roles to have permissions for /api/machines/discover

vyvy

20 Apr, 2017 02:21 PM

Hi team,

as per wiki:

GET /api/machines/discover HTTP/1.1
Interrogate a machine for communication details so that it may be added to the installation.

Notes:

Users must be authenticated with an API key to perform this action.
Access is restricted to users in teams with MachineView permission covering relevant resources.

So, I have created a new role with the permissions below:

EnvironmentEdit
EnvironmentView
MachineCreate
MachineDelete
MachineEdit
MachineView

I have created a service user and an API key for it. I assigned this user to an Octopus team, and this team has only my new role assigned. Meaning, my service user and team x have only the permissions above.

Now I'm trying to invoke the API to discover a machine so I can add it to the environments page. Using the API key I created for this service user, I'm getting an error: unauthorized. Any clue what I'm doing wrong, or is there likely a bug, or am I missing other permissions for the role? I'm using version 3.7.7 of Octopus.

Invoke-RestMethod "$OctopusURL/api/machines/discover?host=$machineName&port=$machinePort&type=TentaclePassive" -Method Get -Headers $header
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.
At line:1 char:1
+ Invoke-RestMethod "$OctopusURL/api/machines/discover?host=$machineNam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

  1. Support Staff 1 Posted by Dalmiro Grañas on 20 Apr, 2017 05:01 PM

    Hi,

    Thanks for reaching out! Could you please send me an export of that user's permissions so I can take a look at them?

    https://octopus.com/docs/administration/managing-users-and-teams/us...

    Thanks,
    Dalmiro

  2. 2 Posted by vyvy on 21 Apr, 2017 06:49 AM

    I have attached the requested file and also a few screenshots.

  3. Support Staff 3 Posted by Dalmiro Grañas on 24 Apr, 2017 10:37 PM

    Hi,

    Thanks for sending over all that info! I tested this in Octopus 3.12.3 and in that version all the permissions you need are MachineView. It's highly possible that we changed the permissions for that since your version to make them a lot more accessible. Unfortunately I can't confirm this change right now, as most of the team is in Australia and today is a holiday over there.

    Can I suggest you upgrade to the latest Octopus and give this a try in that version? If that's not possible, I could spin up an Octopus instance of the same version as yours and let you know which permissions were needed back then. But I strongly recommend you go forward and upgrade if that's possible for you.

    Regards,
    Dalmiro

  4. 4 Posted by vyvy on 25 Apr, 2017 09:38 AM

    I have also tried on versions 3.11.11 and 3.12.6 and I get the same error - unauthorized.

  5. Support Staff 5 Posted by Dalmiro Grañas on 25 Apr, 2017 01:16 PM

    A few things to try:

    • Could you try creating a brand new API key (making sure you are logged in with the right user)?

    • Could you add -verbose to the invoke-webrequest call so it prints the exact URL it's trying to hit, and then make sure it's properly formatted?

    If that doesn't do it, please send me the code snippet you are using so I can give it a try on my end.

  6. Support Staff 6 Posted by Dalmiro Grañas on 25 Apr, 2017 01:17 PM

    In case it helps, this is the code snippet I used for testing:

    #DISCOVERER
    $APIKey = "API-FUPXEIEFLTIZYUFOWFGMZ1UUYVY"
    
    $OctopusURL = "Http://devbox:82"
    
    $header = @{ "X-Octopus-ApiKey" = $APIKey }
    
    Invoke-WebRequest "$OctopusURL/api/machines/discover?host=localhost&port=10933&type=TentaclePassive" -Headers $header
    
  7. 7 Posted by vyvy on 26 Apr, 2017 11:35 AM

    OK, I had scoped that team with the viewmachines role for the systemtest env only, so that's why it didn't work on 3.12.6. So all good, with the latest version it works.

    Cheers Dalmiro for help and assistance!

  8. Support Staff 8 Posted by Dalmiro Grañas on 26 Apr, 2017 03:31 PM

    Cheers!
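
An added diagnostic example (not from the thread participants and not Octopus's own code): it first checks that the API key authenticates and as which user, then repeats the discover call from the posts above and captures the HTTP status and any error body instead of letting the cmdlet throw. The server URL, API key and the `Invoke-OctopusGet` helper name are placeholders or assumptions; `/api/users/me` is the Octopus endpoint that returns the user a key belongs to.

```powershell
# Added example. Placeholders: replace before running.
$OctopusURL = "https://octopus.example.local"    # placeholder server URL
$APIKey     = "API-XXXXXXXXXXXXXXXXXXXXXXXXXX"    # placeholder service-user key
$header     = @{ "X-Octopus-ApiKey" = $APIKey }

# Hypothetical helper: GET a path and return status + body without throwing.
function Invoke-OctopusGet {
    param([string]$Path)
    try {
        $body = Invoke-RestMethod "$OctopusURL$Path" -Method Get -Headers $header
        [pscustomobject]@{ Path = $Path; Status = 'OK'; Body = $body }
    }
    catch {
        # Windows PowerShell 5.1 and PowerShell 7 both expose StatusCode here.
        $resp   = $_.Exception.Response
        $status = if ($resp) { [int]$resp.StatusCode } else { $null }
        # ErrorDetails carries the server's error body when one was returned.
        $detail = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
        [pscustomobject]@{ Path = $Path; Status = $status; Body = $detail }
    }
}

# 1. Does the key authenticate at all, and is it the intended service user?
$me = Invoke-OctopusGet "/api/users/me"
$me | Format-List

# 2. The same key against the restricted endpoint from the thread.
$machineName = "localhost"
$machinePort = 10933
$discover = Invoke-OctopusGet "/api/machines/discover?host=$machineName&port=$machinePort&type=TentaclePassive"
$discover | Format-List

# A valid key that still gets 401 on discover points at roles or scoping,
# which is what the original poster found in the end.
if ($me.Status -eq 'OK' -and $discover.Status -eq 401) {
    Write-Warning "Key is valid but discover was refused: review the team's roles and their environment scoping."
}
```
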
