[Freeipa-users] Re: API logout

On ma, 25 touko 2020, Peter Tselios via FreeIPA-users wrote: You did not have arguments in the list of parameters, only dict of options. [root@master ~]# ipa -vvv console (Custom IPA interactive Python console) api: IPA API object pp: pretty printer ipa: INFO: Request: { "id": 0, "method": "session_logout/1", "params": [ [], { "version": "2.237" } ] } send: b'POST /ipa/session/json HTTP/1.1\r\nHost: master.ipa.test\r\nAccept-Encoding: gzip\r\nAccept-Language: en-us\r\nReferer: https://master.ipa.test/ipa/xml\r\nCookie: ipa_session=MagBearerToken=fVUOtxZUFWDcuqtaxhXJrti%2fmwo956b2cFNVeKtA6iz8Eb0tVkM2qAl%2boMzqnC0EO%2bG3rxT6dMNXjfUEb5%2bUB8%2f%2bhRU2fddmyBn%2fuDnHgRGwTqcHC7Lh8HluiKiSbXf007rIZGNHxPVEthp3J1Awd4VF5rR2nsC23DrLAE5A8Iw%3d;\r\nAccept-Encoding: gzip\r\nUser-Agent: Python-xmlrpc/3.8\r\nContent-Type: application/json\r\nContent-Length: 135\r\n\r\n' send: b'{\n "id": 0,\n "method": "session_logout/1",\n "params": [\n [],\n {\n "version": "2.237"\n }\n ]\n}' reply: 'HTTP/1.1 200 Success\r\n' header: Date: Mon, 25 May 2020 14:50:58 GMT header: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.8 Python/3.8 mod_auth_gssapi/1.6.1 header: Set-Cookie: ipa_session=;Max-Age=0;path=/ipa;httponly;secure; header: X-Frame-Options: DENY header: Content-Security-Policy: frame-ancestors 'none' header: Cache-Control: no-cache, private header: Vary: Accept-Encoding header: Content-Encoding: gzip header: Transfer-Encoding: chunked header: Content-Type: application/json; charset=utf-8 body: b'{"result": {"result": null}, "error": null, "id": 0, "principal": &quot;admin(a)IPA.TEST&quot;, "version": "4.9.0.dev202005250900+git"}' ipa: INFO: Response: { "error": null, "id": 0, "principal": &quot;admin(a)IPA.TEST&quot;, "result": { "result": null }, "version": "4.9.0.dev202005250900+git" } {'result': None} However, this is not really logging out because it only removes a credentials cache stored at a server side, if any. The client still needs to remove its own cookies. If it will be re-sending the cookies back, mod_auth_gssapi will reinstall the same session as if that wasn't removed: ipa: INFO: Request: { "id": 0, "method": "ping/1", "params": [ [], { "version": "2.237" } ] } send: b'POST /ipa/session/json HTTP/1.1\r\nHost: master.ipa.test\r\nAccept-Encoding: gzip\r\nAccept-Language: en-us\r\nReferer: https://master.ipa.test/ipa/xml\r\nCookie: ipa_session=MagBearerToken=fVUOtxZUFWDcuqtaxhXJrti%2fmwo956b2cFNVeKtA6iz8Eb0tVkM2qAl%2boMzqnC0EO%2bG3rxT6dMNXjfUEb5%2bUB8%2f%2bhRU2fddmyBn%2fuDnHgRGwTqcHC7Lh8HluiKiSbXf007rIZGNHxPVEthp3J1Awd4VF5rR2nsC23DrLAE5A8Iw%3d;\r\nAccept-Encoding: gzip\r\nUser-Agent: Python-xmlrpc/3.8\r\nContent-Type: application/json\r\nContent-Length: 125\r\n\r\n' send: b'POST /ipa/session/json HTTP/1.1\r\nHost: master.ipa.test\r\nAccept-Encoding: gzip\r\nAccept-Language: en-us\r\nReferer: https://master.ipa.test/ipa/xml\r\nCookie: ipa_session=MagBearerToken=fVUOtxZUFWDcuqtaxhXJrti%2fmwo956b2cFNVeKtA6iz8Eb0tVkM2qAl%2boMzqnC0EO%2bG3rxT6dMNXjfUEb5%2bUB8%2f%2bhRU2fddmyBn%2fuDnHgRGwTqcHC7Lh8HluiKiSbXf007rIZGNHxPVEthp3J1Awd4VF5rR2nsC23DrLAE5A8Iw%3d;\r\nAccept-Encoding: gzip\r\nUser-Agent: Python-xmlrpc/3.8\r\nContent-Type: application/json\r\nContent-Length: 125\r\n\r\n' send: b'{\n "id": 0,\n "method": "ping/1",\n "params": [\n [],\n {\n "version": "2.237"\n }\n ]\n}' reply: 'HTTP/1.1 200 Success\r\n' header: Date: Mon, 25 May 2020 14:52:17 GMT header: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.8 Python/3.8 mod_auth_gssapi/1.6.1 header: X-Frame-Options: DENY header: Content-Security-Policy: frame-ancestors 'none' header: Cache-Control: no-cache, private header: Vary: Accept-Encoding header: Content-Encoding: gzip header: Transfer-Encoding: chunked header: Content-Type: application/json; charset=utf-8 body: b'{"result": {"summary": "IPA server version 4.9.0.dev202005250900+git. API version 2.237"}, "error": null, "id": 0, "principal": &quot;admin(a)IPA.TEST&quot;, "version": "4.9.0.dev202005250900+git"}' ipa: INFO: Response: { "error": null, "id": 0, "principal": &quot;admin(a)IPA.TEST&quot;, "result": { "summary": "IPA server version 4.9.0.dev202005250900+git. API version 2.237" }, "version": "4.9.0.dev202005250900+git" } {'summary': 'IPA server version 4.9.0.dev202005250900+git. API version 2.237'} Only if you would do explicit disconnect from the client side, the cookie will be thrown away: >>> api.Backend.rpcclient.disconnect() Traceback (most recent call last): File "<console>", line 1, in <module> File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 450, in __call__ return self.__do_call(*args, **options) File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 478, in __do_call ret = self.run(*args, **options) File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 801, in run return self.forward(*args, **options) File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 823, in forward return self.Backend.rpcclient.forward(self.forwarded_name, File "/usr/lib/python3.8/site-packages/ipalib/rpc.py", line 1139, in forward command = getattr(self.conn, name) File "/usr/lib/python3.8/site-packages/ipalib/backend.py", line 104, in __get_conn raise AttributeError( AttributeError: rpcclient is not connected (rpcclient_140385907720256 in MainThread) So for your own 'client' in Ansible just forget the cookie. If you are using normal 'ipa' CLI tool or Python bindings we provide, 'kdestroy' is enough to remove the credential cache where a ticket and a cookie is stored. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland