Hammer username password not working after upgrading to Katello 3.5

Louis_Bohm · January 9, 2018, 6:51pm

I ran a simple hammer command that required a username/password. Here are the results of passing hammer a -v:

[DEBUG 2018-01-09 13:41:04 API] Using authenticator: HammerCLIForeman::Api::InteractiveBasicAuth
[ERROR 2018-01-09 13:41:04 API] 401 Unauthorized
[DEBUG 2018-01-09 13:41:04 API] {
    "error" => {
        "message" => "Unable to authenticate user admin"
    }
}
[ERROR 2018-01-09 13:41:04 Exception] Invalid username or password
Invalid username or password
[ERROR 2018-01-09 13:41:04 Exception]

HammerCLIForeman::Api::UnauthorizedError (Invalid username or password):
    /opt/theforeman/tfm/root/usr/share/gems/gems/apipie-bindings-0.2.0/lib/apipie_bindings/api.rb:246:in `rescue in http_call'
    /opt/theforeman/tfm/root/usr/share/gems/gems/apipie-bindings-0.2.0/lib/apipie_bindings/api.rb:238:in `http_call'
    /opt/theforeman/tfm/root/usr/share/gems/gems/apipie-bindings-0.2.0/lib/apipie_bindings/api.rb:190:in `call_action'
    /opt/theforeman/tfm/root/usr/share/gems/gems/apipie-bindings-0.2.0/lib/apipie_bindings/api.rb:185:in `call'
    /opt/theforeman/tfm/root/usr/share/gems/gems/apipie-bindings-0.2.0/lib/apipie_bindings/resource.rb:21:in `call'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli_foreman-0.10.2/lib/hammer_cli_foreman/id_resolver.rb:186:in `resolved_call'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli_foreman-0.10.2/lib/hammer_cli_foreman/id_resolver.rb:172:in `find_resource_raw'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli_foreman-0.10.2/lib/hammer_cli_foreman/id_resolver.rb:166:in `find_resource'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli_foreman-0.10.2/lib/hammer_cli_foreman/id_resolver.rb:143:in `get_id'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli_foreman-0.10.2/lib/hammer_cli_foreman/id_resolver.rb:133:in `block (2 levels) in define_id_finders'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli_foreman-0.10.2/lib/hammer_cli_foreman/commands.rb:130:in `get_resource_id'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli_foreman-0.10.2/lib/hammer_cli_foreman/commands.rb:199:in `block in customized_options'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli_foreman-0.10.2/lib/hammer_cli_foreman/commands.rb:196:in `each'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli_foreman-0.10.2/lib/hammer_cli_foreman/commands.rb:196:in `customized_options'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli_foreman-0.10.2/lib/hammer_cli_foreman/commands.rb:220:in `request_params'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli-0.10.2/lib/hammer_cli/apipie/command.rb:43:in `send_request'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli_foreman-0.10.2/lib/hammer_cli_foreman/commands.rb:166:in `send_request'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli_foreman-0.10.2/lib/hammer_cli_foreman/commands.rb:256:in `send_request'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli_foreman-0.10.2/lib/hammer_cli_foreman/commands.rb:291:in `retrieve_all'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli_foreman-0.10.2/lib/hammer_cli_foreman/commands.rb:275:in `execute'
    /opt/theforeman/tfm/root/usr/share/gems/gems/clamp-1.0.0/lib/clamp/command.rb:68:in `run'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli-0.10.2/lib/hammer_cli/abstract.rb:29:in `run'
    /opt/theforeman/tfm/root/usr/share/gems/gems/clamp-1.0.0/lib/clamp/subcommand/execution.rb:11:in `execute'
    /opt/theforeman/tfm/root/usr/share/gems/gems/clamp-1.0.0/lib/clamp/command.rb:68:in `run'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli-0.10.2/lib/hammer_cli/abstract.rb:29:in `run'
    /opt/theforeman/tfm/root/usr/share/gems/gems/clamp-1.0.0/lib/clamp/subcommand/execution.rb:11:in `execute'
    /opt/theforeman/tfm/root/usr/share/gems/gems/clamp-1.0.0/lib/clamp/command.rb:68:in `run'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli-0.10.2/lib/hammer_cli/abstract.rb:29:in `run'
    /opt/theforeman/tfm/root/usr/share/gems/gems/clamp-1.0.0/lib/clamp/command.rb:133:in `run'
    /opt/theforeman/tfm/root/usr/share/gems/gems/hammer_cli-0.10.2/bin/hammer:147:in `<top (required)>'
    /bin/hammer:23:in `load'
    /bin/hammer:23:in `<main>'

I have had this working from Katello 3.0. I have tried to pass --username --password and I have a working /root/.hammer/cli_config.yml. Has something changed in Katello 3.5 to block this?

Thanks,
Louis

tbrisker · January 9, 2018, 7:20pm

Hi Louis,
The location of the username and password setting has changed, it should now be defined in ~/.hammer/cli.modules.d/foreman.yml. I couldn’t find exactly when this change was made, but perhaps someone in @cli team will know.

Louis_Bohm · January 9, 2018, 7:24pm

Had to be in 3.5 of Katello or foreman 1.16. Because in foreman 1.15/katello 3.4 it worked. Anyway, do you know if the format is the same. I.E.

:foreman:
   :host:  URL
   :username: name
   :password:  pass

Louis

tbrisker · January 9, 2018, 7:29pm

yes, that is correct.

Louis_Bohm · January 9, 2018, 7:34pm

Its working now but I am now getting this:

Warning: Couldn’t load configuration file /root/.hammer/cli.modules.d/foreman.yml: (): did not find expected key while parsing a block mapping at line 2 column 2

Louis

tbrisker · January 9, 2018, 7:37pm

Perhaps the spacing is off, you need 2 spaces before :host: and all other options for the yaml to be valid.

mbacovsky · January 10, 2018, 9:15am

Hi Louis,

I’m not aware of any recent changes in configuration. ~/.hammer/cli.modules.d/foreman.yml is used since 2014 and the format didn’t changed. For next version of hammer we are going to drop support for configs in /etc/foreman/hammer.modules.d wich has been deprecated since 2014, but the change was not released yet and is probably not your case.

You can get some useful output in debug mode (-d instead of -v). I see the following config paths in my hammer in a fresh Katello 3.5.0

> [ INFO 2018-01-10 08:56:17 Init] Configuration from the file /etc/hammer/cli_config.yml has been loaded
> [ INFO 2018-01-10 08:56:17 Init] Configuration from the file /etc/hammer/cli.modules.d/foreman.yml has been loaded
> [ INFO 2018-01-10 08:56:17 Init] Configuration from the file /etc/hammer/cli.modules.d/foreman_bootdisk.yml has been loaded
> [ INFO 2018-01-10 08:56:17 Init] Configuration from the file /etc/hammer/cli.modules.d/foreman_docker.yml has been loaded
> [ INFO 2018-01-10 08:56:17 Init] Configuration from the file /etc/hammer/cli.modules.d/foreman_tasks.yml has been loaded
> [ INFO 2018-01-10 08:56:17 Init] Configuration from the file /etc/hammer/cli.modules.d/katello.yml has been loaded
> [ INFO 2018-01-10 08:56:17 Init] Configuration from the file /root/.hammer/cli.modules.d/foreman.yml has been loaded

I believe we started to require SSL auth with cert by default in 1.16 but if this is the case Hammer should provide detailed instructions how to obtain it.

The last error you’ve shared seem to be syntax error in your YAML config file as Tomer suggested.

Full output of hammer in debug mode should tell us more.

Regards,
Martin

ekohl · January 10, 2018, 9:27am

There is an open PR to set the CA in katello-installer directly (https://github.com/Katello/katello-installer/pull/574) so possibly that’s where the connection is failing?

mbacovsky · January 10, 2018, 10:53am

@ekohl, it seems it is handled by this patch properly https://github.com/theforeman/puppet-foreman/commit/58f191122b07a4684f4200eea6a9ea7bd6af8f79

My hammer reports:

 [DEBUG 2018-01-10 10:40:26 SSLoptions] SSL options: {
    :ssl_ca_file => "/etc/pki/katello/certs/katello-default-ca.crt",
     :verify_ssl => true
}

which seems correct. It is clean Katelo 3.5.0.

The config is here:

# cat /etc/hammer/cli.modules.d/foreman.yml 
:foreman:
  # Enable/disable foreman commands
  :enable_module: true

  # Your foreman server address
  :host: 'https://centos7-katello-3-5.pichi.example.com'

:ssl:
  :ssl_ca_file: '/etc/pki/katello/certs/katello-default-ca.crt'

ekohl · January 10, 2018, 11:02am

Of course I only read that after merging the PR.

ekohl · January 10, 2018, 3:17pm

@stbenjam has opened a PR to prefer the server CA rather than the default CA. It’d be great some one could verify this since it should also handle custom certificates.

Louis_Bohm · January 11, 2018, 1:05pm

I checked the spacing and that was the issue. Changed to 2 spaces and now all is good.

Thank you.
Louis

mbacovsky · January 11, 2018, 2:24pm

I was able to reproduce the original issue.
It is now tracked here Bug #22250: After upgrading hammer credentials are not migrated to new location - Invalid username or password - Foreman.

It can happen only during upgrade and only if the admin password was changed after the initial installation. The issue can occur only once.

To fix after the error happened just update /root/.hammer/cli.modules.d/foreman.yml with correct password