Key Rotation Support #1165
FYI, when authenticating API requests using signed header auth, Supermarket fetches the key via oc-id, but then it verifies the request on its own, here: `supermarket/app/controllers/api/v1/cookbook_uploads_controller.rb`, lines 158 to 202 in 0f0ee70.
I'm not sure exactly what process erchef follows when there are multiple keys, but it's likely that the code I referenced would need to be updated for multi-key.
Good morning, I'm facing a similar issue here, when using a self-hosted chef-enterprise and Supermarket in the same scenario. Here is the output from the knife command:
Hi @dfduarte, are you still seeing that error? Is that occurring only when you use a certain key, or all the time?
The code I referenced didn't change, so I'm pretty sure the behavior will be the same (unless of course I'm wrong about that section of code being the important thing). What I found was that the 'default' key works like you would expect, and any other key will always fail. To replicate this, you can add a second key to your user with
As far as I can tell, the Chef Server fetches all the user's keys and then loops through them to authenticate a request. I think to emulate this for Supermarket, you'd have to teach oc-id to give you all the public keys for a user, then update the API authentication part of Supermarket to loop over them all.
BTW, here's the erchef code for validating requests. When there are multiple keys, it takes the path that goes to
@nellshamrell Hello Nell, yep, I'm still having this problem. But for some reason, at least here, I've figured out that a logoff-logon (using the /id OAuth URL) in the Supermarket panel does the job and solves the problem. It happened all the time. Notice: I've updated to the latest 2.3 version of Supermarket, and I'm using the latest chef-server version (both stable, of course). I've not tested with all of the chef-server users yet, but I'm pretty sure that this will solve it for the rest. @danielsdeleo Good point. I'll try it if I face the problem again...
@dfduarte Yep, in order to upload to Supermarket using your key, you need to log in to Supermarket first. This is what creates a connection between a Supermarket account and the Chef Server, and that connection is needed to use your Chef Server key to upload to Supermarket.
I'm having issues myself (not sure if it's related to this or not). I went to https://id.chef.io/id/profile and clicked "Get a New Key" and then cleared all cookies, re-logged in and tried the following command and it keeps failing.
@jasonwbarnett Is your OAuth correctly configured? id.chef.io is the OAuth for the chef-server from Chef, and not for the private one. Yep, I made this same mistake when I configured Supermarket some months ago. Just configure your supermarket.rb properly, and everything will be ok =).
@dfduarte I am stupid... :( I literally followed the supermarket instructions to the T and it still isn't working. Can you break down what you said? I didn't fully grasp it.
@jasonwbarnett Chill man, no problem =). Well, I think supermarket.rb is not well documented (at least, it isn't intuitive), and some novice users can have some problems when setting up a new private installation. In short, you need: A Chef-Server, configured using the oauth directives (setting the URL, and generating a key for chef-server.rb). For the second one, you have 2 options: Using the (buggy) omnibus Chef cookbook to configure Supermarket, or grab the latest deb/rpm directly from the repository: https://packagecloud.io/chef/stable/. With this option, you will need to set up supermarket.rb manually. Head to /etc/opscode/supermarket.rb (I remember that). When reaching the OAuth section (with user id, token and OAuth URL), put the configuration from YOUR private Chef server setup, and overwrite all the default configurations there. So, just run a reconfigure and a restart and there you go.
Btw: The credentials mentioned above are for using your chef-server account with your (or the public) Supermarket, I -guess-... You don't need to generate a new user, given that Supermarket uses the user database from chef-server through OAuth.
I'm sorry... but this makes little sense to me. When I want to share a cookbook from my local dev machine to the public supermarket, why do I have to configure my private (or public) chef server?
@jasonwbarnett Oh, I guess I got your problem now. You have to set up at least an account on the public chef-server, and log in with it on Supermarket. Try this: https://www.chef.io/blog/2015/03/16/using-chef-supermarket-a-guided-tour/ I think this will answer your questions. Read from the "upload to supermarket" section. Remember: When setting up a new Starter Kit, you need to log off and log on again to your Supermarket account, because Supermarket needs to generate a new session key based on your new credentials.
@dfduarte I followed that a couple of days ago and it did not work. I also tried stove without success either. TBC, I've shared a cookbook in the past to the supermarket with success, but it took some finagling last time too. The documentation for sharing cookbooks is below the bar in my opinion.
@jasonwbarnett Which documentation are you using? The blog post @dfduarte mentioned? I would like to raise this documentation to at least at the bar, if not above it.
@robbkidd I leveraged multiple places for documentation.
@jasonwbarnett: what does your knife.rb file look like?
```ruby
current_dir = File.dirname(__FILE__)
log_level :info
log_location STDOUT
node_name "jasonwbarnett"
client_key "#{current_dir}/jasonwbarnett.pem"
validation_client_name "jasonwbarnett-validator"
validation_key "#{current_dir}/jasonwbarnett-validator.pem"
chef_server_url "https://api.chef.io/organizations/jasonwbarnett"
cookbook_path ["#{current_dir}/../cookbooks"]
```
@nellshamrell it's working now... sigh
Did anything change?
I mean, did you make some sort of change and it started working, or did it seem to start working on its own?
Hey @jasonwbarnett Take a look at this: https://github.com/chef/knife-supermarket This gem makes things easier when working with knife and Supermarket. I forgot about this plugin before, sorry XD. Anyway, nice to hear that you have already solved the problem.
Hi.. setting up a private chef-supermarket. Ran into the same issue. Exhausted all steps. Please advise.
ERROR: Authentication failed due to an invalid public/private key pair. If you have changed your keys recently try logging out and logging back in to Supermarket.
Fixed the issue. It was due to time drift between the Chef server and Supermarket. Configured ntp.
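As an added example that is not code from Supermarket, oc-id or erchef, the Ruby sketch below puts together the two checks this thread circles around: the multi-key loop @danielsdeleo describes (try every non-expired key returned for the user, not just `default`) and the timestamp skew check that made the clock drift @tonyvilliams hit fail authentication. The canonical-string layout, the key store and the 15-minute skew window are assumptions, simplified from Chef's signed-header scheme.

```ruby
require "openssl"
require "digest"
require "time"

# Constructed example, not Supermarket's or erchef's code: verify a Chef-style
# signed request against every non-expired key registered for a user rather than
# only the 'default' key, after rejecting requests whose X-Ops-Timestamp drifted
# too far. Key store, skew window and canonical-string layout are simplified.
MAX_SKEW_SECONDS = 15 * 60
UserKey = Struct.new(:name, :public_key, :expires_at) # what oc-id would return per user

# Simplified canonical string, modelled on (not identical to) Chef's v1.0 form.
def canonical_string(method, path, body, timestamp, user_id)
  ["Method:#{method}",
   "Hashed Path:#{Digest::SHA1.base64digest(path)}",
   "X-Ops-Content-Hash:#{Digest::SHA1.base64digest(body)}",
   "X-Ops-Timestamp:#{timestamp}",
   "X-Ops-UserId:#{user_id}"].join("\n")
end

# Client side: the signed headers knife would send.
def sign_request(private_key, method, path, body, user_id, now = Time.now.utc)
  ts = now.iso8601
  sig = private_key.sign(OpenSSL::Digest.new("SHA256"), canonical_string(method, path, body, ts, user_id))
  { "X-Ops-Timestamp" => ts, "X-Ops-UserId" => user_id, "X-Ops-Authorization" => [sig].pack("m0") }
end

# Server side: returns the name of the key that verified, or nil. The skew check
# runs first, so a drifted clock fails every key (the ntp symptom in the thread).
def authenticate(headers, method, path, body, keys, now = Time.now.utc)
  return nil if (now - Time.iso8601(headers["X-Ops-Timestamp"])).abs > MAX_SKEW_SECONDS
  data = canonical_string(method, path, body, headers["X-Ops-Timestamp"], headers["X-Ops-UserId"])
  sig = headers["X-Ops-Authorization"].unpack1("m0")
  keys.each do |k|
    next if k.expires_at && k.expires_at <= now # expired keys never verify
    return k.name if k.public_key.verify(OpenSSL::Digest.new("SHA256"), sig, data)
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  now = Time.utc(2020, 1, 1, 12, 0, 0)
  keys = [UserKey.new("rotated", key.public_key, now + 86_400)]
  hdrs = sign_request(key, "POST", "/api/v1/cookbooks", "{}", "example-user", now)
  p authenticate(hdrs, "POST", "/api/v1/cookbooks", "{}", keys, now)        # "rotated"
  p authenticate(hdrs, "POST", "/api/v1/cookbooks", "{}", keys, now + 3600) # nil: clock drift
end
```

A real deployment would also have to decide which key name to report back to the client on failure, since the error above only says the key pair is invalid.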
@tonyvilliams Can't thank you enough for posting your solution here, saved me potential hours of pointless troubleshooting. Fracking ntp.
I just want to note here that 2 years later I ran into the whole fiasco again and thank God I documented the solution here. I can't imagine I'm the only person who struggles with getting authentication to Supermarket up and running (thinking of one-off, not full time chefs). Is it really a requirement to have a chef manage account to work with Supermarket?
Since its beginning and for the foreseeable future, public Supermarket authenticates users with Hosted Chef (the Chef-as-a-Service, what I think you mean by "chef manage account"). This requirement is unlikely to change given the engineering and community users' effort that would be required to alter public Supermarket's user identity provider. I'll take this as a task to review the current public Supermarket documentation and try to make the Hosted Chef requirement and knife configuration more clear.
@robbkidd That makes sense. I hadn't even made the connection that kitchen was leveraging Hosted Chef for auth. I thought it was just some magical wiring in the backend :). Thank you for your commitment to Chef as a whole. Really grateful for the excellent engagement.
@jasonwbarnett
Chef Server now supports multiple keys for a user with optional expiration. However, I am only able to authenticate to Supermarket using the `default` key. When I try to use any other key, I get this error when using knife-supermarket:

My use case is that I want to publish cookbooks using delivery to a Supermarket that is attached to a different Chef Server, and I want to use the same key pair and user name so I have one less credential to manage. I am able to do this by setting the default key. However, enterprise users with key rotation requirements will not be able to seamlessly rotate keys for use with Supermarket the same way they can with chef-client.

This is likely an issue with oc-id; feel free to move the issue there if appropriate.