Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ahmadhr
Contributor
Jump to solution

web api locks the section after using "add-access-rule"

Hi everyone, 

 

i am trying to use the add-access-rule API to create a rule on top, it pushes the change, and publish with 200 status code for the first time, but it doesn't show the change on the smart-console. also after that, it locks that particular section. locked_section.png

below is the body: 

body_add_new_rule = {
   
"layer": layer,
   
"position": 2,
   
"name": name,
   
"action": "Accept",
   
"service": "any",
   
"destination": dst_node,
   
"source": src_node,
   
"track": {
       
"type": "Log"
    }
}

 

this is the response API returns:

{'code': 'generic_error', 'message': "Runtime error: Object 'SHC Space at SOM' is locked by another session."}

 

FYI - i use the "logout" command to logout after each API to make sure the session doesnt get stuck, i have verified it in smart-console and session disconnects with no issue.

 

i appreciate if you can help me with this. pretty much stopping me from developing my app

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

Any (set of) changes made via the API are done as part of a session.
This also applies to changes made via SmartConsole.
That session must either be published or discarded with an explicit API call.
If you do neither, some objects/changes made via that session will remain locked.
Once the relevant session is published/discarded, the lock should be removed.
This is done to prevent conflicting changes from being made.

View solution in original post

16 Replies
PhoneBoy
Admin
Admin

Any (set of) changes made via the API are done as part of a session.
This also applies to changes made via SmartConsole.
That session must either be published or discarded with an explicit API call.
If you do neither, some objects/changes made via that session will remain locked.
Once the relevant session is published/discarded, the lock should be removed.
This is done to prevent conflicting changes from being made.

Ahmadhr
Contributor

Thank you so much, i actually was able to find all the web-api sessions by "show-sessions" and discard them, i am unlocked now. pphhewwww 

 

thanks so much for your prompt response. 

Daniel_Kavan
Advisor
Advisor

Recently, a session didn't get logged out of (my bad) and I was getting object was locked, the user group actually had a lock on it in dashboard.  I was able to use this command to find a session id, that wasn't showing up with show-session, then I was able to discard it. 

psql_client cpm postgres -c "select username,objid, applicationname from worksession where state='OPEN';"

Ahmadhr
Contributor

do i have to use the same uid that was generated initially when i created the session by "login"? 

i am doing show-sessions to find it, but i cant tell which one is what, 

0 Kudos
PhoneBoy
Admin
Admin

The publish/discard action applies to the specified session uid.

Ahmadhr
Contributor

i use the below uid to publish the change, but i get 501 error not sure what i am doing wrong

 

{'uid': '<the uid>', ------->>>>> THIS UID 

'sid': 'WW0Z9DDxScwEYwMtbdLtRwK9IGOrLawwN0_FKWmgAEU',

'url': 'https://<myFW>:443/web_api', 'session-timeout': 600,

'last-login-was-at': {'posix': 1607307607855, 'iso-8601': '2020-12-06T18:20-0800'}, '

api-server-version': '1.5'}

PhoneBoy
Admin
Admin

You sure that uid is active? (i.e. does it show in show-sessions)

0 Kudos
Ahmadhr
Contributor

when login happens i instantly use the sid to api call other commands, but when i use the uid to publish the change, it throws error. FYI- i doing this in python as well as Postman, 

0 Kudos
Ahmadhr
Contributor

yes i just checked during the runtime of the code, the session is active and shows on the show-session

0 Kudos
Ahmadhr
Contributor

below is the log of my app, during the runtime. 

FYI - i only kept the last 4 digits of the uid. 

************ api_call for login and is being implemented ************

this is the sid generated in login time {'uid': '....... de04', 'sid': 'FIaWmYwY6cJPKceMDVjnEo_3NgB20p8edyaEcIhlY1E', 'url': 'https://<FW_IP>:443/web_api', 'session-timeout': 600, 'last-login-was-at': {'posix': 1607366481903, 'iso-8601': '2020-12-07T10:41-0800'}, 'api-server-version': '1.5'}

-------- This is the UID of the Login Session: ....... de04 ---------

************ api_call for show-session and FIaWmYwY6cJPKceMDVjnEo_3NgB20p8edyaEcIhlY1E is being implemented ************

################ this is the show session {'uid': '....... de04', 'type': 'session', 'domain': {'uid': '<domain uid>', 'name': 'MC-Core-DMS', 'domain-type': 'domain'}, ... omitted ....

************ api_call for add-access-rule and FIaWmYwY6cJPKceMDVjnEo_3NgB20p8edyaEcIhlY1E is being implemented ************

************ Publish function is being implemented for ....... de04 ************

************ api_call for publish and FIaWmYwY6cJPKceMDVjnEo_3NgB20p8edyaEcIhlY1E is being implemented ************

############## add rule base function {'code': 'not_implemented', 'message': 'Publishing other than current session is not implemented'}

 

0 Kudos
FraP
Contributor

For reference http 5xx is a server side error...

Run this cmd on the SMS in expert mode tailf $FWDIR/log/api.elg and run your script again...at some point you should be able to see what's wrong

Ahmadhr
Contributor

Francesco, 

thanks for the reply, i get the same error even when i run it from postman. although when i discard the session with the same uid it works fine. 

so you are suggesting i check the log in the checkpoint fw itself to see whats going on? 

0 Kudos
FraP
Contributor

On the manager...not the firewall!

1. connect on SMS and run in expert : tailf $FWDIR/log/api.elg
2. Make your api calls to the SMS
3. Grap the output, and share with us

From your output it seems that your are publish a different session...

 

Ahmadhr
Contributor

Understood, I will share that here shortly

Thanks 

0 Kudos
Ahmadhr
Contributor
2020-12-07 12:13:14,635 INFO com.checkpoint.management.web_api_is.utils.helpers.ApiCache.<init>:21 [qtp1742603008-28] - Cache created and initialized
2020-12-07 12:13:14,636 INFO com.checkpoint.management.web_api.web_services.WebApiEntryPoint.logRequestedCommandInfo:19 [qtp1742603008-28] - Executing [publish] of version 1.5 (references 1)
2020-12-07 12:13:14,636 ERROR com.checkpoint.management.web_api_is.exceptions.WebApiGeneralException.log:42 [qtp1742603008-28] - Error code: [NOT_IMPLEMENTED]
2020-12-07 12:13:14,636 ERROR com.checkpoint.management.web_api_is.exceptions.WebApiGeneralException.log:43 [qtp1742603008-28] - Error message: [Publishing other than current session is not implemented]
2020-12-07 12:13:14,636 ERROR com.checkpoint.management.web_api.utils.WebApiCommandExceptionUtils.getErrorReply:94 [qtp1742603008-28] -
com.checkpoint.management.web_api_is.exceptions.WebApiGeneralException
at com.checkpoint.management.web_api.core.handler.commands.session.publish.PublishRequest.normalize(PublishRequest.java:11)
at com.checkpoint.management.web_api_is.core.handler.base.request.ApiRequest.prepare(ApiRequest.java:3)
at com.checkpoint.management.web_api.core.handler.commands.session.publish.PublishRequestHandler.publish(PublishRequestHandler.java:6)
at sun.reflect.GeneratedMethodAccessor254.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at com.checkpoint.management.web_api_is.utils.WebApiReflectionUtils.invoke(WebApiReflectionUtils.java:7)
at com.checkpoint.management.web_api.web_services.WebApiEntryPoint.postEntryPoint(WebApiEntryPoint.java:102)
at sun.reflect.GeneratedMethodAccessor211.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:181)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:97)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:268)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at com.checkpoint.management.web_api.core.filter.LogCustomDebugFieldFilter.doFilter(LogCustomDebugFieldFilter.java:19)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
at org.eclipse.jetty.server.handler.IPAccessHandler.handle(IPAccessHandler.java:203)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:154)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:370)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Thread.java:812)
2020-12-07 12:13:14,637 INFO com.checkpoint.management.web_api_is.utils.CsvFileWriterUtils.writeCsvLine:7 [qtp1742603008-28] - 2020-12-07,12:13:14 -0800,publish,FAILED,2
2020-12-07 12:13:14,638 INFO org.apache.cxf.interceptor.LoggingOutInterceptor.log:250 [qtp1742603008-28] - Outbound Message
---------------------------
ID: 1585
Response-Code: 501
Content-Type: application/json
Headers: {Content-Type=[application/json], Date=[Mon, 07 Dec 2020 20:13:14 GMT]}
Payload: {
"code" : "not_implemented",
"message" : "Publishing other than current session is not implemented"
}
--------------------------------------
0 Kudos
Ahmadhr
Contributor

guys, 

i got it working, our firewall admin has enabled the "session description" at publish/install time, but i was not aware of it, when i added session-name and session-description it fixed the issue

thank you so much for your suggestions and help. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events