Python callback access denied with PAM auth

rslaski
Spotlight

Guys,

I've tried running the sample GitHub external-id-allocation module; however, its Python code throws an exception when the user has been authenticated with PAM. With a local NSO user it works just fine. Both users have been assigned to the ncsadmin group.

Here's the PAM user (fails):


rslaski@ncs# external-id-allocation request SRV1 allocate
Error: Python cb_action error. access denied (3): access denied

[rslaski@nso1 ~]$ groups
rslaski wheel ncsadmin

<ERROR> 05-Nov-2019::12:14:43.88 external-id-allocation ncs-dp-30450-external-id-allocation:redeploy-5-usid-24987-external-id-release-action: - access denied (3): access denied
<ERROR> 05-Nov-2019::12:14:43.89 external-id-allocation ncs-dp-30450-external-id-allocation:redeploy-5-usid-24987-external-id-release-action: - Traceback (most recent call last):
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/dp.py", line 637, in wrapper
    ret = fn(self, uinfo, str(name), kp, input, output, trans)
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/dp.py", line 616, in fn2
    return ofn(self, uinfo, name, kp, input, output)
  File "/var/opt/ncs/state/packages-in-use/1/external-id-allocation/python/external_id_allocation/external_id_release.py", line 46, in cb_action
    response = ncs.maagic.get_node(trans, kp)
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/maagic.py", line 1873, in get_node
    return cd(root, path)
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/maagic.py", line 1773, in cd
    node = node[child]
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/maagic.py", line 1088, in __getitem__
    self._backend._exists(self._path + keystr))):
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/maagic.py", line 127, in _exists
    return self.exists(path)
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/maapi.py", line 1198, in proxy
    return real(self2.maapi, self2.th, *args, **kwargs)
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/maapi.py", line 406, in exists
    return True if _tm.maapi.exists(self.msock, th, path) else False
Error: access denied (3): access denied


And here's the local user (succeeds):


ncs_local@ncs# external-id-allocation request SRV1 allocate
ncs_local@ncs#
System message at 2019-11-05 12:33:53...
Commit performed by ncs_local via tcp using cli.

nacm groups group ncsadmin
 user-name [ ncs_local private ]
!

<INFO> 05-Nov-2019::12:14:50.710 external-id-allocation ncs-dp-30450-external-id-allocation:redeploy-5-usid-24984-external-id-release-action: - action name: release
<INFO> 05-Nov-2019::12:14:50.783 external-id-allocation ncs-dp-30450-external-id-allocation:redeploy-5-usid-24984-external-id-release-action: - action release id: SRV1

Any ideas why?

2 Replies

vleijon
Cisco Employee

Yeah, I know why: the problem is the group assignments. If you look in audit.log you will see that there is a user that does not get assigned to the right groups. The call "with ncs.maapi.single_write_trans(uinfo.username, uinfo.context) as trans:" specifies only a user and no groups. In external authentication that is not enough; you need to explicitly give the groups argument for the user, unless you have explicit group mappings in the aaa subtree.

You can use a helper function like this to find the groups:

from _ncs import maapi as _maapi

def get_users_groups(trans, uinfo):
    # Get the maapi socket of the transaction we are already holding
    s = trans.maapi.msock
    # Ask NSO for the authorization info (the resolved group list) of the user session
    auth = _maapi.get_authorization_info(s, uinfo.usid)
    return list(auth.groups)

Let me know if that makes sense or if you need a more explicit example.

Edit: I am actually not sure if this is enough for all the cases you need to cover, but it might be a start at least.

As the code in question is mine, maybe I should give it a try too :).

Give this a try:

import ncs

with ncs.maapi.Maapi() as m:
    # Start the transaction from the user session id rather than the bare
    # username, so the session's already-resolved groups are reused
    with m.start_read_trans(usid=uinfo.usid) as trans:
        response = ncs.maagic.get_node(trans, kp)
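The following is an added, self-contained model of the failure mode discussed in this thread; it is not code from the original posts or from NSO. It mimics, with constructed data and invented names (Session, Transaction, start_trans, exists, run_action, AAA_LOCAL_GROUPS), why a transaction opened with only a username ends up with no NACM groups for a PAM-authenticated user and is denied, while a transaction opened from the authenticated session's usid, or with the groups passed explicitly, is permitted. The real NSO resolution logic is more involved; this only reproduces the behaviour the replies describe.

```python
"""Constructed model of NACM group resolution for local vs. external (PAM) users.
Not NSO code: all names, rules and data here are assumptions for illustration."""
from dataclasses import dataclass


class AccessDenied(Exception):
    """Stands in for NSO's 'access denied (3)' error in this model."""


# Constructed: the aaa subtree knows only locally defined users and their groups
# (mirrors the 'nacm groups group ncsadmin / user-name [ ncs_local private ]' output).
AAA_LOCAL_GROUPS = {"ncs_local": ["ncsadmin"], "private": ["ncsadmin"]}

# Constructed NACM rule set: members of ncsadmin may read anything; default deny.
NACM_PERMIT_ALL_GROUPS = {"ncsadmin"}


@dataclass
class Session:
    usid: int
    username: str
    context: str
    groups: list  # resolved at login; for PAM users they come from the OS, not aaa


@dataclass
class Transaction:
    username: str
    groups: list


SESSIONS = {}


def login(usid, username, context, os_groups=()):
    """Constructed login: PAM users carry their OS groups on the session only,
    local users get their groups from the aaa subtree."""
    if context == "pam":
        groups = list(os_groups)
    else:
        groups = list(AAA_LOCAL_GROUPS.get(username, []))
    SESSIONS[usid] = Session(usid, username, context, groups)
    return SESSIONS[usid]


def start_trans(username=None, groups=None, usid=None):
    """Constructed analogue of the calls discussed in the thread.
    usid:   reuse the authenticated session's groups (start_read_trans(usid=...)).
    groups: caller supplies the groups explicitly (the get_users_groups approach).
    neither: re-resolve from the aaa subtree only, which is empty for a PAM user."""
    if usid is not None:
        s = SESSIONS[usid]
        return Transaction(s.username, list(s.groups))
    if groups is not None:
        return Transaction(username, list(groups))
    return Transaction(username, list(AAA_LOCAL_GROUPS.get(username, [])))


def exists(trans, path):
    """Constructed read check: permit only if a transaction group is allowed."""
    if not NACM_PERMIT_ALL_GROUPS.intersection(trans.groups):
        raise AccessDenied("access denied (3): access denied")
    return True


def run_action(usid, mode):
    """Run the action's lookup under one of three transaction styles and
    return 'ok' or the access-denied message (constructed helper)."""
    s = SESSIONS[usid]
    if mode == "username":
        trans = start_trans(username=s.username)
    elif mode == "groups":
        trans = start_trans(username=s.username, groups=s.groups)
    elif mode == "usid":
        trans = start_trans(usid=usid)
    else:
        raise ValueError("unknown mode: %s" % mode)
    try:
        exists(trans, "/external-id-allocation/request{SRV1}")
    except AccessDenied as e:
        return str(e)
    return "ok"


# Constructed sessions matching the two users in the thread: the PAM user's
# groups come from 'groups' on the host, the local user's from the aaa subtree.
login(24987, "rslaski", "pam", os_groups=["rslaski", "wheel", "ncsadmin"])
login(24984, "ncs_local", "cli")

if __name__ == "__main__":
    for user, usid in (("rslaski (PAM)", 24987), ("ncs_local (local)", 24984)):
        for mode in ("username", "groups", "usid"):
            print("%-18s %-8s -> %s" % (user, mode, run_action(usid, mode)))
```

Running the block prints a small matrix: the PAM user is denied only in the username-only case, while the local user succeeds in all three because the aaa subtree supplies its group either way. The security point is that the username alone is not the authorization identity for an externally authenticated session; the usid (or an explicit group list taken from the session) is.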