HTTPS Basic Authentication to Access /source/api/v1/configuration from External Host

[bjrdeja]

Hello,

Could really use some assistance! I am attempting to manage my OpenGrok configuration remotely using /source/api/v1/configuration, and I have precisely followed the steps outlined the HTTP Basic Authentication documentation.

https://github.com/oracle/opengrok/wiki/Authorization-based-on-HTTP-Basic-Authentication

I have also implemented HTTPS in my Tomcat 10 instance. Authentication works perfectly when using search, etc. over HTTPS from an external host. However, when calling https://192.xxx.xxx.xxx:8443/source/api/v1/configuration with basic authentication, I get a "HTTP Status 401 – Unauthorized". I am only able to access it from https://localhost:8443/source/api/v1/configuration.

I have tried to read through previous questions/issues about authentication, and I am stuck.

Any help would be greatly appreciated!

[vladak]

To access privileged parts of the API you need to use Bearer token. See https://github.com/oracle/opengrok/wiki/Web-services#authenticationauthorization

[bjrdeja]

Thank you @vladak ! Should anyone need the steps to implement a bearer token, you would add the following to the readonly-configuration.xml file:

<void property="authenticationTokens">
   <void method="add">
    <string>the-token</string>
   </void>
  </void>

Then run the indexer.

And finally you would submit a request with the token using the header below?

curl -H "Content-Type: application/xml" -H "Authorization: Bearer the-token" "https://192.xxx.xxx.xxx:8443/source/api/v1/configuration"

[vladak]

yep, that should work.

[Leo-Adlakha]

Hi, I tried using this, but doesn't seem to work for me. I suppose this should return my configuration.

I followed the exact thing from here.

Thank you @vladak ! Should anyone need the steps to implement a bearer token, you would add the following to the readonly-configuration.xml file:

<void property="authenticationTokens">
   <void method="add">
    <string>the-token</string>
   </void>
  </void>

Then run the indexer.

And finally you would submit a request with the token using the header below?

curl -H "Content-Type: application/xml" -H "Authorization: Bearer the-token" "https://192.xxx.xxx.xxx:8443/source/api/v1/configuration"

[Leo-Adlakha]

It returns me nothing.

username@host:<path-to-cwd>$ curl -H "Content-Type: application/xml" -H "Authorization: Bearer the-token" "https://<DNS-entry>/api/v1/configuration"

[vladak]

Add --verbose to the curl command to see what is going on.

[vladak]

Or use any of the classic network debugging techniques - first try to connect to the port using Netcat/Socat to see if there is anything listening there, then you may try sniffing the traffic and perform analysis, etc.

[Leo-Adlakha]

I want to use this primarily for uploading the new config after reindexing, as currently I get some warnings when I index my sources, like -

02:25:41 WARNING: Could not notify the webapp that project xxxxxx:indexed=true,history=true was indexed: InboundJaxrsResponse{context=ClientResponse{method=PUT, uri=https://<DNS-entry>/api/v1/projects/xxxxx/indexed, status=401, reason=Unauthorized}}
02:25:43 SEVERE: Failed to send configuration to https://<DNS-etntry> (is web application server running with opengrok deployed?)
java.io.IOException: InboundJaxrsResponse{context=ClientResponse{method=PUT, uri=https://<DNS-entry>/api/v1/configuration?reindex=true, status=401, reason=Unauthorized}}
        at org.opengrok.indexer.configuration.RuntimeEnvironment.writeConfiguration(RuntimeEnvironment.java:1555)
        at org.opengrok.indexer.index.Indexer.sendToConfigHost(Indexer.java:1161)
        at org.opengrok.indexer.index.Indexer.main(Indexer.java:399)

[vladak]

The exception is basically bubbling the HTTP 401 Unauthorized error back to the client, which in this case is the indexer. For the indexer, you can make it use the token via the --token option, however storing the token in read-only configuration should work too, assuming the indexer is running with the correct -R _path_to_read_only_configuration_ argument. There, you have to use the indexerAuthenticationToken property as documented on the wiki.

[Leo-Adlakha]

I am a little confused, we want to pass the authentication token right ? I am using Kerberos, hence can't really pass a token for this. I was thinking of something like - protect some endpoints of the app by Simple HTTP Auth as mentioned in the doc and rest via Kerberos. Is that possible ?

[vladak]

In order to perform actions with configuration in the webapp via non-localhost access, the caller (whatever it is - curl, Indexer, Python code using the requests module, ...) has to be authorized with a bearer token. The bearer tokens for the webapp are configured with the authenticationTokens - this property is for server side. This is the set of tokens that the webapp uses to check the API requests. When the indexer is not running locally, it has to use one of these tokens to be able to set the configuration at the end of the indexing. For that, use either --token or indexerAuthenticationToken property - this property is for the client side. This is the token that is sent in the API request so that the request can be authorized.

As for Kerberos, this would be whole another discussion (also, Kerberos has tickets, not tokens I believe). There are multiple distinct things - user authentication (which OpenGrok does not participate in at all), user authorization (that can be configured via authorization framework) and API authorization (that we are discussing here, I believe).