allow it to fetch group information.

alesstimec, Sep 18 '24 06:09
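To check the explanation above against the candid log, here is an added example (not code from the issue, from Candid or from MAAS): a small Python parser that walks the candidsrv DEBUG lines quoted in the first post and reports which bakery op was answered with a 401 and which agent's login was refused right after it. The regexes assume the exact line shape visible in this issue (the `opForRequest ... -> bakery.Op{...}`, `authorization for ... succeeded` and `API error response (bakery): NNN` lines); the embedded log is a trimmed copy of the lines posted above, with long struct dumps shortened to the fields the parser uses.

```python
"""Summarise Candid discharger DEBUG logs: which op was refused, and which agent.

Added example for this issue thread; it is not Candid or MAAS code. The regular
expressions are an assumption about the log format shown in the issue.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: trimmed copies of the candid.candidsrv lines in the issue.
SAMPLE_LOG = """\
2024-09-17 22:22:23 DEBUG candid.internal.discharger api.go:116 opForRequest &discharger.loginCompleteRequest{Route:httprequest.Route{}, State:"9JfG", Code:"bdwk", ErrorCode:"", Error:""} -> bakery.Op{Entity:"global", Action:"login"}
2024-09-17 22:22:23 DEBUG candid.internal.discharger discharge.go:134 authorization for &auth.Identity{Identity:store.Identity{ID:"2", ProviderID:"static:fgarbe1", Username:"fgarbe1", Name:"fgarbe", Groups:[]string(nil)}, resolvedGroups:[]string(nil)} succeeded
2024-09-17 22:22:24 DEBUG candid.internal.v1 api.go:47 opForRequest &params.UserGroupsRequest{Route:httprequest.Route{}, Username:"fgarbe1"} -> bakery.Op{Entity:"u-fgarbe1", Action:"readGroups"}
2024-09-17 22:22:24 DEBUG candid.internal.identity json.go:33 API error response (bakery): 401 (Unauthorized) macaroon discharge required: authentication required
2024-09-17 22:22:24 DEBUG candid.internal.identity json.go:33 API error response (bakery): 401 (Unauthorized) macaroon discharge required: authentication required
2024-09-17 22:22:24 DEBUG candid.internal.discharger api.go:116 opForRequest &discharger.agentLoginRequest{Route:httprequest.Route{}, DischargeID:"69d7", Username:"a-042cce0ac39083f2e7fd56e2159125fb", PublicKey:(*bakery.PublicKey)(0xc00012c5e0)} -> bakery.Op{Entity:"global", Action:"login"}
2024-09-17 22:22:24 DEBUG candid.internal.identity json.go:33 API error response (bakery): 401 (Unauthorized) macaroon discharge required: authentication required
"""

# "<date> <time> DEBUG <logger> <file:line> opForRequest &<GoType>{<fields>} -> bakery.Op{Entity:"..", Action:".."}"
OP_RE = re.compile(
    r'^(?P<ts>\S+ \S+) DEBUG \S+ \S+ opForRequest &(?P<req>[\w.]+)\{(?P<fields>.*)\} '
    r'-> bakery\.Op\{Entity:"(?P<entity>[^"]+)", Action:"(?P<action>[^"]+)"\}$'
)
# "... API error response (bakery): 401 (Unauthorized) ..."
ERR_RE = re.compile(r'^(?P<ts>\S+ \S+) DEBUG \S+ \S+ API error response \(bakery\): (?P<code>\d{3}) ')
# "... authorization for &auth.Identity{... Username:"x" ...} succeeded"
AUTH_OK_RE = re.compile(r'authorization for &auth\.Identity\{.*?Username:"(?P<user>[^"]+)".*\} succeeded$')
USER_RE = re.compile(r'Username:"([^"]+)"')


@dataclass
class OpEvent:
    ts: str
    request: str                 # Go request type, e.g. discharger.agentLoginRequest
    entity: str                  # bakery.Op entity, e.g. u-fgarbe1
    action: str                  # bakery.Op action, e.g. readGroups
    username: Optional[str]      # Username field of the request struct, if present
    status: Optional[int] = None  # outcome logged after the op: 200 (succeeded) or HTTP error code


def parse_candid_log(text: str) -> list[OpEvent]:
    """Turn the DEBUG lines into one OpEvent per authorised op, with its outcome."""
    events: list[OpEvent] = []
    for line in text.splitlines():
        m = OP_RE.match(line)
        if m:
            u = USER_RE.search(m["fields"])
            events.append(OpEvent(m["ts"], m["req"], m["entity"], m["action"], u.group(1) if u else None))
            continue
        if not events or events[-1].status is not None:
            continue  # outcome lines only attach to the most recent op without one
        m = AUTH_OK_RE.search(line)
        if m:
            events[-1].status = 200
            if events[-1].username is None:
                events[-1].username = m["user"]
            continue
        m = ERR_RE.match(line)
        if m:
            events[-1].status = int(m["code"])
    return events


def diagnose(events: list[OpEvent]) -> dict[str, list[str]]:
    """Separate refused API ops from refused agent logins so the ACL gap is visible."""
    out: dict[str, list[str]] = {"refused_ops": [], "refused_agents": []}
    for e in events:
        if e.status != 401:
            continue
        if e.action == "login" and e.request.endswith("agentLoginRequest"):
            out["refused_agents"].append(e.username or "<unknown agent>")
        elif e.action != "login":
            out["refused_ops"].append(f"{e.action} on {e.entity}")
    return out


if __name__ == "__main__":
    for ev in parse_candid_log(SAMPLE_LOG):
        print(f"{ev.ts} {ev.request:40} {ev.action}:{ev.entity:12} user={ev.username} -> {ev.status}")
    print(diagnose(parse_candid_log(SAMPLE_LOG)))
```

On the issue's log this yields one refused op, `readGroups on u-fgarbe1`, followed by one refused agent login for `a-042cce0ac39083f2e7fd56e2159125fb`, while the interactive login of `fgarbe1` itself succeeded: the user authenticated fine, and it is the agent that MAAS uses to read the user's groups that Candid is refusing.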

I'm able to do that with MAAS: maas configauth --rbac-url '' --candid-agent-file /var/snap/maas/current/maas.agent --candid-admin-group admin

Also the MAAS logs, in addition:

2024-09-18T08:46:18Z maas-http[2839]:  message repeated 5 times: [ 172.16.1.31 - - [18/Sep/2024:08:45:51 +0000] "POST /MAAS/metadata/2012-03-01/ HTTP/1.1" 200 2 "-" "Python-urllib/3.10"]
2024-09-18T08:46:18Z maas-http[2839]:  192.168.0.24 - - [18/Sep/2024:08:46:18 +0000] "GET /MAAS/r/ HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-18T08:46:18Z maas-http[2839]:  192.168.0.24 - - [18/Sep/2024:08:46:18 +0000] "GET /MAAS/accounts/login/ HTTP/1.1" 200 92 "http://172.16.1.31:5240/MAAS/r/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-18T08:46:18Z maas-http[2839]:  192.168.0.24 - - [18/Sep/2024:08:46:18 +0000] "GET /MAAS/r/maas-favicon-32px.png HTTP/1.1" 200 732 "http://172.16.1.31:5240/MAAS/r/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-18T08:46:19Z maas-http[2839]:  192.168.0.24 - - [18/Sep/2024:08:46:19 +0000] "GET /MAAS/accounts/discharge-request/ HTTP/1.1" 401 998 "http://172.16.1.31:5240/MAAS/r/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-18T08:46:32Z maas-regiond[2698]: maasserver: [error] ################################ Exception: third party refused dischargex: discharge failed with code 401 ################################
2024-09-18T08:46:32Z maas-regiond[2698]: maasserver: [error] Traceback (most recent call last):
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/usr/lib/python3/dist-packages/django/core/handlers/base.py", line 181, in _get_response
2024-09-18T08:46:32Z maas-regiond[2698]:     response = wrapped_callback(request, *callback_args, **callback_kwargs)
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/lib/python3.10/site-packages/maasserver/utils/views.py", line 298, in view_atomic_with_post_commit_savepoint
2024-09-18T08:46:32Z maas-regiond[2698]:     return view_atomic(*args, **kwargs)
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/usr/lib/python3.10/contextlib.py", line 79, in inner
2024-09-18T08:46:32Z maas-regiond[2698]:     return func(*args, **kwds)
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/lib/python3.10/site-packages/maasserver/macaroon_auth.py", line 158, in __call__
2024-09-18T08:46:32Z maas-regiond[2698]:     user = authenticate(request, identity=auth_info.identity)
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/usr/lib/python3/dist-packages/django/views/decorators/debug.py", line 42, in sensitive_variables_wrapper
2024-09-18T08:46:32Z maas-regiond[2698]:     return func(*func_args, **func_kwargs)
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/usr/lib/python3/dist-packages/django/contrib/auth/__init__.py", line 76, in authenticate
2024-09-18T08:46:32Z maas-regiond[2698]:     user = backend.authenticate(request, **credentials)
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/lib/python3.10/site-packages/maasserver/macaroon_auth.py", line 69, in authenticate
2024-09-18T08:46:32Z maas-regiond[2698]:     if not validate_user_external_auth(
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/lib/python3.10/site-packages/maasserver/macaroon_auth.py", line 398, in validate_user_external_auth
2024-09-18T08:46:32Z maas-regiond[2698]:     active, superuser, details = _validate_user_candid(
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/lib/python3.10/site-packages/maasserver/macaroon_auth.py", line 424, in _validate_user_candid
2024-09-18T08:46:32Z maas-regiond[2698]:     groups = client.get_groups(username)
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/lib/python3.10/site-packages/maasserver/macaroon_auth.py", line 356, in get_groups
2024-09-18T08:46:32Z maas-regiond[2698]:     return self._request("GET", url)
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/lib/python3.10/site-packages/maasserver/macaroon_auth.py", line 321, in _request
2024-09-18T08:46:32Z maas-regiond[2698]:     resp = requests.request(
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/usr/lib/python3/dist-packages/requests_unixsocket/__init__.py", line 46, in request
2024-09-18T08:46:32Z maas-regiond[2698]:     return session.request(method=method, url=url, **kwargs)
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/usr/lib/python3/dist-packages/requests/sessions.py", line 544, in request
2024-09-18T08:46:32Z maas-regiond[2698]:     resp = self.send(prep, **send_kwargs)
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/usr/lib/python3/dist-packages/requests/sessions.py", line 664, in send
2024-09-18T08:46:32Z maas-regiond[2698]:     r = dispatch_hook('response', hooks, r, **kwargs)
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/usr/lib/python3/dist-packages/requests/hooks.py", line 31, in dispatch_hook
2024-09-18T08:46:32Z maas-regiond[2698]:     _hook_data = hook(hook_data, **kwargs)
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/usr/lib/python3/dist-packages/macaroonbakery/httpbakery/_client.py", line 295, in hook
2024-09-18T08:46:32Z maas-regiond[2698]:     client.handle_error(error, req.url)
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/usr/lib/python3/dist-packages/macaroonbakery/httpbakery/_client.py", line 101, in handle_error
2024-09-18T08:46:32Z maas-regiond[2698]:     discharges = bakery.discharge_all(
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/usr/lib/python3/dist-packages/macaroonbakery/bakery/_discharge.py", line 77, in discharge_all
2024-09-18T08:46:32Z maas-regiond[2698]:     dm = get_discharge(cav.cav, cav.encrypted_caveat)
2024-09-18T08:46:32Z maas-regiond[2698]:   File "/snap/maas/36889/usr/lib/python3/dist-packages/macaroonbakery/httpbakery/_client.py", line 155, in acquire_discharge
2024-09-18T08:46:32Z maas-regiond[2698]:     raise DischargeError(
2024-09-18T08:46:32Z maas-regiond[2698]: macaroonbakery.httpbakery._error.DischargeError: third party refused dischargex: discharge failed with code 401
2024-09-18T08:46:32Z maas-http[2839]:  192.168.0.24 - - [18/Sep/2024:08:46:32 +0000] "GET /MAAS/accounts/discharge-request/ HTTP/1.1" 500 62 "http://172.16.1.31:5240/MAAS/r/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0"

fggec, Sep 18 '24 08:09