Python 3 Login to Foreman using AD / Kerberos Credentials

Hey All,

I’ll try to be as descriptive as possible without being able to post the full code snippet. Thank you for your patience in advance.

I’m trying to use the Python 3 requests-kerberos module to log in to Foreman, to then scrape the content views. I managed to figure out the CSRF part including the authenticity_token by running requests.get() on the url and retrieving it from the resultant HTML. I can then pass the authenticity_token to the payload correctly. However, that’s where my success stops. It fails to log in after that due to issues, I’m thinking, in the payload itself.

I’ve tried requests.post ( ...., data = payload, ... auth=HTTPKerberosAuth() ) where the payload is:

payload = {
    "username": "sam",
    "password": "passw0rd",
    "authenticity_token": mytoken
}

But this gives me:

Action failed
NoMethodError: undefined method `[]' for nil:NilClass

Resulting in an HTML error 500. I’ve also tried the following payload:

payload = {
    "login": { "login": "sam", "password": "passw0rd" },
    "authenticity_token": mytoken
}

with both requests.post (... json = payload, .... ) and requests.post ( ....., data = payload, ... ) but only get a Parameters string that includes either:

{ ... "login"=>{"login"=>"sam", "password"=>"[FILTERED]", ......, "user"=>{"login"=>{"login"=>"sam", "password"=>"[FILTERED]"}}}

resulting in an “Invalid user” being returned for the former. Or for the latter, the Parameters shown in the foreman logs shows:

{ ...., "login"=>"passwor", ..... }

again resulting in an ‘Invalid user’ being printed. HTML error 302.

What is the correct way to perform AD / Kerberos user authentication in Kerberos-enabled Foreman through Python 3?

Thx,

Does Kerberos authentication to the UI work properly? Which version of Foreman are you using?

Also, there is apypie which provides native python bindings for using our api (which is defined using apipie) and is used by the Foreman Ansible modules as well.

The UI works properly via a standard browser such as Chrome or Firefox. The foreman version is 1.20.1.34-1.

Unfortunately, I’m not familiar with apypie yet. I’ve had a look at the python code. Not sure how I could use that to achieve what I’m looking for with requests and the configured Foreman LDAP / Kerberos authentication though.

First of all, 1.20 is a very old version and is no longer supported; the current version is 2.1, with 2.2 expected very soon, so I would recommend starting to plan your upgrade.
Second, perhaps we should take a step back and try to understand what exactly you are trying to achieve with this. Why are you trying to scrape the content of UI pages (if I understand correctly) rather than get the information you need from the API directly?

That’s a very good idea to upgrade, unfortunately, it’s the version I have to work with right now.

Effectively, I’m trying to use API calls (via the API library) to pull details about content views, such as package lists, filters, erratas, etc. If I try a requests.get() directly, I’m denied, naturally, because I’m not logged in. Need to load that into a json dictionary then do some comparisons from the hosts themselves.

I was really only interested in a working example someone may have done showing how a Kerberized Foreman could be logged into via API calls and Python 3, ideally with the 1.X version.

Is the authorize_login_delegation_api setting set to true? It’s possible that only the UI has Kerberos enabled.

Would like to see if a bit of python code was written by someone that successfully initiated a Kerberos login to Foreman via API calls. Was hoping to bounce off of that to see what I’m doing wrong.

Let me check that.

Just checked and authorize_login_delegation_api was not set. (In other words, Authorize login delegation API was set to No.)

I haven’t found any indication about this but do I need to restart foreman to have this change take effect?

Once this is set, would you have a working example I could test this with? I have a few dozen lines I tried in the past but wanted to start with a known good set of code to ensure that if things don’t work, it’s not the Python code, but rather the setting.

No, the change should be immediate.

Afraid I’m not aware of any such code. You could try accessing the API directly from your browser with Kerberos enabled, e.g. browse to https://foreman.example.com/api/hosts and see if you get a valid response.

It works from the browser. Both login and API requests work just fine.

Just can’t get it to work from the Python 3 code.
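
A sketch of the approach the replies point toward, as an added example that is not code from any poster or from the Foreman project: request an /api/ path with the caller's Kerberos ticket and no username/password payload, then classify the response. The `get_api` and `diagnose` helpers, their labels, and the cause attached to each status are assumptions made for illustration; `foreman.example.com`, `/api/hosts`, `HTTPKerberosAuth()` and `authorize_login_delegation_api` come from the thread.

```python
from urllib.parse import urljoin

BASE_URL = "https://foreman.example.com"  # placeholder host from the thread


def diagnose(status, headers, body_is_json):
    """Classify an API response into a likely cause (labels are this example's own)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Schemes the server offers, e.g. 'Negotiate, Basic realm="x"' -> negotiate, basic
    offers = [s.strip().split(" ")[0].lower()
              for s in hdrs.get("www-authenticate", "").split(",")]
    if status == 200 and body_is_json:
        return "ok"
    if status == 401 and "negotiate" in offers:
        return "no-ticket"             # SPNEGO offered but not completed: check kinit/klist
    if status == 401:
        return "kerberos-not-offered"  # Kerberos may be UI-only; see authorize_login_delegation_api
    if 300 <= status < 400:
        return "redirected"            # likely a UI route rather than an /api/ path
    return "unexpected"


def get_api(path, base_url=BASE_URL, ca_bundle=True):
    """GET an API path with the caller's Kerberos ticket; no username/password payload."""
    import requests                      # lazy imports: diagnose() needs neither package
    from requests_kerberos import HTTPKerberosAuth

    resp = requests.get(
        urljoin(base_url, path),
        auth=HTTPKerberosAuth(),         # same auth object the original post used
        headers={"Accept": "application/json"},
        verify=ca_bundle,                # keep TLS verification on; pass a CA file path if needed
        allow_redirects=False,           # surface a redirect instead of following it
        timeout=30,
    )
    is_json = resp.headers.get("Content-Type", "").startswith("application/json")
    verdict = diagnose(resp.status_code, resp.headers, is_json)
    return verdict, (resp.json() if verdict == "ok" else None)


# Constructed sample responses (not captured from a real server)
SAMPLES = [
    (401, {"WWW-Authenticate": "Negotiate"}, False),
    (401, {"WWW-Authenticate": 'Basic realm="constructed"'}, True),
    (200, {"Content-Type": "application/json"}, True),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[0], "->", diagnose(*s))
```

Run `kinit` first so a ticket exists, then call `get_api("/api/hosts")`; the script never holds the AD password.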