
Can't save the project area when trying to add a user as project admin using cURL


Ryan McBryde (5911233) | asked Mar 01 '17, 11:24 p.m.

I am trying to add a user to a project area using a Perl script that executes a cURL command.  I am a member of the JazzAdmins group but I am not defined in the project area in question as a project administrator and I am trying to add myself as a project administrator.  When I do I get an error that tells me that I do not have permission to do so.

HTTP/1.1 403 Forbidden
X-Powered-By: Servlet/3.0
Content-Type: text/plain;charset=UTF-8
Content-Language: en-US
Set-Cookie: JSESSIONID=0000yNCEJ1Idzr3thp0Kasab0wb:-1; Path=/; HttpOnly
Transfer-Encoding: chunked
Connection: Close
Date: Thu, 02 Mar 2017 03:46:11 GMT
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"

Error 403

com.ibm.team.process.common.advice.TeamOperationCanceledException: CRJAZ6053E The 'Save Project Area' operation cannot be completed. Permission is required to complete the operation.

It would appear that the only way that I can add myself, or any other user, to a project area as an administrator is to be one first, which is no help.

I am trying to write a series of scripts, leveraging cURL, so that I can add and remove users and project admins programmatically to avoid having to use the GUI but if I have to add myself manually to each project area that I want to manage before I can use the scripts, then I might as well add/remove the users and project admins while I am there.

I saw the note in https://jazz.net/forum/questions/222872/adding-user-as-project-area-administrator-with-api
and its reference to the comment from Ruby on https://jazz.net/forum/questions/63757/programmatically-create-a-project-area-on-rtc-with-curl  and I have tried, unsuccessfully, to use that solution, which says to pass in a header that tells Jazz (CLM) that the request is not a CSRF attack. The name of the header is "X-Jazz-CSRF-Prevent" and the value is the JSESSIONID for the current session.

I used the code snippet that was described and still cannot make changes to a project area unless I am already listed as a project admin in that project area.

Is there a way to do this using cURL?

CLM version 6.0.1 running on a Windows Server using SQL Server

One answer



Donald Nong (14.5k614) | answered Mar 02 '17, 12:45 a.m.

Using RESTClient with Firefox, I actually get a different error message.

Permission Denied

Your account does not have the group memberships required to access the requested resource.

And I can confirm that adding the header "X-Jazz-CSRF-Prevent" does resolve the issue. Maybe you need to check the error message in the ccm.log file as it is far more detailed than the one on the client.


Comments
Ryan McBryde commented Mar 02 '17, 10:11 a.m.

Thank you Donald,

I will get our engineering group to send me the ccm.log, as I do not have login access to our server.  Are there any other logs that might help debug this?  Also, when it says "group memberships" is it referring to the AD groups: JazzUsers, JazzGuests, JazzAdmins?

Thanks again


Ryan McBryde commented Mar 02 '17, 10:28 a.m. | edited Mar 02 '17, 10:30 a.m.

Also,

I am running the cURL cmd from the DOS command line:

curl -D - -k -b ./cookies.txt -X DELETE https://<SERVER_NAME>:9443/qm/process/project-areas/_U57fcnyvEeWIMbjtL9CM6g/admins/<USER_ID>;


Name: Save Project Area
ID: com.ibm.team.process.server.saveProjectArea
Severity: ERROR
Summary: Permission Denied
Description: You don't have permission to perform the following actions:
Modify project area properties (modify/other)
Severity: ERROR

Thinking that this has to do with the Project Area permissions, I modified, as a test, the Everyone group perms to allow for Saving the Project Area which includes "Modify project area properties" and it failed with a "302 Found"

HTTP/1.1 302 Found
X-Powered-By: Servlet/3.0
X-com-ibm-team-repository-web-auth-msg: authrequired
Location: https://<SERVER_NAME>:9443/qm/secure/authenticated/identity?redirectPath=%2Fqm%2Fprocess%2Fproject-areas%2F_U57fcnyvEeWIMbjtL9CM6g%2Fadmins%2<USER_ID>
Content-Language: en-US
Content-Length: 0
Date: Thu, 02 Mar 2017 15:23:24 GMT


Donald Nong commented Mar 03 '17, 3:29 a.m.

Ryan, I have to say, you lied a bit. :-)

You said that you could not "add" a user and it turned out that you could not "remove" a user.

I can reproduce the problem. If you believe it's a defect (you can add but cannot delete under the same condition), please contact Support or submit a WI straightaway.

But it's quite easy to work around, as you can definitely delete a project admin as long as you yourself are also a project admin. So if you're not already a project admin of a project, make yourself one, make whatever changes you like, and finally remove yourself as a project admin.


Ralph Schoon commented Mar 03 '17, 4:27 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

To access the server logs of an application you don't have to have access to the physical machine. As a JazzAdmin, use the application's Diagnostics Export Results; the log files are in a zip file inside the downloaded zip file.




Ryan McBryde commented Mar 03 '17, 4:55 p.m.

Ralph,

Thank you for the reminder of the export capability!



Ryan McBryde commented Mar 03 '17, 5:04 p.m.

Donald,

You suggest that it is easy to add myself as the project admin, then make whatever changes I need to, including removing another project admin, and then remove myself.

Do I need to execute the add of my id as project admin using the X-Jazz-CSRF-Prevent option?


Ryan McBryde commented Mar 03 '17, 5:27 p.m.

Here is my batch file, which doesn't work

@echo off
REM Log in, capture the session cookie, then add a project-area admin.
set COOKIES=./cookies.txt
set TEMP_JSESSION=./temp_jsession.txt

set USER=<USERID>
set PASSWORD=<PASSWORD>
REM No quotes around the value: with them, %HOST% expands to a string that still contains the quotes.
set HOST=https://<SERVER>:9443/jts

REM -k disables TLS certificate verification; prefer --cacert <ca.pem> outside of testing.
REM curl reads "-ssl" as the bundled short options -s -s -l, so -s (silent) is what it effectively does; written explicitly here.
curl -k -s -c %COOKIES% "%HOST%/authenticated/identity"
curl -k -s -L -b %COOKIES% -c %COOKIES% -d j_username=%USER% -d j_password=%PASSWORD% "%HOST%/authenticated/j_security_check"
findstr "JSESSION" %COOKIES% > %TEMP_JSESSION%

REM cookies.txt fields: domain, flag, path, secure, expires, name, value -> token 7 is the cookie value
for /F "tokens=7" %%G in (%TEMP_JSESSION%) do set JSESSIONID=%%G

set URL=https://<SERVER>:9443/rm/process/project-areas/_8Z6I4jc1EeOJtozBEukhqg/admins

REM The CSRF-prevent header must carry the JSESSIONID of the session the cookie jar presents.
curl -k -s -b %COOKIES% -H "Content-Type: application/xml" -H "X-Jazz-CSRF-Prevent: %JSESSIONID%" -X POST --data-binary @admin-member-to-add.xml %URL%


Donald Nong commented Mar 03 '17, 11:19 p.m.

Ah... you're a moving target again! This time it is RM. I suggest you do a GET first to verify that you have indeed logged on to RM already (you log on to JTS in the script), then get the JSESSIONID.

BTW, is there a reason you findstr "JSESSION" instead of "JSESSIONID"? Have you verified that the string that you get from %%G is the correct value? As I said in the answer above, as long as the correct JSESSIONID is set for "X-Jazz-CSRF-Prevent", everything should work just fine.


Ryan McBryde commented Mar 07 '17, 2:07 p.m.

Donald,

Thank you. It was not my intent to deceive, but my goal is to have one script that I can use to add/delete users to any project area for any application (ccm, rm, qm).

THANK YOU also for the tip on logging into rm instead of jts, that helped.  
Am I correct in assuming that I will need to log into each application to manage it?

I am getting a "Error 404: Not Found" when I run this cURL command, 

curl -k -s -L -b ./cookies.txt -c ./cookies.txt -d j_username=<ID> -d j_password=<PASSWD> "https://<SERVER>/rm/authenticated/j_security_check"

This is after running:

curl -k -s -c ./cookies.txt "https://<SERVER>/rm/authenticated/identity"

without any error.

Yet, the script still added my user as an admin successfully.


Donald Nong commented Mar 08 '17, 12:51 a.m.

The reason I suggest logging in to each application is that they may be distributed and you will get a different JSESSIONID from each application server (WAS/Liberty/Tomcat), and we know that it's crucial for the "X-Jazz-CSRF-Prevent" header.

RM is a bit different from the other applications in the CLM family - it does not have its own user management and relies on JTS for this duty. If you check the network traffic (using Firebug or Chrome), you will see that when you first access RM, it redirects you to JTS for authentication. That's why you got HTTP 404 when trying to access /rm/authenticated/j_security_check (it does not exist).

I was joking in the previous posts, and did not blame you for anything at all. I know it's quite complicated and if you had worked on the applications one by one, it may have been easier. Well, you probably did not realize the difference to start with anyway.
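The procedure this thread converges on (establish a session against the target application, authenticate against the application that actually does the login, send that application's JSESSIONID in X-Jazz-CSRF-Prevent, and treat the "authrequired" 302 as a failed session rather than a permission problem) as an added bash example. This is not code from the original post, from the accepted answer, or from IBM; it is a POSIX-shell port of the batch file above. Host names, the argument order, the payload file name, the cookie-jar contents used for illustration, and feeding the credentials to curl via a config read from stdin (-K -) so the password stays out of the process list are all assumptions made here.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): bash port of the curl workflow discussed
# above. Assumptions: host names, the payload file and the argument order are
# placeholders chosen here; the cookie-jar layout is curl's Netscape format.
set -u

# Pick the JSESSIONID that a given host issued out of a curl cookie jar.
# Jar lines are: domain, flag, path, secure, expires, name, value (tab-separated);
# curl prefixes the domain of HttpOnly cookies with "#HttpOnly_", so such lines
# must not be dropped as comments. In a distributed CLM setup each application
# host hands out its own JSESSIONID, and X-Jazz-CSRF-Prevent must carry the one
# for the host you are calling, not whichever line happens to match last.
jsessionid_from_jar() {
  local jar=$1 host=$2
  awk -F'\t' -v host="$host" '
    /^#/ && $0 !~ /^#HttpOnly_/ { next }
    {
      dom = $1; sub(/^#HttpOnly_/, "", dom)
      if ($6 == "JSESSIONID" && dom == host) val = $7
    }
    END { if (val == "") exit 1; print val }
  ' "$jar"
}

# True when a saved response-header file carries the marker CLM sends with the
# 302 to .../authenticated/identity, i.e. the jar holds no authenticated session
# for that application (the "authrequired" case shown in the thread).
auth_required() {
  grep -qi '^X-com-ibm-team-repository-web-auth-msg: *authrequired' "$1"
}

# Strip scheme, path and port from a base URL to get the cookie-jar host field.
host_of() {
  printf '%s' "$1" | sed -E 's#^https?://##; s#/.*$##; s#:[0-9]+$##'
}

# Form login. $auth_app is the application that actually authenticates: ccm and
# qm authenticate themselves, rm hands off to jts (there is no
# /rm/authenticated/j_security_check), so call: clm_login BASE rm jts USER PASS JAR.
# Credentials go to curl through a config read from stdin (-K -) so the password
# does not show up in the process list as it would with -d on the command line.
clm_login() {
  local base=$1 app=$2 auth_app=$3 user=$4 pass=$5 jar=$6
  # First touch the target application so it creates its session cookie.
  curl -sS -c "$jar" -b "$jar" -o /dev/null "$base/$app/authenticated/identity" || return 1
  printf 'data = "j_username=%s"\ndata = "j_password=%s"\n' "$user" "$pass" |
    curl -sS -K - -L -b "$jar" -c "$jar" -o /dev/null \
      "$base/$auth_app/authenticated/j_security_check"
}

# Add (POST with an XML member payload file) or remove (DELETE of a user id) a
# project-area administrator, sending the CSRF header with the target host's
# JSESSIONID, and fail explicitly if the server answers "authrequired".
pa_admin_request() {
  local base=$1 app=$2 jar=$3 pa_uuid=$4 method=$5 target=$6
  local sid hdrs rc
  sid=$(jsessionid_from_jar "$jar" "$(host_of "$base")") || {
    echo "no JSESSIONID for $(host_of "$base") in $jar" >&2; return 1; }
  hdrs=$(mktemp)
  case $method in
    POST)
      curl -sS -D "$hdrs" -b "$jar" -H "X-Jazz-CSRF-Prevent: $sid" \
        -H 'Content-Type: application/xml' -X POST --data-binary "@$target" \
        "$base/$app/process/project-areas/$pa_uuid/admins" ;;
    DELETE)
      curl -sS -D "$hdrs" -b "$jar" -H "X-Jazz-CSRF-Prevent: $sid" -X DELETE \
        "$base/$app/process/project-areas/$pa_uuid/admins/$target" ;;
    *) rm -f "$hdrs"; echo "method must be POST or DELETE" >&2; return 1 ;;
  esac
  rc=$?
  if auth_required "$hdrs"; then
    echo "not authenticated against $app: log in to the right application first" >&2
    rc=2
  fi
  rm -f "$hdrs"
  return $rc
}

# Live run only on request (needs a reachable server), e.g.:
#   ./clm-admin.sh --run https://clm.example:9443 rm jts alice "$PASS" _8Z6I4jc1EeOJtozBEukhqg POST member.xml
# No -k here: point curl at the server CA with --cacert instead of disabling verification.
if [ "${1:-}" = "--run" ]; then
  shift
  jar=$(mktemp)
  clm_login "$1" "$2" "$3" "$4" "$5" "$jar" &&
    pa_admin_request "$1" "$2" "$jar" "$6" "$7" "$8"
  rm -f "$jar"
fi
```

Selecting the JSESSIONID by host rather than by a loose substring match is the point of jsessionid_from_jar: on a single host the applications share one cookie, but once JTS and RM (or QM) live on different servers the jar holds several JSESSIONID lines and a "last match wins" loop silently sends the wrong one. The authrequired check turns the 302 seen earlier in the thread into a clear error instead of a confusing "permission denied".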



