Hello,

I've installed Apache Guacamole v.1.5.4 on Linux CentOS 8.5 - I'm able to log in to the GUI, create users, connections, etc.
I installed a database (MySQL) as well (to manage users and connections) with all needed *.jar files according to the docs: https://guacamole.apache.org/doc/gug/jdbc-auth.html
After that, I'm able to log in as the "guacadmin" user to the GUI and manage connections etc.

Now, I want to create a URL for a direct connection to my VM, but I get errors like the ones below:

------------------------------ SCRIPT -------------------------------------
#!/bin/bash
TOKEN=$(curl -s -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=guacadmin&password=guacadmin" http://localhost:8080/guacamole/api/tokens | jq -r '.authToken')

# Endpoint API Guacamole
API_ENDPOINT="http://localhost:8080/guacamole/api/session/data/mysql/connections"

CONNECTION_DATA='{
  "name": "Connection name",
  "protocol": "rdp",
  "parameters": {
    "hostname": "10.194.53.45",
    "port": "3389",
    "username": "user",
    "password": "password"
  }
}'

RESPONSE=$(curl -s -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d "$CONNECTION_DATA" "$API_ENDPOINT")
CONNECTION_ID=$(echo "$RESPONSE" | jq -r '.identifier')

if [ "$CONNECTION_ID" != "null" ]; then
  URL="http://localhost:8080/guacamole/#/client/$CONNECTION_ID?token=$TOKEN"
  echo "Connection ID: $CONNECTION_ID"
  echo "URL: $URL"
else
  echo "Error creating connection."
fi

------------------------------ OUTPUT ------------------------------------
Response: {"message":"Permission Denied.","translatableMessage":{"key":"APP.TEXT_UNTRANSLATED","variables":{"MESSAGE":"Permission Denied."}},"statusCode":null,"expected":null,"type":"PERMISSION_DENIED"}
Error creating connection.
------------------------------ OUTPUT END -------------------------------

---------------------------------- L O G S ----------------------------------
Apache Tomcat & system messages:

0:0:0:0:0:0:0:1 - - [09/Feb/2024:12:32:36 +0100] "GET /guacamole/api/session/data/mysql/users/self HTTP/1.1" 403 192
0:0:0:0:0:0:0:1 - - [09/Feb/2024:12:32:36 +0100] "GET /guacamole/api/session/data/mysql/users/self HTTP/1.1" 403 192

Feb 9 12:32:36 server[90877]: 12:32:36.207 [http-nio-8080-exec-7] DEBUG o.a.i.t.jdbc.JdbcTransaction - Committing JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@7c9de5c2]
Feb 9 12:32:36 server[90877]: 12:32:36.212 [http-nio-8080-exec-7] DEBUG o.a.i.t.jdbc.JdbcTransaction - Resetting autocommit to true on JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@7c9de5c2]
Feb 9 12:32:36 server[90877]: 12:32:36.213 [http-nio-8080-exec-7] DEBUG o.a.i.t.jdbc.JdbcTransaction - Closing JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@7c9de5c2]
Feb 9 12:32:36 server[90877]: 12:32:36.213 [http-nio-8080-exec-7] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 2090722754 ...
Feb 9 12:32:36 server[90877]: 12:32:36.214 [http-nio-8080-exec-7] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 2090722754 is GOOD!
Feb 9 12:32:36 server[90877]: 12:32:36.214 [http-nio-8080-exec-7] DEBUG o.a.i.d.pooled.PooledDataSource - Returned connection 2090722754 to pool.
Feb 9 12:32:36 server[90877]: 12:32:36.214 [http-nio-8080-exec-7] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "guacadmin".
Feb 9 12:32:36 server[90877]: 12:32:36.230 [http-nio-8080-exec-8] DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Permission Denied.
---------------------------------- L O G S END ----------------------------------

MESSAGE: DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Permission Denied.

-------------- DATABASE INFO (Permission) ------------------------------------
mysql> SELECT * FROM guacamole_entity JOIN guacamole_user_permission ON guacamole_entity.entity_id = guacamole_user_permission.entity_id WHERE guacamole_entity.name = 'guacadmin';
+-----------+-----------+------+-----------+------------------+------------+
| entity_id | name      | type | entity_id | affected_user_id | permission |
+-----------+-----------+------+-----------+------------------+------------+
|         1 | guacadmin | USER |         1 |                1 | READ       |
|         1 | guacadmin | USER |         1 |                1 | UPDATE     |
|         1 | guacadmin | USER |         1 |                1 | ADMINISTER |
|         1 | guacadmin | USER |         1 |                2 | READ       |
|         1 | guacadmin | USER |         1 |                2 | UPDATE     |
|         1 | guacadmin | USER |         1 |                2 | DELETE     |
|         1 | guacadmin | USER |         1 |                2 | ADMINISTER |
+-----------+-----------+------+-----------+------------------+------------+

I want to be able to dynamically create a URL after clicking on it, which will open the VM window in the browser (without having to enter parameters, username or password).

--
THANK YOU FOR HELP!
Best Regards,
Marcin

On 18 January 2024 at 12:41, Nick Couchman <vn...@apache.org> wrote:

> On Thu, Jan 18, 2024 at 1:03 AM anoop yadav <anoop...@gmail.com> wrote:
>
> > I am trying to build a Web app where users can create multiple Ubuntu instances and use them through my web app. The domain for my web app is example-app.com, which is written in reactjs. I have hosted guacamole clients on separate subdomains: lab.example-app.com. In the reactjs app, I am using the Iframe (not sure if there is any other way) to show lab.example-app.com (guacamole client app), since I don't want the user to do another login on the guacamole app. I am planning to use a token. My current logic is as follows:
> >
> > 1. When the user creates an account (the backend is in Django-python) I make a rest API request to create an account, get a token from guacamole and save it to the web app database.
> > 2. When the user creates an Ubuntu instance, using the rest API I create a connection and associate the user with it. I save a URL like lab.example-app.com/guacamole/#/client/<CONNECTION>?token=<TOKEN>
> >
> > Everything works fine, the user can access multiple connections, but since the token has a lifetime, after that time the URL is not working.
>
> To be clear, the token does not have a lifetime, it has an *idle lifetime* - that is, it times out after a certain period of inactivity. As long as the Guacamole instance is being used - for an active connection, for example - the token will remain valid.
>
> > How do I manage the token so that it doesn't expire?
>
> You can set the api-session-timeout property in guacamole.properties to adjust the *idle lifetime* of the token - see https://guacamole.apache.org/doc/gug/configuring-guacamole.html#guacamole-properties .
>
> That said, I don't think you really want it to never expire - at least, from a security perspective, I would not recommend that, even if you're doing some other cleanup of the tokens from your web application. You may want to extend it such that it more closely fits in with your use case, but setting it to either never expire (which isn't really possible) or even a very long idle time just adds security risk to the application.
>
> -Nick
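
An added example, not code from this thread or from the Guacamole project: one way to keep api-session-timeout short, as recommended above, is to request a token when the user clicks rather than storing a URL with a long-lived token, and to revoke the token when the session ends. GUAC_BASE, GUAC_USER, GUAC_PASS and the function names are assumptions for illustration; the client identifier layout (base64 of connection id, NUL, "c", NUL, data source) follows what the Guacamole web client puts after #/client/.

```bash
#!/bin/bash
# Added example: per-click token and client URL. GUAC_BASE, GUAC_USER,
# GUAC_PASS and all function names are assumptions for illustration.
GUAC_BASE="${GUAC_BASE:-http://localhost:8080/guacamole}"

# Identifier used after "#/client/": base64 of
# "<connection id> NUL c NUL <data source>" ("c" marks a connection).
guac_client_id() {
    printf '%s\000c\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Browser URL for one connection (id, data source) and one fresh token.
guac_client_url() {
    printf '%s/#/client/%s?token=%s' \
        "$GUAC_BASE" "$(guac_client_id "$1" "$2")" "$3"
}

# Request a token. Credentials are read from the environment and
# URL-encoded by curl instead of being hardcoded in the script.
# Prints nothing if the login fails.
guac_login() {
    curl -sf -X POST \
        --data-urlencode "username=$GUAC_USER" \
        --data-urlencode "password=$GUAC_PASS" \
        "$GUAC_BASE/api/tokens" | jq -r '.authToken // empty'
}

# Revoke a token as soon as the embedding application no longer needs it,
# rather than waiting for the idle timeout.
guac_logout() {
    curl -sf -X DELETE "$GUAC_BASE/api/tokens/$1" >/dev/null
}

# Typical flow at click time (commented out so the file can be sourced):
#   token=$(guac_login); [ -n "$token" ] || exit 1
#   guac_client_url 1 mysql "$token"
#   ...later, when the user closes the session:
#   guac_logout "$token"
```

Anyone who holds the resulting URL holds that session until the token is revoked or goes idle, so GUAC_USER should be an account limited to the connections it needs rather than an administrator.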