Authorization Credentials Stripped --- django, elastic beanstalk, oauth
A

4

83

I implemented a REST api in django with django-rest-framework and used oauth2 for authentication.

I tested with:

curl -X POST -d "client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=password&username=YOUR_USERNAME&password=YOUR_PASSWORD" http://localhost:8000/oauth2/access_token/

and

curl -H "Authorization: Bearer <your-access-token>" http://localhost:8000/api/

on localhost with successful results consistent with the documentation.

When pushing this up to an existing AWS elastic beanstalk instance, I received:

{ "detail" : "Authentication credentials were not provided." }
Aerograph answered 9/3, 2014 at 6:52 Comment(5)
You are my hero. I have wasted many hours on this but I'm sure you saved me many more!Benedictus
You should answer your question yourself, so it doesn't appear on the unanswered list :)Akilahakili
I have no idea how much time of mine this would have eaten up, but I'm pretty sure it would have been a while. Life saver.Thereupon
Still saving hours and hours in 2020Chunk
You saved my time. I don't know how many days I really stayed up all night. Ha... thank you very much. Have a nice day, I really love you. Still saving hours and hours in 2020 July !!!!!!!!!! lolIrredeemable
Y
31

I use a slightly different approach now. sahutchi's solution worked as long as env variables were not changed as Tom dickin pointed out. I dug a bit deeper inside EB and found out where the wsgi.conf template is located and added the "WSGIPassAuthorization On" option there.

commands:
  WSGIPassAuthorization:
    command: sed -i.bak '/WSGIScriptAlias/ a WSGIPassAuthorization On' config.py
    cwd: /opt/elasticbeanstalk/hooks

That will always work, even when changing environment variables. I hope you find it useful.

Edit: Seems like lots of people are still hitting this response. I haven't used ElasticBeanstalk in a while, but I would look into using Manel Clos' solution below. I haven't tried it personally, but seems a much cleaner solution. This one is literally a hack on EBs scripts and could potentially break in the future if EB updates them, specially if they move them to a different location.

Yaelyager answered 13/3, 2015 at 11:58 Comment(7)
This is nice. Now that awsebcli has eb ssh I've found its easier to be lazy on dev-ops and do clean-up by hand.Aerograph
Still relevant answer. Wanted to add that (as a newbie aws user) you can just add the commands tag to your .ebextensions .config files, on top of your container_commands, and it will work. More on all the tags that are processed here: linkVertigo
Two issues with this: 1) only works on second and subsequent deploys, 2) sed keeps piling on that same line into the config file each time you deploy. The solution by Manel Clos (creating a new file in Apache's conf.d) does not suffer from these issues, and it also works when you change environment variables.Ethelynethene
I haven't used EB in a while, but I do agree that his solution is cleaner and more elegant. I would probably use that if it works properly, which it should.Evante
You saved my teams weekend. Thanks a lot!Acanthoid
Where is located this file that I have to put this code ?Telegraphy
@Telegraphy Please check manel-clos answer below for a better solutionEvante
N
69

I like the idea of just having some extra configuration on the standard place. In your .ebextensions directory create a wsgi_custom.config file with:

files:
  "/etc/httpd/conf.d/wsgihacks.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      WSGIPassAuthorization On

As posted here: https://forums.aws.amazon.com/message.jspa?messageID=376244

Nicias answered 15/12, 2015 at 15:1 Comment(2)
this is a clean solution. it does work when you change environment variables and it doesn't keep adding the same line into a config file every time you deploy.Ethelynethene
Getting this error : not authorized to perform: rds:DescribeDBEngineVersionsBelfry
A
34

I thought the problem was with my configuration in django or some other error type instead of focusing on the differences between localhost and EB. The issue is with EB's Apache settings.

WSGIPassAuthorization is natively set to OFF, so it must be turned ON. This can be done in your *.config file in your .ebextensions folder with the following command added:

container_commands:
  01_wsgipass:
    command: 'echo "WSGIPassAuthorization On" >> ../wsgi.conf'

Please let me know if I missed something or if there is a better way I should be looking at the problem. I could not find anything specifically about this anywhere on the web and thought this might save somebody hours of troubleshooting then feeling foolish.

Aerograph answered 16/9, 2014 at 7:2 Comment(5)
Seems I spoke too soon in my above comment. Whilst this DOES work for an initial deployment, if you change something in your environment (e.g. add a new variable), this isn't ran when those changes are applied, and the wsgi.conf is still regenerated it seems. Don't suppose you know of any app config that is ran every time a change occurs?Thereupon
I include this in every git aws.push. But yes, I lose css sometimes when I change parameters. Would anything break in your app if after making a change to your environment you re-deployed the last push via the ui in the environment - application version menu?Aerograph
It looks like this fix is now out of date. The runner up answer from Rubén Durá Tarí works (if you fix the typo) and seems on the face of it to be more robust.Trevor
@Trevor what's the typo?Adoree
@Adoree there isn't one. When I tested it, I had an unrelated problem that I inadvertently fixed at the same time as "correcting" the typo. Rubén has edited his answer back to a working state since my buffoonery.Trevor
Y
31

I use a slightly different approach now. sahutchi's solution worked as long as env variables were not changed as Tom dickin pointed out. I dug a bit deeper inside EB and found out where the wsgi.conf template is located and added the "WSGIPassAuthorization On" option there.

commands:
  WSGIPassAuthorization:
    command: sed -i.bak '/WSGIScriptAlias/ a WSGIPassAuthorization On' config.py
    cwd: /opt/elasticbeanstalk/hooks

That will always work, even when changing environment variables. I hope you find it useful.

Edit: Seems like lots of people are still hitting this response. I haven't used ElasticBeanstalk in a while, but I would look into using Manel Clos' solution below. I haven't tried it personally, but seems a much cleaner solution. This one is literally a hack on EBs scripts and could potentially break in the future if EB updates them, specially if they move them to a different location.

Yaelyager answered 13/3, 2015 at 11:58 Comment(7)
This is nice. Now that awsebcli has eb ssh I've found its easier to be lazy on dev-ops and do clean-up by hand.Aerograph
Still relevant answer. Wanted to add that (as a newbie aws user) you can just add the commands tag to your .ebextensions .config files, on top of your container_commands, and it will work. More on all the tags that are processed here: linkVertigo
Two issues with this: 1) only works on second and subsequent deploys, 2) sed keeps piling on that same line into the config file each time you deploy. The solution by Manel Clos (creating a new file in Apache's conf.d) does not suffer from these issues, and it also works when you change environment variables.Ethelynethene
I haven't used EB in a while, but I do agree that his solution is cleaner and more elegant. I would probably use that if it works properly, which it should.Evante
You saved my teams weekend. Thanks a lot!Acanthoid
Where is located this file that I have to put this code ?Telegraphy
@Telegraphy Please check manel-clos answer below for a better solutionEvante
H
0

Though the above solution is interesting, there is another way. Keep the wsgi.conf VirtualHost configuration file you want to use in .ebextensions, and overwrite it in a post deploy hook (you can't do this pre-deploy because it will get re-generated (yes, I found this out the hard way). If you do this, to reboot, make sure to use the supervisorctl program to restart so as to get all your environment variables set properly. (I found this out the hard way as well.)

cp /tmp/wsgi.conf /etc/httpd/conf.d/wsgi.conf
 /usr/local/bin/supervisorctl -c /opt/python/etc/supervisord.conf restart httpd
exit 0

01_python.config:

05_fixwsgiauth:
    command: "cp .ebextensions/wsgi.conf /tmp"
Heteronomy answered 7/5, 2015 at 19:12 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.