Backend permission error

andré
Posts: 324
Registered: 07 Jan 2014, 10:48

Post by andré »

I wanted to test the client installation via the boot image so that I don't always have to look up the MAC address. However, there is an error after entering the user credentials.

Code:

Opsi rpc error: Backend permission denied error: Access to method 'configState_getClientToDepotServer' denied for user 'Benutzeraccount'

In /etc/opsi/backendManager/acl.conf the opsiadmin group has the corresponding access:

Code:

.*_get.*               : sys_group(opsiadmin); opsi_depotserver; opsi_client

The two users I tested are both in the opsiadmin group. Both users can create clients via opsiconfiged.

Am I overlooking something?

andré
Posts: 324
Registered: 07 Jan 2014, 10:48

Re: Backend permission error

Post by andré »

No ideas?

n.wenselowski
Ex-uib-Team
Posts: 3194
Registered: 04 Apr 2013, 12:15

Re: Backend permission error

Post by n.wenselowski »

Hi,

what does the complete acl.conf look like? I suspect that it already finds a matching method earlier and that your setting therefore does not take effect.
So set the log level of opsiconfd to 8, restart the opsiconfd(s) and then look in the logs.


Regards

Niko

Code:

import OPSI

andré
Posts: 324
Registered: 07 Jan 2014, 10:48

Re: Backend permission error

Post by andré »

I have done that now and found that the ACL applies correctly. At least on a first skim I don't understand where the problem is.

My complete ACL:

Code:

backend_deleteBase     : sys_group(opsiadmin)
backend_.*             : all
hostControl.showPopup  : sys_group(opsiadmin); opsi_depotserver; opsi_client
hostControl.*          : sys_group(opsiadmin); opsi_depotserver
host_get.*             : sys_group(opsiadmin); opsi_depotserver; self; opsi_client(attributes(!opsiHostKey,!description,!lastSeen,!notes,!hardwareAddress,!inventoryNumber))
auditSoftware_delete.* : sys_group(opsiadmin); opsi_depotserver
auditSoftware_.*       : sys_group(opsiadmin); opsi_depotserver; opsi_client
auditHardware_delete.* : sys_group(opsiadmin); opsi_depotserver
auditHardware_.*       : sys_group(opsiadmin); opsi_depotserver; opsi_client
.*_get.*               : sys_group(opsiadmin); opsi_depotserver; opsi_client
.*                     : sys_group(opsiadmin); opsi_depotserver; self

The last lines of the log, which include the ACL check among other things:

Code:

 
[7] [May 09 18:40:39] Sending deflated data (backwards compatible - with content-encoding 'deflate') (Worker.py|637)
[7] [May 09 18:40:39] <opsiconfd.workers.WorkerOpsiconfdJsonRpc instance at 0x7f17a211a4d0>._setCookie (Worker.py|434)
[7] [May 09 18:40:39] Freeing session <OpsiconfdSession(<opsiconfd.session.OpsiconfdSessionHandler object at 0x7f17a23c5b90>, name=u'OPSISID', sessionMaxInactiveInterval=120> (Worker.py|318)
[7] [May 09 18:40:39] Now using log-file '/var/log/opsi/opsiconfd/172.16.35.94.log' for object 0x7f17a16cbdd0 (Logger.py|489)
[6] [May 09 18:40:39] Worker <opsiconfd.workers.WorkerOpsiconfdJsonRpc instance at 0x7f17a16cbdd0> started processing (Worker.py|250)
[6] [May 09 18:40:39] Reusing session for client '172.16.35.94', application 'opsi linux bootimage 20180208' (Worker.py|396)
[7] [May 09 18:40:39] Expecting deflate compressed data from client (workers.py|486)
[7] [May 09 18:40:39] Now using log-file '/var/log/opsi/opsiconfd/172.16.35.94.log' for object 0x7f17a21272d0 (Logger.py|489)
[5] [May 09 18:40:39] -----> Executing: getClientIds_list(None, [], None, None, None, None, None, None, None) (JsonRpc.py|128)
[7] [May 09 18:40:39] ExtendedBackend <BackendManager()>: executing 'getClientIds_list' on backend <BackendExtender()> (Backend.py|508)
[7] [May 09 18:40:39] ExtendedBackend <BackendExtender()>: executing 'configState_getClientToDepotserver' on backend <OPSI.Backend.BackendManager.BackendAccessControl object at 0x7f17a16f4990> (Backend.py|508)
[7] [May 09 18:40:39] Access control for method 'configState_getClientToDepotserver' with params {'clientIds': [], 'masterOnly': True, 'productIds': [], 'depotIds': []} (BackendManager.py|820)
[8] [May 09 18:40:39] Testing if ACL pattern u'backend_deleteBase' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'backend_.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'hostControl.showPopup' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'hostControl.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'host_get.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'auditSoftware_delete.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'auditSoftware_.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'auditHardware_delete.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'auditHardware_.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'.*_get.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[7] [May 09 18:40:39] Found matching acl for method 'configState_getClientToDepotserver': [{'denyAttributes': [], 'type': u'sys_group', 'ids': [u'opsiadmin'], 'allowAttributes': []}, {'denyAttributes': [], 'type': u'opsi_depotserver', 'ids': [], 'allowAttributes': []}, {'denyAttributes': [], 'type': u'opsi_client', 'ids': [], 'allowAttributes': []}] (BackendManager.py|827)
[7] [May 09 18:40:39] Method 'configState_getClientToDepotserver' using acls: [] (BackendManager.py|862)
[6] [May 09 18:40:39] Traceback: (Logger.py|798)
[6] [May 09 18:40:39]   File "/usr/lib/python2.7/dist-packages/OPSI/Service/JsonRpc.py", line 134, in execute
    self.result = eval("instance.%s(*params)" % self.getMethodName())
 (Logger.py|798)
[6] [May 09 18:40:39]   File "<string>", line 1, in <module>
 (Logger.py|798)
[6] [May 09 18:40:39]   File "<string>", line 1, in getClientIds_list
 (Logger.py|798)
[6] [May 09 18:40:39]   File "/usr/lib/python2.7/dist-packages/OPSI/Backend/Backend.py", line 510, in _executeMethod
    return meth(**kwargs)
 (Logger.py|798)
[6] [May 09 18:40:39]   File "/etc/opsi/backendManager/extend.d/20_legacy.conf", line 615, in getClientIds_list
    return [client['hostId'] for client in self.getClients_listOfHashes(serverId, depotIds, groupId, productId, installationStatus, actionRequest, productVersion, packageVersion, hwFilter)]
 (Logger.py|798)
[6] [May 09 18:40:39]   File "/etc/opsi/backendManager/extend.d/20_legacy.conf", line 511, in getClients_listOfHashes
    clientToDepotservers = self.configState_getClientToDepotserver(depotIds=forceHostIdList(depotIds))
 (Logger.py|798)
[6] [May 09 18:40:39]   File "<string>", line 1, in configState_getClientToDepotserver
 (Logger.py|798)
[6] [May 09 18:40:39]   File "/usr/lib/python2.7/dist-packages/OPSI/Backend/Backend.py", line 510, in _executeMethod
    return meth(**kwargs)
 (Logger.py|798)
[6] [May 09 18:40:39]   File "<string>", line 1, in configState_getClientToDepotserver
 (Logger.py|798)
[6] [May 09 18:40:39]   File "/usr/lib/python2.7/dist-packages/OPSI/Backend/BackendManager.py", line 867, in _executeMethodProtected
    raise BackendPermissionDeniedError(u"Access to method '%s' denied for user '%s'" % (methodName, self._username))
 (Logger.py|798)
[6] [May 09 18:40:39]      ==>>> Backend permission denied error: Access to method 'configState_getClientToDepotserver' denied for user 'Benutzername' (JsonRpc.py|139)
[3] [May 09 18:40:39] Execution error: Backend permission denied error: Access to method 'configState_getClientToDepotserver' denied for user 'Benutzername' (JsonRpc.py|140)
[4] [May 09 18:40:39] Failed RPC on u'getClientIds_list' with params [None, [], None, None, None, None, None, None, None]: <BackendPermissionDeniedError(u"Access to method 'configState_getClientToDepotserver' denied for user 'Benutzername'")> (statistics.py|426)
[7] [May 09 18:40:39] Sending deflated data (backwards compatible - with content-encoding 'deflate') (Worker.py|637)
[7] [May 09 18:40:39] <opsiconfd.workers.WorkerOpsiconfdJsonRpc instance at 0x7f17a16cbdd0>._setCookie (Worker.py|434)
[7] [May 09 18:40:39] Freeing session <OpsiconfdSession(<opsiconfd.session.OpsiconfdSessionHandler object at 0x7f17a23c5b90>, name=u'OPSISID', sessionMaxInactiveInterval=120> (Worker.py|318)

n.wenselowski
Ex-uib-Team
Posts: 3194
Registered: 04 Apr 2013, 12:15

Re: Backend permission error

Post by n.wenselowski »

Hi,

that is the code for the check.
You should also find in the (complete) log which groups the user belongs to. Is the group read out correctly?


Regards

Niko

andré
Posts: 324
Registered: 07 Jan 2014, 10:48

Re: Backend permission error

Post by andré »

I was able to look at this again. The logs showed that the authentication went through correctly. I then took another look at opsiconfd.conf.
The problem was the "admin networks" option. The machine I log in from is in a separate management network, separated from the machines to be installed. I had not considered at all that this setting exists for opsiconfd. Adding the client network to the admin networks solved the problem.
Thanks for the hints anyway!
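
Added illustration, not part of the thread and not opsi's own code: a simplified model of why the same opsiadmin user is denied from the bootimage network but accepted once that network is listed under admin networks. It assumes that a login from outside the admin networks is treated as if the user were not in opsiadmin, which is consistent with `using acls: []` in the log above; the network ranges and helper names are constructed.

```python
import ipaddress
import re

# Subset of the acl.conf posted in the thread, original order kept.
ACL_CONF = """\
backend_.*             : all
host_get.*             : sys_group(opsiadmin); opsi_depotserver; self
.*_get.*               : sys_group(opsiadmin); opsi_depotserver; opsi_client
.*                     : sys_group(opsiadmin); opsi_depotserver; self
"""

def parse_acl(text):
    """Return [(compiled pattern, [entry, ...])] in file order."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        pattern, entries = line.split(":", 1)
        rules.append((re.compile(pattern.strip() + "$"),
                      [e.strip() for e in entries.split(";") if e.strip()]))
    return rules

def effective_groups(groups, client_ip, admin_networks):
    """ASSUMED model: outside the admin networks, opsiadmin membership is ignored."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in admin_networks):
        return set(groups)
    return set(groups) - {"opsiadmin"}

def granted_acls(rules, method, groups, client_ip, admin_networks):
    """First matching pattern wins; return the entries of that rule the user satisfies."""
    groups = effective_groups(groups, client_ip, admin_networks)
    for pattern, entries in rules:
        if not pattern.match(method):
            continue
        granted = []
        for entry in entries:
            grp = re.match(r"sys_group\((.+)\)$", entry)
            # A system user satisfies only 'all' or sys_group(...); other types are host accounts.
            if entry == "all" or (grp and grp.group(1) in groups):
                granted.append(entry)
        return granted  # later rules are never consulted
    return []

if __name__ == "__main__":
    rules = parse_acl(ACL_CONF)
    # 172.16.35.94 is the bootimage address from the log; both networks are constructed.
    for nets in (["10.0.0.0/24"], ["10.0.0.0/24", "172.16.35.0/24"]):
        acls = granted_acls(rules, "configState_getClientToDepotserver",
                            {"opsiadmin"}, "172.16.35.94", nets)
        print(nets, "->", acls or "permission denied")
```

An empty result corresponds to the `using acls: []` line followed by the permission denied error. Every range added to admin networks widens where opsiadmin logins are accepted from, so the added client range should be as narrow as the bootimage use requires.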