-
Documentation task
-
Resolution: Fixed
-
Trivial
-
None
-
4.0.3
-
None
-
OS: Ubuntu 18.04.1 LTS
Frontend: zabbix-frontend-php 4.0.3
Server: zabbix-server-mysql 4.0.3
Web server: apache2 2.4.29
Steps to reproduce:
- Install the environment
- Enable basic auth in Apache (for "/zabbix" in the example bellow)
- Enable HTTP auth in Zabbix
- Try to perform "user.login" in the API
Result:
You can't perform a successful "user.login" with just HTTP/basic auth. You need to provide both HTTP/basic auth and internal Zabbix auth (these credentials could be set to the same thing. This is done in the following example).
$ curl -H "Content-Type: application/json-rpc" http://localhost/zabbix/api_jsonrpc.php --user Admin:zabbix -d '{"jsonrpc":"2.0","method":"user.login","params":{"user":"Admin","password":""},"id":1}'
{"jsonrpc":"2.0","error":{"code":-32602,"message":"Invalid params.","data":"Login name or password is incorrect."},"id":1}
$ curl -H "Content-Type: application/json-rpc" http://localhost/zabbix/api_jsonrpc.php -d '{"jsonrpc":"2.0","method":"user.login","params":{"user":"Admin","password":""},"id":1}'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at localhost Port 80</address>
</body></html>
$ curl -H "Content-Type: application/json-rpc" http://localhost/zabbix/api_jsonrpc.php --user Admin:zabbix -d '{"jsonrpc":"2.0","method":"user.login","params":{"user":"Admin","password":"zabbix"},"id":1}'
{"jsonrpc":"2.0","result":"c89678ba0ebf5f757c3bb2503dc7b969","id":1}
Expected:
You should be able to authenticate with only HTTP/basic auth and receive a token (the first curl command should give you the result of the third).
Additional comments:
- This works fine in 3.4
- If you follow this guidance in the doc:
It is recommended to enable web-server based authentication for the index_http.php page only. If Default login form is set to 'HTTP login page' the user will be logged in automatically if web server authentication module will set valid user login in the $_SERVER variable.
Then you will be able to authenticate with only the internal auth since the API won't need basic auth.
- If you follow this guidance in the doc:
When default system authentication was previously set to 'HTTP authentication' during the upgrade it will be changed to 'Internal' with 'HTTP Authentication' enabled by default. For such configuration it is required to clear existing user default password values in the database executing the following query:
UPDATE users SET passwd="" WHERE passwd=md5('zabbix')
Then you will not be able to use the API at all since you need an internal password set.
- I'm not familiar with the source code, but this part is executed when you do "user.login" and it seems to only check the internal/database password:
case ZBX_AUTH_INTERNAL:
if (md5($user['password']) !== $db_user['passwd']) {
self::exception(ZBX_API_ERROR_PARAMETERS, _('Login name or password is incorrect.'));
}
break;