InsightIQ: Sudden "Authorization Error" occurs after successfully monitoring a OneFS cluster


   Article Number:     519790                                   Article Version: 5     Article Type:    Break Fix 




Isilon InsightIQ,Isilon InsightIQ 4.1.1,Isilon InsightIQ 4.0.1,Isilon InsightIQ 4.0.0,Isilon InsightIQ 3.2.2,Isilon InsightIQ 3.2.1,Isilon InsightIQ 3.2.0






      While monitoring a OneFS cluster, InsightIQ encounters an Authorization Error, even though the configured password is correct.     
      When looking at the cluster in the InsightIQ Settings page, you see the cluster in an "Authorization Error" state like this:     
      (NOTE: The color next to the Authorization Error can be either yellow or red depending on how long the cluster has been in this error state)   


      Settings page   


      When looking at the Status page, you see the following message for the cluster:   


      Status Page   


      When looking at /var/log/insightiq.log, you'll see error message like these:     
      (NOTE: The specific API end point might be different. For example, you might see the 401 Unauthorized Request error for /platform/3/fsa or /platform/3/statistics)   


      2018-04-19 11:26:18,146 ERROR [insightiq.lib.api_connection.OnefsAPI_7_0] 401 Unauthorized Request:       
        2018-04-19 11:26:18,150 ERROR [insightiq.lib.api_connection.OnefsAPI_7_0] 401 Unauthorized Request:       
        2018-05-08 18:08:44,486 ERROR [insightiq.controllers] APIAuthorizationError: Authorization Required URI:







To address an issue with Cross Site Request Forgery(CSRF), the OneFS API updated how HTTP sessions need to be managed. As a result, older instances of InsightIQ will fall into an Authorization Error for OneFS clusters with this update.                                                           






Installation of a security patch or upgrade of OneFS                                                           






To confirm this issue, copy and run the following into the CLI of InsightIQ:   

      $ echo "Please enter cluster IP/FQDN" ; read cluster && echo "Please enter root password" ; read -s pw && OUTPUT=$(curl --fail -v -k -d "{\"username\": \"root\", \"services\": [\"platform\"], \"password\": \"${pw}\"}" -H "Content-Type: application/json" -XPOST https://${cluster}:8080/session/1/session 2>&1); CALL_OK=$(echo ${OUTPUT} | tail -c 72 | grep 'timeout_absolute' > /dev/null && echo 'ok'); CSRF=$(echo ${OUTPUT} | grep 'isicsrf' > /dev/null && echo 'True' || echo 'False'); if [ ${CALL_OK} = 'ok' ]; then echo ${CSRF} ; else echo ${OUTPUT} ; fi   
    This is a small shell script that will call the OneFS API and check the response for the CSRF token.   
    It will prompt you for the IP/FQDN of the cluster, then prompt you for the root password.   
    This approach avoids having the root password in clear text.   
    There are three possible outputs from the above command.   

      When the output is True   

    Here's an example of running the script, and seeing True as the output:   
      Please enter cluster IP/FQDN             
        Please enter root password       
    When the output is True, the solution is to upgrade InsightIQ to 4.1.2 or newer. That is the only resolution.   

      When the output is False   

    Here's an example of running the script, and seeing False as the output:   
      Please enter cluster IP/FQDN             
        Please enter root password       
    When the output is False, this KB does not apply. Do not waste anymore time on this KB, it does not cover the issue you are having.   

      When the curl command fails   

    If you input a bad password, or the wrong IP/FQDN, the curl command will fail, and the output of the entire command will be printed to the screen.   
    This KB cannot cover every example of the curl command failing. However, it's pretty easy to know if the command failed; you'll have output other than True or False.   
    If the curl command fails, you'll have to address that issue before this KB can be used again.