- 
          
- 
                Notifications
    You must be signed in to change notification settings 
- Fork 2k
Enable basic-auth by default #743
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
| When i test the change on docker playground deploy stack gives me | 
| That's good to know (probably because they use Alpine as a shell). Did the updated commit I pushed fix it? It seemed to fix it for me. | 
| Now it works as expected. | 
| Great 👍 I saw some issues on DO with it hanging when I typed "head -c 1 /dev/random" - wonder if this is an issue with using VMs? | 
| This works as expected. But one thing I noticed, when we deploy stack with  | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Few comments, have also run locally and it "works for me" (tm).
| then | ||
| echo "" | ||
| echo "Enabling basic authentication for gateway.." | ||
| echo "" | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you need to include the sed command here as well.
Say for example you deploy a stack with --no-auth this will alter the docker-compose.yml disabling auth, but if you then tear down the stack and run again without disabling auth, then you'd get the same altered compose file so auth would remain disabled.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about using envvars in the compose file instead (https://docs.docker.com/compose/environment-variables/) set enabled=true/false in these conditionals then run the final deploy with:
OPENFAAS_AUTH=$enabled docker stack deploy func --compose-file docker-compose.yml
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I prefer the env-var approach with a default set.
| sed -i -r.bak 's/basic_auth: \"true\"/basic_auth: \"false\"/' docker-compose.yml | ||
| fi | ||
|  | ||
| echo "Deploying OpenFaaS core services" | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For consistency you'd want the ellipsis at the end of this output.
| then | ||
| echo "[Credentials]\n username: admin \n password: $secret\n echo -n "$secret" | faas-cli login --username=admin --password-stdin" | ||
| else | ||
| echo "[Credentials]\n already exist, not creating" | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd be inclined to give the user the option to replace these secrets. Could be in a situation where they've been setup in the past but the user is no longer sure what they had been set to (cough me).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about docker secret create?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about something like this in the troubleshooting guide?
docker service create --image alpine:3.7 --secret secret-name cat /run/secrets/secret-name 
| echo "$secret" | docker secret create basic-auth-password - | ||
| if [ $? = 0 ]; | ||
| then | ||
| echo "[Credentials]\n username: admin \n password: $secret\n echo -n "$secret" | faas-cli login --username=admin --password-stdin" | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The echo -n... needs some context rather than just printing along with the username and password. Ie blank line spacer and some text telling the user to use this to log into the gateway with the client.
Or even better, offer to do so on behalf of the user (if faas-cli is found on the path).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should also make very clear that the user should record/store the generated user credentials as they'll not be made available again.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What context should we give about -n?
| @viveksyngh could you try modifying locally with the env-var variation suggestion by John? If that looks good I'll add it too. | 
| @alexellis I will try that. | 
| I will have this one ready over the weekend. | 
| @alexellis I have added it here and It works as I have tested on my local. | 
| # Secrets should be created even if basic-auth is disabled. | ||
| echo "Attempting to create credentials for gateway.." | ||
| echo "admin" | docker secret create basic-auth-user - | ||
| secret=$(head -c 16 /dev/urandom| $sha_cmd | cut -d " " -f 1) | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be good if there is an easy way for the user to create own credentials or edit the password without the need to set-up secrets manually.
What about passing and argument to deploy_stack.sh?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Possibly in a follow-up PR. I think it's out of scope for this change. The user really must run the faas-cli login command though.
| Derek set milestone: 0.8.6 | 
The deployment script will enable basic-auth by default to help avoid people deploying to a public IP with no protection from malicious actors. - In deploy_stash.sh /dev/random can hang on some systems, so using urandom will give a better experience, if less "random" data. For the purposes of creating an initial basic auth password this is sufficient. - Alpine Linux does not have the shasum command, but sha256sum. - Tested on MacOS with and without --no-auth flag. - Does not apply for armhf or powershell. BASIC_AUTH env-var added by Vivek Syngh @viveksyngh Signed-off-by: Alex Ellis (VMware) <[email protected]>
| Somehow the PR I merged from @viveksyngh brought in way too many commits and I couldn't resolve the issues. I've now rebased and force-pushed with a longer commit message and give credit to @viveksyngh for the part he added. This is a breaking change so please can: @ivanayov @MrTinD @johnmccabe take another look? Alex | 
| Docs PR: openfaas/docs#45 | 
| Ran new OpenFaas with auto-auth branch on a cloud deployed a function it seems that everything works. | 
| Thanks @MrTinD - did you do a "negative test" too? i.e. deploy with  | 
| Haven't got a great deal of time right now, but since the change 2 days ago I'm seeing deployment generate a password but not apply it - the UI is open. I'll have a closer look when I can. Logging here in case someone else can have a look in the meantime. | 
| @rgee0 can you check if your  | 
| @viveksyngh I'm working on the automation & pull clean on each run. It worked last week and it doesn't now. Has the mode of operation changed? | 
| Yes I merged a PR via Vivek into my commit, but don't expect functionality to change. | 
| we were using  | 
| I think I've found it.  In  | 
| Yes, that's what I was talking about. 👍 | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently this is broken. Needs docker-compose changes and retest before merge
|  | ||
| echo "Deploying stack" | ||
| docker stack deploy func --compose-file docker-compose.yml | ||
| export BASIC_AUTH="true" | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rgee0 this sets the value to true
- basic_auth is now set to true by default unless overriden in the env-var "BASIC_AUTH" Signed-off-by: Alex Ellis (VMware) <[email protected]>
Secrets for gateway needed to be bound to stack, but were commented-out. Tested on Swarm. Signed-off-by: Alex Ellis (VMware) <[email protected]>
| I've restored the changes but can't get the login to work via the  | 
Signed-off-by: Alex Ellis (VMware) <[email protected]>
| All fixed now and re-tested with Swarm. The issue was a local stack.yml in the faas folder with a gateway URL not found in the openfaas config file. Maybe we can bubble that up better as an error? | 
| Glad we caught that. Looks a lot better through my automation now. | 
Description
Enable basic-auth by default.
This changes ./deploy_stack.sh to generate and then apply secrets turning
on the built-in basic auth feature of the gateway.
Motivation and Context
#350 #74
The deployment script will enable basic-auth by default to help
avoid people deploying to a public IP with no protection from
malicious actors.
How Has This Been Tested?
Tested on MacOS with and without --no-auth flag.
Does not apply for armhf or powershell.
Example workflow for testing:
Test with positive and negative workflows: positive - password supplied and consumed, show that auth is working by using wrong password. Negative flow - disable auth and check auth is not required.
Types of changes
Checklist:
git commit -sWill need documentation change and change to integration tests to disable auth via
--no-authflag when deploying during testing.