Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Error reading generated service principal #1423

Closed
przemyslavic opened this issue Jul 3, 2020 · 3 comments
Closed

[BUG] Error reading generated service principal #1423

przemyslavic opened this issue Jul 3, 2020 · 3 comments
Assignees
@seriva @przemyslavic
Labels
type/bug
Milestone
0.7.1

Comments

@przemyslavic
Copy link
Collaborator

Describe the bug
Epiphany cannot read generated service principal because of special characters in the password causing a syntax error.

To Reproduce
Steps to reproduce the behavior:

  1. execute epicli apply -f test.yml (configuration given below)

Expected behavior
The service principal has been generated correctly and the cluster has been deployed successfully.

Config files
Configuration that should be included in the yaml file:

---
kind: epiphany-cluster
name: test
provider: azure
specification:
  admin_user:
    key_path: /path/to/id_rsa
    name: operations
  cloud:
    region: xxx
    subscription_name: xxx
    use_public_ips: true
    use_service_principal: true

OS (please complete the following information):

  • OS: [all]

Cloud Environment (please complete the following information):

  • Cloud Provider [MS Azure]

Additional context
Log:

12:59:14 INFO cli.engine.providers.azure.APIProxy - To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXX to authenticate.
12:59:49 INFO cli.engine.providers.azure.APIProxy - Done running "az login"
12:59:49 INFO cli.engine.providers.azure.APIProxy - Running: "az account set --subscription xxx-xxx-xxx-xxx-xxx"
12:59:49 INFO cli.engine.providers.azure.APIProxy - Done running "az account set --subscription xxx-xxx-xxx-xxx-xxx"
12:59:49 INFO cli.engine.terraform.TerraformRunner - Creating service principal
12:59:49 INFO cli.engine.providers.azure.APIProxy - Running: "az ad sp create-for-rbac -n 'ci-xxx-rg' --role='Contributor' --scopes='/subscriptions/xxx-xxx-xxx-xxx-xxx'"
12:59:50 INFO cli.engine.providers.azure.APIProxy - Changing "ci-retryable-rg" to a valid URI of "http://ci-xxx-rg", which is the required format used for service principal names
12:59:52 INFO cli.engine.providers.azure.APIProxy - Creating a role assignment under the scope of "/subscriptions/xxx-xxx-xxx-xxx-xxx"
12:59:59 INFO cli.engine.providers.azure.APIProxy -   Retrying role assignment creation: 1/36
13:00:08 INFO cli.engine.providers.azure.APIProxy - Done running "az ad sp create-for-rbac -n 'ci-retryable-rg' --role='Contributor' --scopes='/subscriptions/xxx-xxx-xxx-xxx-xxx'"
13:00:08 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...0
13:00:09 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...1
13:00:10 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...2
13:00:11 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...3
13:00:12 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...4
13:00:13 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...5
13:00:14 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...6
13:00:15 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...7
13:00:16 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...8
13:00:17 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...9
13:00:18 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...10
13:00:19 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...11
13:00:20 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...12
13:00:21 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...13
13:00:22 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...14
13:00:23 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...15
13:00:24 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...16
13:00:25 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...17
13:00:26 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...18
13:00:27 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...19
13:00:28 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...20
13:00:29 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...21
13:00:30 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...22
13:00:31 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...23
13:00:32 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...24
13:00:33 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...25
13:00:34 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...26
13:00:35 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...27
13:00:36 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...28
13:00:37 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...29
13:00:38 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...30
13:00:39 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...31
13:00:40 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...32
13:00:41 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...33
13:00:42 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...34
13:00:43 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...35
13:00:44 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...36
13:00:45 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...37
13:00:46 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...38
13:00:47 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...39
13:00:48 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...40
13:00:49 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...41
13:00:50 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...42
13:00:51 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...43
13:00:52 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...44
13:00:53 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...45
13:00:54 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...46
13:00:55 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...47
13:00:56 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...48
13:00:57 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...49
13:00:58 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...50
13:00:59 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...51
13:01:00 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...52
13:01:01 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...53
13:01:02 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...54
13:01:03 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...55
13:01:04 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...56
13:01:05 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...57
13:01:06 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...58
13:01:07 INFO cli.engine.providers.azure.APIProxy - Waiting 60 seconds...59
13:01:08 INFO cli.engine.providers.azure.APIProxy - /bin/sh: 1: Syntax error: EOF in backquote substitution
13:01:08 ERROR epicli - Error running Azure APIProxy cmd
13:01:11 INFO dump_debug_info - Error dump has been written to: /shared/epicli_error_20200703-130108.dump
13:01:11 WARNING dump_debug_info - This dump might contain sensitive information. Check before sharing.

Possible cause:
special characters in the generated password, including: ?('`$-~"
@przemyslavic przemyslavic added this to the 0.7.1 milestone Jul 3, 2020
@seriva seriva self-assigned this Jul 7, 2020
@seriva
Copy link
Collaborator

seriva commented Jul 8, 2020

Yes the issue is with the cli/engine/providers/azure/APIProxy.py where some calls utilizing the SP pw and application string may fail because of escape characters in the string.

Should be easy fix.

@seriva
Copy link
Collaborator

seriva commented Jul 9, 2020

So the issue is fix in later version of AzureCLI. Easiest fix is to bump versions 2.8.0:

Azure/azure-cli#13625
Azure/azure-cli#13643
https://github.com/MicrosoftDocs/azure-docs-cli/blob/master/docs-ref-conceptual/release-notes-azure-cli.md#rbac

seriva added a commit that referenced this issue Jul 14, 2020
@seriva
Merge pull request #1432 from seriva/fix/1423
c032996 
Fix for Error reading generated service principal (#1423)
@przemyslavic przemyslavic self-assigned this Jul 15, 2020
@przemyslavic
Copy link
Collaborator Author

Special characters in the password were limited to the range -_. ~ , which don't cause problems with reading by epicli.
Test passwords contained letters (lower and uppercase), digits and safe punctuation marks -_. ~ .
No issues found.

@mkyc mkyc closed this as completed Jul 21, 2020
@seriva seriva mentioned this issue Aug 11, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@seriva seriva

@przemyslavic przemyslavic

Labels
type/bug
Projects
None yet
Milestone
0.7.1
Development

No branches or pull requests
3 participants
@seriva @mkyc @przemyslavic