Re: Python connection error with Prime Infra 3.2 Rest API

david.mahe · ‎04-03-2018

Hello,

I am trying to test API Rest call with a Prime version 3.2

I face an issue with the authentication: I have : "connection failed 503 Service Unavailable"

My script works with another customer and a Prime 3.1

I even tried the script linked in this post Rest API using Python , Template based provisioning with Cisco Prime Infrastructure Part 2

This script works well with the Prime 3.1 and don't work with my customer on Prime 3.2 (I have the same 503 issue)

So I think it doesn't come from my script.

After a few investigation, I find a difference in the answer of Prime server after sending the credentials to the j_spring_security_check file.

Prime 3.1 is responding to the POST request with an HTTP 302 and location header to an absolute URL : https://myhost/webacs/pages/common/index.jsp?....

Prime 3.2 is responding to the POST request with an HTTP 302 and location header is set to a relative URL: "/webacs/pages/common/index.jsp?&selectedCategory=en"

I think that the Python REQUESTS module doesn't manage to deal with this relative URL.

I have to confirm this.

As a workaround or as a test, I would like to know if we can do something in the Prime configuration to change the behavior and have an absolute URL like before ?

Thank you in advance if someone could help.

Spencer Zier · ‎04-04-2018

A 503 response from the Prime Infrastructure API indicates your request was rate limited. This isn't an authentication issue, rather it indicates that too much API traffic has been sent recently. The suggested way to handle a rate limit response is to implement a backoff period (you could try around 100ms) and then retransmit the request.

If you are getting persistent 503 responses, or if none of your traffic is getting through, that indicates some other problem (potentially in the server, your client, or something in between).

As for the 302 responses, that indicates that you are not sending the basic authentication header with your request. All access to API resources requires authentication. Some HTTP clients/libraries are written to expect an HTTP 4xx response before they will send the credentials you've provided; you'll need to override this behavior and force the client to send the credentials in the initial request (this is sometimes called preemptive authentication). For most clients, preemptively authenticating can be accomplished by enabling an option, or by explicitly including the basic authentication header in the request.

If you still run into problems, please let me know. Including the full request (with headers) and the full response (with headers) will help us pinpoint your issue (just make sure to redact the content of the Authorization header, as it contains your username and password).

https://developer.cisco.com/site/prime-infrastructure/

david.mahe · ‎04-05-2018

Hi

Thank you for your answer.

I will check what you said but I don't see how I can have a rate limit with just one call

I used the same code as the one in this code (from the link I previously wrote):

https://github.com/aradford123/cisco-prime-infrastructure-examples/blob/master/auto_templates/get_devices.py

it works good with 3.1 not with 3.2

We have credentials settings, URL building with BASE variable and then the get request with Python requests module.

from pi_config import PI, USER, PASSWORD

BASE="https://%s:%s@%s/webacs/api/v1/" %(USER,PASSWORD,PI)

result = requests.get(BASE + "data/Devices.json?.full=true", verify=False)

For me this is really basic authentication.

I will check requests module option if I can find something.

david.mahe · ‎04-06-2018

I did some test.

Using curl from the same machine worked well so it is not an environment issue.

So I decided to use an another python module. I tried with httplib2.

And it worked with Prime 3.1 & 3.2

In conclusion it seems to be an issue with "requests" python module.

Something goes wrong with Prime 3.2, I don't know what.