topic Re: web api locks the section after using "add-access-rule" in API / CLI Discussion

web api locks the section after using "add-access-rule"

Ahmadhr — Sun, 06 Dec 2020 20:03:52 GMT

Hi everyone,

i am trying to use the add-access-rule API to create a rule on top, it pushes the change, and publish with 200 status code for the first time, but it doesn't show the change on the smart-console. also after that, it locks that particular section.

below is the body:

body_add_new_rule = {
"layer": layer,
"position": 2,
"name": name,
"action": "Accept",
"service": "any",
"destination": dst_node,
"source": src_node,
"track": {
"type": "Log"
}
}

this is the response API returns:

{'code': 'generic_error', 'message': "Runtime error: Object 'SHC Space at SOM' is locked by another session."}

FYI - i use the "logout" command to logout after each API to make sure the session doesnt get stuck, i have verified it in smart-console and session disconnects with no issue.

i appreciate if you can help me with this. pretty much stopping me from developing my app

Re: web api locks the section after using "add-access-rule"

PhoneBoy — Sun, 06 Dec 2020 21:10:39 GMT

Any (set of) changes made via the API are done as part of a session.
This also applies to changes made via SmartConsole.
That session must either be published or discarded with an explicit API call.
If you do neither, some objects/changes made via that session will remain locked.
Once the relevant session is published/discarded, the lock should be removed.
This is done to prevent conflicting changes from being made.

Re: web api locks the section after using "add-access-rule"

Ahmadhr — Sun, 06 Dec 2020 21:29:25 GMT

do i have to use the same uid that was generated initially when i created the session by "login"?

i am doing show-sessions to find it, but i cant tell which one is what,

Re: web api locks the section after using "add-access-rule"

Ahmadhr — Sun, 06 Dec 2020 21:37:22 GMT

Thank you so much, i actually was able to find all the web-api sessions by "show-sessions" and discard them, i am unlocked now. pphhewwww

thanks so much for your prompt response.

Re: web api locks the section after using "add-access-rule"

PhoneBoy — Mon, 07 Dec 2020 01:53:43 GMT

The publish/discard action applies to the specified session uid.

Re: web api locks the section after using "add-access-rule"

Ahmadhr — Mon, 07 Dec 2020 02:25:58 GMT

i use the below uid to publish the change, but i get 501 error not sure what i am doing wrong

{'uid': '<the uid>', ------->>>>> THIS UID

'sid': 'WW0Z9DDxScwEYwMtbdLtRwK9IGOrLawwN0_FKWmgAEU',

'url': 'https://<myFW>:443/web_api', 'session-timeout': 600,

'last-login-was-at': {'posix': 1607307607855, 'iso-8601': '2020-12-06T18:20-0800'}, '

api-server-version': '1.5'}

Re: web api locks the section after using "add-access-rule"

PhoneBoy — Mon, 07 Dec 2020 02:31:10 GMT

You sure that uid is active? (i.e. does it show in show-sessions)

Re: web api locks the section after using "add-access-rule"

Ahmadhr — Mon, 07 Dec 2020 16:56:42 GMT

when login happens i instantly use the sid to api call other commands, but when i use the uid to publish the change, it throws error. FYI- i doing this in python as well as Postman,

Re: web api locks the section after using "add-access-rule"

Ahmadhr — Mon, 07 Dec 2020 17:14:35 GMT

yes i just checked during the runtime of the code, the session is active and shows on the show-session

Re: web api locks the section after using "add-access-rule"

Ahmadhr — Mon, 07 Dec 2020 18:51:53 GMT

below is the log of my app, during the runtime.

FYI - i only kept the last 4 digits of the uid.

************ api_call for login and is being implemented ************

this is the sid generated in login time {'uid': '....... de04', 'sid': 'FIaWmYwY6cJPKceMDVjnEo_3NgB20p8edyaEcIhlY1E', 'url': 'https://<FW_IP>:443/web_api', 'session-timeout': 600, 'last-login-was-at': {'posix': 1607366481903, 'iso-8601': '2020-12-07T10:41-0800'}, 'api-server-version': '1.5'}

-------- This is the UID of the Login Session: ....... de04 ---------

************ api_call for show-session and FIaWmYwY6cJPKceMDVjnEo_3NgB20p8edyaEcIhlY1E is being implemented ************

################ this is the show session {'uid': '....... de04', 'type': 'session', 'domain': {'uid': '<domain uid>', 'name': 'MC-Core-DMS', 'domain-type': 'domain'}, ... omitted ....

************ api_call for add-access-rule and FIaWmYwY6cJPKceMDVjnEo_3NgB20p8edyaEcIhlY1E is being implemented ************

************ Publish function is being implemented for ....... de04 ************

************ api_call for publish and FIaWmYwY6cJPKceMDVjnEo_3NgB20p8edyaEcIhlY1E is being implemented ************

############## add rule base function {'code': 'not_implemented', 'message': 'Publishing other than current session is not implemented'}

Re: web api locks the section after using "add-access-rule"

FraP — Mon, 07 Dec 2020 19:30:23 GMT

For reference http 5xx is a server side error...

Run this cmd on the SMS in expert mode tailf $FWDIR/log/api.elg and run your script again...at some point you should be able to see what's wrong

Re: web api locks the section after using "add-access-rule"

Ahmadhr — Mon, 07 Dec 2020 19:10:25 GMT

Francesco,

thanks for the reply, i get the same error even when i run it from postman. although when i discard the session with the same uid it works fine.

so you are suggesting i check the log in the checkpoint fw itself to see whats going on?

Re: web api locks the section after using "add-access-rule"

FraP — Mon, 07 Dec 2020 19:30:03 GMT

On the manager...not the firewall!

1. connect on SMS and run in expert : tailf $FWDIR/log/api.elg
2. Make your api calls to the SMS
3. Grap the output, and share with us

From your output it seems that your are publish a different session...

Re: web api locks the section after using "add-access-rule"

Ahmadhr — Mon, 07 Dec 2020 19:24:25 GMT

Understood, I will share that here shortly

Thanks

Re: web api locks the section after using "add-access-rule"

Ahmadhr — Mon, 07 Dec 2020 20:29:03 GMT

2020-12-07 12:13:14,635 INFO com.checkpoint.management.web_api_is.utils.helpers.ApiCache.<init>:21 [qtp1742603008-28] - Cache created and initialized
2020-12-07 12:13:14,636 INFO com.checkpoint.management.web_api.web_services.WebApiEntryPoint.logRequestedCommandInfo:19 [qtp1742603008-28] - Executing [publish] of version 1.5 (references 1)
2020-12-07 12:13:14,636 ERROR com.checkpoint.management.web_api_is.exceptions.WebApiGeneralException.log:42 [qtp1742603008-28] - Error code: [NOT_IMPLEMENTED]
2020-12-07 12:13:14,636 ERROR com.checkpoint.management.web_api_is.exceptions.WebApiGeneralException.log:43 [qtp1742603008-28] - Error message: [Publishing other than current session is not implemented]
2020-12-07 12:13:14,636 ERROR com.checkpoint.management.web_api.utils.WebApiCommandExceptionUtils.getErrorReply:94 [qtp1742603008-28] -
com.checkpoint.management.web_api_is.exceptions.WebApiGeneralException
at com.checkpoint.management.web_api.core.handler.commands.session.publish.PublishRequest.normalize(PublishRequest.java:11)
at com.checkpoint.management.web_api_is.core.handler.base.request.ApiRequest.prepare(ApiRequest.java:3)
at com.checkpoint.management.web_api.core.handler.commands.session.publish.PublishRequestHandler.publish(PublishRequestHandler.java:6)
at sun.reflect.GeneratedMethodAccessor254.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at com.checkpoint.management.web_api_is.utils.WebApiReflectionUtils.invoke(WebApiReflectionUtils.java:7)
at com.checkpoint.management.web_api.web_services.WebApiEntryPoint.postEntryPoint(WebApiEntryPoint.java:102)
at sun.reflect.GeneratedMethodAccessor211.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:181)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:97)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:268)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at com.checkpoint.management.web_api.core.filter.LogCustomDebugFieldFilter.doFilter(LogCustomDebugFieldFilter.java:19)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
at org.eclipse.jetty.server.handler.IPAccessHandler.handle(IPAccessHandler.java:203)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:154)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:370)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Thread.java:812)
2020-12-07 12:13:14,637 INFO com.checkpoint.management.web_api_is.utils.CsvFileWriterUtils.writeCsvLine:7 [qtp1742603008-28] - 2020-12-07,12:13:14 -0800,publish,FAILED,2
2020-12-07 12:13:14,638 INFO org.apache.cxf.interceptor.LoggingOutInterceptor.log:250 [qtp1742603008-28] - Outbound Message
---------------------------
ID: 1585
Response-Code: 501
Content-Type: application/json
Headers: {Content-Type=[application/json], Date=[Mon, 07 Dec 2020 20:13:14 GMT]}
Payload: {
"code" : "not_implemented",
"message" : "Publishing other than current session is not implemented"
}
--------------------------------------

Re: web api locks the section after using "add-access-rule"

Ahmadhr — Fri, 11 Dec 2020 19:43:21 GMT

guys,

i got it working, our firewall admin has enabled the "session description" at publish/install time, but i was not aware of it, when i added session-name and session-description it fixed the issue

thank you so much for your suggestions and help.

Re: web api locks the section after using "add-access-rule"

Daniel_Kavan — Tue, 28 Jun 2022 17:10:00 GMT

Recently, a session didn't get logged out of (my bad) and I was getting object was locked, the user group actually had a lock on it in dashboard. I was able to use this command to find a session id, that wasn't showing up with show-session, then I was able to discard it.

psql_client cpm postgres -c "select username,objid, applicationname from worksession where state='OPEN';"

topic Re: web api locks the section after using &quot;add-access-rule&quot; in API / CLI Discussion

web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

Re: web api locks the section after using "add-access-rule"

topic Re: web api locks the section after using "add-access-rule" in API / CLI Discussion