Open vlahan opened 1 year ago
Hey @vlahan ,
Thanks for reaching out on this. In principle, this can be implemented. I'd need to test it somewhere, though. Do you have any advice on what that could be tested against?
Best, Anton
Hi @akarneliuk,
apologies for the late reply.
One option is to test this using Caddy as a reverse proxy to an internal gNMI server on localhost that has authentication and TLS disabled. In this scenario, Caddy takes over the basic authentication and the TLS termination.
Here is a simple Caddyfile with basic auth for user "admin":
```
{
    servers :9339 {
        protocols h1 h2 h2c
    }
    log {
        level DEBUG
    }
}

:9339 {
    tls /etc/ssl/certs/public.pem /etc/ssl/private/key.pem
    route {
        basicauth * {
            # create hash using ./caddy hash-password
            admin /BCRYPT_HASH/
        }
        # point to internal gNMI server listening on localhost
        reverse_proxy h2c://localhost:19339
    }
}
```
Hi @akarneliuk,
please let me know if you might benefit from more information on the FR. If you share some of your thinking on the preferred design, we can also try to provide a patch proposal. After the corresponding change in gNMIc, we are now forced to use a dedicated workaround for pygnmi in our test scripts, so we have a strong interest in an upstream solution that achieves parity so we can simplify the handling.
--Vlado
The current implementation passes the user credentials via two predefined request headers "Username" and "Password".
The goal of this request is to add a new option to pygnmi to select among different authentication schemes. For example, to be able to send the credentials in a format compatible with https://datatracker.ietf.org/doc/html/rfc7235#section-4.2 and https://datatracker.ietf.org/doc/html/rfc7617, i.e. by sending an "Authorization" header with the value "Basic base64enc(username:password)".
Note: this is a mirror request to the following newly introduced feature in gNMIc and ensures compatibility between pygnmi and gNMIc.
https://github.com/openconfig/gnmic/issues/137 https://github.com/openconfig/gnmic/pull/160
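Added example (not part of the original issue, and not pygnmi or gNMIc code): a sketch of the two credential formats the request describes, built as gRPC call metadata, plus the decoding a verifying proxy would do for the RFC 7617 form. The function names and the `scheme` values are hypothetical, and the credentials are constructed samples.

```python
import base64
import binascii

# Hypothetical scheme names; the issue does not define pygnmi's option name.
SCHEME_LEGACY = "legacy"  # "Username"/"Password" headers, as described in the request
SCHEME_BASIC = "basic"    # RFC 7617 "Authorization: Basic ..."


def build_auth_metadata(username, password, scheme=SCHEME_LEGACY):
    """Return gRPC call metadata, a list of (key, value), for the chosen scheme."""
    if scheme == SCHEME_LEGACY:
        # gRPC metadata keys are lowercase on the wire.
        return [("username", username), ("password", password)]
    if scheme == SCHEME_BASIC:
        # RFC 7617: the first ":" separates user-id from password, so the
        # user-id cannot contain one; control characters are not allowed.
        if ":" in username:
            raise ValueError("user-id must not contain ':' (RFC 7617)")
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in username + password):
            raise ValueError("control characters are not allowed (RFC 7617)")
        token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
        # Base64 is an encoding, not encryption: the value is only protected
        # by the TLS session that carries it.
        return [("authorization", "Basic " + token.decode("ascii"))]
    raise ValueError(f"unknown scheme: {scheme!r}")


def parse_basic_authorization(value):
    """Decode a Basic credential as a verifier would; returns (user, password)."""
    name, _, token = value.partition(" ")
    if name.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    user, sep, password = decoded.partition(":")  # split on the first colon only
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    md = build_auth_metadata("admin", "s3cr:et", SCHEME_BASIC)
    print(md)
    print(parse_basic_authorization(md[0][1]))
```

The returned list has the shape accepted by the `metadata=` argument of a gRPC Python stub call.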