Software Development Kit (SDK) and API Discussions
I'm trying to use host-based authentication (hosts.equiv), but it's failing. I get the error:
"User does not have capability to invoke API quota-report."
If it's not clear, there are two spaces after 'User', as if it were printing a null username. Sure enough, from the log:
Tue Oct 27 11:44:14 CDT [near19: useradmin.unauthorized.user:warning]: User '' denied access - missing required capability: 'api-quota-report'
Am I missing something?
This most certainly IS a vulnerability! ANY USER can claim to be root and run commands. That user clearly is NOT root, so it should not be authenticated!
The real user id should be passed through the SDK for this "fallback" authentication method and only allowed if the real user is allowed via hosts.equiv.
Thanks,
Kevin
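The log line quoted above shows the filer recording an empty username when the client relies on hosts.equiv trust. As an added example (not part of the original thread, and not NetApp code), here is a small parser for that `useradmin.unauthorized.user` line shape that separates empty-username denials from denials of named users; the sample lines beyond the one from the post, including the capability name `api-system-get-version`, are constructed.

```python
import re
from collections import Counter

# Matches the ONTAP log shape quoted in the post, e.g.
# Tue Oct 27 11:44:14 CDT [near19: useradmin.unauthorized.user:warning]: User '' denied access - missing required capability: 'api-quota-report'
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \w+) "
    r"\[(?P<host>[^:\]]+): (?P<event>[\w.]+):(?P<sev>\w+)\]: "
    r"User '(?P<user>[^']*)' denied access - missing required capability: '(?P<cap>[^']+)'$"
)


def parse_denial(line):
    """Return the fields of a capability-denial line, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def audit(lines):
    """Split denials into empty-username events (the hosts.equiv symptom) and named users."""
    empty_user = []          # (host, capability) pairs where the filer saw no username
    by_user = Counter()      # (user, capability) -> count for named users
    for line in lines:
        rec = parse_denial(line)
        if rec is None or rec["event"] != "useradmin.unauthorized.user":
            continue
        if rec["user"] == "":
            empty_user.append((rec["host"], rec["cap"]))
        else:
            by_user[(rec["user"], rec["cap"])] += 1
    return {"empty_user": empty_user, "by_user": by_user}


# Constructed sample: the first line is the one from the post; the others are invented for contrast.
SAMPLE = [
    "Tue Oct 27 11:44:14 CDT [near19: useradmin.unauthorized.user:warning]: User '' denied access - missing required capability: 'api-quota-report'",
    "Tue Oct 27 11:45:02 CDT [near19: useradmin.unauthorized.user:warning]: User 'cokm' denied access - missing required capability: 'api-system-get-version'",
    "Tue Oct 27 11:46:30 CDT [near19: kern.syslog.msg:info]: unrelated message",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```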
A non-root user cannot execute an API with user input as root. The API will error out if the user is not root.
Something like this
Vishal Kulkarni
Member Technical Staff
SMAI
NetApp
080-41844244 Direct
9986500905 Mobile
vishal.kulkarni@netapp.com
A non root user *IS* running this and there is no error. I am using it right now as my own user with no issues:
cpafisc8-> id
uid=14665(cokm) gid=508(techteam) groups=506(tape),507(usradm),513(taxdart),666(security)
cpafisc8-> cat hello_ontapi.pl
#!/usr/bin/perl
my $VERSION = '1.0'; # Controls the SDK release.
use strict;
use lib '/util/bin/netapp/manage-ontap-sdk-3.5.1/lib/perl/NetApp';
use NaServer;
use Pod::Usage;

# Require the filer name as the first argument.
die pod2usage(
    verbose => 1
) unless $ARGV[0];

our $filer = $ARGV[0];
our $s = NaServer->new($filer, 1, 1);
$s->set_style("LOGIN");
# Claims "root" with an empty password; the filer accepts it via hosts.equiv.
$s->set_admin_user("root", "");

our $output = $s->invoke( "system-get-version" );
if ($output->results_errno != 0) {
    our $r = $output->results_reason();
    print "Failed: $r\n";
}
else {
    our $r = $output->child_get_string( "version" );
    print "$r\n";
}
cpafisc8-> ./hello_ontapi.pl cpafisnas2
NetApp Release 7.2.5.1: Wed Jun 25 08:55:16 PDT 2008
Thanks,
Kevin
I realize this might be old news to some, but testing on a SIM version 8.0.1, setting the option httpd.admin.hostsequiv.enable to on solved this for me.