Comments (12)
I think that's enough info for me to figure it out, thanks very much!
from foremast.
As an FYI, we were able to get foremast working via LDAP simply by adding username and password vars to the Python HTTP requests (all of them). Low on time at the moment, but will try to submit a pull request next week.
from foremast.
Hey thanks for the issue!
We will take a quick peek at this to see if we can get better output, but today foremast only supports x509 auth (or anonymous). We run gate on two ports: the standard port and an additional apiPort. Are you doing the same?
We would be open to adding LDAP auth support if you wish to submit a Pull Request though! We unfortunately don't have an LDAP server to test with today, which is probably why you are seeing the error above.
I am not sure if you have the ability to test this, but if you try reaching gate anonymously does the validation call work? I suspect it will, and if you enable x509 it should work too.
from foremast.
Hmm, that's interesting. Running a second, internal-facing gate with no auth would be fine for my purposes. A quick Google didn't provide much info, is this a common configuration? I've been using Halyard to install Spinnaker and it's not immediately obvious how to do it...
from foremast.
@philchristensen I think it is a fairly common configuration; we got the advice from Netflix. We do not run it with no auth, just with x509 auth instead of SAML (or LDAP). Our Gate configuration has:

default:
  apiPort: 7777
x509:
  enabled: true

which makes gate run on a second api port, bypassing some of the authentication methods. If you then have x509.enabled: true, it will make the api port use x509; if that is false, I think the api port is authentication-less.
This is not a separate instance of gate for us (it could be though), just small additions to the gate config that cause the app to run on two ports with different auth methods.
Unfortunately we do not use Halyard, so I don't know how to configure it from there.
from foremast.
Incidentally, if anyone stumbles on this thread, details about the feature and directions for doing this with Halyard can be found here: https://www.spinnaker.io/setup/security/authentication/x509/
from foremast.
@jfcarp Good to know you found a solution; Pull Requests are always welcome! We will be on the lookout for it!
from foremast.
Question for you guys here (as I am not exactly a programmer), but I was able to get it to work (test app / pipeline) simply by editing models.py and adding an Authorization: Basic [token] header to the headers, the token being the base64-encoded username/password for LDAP. My question is, how is models.py generated? Without adding this header, I was getting the same error as initially posted in this forum. So I wasn't sure if creating tests, etc. would be necessary, as maybe you guys know of an easier mechanism to add a header to the project, or how that file is generated, so it could include an env var perhaps. Also keep in mind this is simply the initial LDAP auth with the gate server, separate from the boto auth for AWS items (we simply used its ARN from a Kubernetes pod). Can provide the output if you would like too. Thanks in advance.
Also, I was able to edit the files below by adding headers = {'Authorization': 'Basic [token]', 'Content-Type': 'application/json'} to the requests manually. This got the foremast-pipeline to work, and there may be other headers elsewhere, so models.py seemed to be the one file to change, but I still haven't figured out how to pipe the header from a single place and then eventually replace that with an env var.
vi /opt/foremast/venv/lib/python3.5/site-packages/foremast/consts.py
vi /opt/foremast/venv/lib/python3.5/site-packages/foremast/app/create_app.py
vi /opt/foremast/venv/lib/python3.5/site-packages/foremast/runner.py
vi /opt/foremast/venv/lib/python3.5/site-packages/foremast/pipeline/create_pipeline.py
vi /opt/foremast/venv/lib/python3.5/site-packages/foremast/utils/apps.py
vi /opt/foremast/venv/lib/python3.5/site-packages/foremast/utils/pipelines.py
vi /opt/foremast/venv/lib/python3.5/site-packages/foremast/utils/subnets.py
OR
vi /opt/foremast/venv/lib/python3.5/site-packages/requests/models.py
from foremast.
Alright, sorry all, I got a docker container running for my purposes, but can't seem to figure out how to get the headers into the project without breaking other functionality, as it is quite fragmented. With a little direction I might spend more time on it later, but it seems the consts.py HEADERS isn't propagated throughout the project. I am not an expert here by any means, but perhaps most files need to be refactored to add the headers field after url; I am uncertain, and it is too time consuming to do it and not know if it is proper. Anyhow, I am attaching the example header, dockerfile, output, etc. for others to pick up hopefully. Cheers.
from foremast.
Hey @jfcarp sorry for the delay! Holiday season means a lot of us either out sick or vacationing. Let me review what you mentioned and see if we can work through this together. Do you happen to have a fork with the proposed changes that worked for you?
from foremast.
No, sorry, no fork. I literally just hacked models.py, which I believe is the general Python HTTP request model for each of the requests after installing foremast.
The line in models.py, with the Authorization added from an env var before Content-Type:
$ cat /opt/foremast/venv/lib/python3.5/site-packages/requests/models.py | grep "headers = {"
headers = {'Authorization': os.getenv('LDAP_AUTH'), 'Content-Type': 'application/json'}
Exported the env var:
export LDAP_AUTH="Basic [redacted]"
then it worked...
Also,
Foremast was installed in a venv under /opt/foremast and there is far more info in the foremast.txt above (script to install foremast the way I did, etc...). Hope it helps and Happy New Year!
from foremast.
We are centralizing the way we do Gate Auth. At the moment, we don't have a need for Basic-Auth, but we have a common entry point now at least so you can add it! :)
from foremast.
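The two approaches discussed in this thread, the commenter's patch to requests/models.py that injects an LDAP Basic header into every request, and the maintainers' later "common entry point" for Gate auth, are contrasted below in an added example. This is not foremast's code and not the project's eventual implementation: it configures a single requests.Session once, from environment variables whose names (GATE_URL, GATE_AUTH, GATE_USERNAME, GATE_PASSWORD, GATE_CLIENT_CERT, GATE_CLIENT_KEY) are assumptions for the example, and supports the three modes the thread mentions: anonymous apiPort, x509 client certificate, and HTTP Basic for an LDAP-backed Gate. Patching requests/models.py instead adds the Authorization header to every request the process makes, so the LDAP credentials would also be sent to any non-Gate host foremast happens to call; the session approach keeps them on the Gate host.

```python
"""Centralised Gate authentication for foremast-style Spinnaker calls.

Added example, not foremast's own code. One session carries the auth for
every Gate call, instead of a global header patched into requests.
Environment variable names are assumptions for this example.
"""
import base64
import os
from urllib.parse import urlsplit

import requests

GATE_URL_ENV = "GATE_URL"             # e.g. https://gate.example.internal:7777
GATE_AUTH_ENV = "GATE_AUTH"           # anonymous | x509 | basic
GATE_USER_ENV = "GATE_USERNAME"       # basic mode (LDAP-backed Gate)
GATE_PASSWORD_ENV = "GATE_PASSWORD"   # basic mode
GATE_CERT_ENV = "GATE_CLIENT_CERT"    # x509 mode: PEM client cert (or cert+key)
GATE_KEY_ENV = "GATE_CLIENT_KEY"      # x509 mode: PEM private key, if separate


class GateAuthError(ValueError):
    """Raised when the Gate auth configuration is missing or unsafe."""


def basic_auth_value(username, password):
    """Value of the Authorization header for HTTP Basic auth:
    'Basic ' + base64(username ':' password). This is what the thread's
    hand-built header contained; requests derives it from session.auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_gate_session(env=None):
    """Return (base_url, session) with Gate auth configured once, from env."""
    env = os.environ if env is None else env
    base_url = env.get(GATE_URL_ENV, "").rstrip("/")
    if not base_url:
        raise GateAuthError(f"{GATE_URL_ENV} is not set")
    mode = env.get(GATE_AUTH_ENV, "anonymous").strip().lower()

    # Passwords and client certificates must only travel over TLS.
    if mode in ("basic", "x509") and urlsplit(base_url).scheme != "https":
        raise GateAuthError(f"{mode} auth requires an https Gate URL, got {base_url!r}")

    session = requests.Session()
    session.headers["Content-Type"] = "application/json"

    if mode == "anonymous":
        pass  # the unauthenticated apiPort case: nothing to attach
    elif mode == "x509":
        cert = env.get(GATE_CERT_ENV)
        if not cert:
            raise GateAuthError(f"{GATE_CERT_ENV} is required for x509 auth")
        key = env.get(GATE_KEY_ENV)
        # requests accepts a single PEM path or a (cert, key) tuple of paths.
        session.cert = (cert, key) if key else cert
    elif mode == "basic":
        user, password = env.get(GATE_USER_ENV), env.get(GATE_PASSWORD_ENV)
        if not user or not password:
            raise GateAuthError(
                f"{GATE_USER_ENV} and {GATE_PASSWORD_ENV} are required for basic auth")
        session.auth = (user, password)  # requests emits the Basic header itself
    else:
        raise GateAuthError(f"unknown {GATE_AUTH_ENV} value {mode!r}")
    return base_url, session


def gate_url(base_url, path):
    """Join a Gate-relative path to the Gate base URL. A full URL is refused,
    so the session's credentials can never be sent to another host."""
    if "://" in path or path.startswith("//"):
        raise GateAuthError(f"refusing non-Gate URL on an authenticated Gate session: {path!r}")
    return f"{base_url}/{path.lstrip('/')}"


def authorization_header(session, url):
    """Authorization header requests would send for `url` on this session,
    or None. Prepares the request without sending it, so it works offline."""
    prepared = session.prepare_request(requests.Request("GET", url))
    return prepared.headers.get("Authorization")


def gate_get(session, base_url, path, **kwargs):
    """GET a Gate endpoint through the single configured session."""
    return session.get(gate_url(base_url, path), **kwargs)
```

With GATE_AUTH=basic, `authorization_header` returns exactly the "Basic ..." string the commenter pasted into models.py, which shows that `session.auth` replaces the library patch without any hand-built base64. Callers pass Gate paths (for example "applications/foo") rather than URLs, so a stray absolute URL cannot carry the LDAP credentials elsewhere. If you take the anonymous apiPort route instead, the thread's own caveat applies: with x509.enabled set to false that port is authentication-less, so keep it reachable only from the internal network.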