
Comments (12)

philchristensen commented on June 7, 2024

I think that's enough info for me to figure it out, thanks very much!

from foremast.

some-random-engineer commented on June 7, 2024

As FYI, we were able to get foremast working via LDAP, simply by adding a username, password var in the python http requests (all of them). Low on time at the moment, but will try and submit a pull request next week.

jvasallo commented on June 7, 2024

Hey thanks for the issue!

We will take a quick peek at this to see if we can get better output, but today foremast only supports x509 auth (or anonymous). We run gate on two ports; the standard port and an additional apiPort. Are you doing the same?

We would be open to adding LDAP auth support if you wish to submit a Pull Request though! We unfortunately don't have an LDAP server to test with today hence why you are probably seeing the error above.

I am not sure if you have the ability to test this, but if you try reaching gate anonymously does the validation call work? I suspect it will, and if you enable x509 it should work too.

philchristensen commented on June 7, 2024

Hmm, that's interesting. Running a second, internal-facing gate with no auth would be fine for my purposes. A quick Google didn't provide much info, is this a common configuration? I've been using Halyard to install Spinnaker and it's not immediately obvious how to do it...

ndcampbell commented on June 7, 2024

@philchristensen I think it is a fairly common configuration, we got the advice from Netflix. We do not run it with no auth, just with x509 auth instead of SAML (or LDAP). Our Gate configuration has:

default:
  apiPort: 7777

x509:
  enabled: true

which makes gate run on a second api port, bypassing some of the authentication methods. If you then have x509.enabled: true, it will make the api port use x509, if that is false, I think the api port is authentication-less.

This is not a separate instance of gate for us (it could be though), just small additions to the gate config that cause the app to run on two ports with different auth methods.

Unfortunately we do not use Halyard, so I don't know how to configure it from there.

philchristensen commented on June 7, 2024

Incidentally, if anyone stumbles on this thread, details about the feature and directions for doing this with Halyard can be found here: https://www.spinnaker.io/setup/security/authentication/x509/

jvasallo commented on June 7, 2024

@jfcarp Good to know you found a solution; Pull Requests are always welcome! We will be on the lookout for it! 👍

some-random-engineer commented on June 7, 2024

Question for you guys here (as I am not exactly a programmer) but, I was able to get it to work (test app / pipeline) simply by editing the models.py and adding an Authorization Basic [token] to headers. The token being the base64 encoded username/password for LDAP. My question is, how is models.py generated? Without adding this header, I was getting the same error as initially posted in this forum. So, I wasn't sure if creating tests, etc would be necessary, as maybe you guys know of a mechanism to add a header to the project easier or how that file is generated to include an env var perhaps. Also keep in mind this is simply the initial LDAP auth with the gate server, separate from the boto auth for aws items (we simply used its arn from a kubernetes pod). Can provide the output if you would like too. Thanks in advance.

Also, I was able to edit the files below by adding headers = {'Authorization': 'Basic [token]', 'Content-Type': 'application/json'} to the requests manually. This got the foremast-pipeline to work and may be other headers elsewhere, so the models.py seemed to be the one file to change, but still haven't figured how to pipe the header from a single place, then eventually replace that with an env var.

vi /opt/foremast/venv/lib/python3.5/site-packages/foremast/consts.py
vi /opt/foremast/venv/lib/python3.5/site-packages/foremast/app/create_app.py
vi /opt/foremast/venv/lib/python3.5/site-packages/foremast/runner.py
vi /opt/foremast/venv/lib/python3.5/site-packages/foremast/pipeline/create_pipeline.py
vi /opt/foremast/venv/lib/python3.5/site-packages/foremast/utils/apps.py
vi /opt/foremast/venv/lib/python3.5/site-packages/foremast/utils/pipelines.py
vi /opt/foremast/venv/lib/python3.5/site-packages/foremast/utils/subnets.py

OR

vi /opt/foremast/venv/lib/python3.5/site-packages/requests/models.py

some-random-engineer commented on June 7, 2024

Alright, sorry all, I got a docker container running for my purposes, but can't seem to figure out how to get the headers into the project without breaking other functionalities, as it is quite fragmented. With a little direction I might spend more time later, but seems the consts.py HEADERS isn't propagated throughout the project and I am not an expert here by any means, but perhaps most files need refactored to add the headers field after url, but I am uncertain and it is too time consuming to do it and not know if it is proper. Anyhow, I am attaching the example header, dockerfile, output, etc for others to pick up hopefully. Cheers.

foremast.txt

jvasallo commented on June 7, 2024

Hey @jfcarp sorry for the delay! Holiday season means a lot of us either out sick or vacationing. Let me review what you mentioned and see if we can work through this together. Do you happen to have a fork with the proposed changes that worked for you?

some-random-engineer commented on June 7, 2024

No, sorry, no fork. I literally just hacked the models.py, which I believe is the general python http_request model for each of the requests after installing foremast.

  1. The line in the models.py, just added the authorization from ENV VAR before Content-Type
    → cat /opt/foremast/venv/lib/python3.5/site-packages/requests/models.py | grep "headers = {"
    headers = {'Authorization': os.getenv('LDAP_AUTH'), 'Content-Type': 'application/json'}

  2. Exported the ENV VAR
    export LDAP_AUTH="Basic [redacted]"

then it worked...

Also,
Foremast was installed in venv under /opt/foremast and there is far more info in the foremast.txt above (script to install foremast the way I did, etc...). Hope it helps and Happy New Year!

jvasallo commented on June 7, 2024

We are centralizing the way we do Gate Auth. At the moment, we don't have a need for Basic-Auth, but we have a common entry point now at least so you can add it! :)

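An added example, not code from this thread or from foremast: one way to keep the LDAP Basic credential behind a single entry point in the calling code rather than in the installed requests package, which every caller in that virtualenv shares. LDAP_AUTH is the variable used in the thread; GATE_API_URL, the function names and the sample values are assumptions made for this example.

```python
import os
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def gate_headers(url, env=None):
    """Headers for one outgoing request; Authorization is added only for Gate.

    LDAP_AUTH holds the full header value, "Basic <base64 user:password>".
    GATE_API_URL (hypothetical) names the one origin allowed to receive it.
    """
    env = os.environ if env is None else env
    headers = {"Content-Type": "application/json"}
    credential = env.get("LDAP_AUTH")
    gate = env.get("GATE_API_URL")
    if not credential or not gate:
        return headers  # anonymous or x509 setups: nothing to attach
    if not credential.startswith("Basic ") or "\r" in credential or "\n" in credential:
        raise ValueError("LDAP_AUTH must be a single line 'Basic <token>'")
    target, allowed = _origin(url), _origin(gate)
    if target != allowed:
        return headers  # any other scheme, host or port never sees the credential
    if target[0] != "https":
        raise ValueError("refusing to send Basic credentials over " + target[0])
    headers["Authorization"] = credential
    return headers


if __name__ == "__main__":
    # Constructed sample values (base64 of "demo:demo"), not real hosts or secrets.
    sample = {
        "LDAP_AUTH": "Basic ZGVtbzpkZW1v",
        "GATE_API_URL": "https://gate.example.internal:8084",
    }
    for u in ("https://gate.example.internal:8084/applications",
              "https://pypi.example.org/simple/"):
        print(u, "->", sorted(gate_headers(u, sample)))
```

The returned dict can be passed as the `headers=` argument of each requests call that talks to Gate.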
