rundeck-cli
rundeck-cli copied to clipboard
rundeck
rd fails to authenticate using password when server URL is modified and a non-default api version is used
The installation is Rundeck 4.3.0-20220602 and RD cli 2.0.0 on Ubuntu 18.04 LTS. Without any customization, rd cli tool works if RD_URL points to http://localhost:4440/api/41 to get job forecast information. Web UI works as expected too.
However, after a customization to the server URL for sitting behind an https reverse proxy, this approach stopped working.
The highlight of the customization includes:
grails.serverURL=https://servername/rundeck framework.server.url = https://servername/rundeck
By putting an Apache web server in the front, users can access the server with https://servername/rundeck. This part works as expected.
But, rd does not seem to like it. With RD_URL=https://servername/rundeck/api/41, it complains:
$ rd projects list -v java.lang.IllegalStateException: Password Authentication failed, expected a successful response. at org.rundeck.client.util.FormAuthInterceptor.authenticate(FormAuthInterceptor.java:82) at org.rundeck.client.util.FormAuthInterceptor.intercept(FormAuthInterceptor.java:59) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109) at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201) at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154) at retrofit2.OkHttpCall.execute(OkHttpCall.java:204) at org.rundeck.client.util.Client.checkErrorDowngradable(Client.java:166) at org.rundeck.client.util.Client.apiCallDowngradable(Client.java:606) at org.rundeck.client.tool.commands.RdToolImpl.apiCallDowngradable(RdToolImpl.java:107) at org.rundeck.client.tool.commands.RdToolImpl.apiCall(RdToolImpl.java:78) at org.rundeck.client.tool.extension.BaseCommand.apiCall(BaseCommand.java:24) at org.rundeck.client.tool.commands.Projects.list(Projects.java:58) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at picocli.CommandLine.executeUserObject(CommandLine.java:1972) at picocli.CommandLine.access$1300(CommandLine.java:145) at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2358) at picocli.CommandLine$RunLast.handle(CommandLine.java:2352) at picocli.CommandLine$RunLast.handle(CommandLine.java:2314) at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179) at picocli.CommandLine$RunLast.execute(CommandLine.java:2316) at picocli.CommandLine.execute(CommandLine.java:2078) at org.rundeck.client.tool.Main.main(Main.java:154)
Apache is configured as:
ProxyPass /rundeck http://localhost:4440/rundeck ProxyPassReverse /rundeck http://localhost:4440/rundeck
Apache log shows a 403 error
"POST /rundeck/api/41/j_security_check HTTP/1.1" 403 534 "-" "rd-cli-tool/2.0.0 (rundeck-cli/2.0.0)"
Rundeck log shows: ERROR interceptors.AuthorizationInterceptor - (unauthenticated) UNAUTHORIZED for api/invalid
It works if use RD_TOKEN instead of RD_USERNAME/RD_PASSWORD.
Other details in https://groups.google.com/g/rundeck-discuss/c/T56Ccghczjk/m/-ScroauADAAJ?utm_medium=email&utm_source=footer
Confirmed.
Against Rundeck behind SSL proxy server.
USER/PASSWORD authentication:
TOKEN authentication (it works):
