Not sure if this is a bug in Fangtooth BETA, a change to the way it handles permissions for API keys, or something else, but I’m having trouble figuring it out. As in my last few topics, I’m working on getting my deploy-freenas script updated to use the new Websocket API, since I understand the REST API will be deprecated in 25.04. I have, I think, gotten the code to a decently-working state, and it works with 24.10 and 24.04. But when I test it against 25.04-BETA1, it seems to fail to authenticate. The code in question:
with Client(CONNECT_URI) as c:
try:
c.call("auth.login_with_api_key", API_KEY)
except Exception as e:
print(f"Failed to authenticate: {e}")
exit(1)
# Import the certificate
args = {"name": cert_name, "certificate": full_chain, "privatekey": priv_key, "create_type": "CERTIFICATE_CREATE_IMPORTED"}
cert = c.call("certificate.create", args, job=True)
print("Certificate " + cert_name + " imported.\n")
The output under 24.10:
dan@tn-client:~$ .local/share/pipx/venvs/truenas-api-client/bin/python ./deploy_freenas.py
Certificate letsencrypt-2025-03-08-155147 imported.
The output under 25.04:
dan@tn-client:~$ .local/share/pipx/venvs/truenas-api-client/bin/python ./deploy_freenas.py -c deploy_config_2504
Traceback (most recent call last):
File "/home/dan/./deploy_freenas.py", line 102, in <module>
with Client(CONNECT_URI) as c:
File "/home/dan/.local/share/pipx/venvs/truenas-api-client/lib/python3.12/site-packages/truenas_api_client/__init__.py", line 118, in __exit__
return self.__client.__exit__(exc_type, exc_val, exc_tb)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/dan/./deploy_freenas.py", line 110, in <module>
cert = c.call("certificate.create", args, job=True)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/dan/.local/share/pipx/venvs/truenas-api-client/lib/python3.12/site-packages/truenas_api_client/legacy.py", line 386, in call
self._jobs_subscribe()
File "/home/dan/.local/share/pipx/venvs/truenas-api-client/lib/python3.12/site-packages/truenas_api_client/legacy.py", line 378, in _jobs_subscribe
self.subscribe('core.get_jobs', self._jobs_callback, sync=True)
File "/home/dan/.local/share/pipx/venvs/truenas-api-client/lib/python3.12/site-packages/truenas_api_client/legacy.py", line 459, in subscribe
raise ValueError(payload['error'])
ValueError: {'error': 13, 'errname': 'EACCES', 'type': None, 'reason': 'Not authorized', 'trace': None, 'extra': None}
I get the same output under 25.04 using an API key for root
or for truenas_admin
. The system Audit gives the following information:
Credentials:
Credentials: API_KEY
Credentials Data:
Username: root
API Key:
ID: 2
Name: deploy_freenas2
Error: User not known to the underlying authentication module
I’m a little stumped here–do I need to do something to enable the API key once I create it?
Edit: under 24.10, if I give it a bogus API key, I get the same output. Which tells me two things:
- The
auth.login_with_api_key
method doesn’t raise an error for an invalid API key - seems like a bug. It does returnFalse
, though, so still easy enough to test for it. - …and having determined that, it’s definitely the case that authentication using the API key is failing in Fangtooth.