Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTTP basic auth doesn't work with some commands #2773

Closed
pznamensky opened this issue Jul 4, 2017 · 6 comments
Closed

HTTP basic auth doesn't work with some commands #2773

pznamensky opened this issue Jul 4, 2017 · 6 comments
Labels
theme/cli type/bug

Comments

@pznamensky
Copy link

Nomad version

Nomad v0.6.0-dev (c7d670f)

Operating system and Environment details

CentOS Linux release 7.3.1611 (Core)
Linux 4.4.60-11.el7.x86_64

Issue

We're trying to setup nginx proxy with basic auth in the front of nomad in order to deny access to nomad cluster like it was done by @mlafeldt in #1431 (Mathias, thank you for this)
But some commands, like nomad logs or nomad fs don't support basic auth and fail with error:

~ $ nomad fs aafe9f25
Unexpected response code: 401 (<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx</center>
</body>
</html>
)

Reproduction steps

  1. set up nginx with basic auth and use nomad's HTTP address as upstream
  2. export variable with nomad's address and credentials: export NOMAD_ADDR=http://user:password@nomad-proxy
  3. try to view logs for an allocation: nomad logs ...

Didn't you plan to add support for basic auth for these commands?
I guess it's not possible to do it with NOMAD_ADDR variable, because nomad connects to another host.
Maybe it would be more universal to add variables like NOMAD_BASIC_AUTH_USER and NOMAD_BASIC_AUTH_PASSWORD and use them for authorization?
@pznamensky pznamensky mentioned this issue Jul 21, 2017
Closed
@schmichael
Copy link
Member

This sounds like a bug, but you may want to use Nomad 0.6's tls.verify_https_clients = true feature for preventing unauthorized access to Nomad clusters. A guide to setting up TLS should be up soon: #2923

Using mTLS for preventing unauthorized access is a much more secure method than HTTP basic auth. Nomad 0.7 will address access.

@pznamensky
Copy link
Author

Yes, TLS verification looks promising.
But HTTP basic auth is much easier to setup.
As @dadgar said in #860 (comment) nomad fs connects directly to node's advertise address.
But this address points to proxy with basic auth.
So it would be greate if connections to node's advertise address inherit HTTP user and HTTP password from NOMAD_ADDR variable.

@pznamensky
Copy link
Author

This also affects 3rd party projects which use nomad/api like hashi-ui or nomad-exporter.

@kassybas
Copy link

kassybas commented Jan 9, 2018

It is now working with version: Nomad v0.7.1

@schmichael
Copy link
Member

Thanks for the update @kassybas! Sorry we left this one open, I believe it has been working since 0.6.2.

@github-actions
Copy link

github-actions bot commented Dec 4, 2022

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 4, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
theme/cli type/bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@schmichael @pznamensky @kassybas