akarneliuk / pygnmi

The pure Python implementation of the gNMI client.
https://training.karneliuk.com
BSD 3-Clause "New" or "Revised" License
126 stars 44 forks

FR: Add ability to set the auth scheme for targets #127

Open vlahan opened 1 year ago

vlahan commented 1 year ago

The current implementation passes the user credentials via two predefined request headers "Username" and "Password".

The goal of this request is to add a new option to pygnmi to select among different authentication schemes. For example, to be able to send the credentials in a format compatible with https://datatracker.ietf.org/doc/html/rfc7235#section-4.2 and https://datatracker.ietf.org/doc/html/rfc7617, i.e. by sending an "Authorization" header with the value "Basic base64enc(username:password)".

Note: this is a mirror request to the following newly introduced feature in gNMIc and ensures compatibility between pygnmi and gNMIc.

https://github.com/openconfig/gnmic/issues/137 https://github.com/openconfig/gnmic/pull/160
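The two credential formats described in this request, side by side, as an added example that is not pygnmi or gNMIc code. The function names and the scheme labels `userpass` and `basic` are hypothetical, and the lowercase metadata keys are an assumption based on gRPC requiring lowercase metadata keys. The parser shows what the receiving side has to do with the `Authorization` value under RFC 7617.

```python
import base64


def build_auth_metadata(username, password, scheme="userpass"):
    """Return gRPC call metadata as (key, value) tuples for one auth scheme."""
    if scheme == "userpass":
        # Two separate headers, as the request describes the current behaviour.
        return [("username", username), ("password", password)]
    if scheme == "basic":
        # RFC 7617: the user-id cannot contain ':' because the first colon
        # is the separator; control characters are forbidden in both parts.
        if ":" in username:
            raise ValueError("RFC 7617: user-id must not contain ':'")
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in username + password):
            raise ValueError("RFC 7617: control characters are not allowed")
        raw = f"{username}:{password}".encode("utf-8")
        token = base64.b64encode(raw).decode("ascii")
        return [("authorization", f"Basic {token}")]
    raise ValueError(f"unknown auth scheme: {scheme!r}")


def parse_basic(value):
    """Split an Authorization header value into (user, password)."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:  # scheme name is case-insensitive
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    # Split on the FIRST colon only: the password may itself contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the issue.
    for scheme in ("userpass", "basic"):
        print(scheme, build_auth_metadata("admin", "s3cr:et", scheme))
    header = build_auth_metadata("admin", "s3cr:et", "basic")[0][1]
    print("decoded:", parse_basic(header))
```

Base64 is an encoding, not encryption, so either scheme exposes the password to anyone who can read the channel; both depend on TLS between client and target.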

akarneliuk commented 1 year ago

Hey @vlahan,

Thanks for reaching out on this. In principle, this can be implemented. I'd need to test it somewhere, though. Do you have any advice on what that could be tested against?

Best, Anton

vlahan commented 1 year ago

Hi @akarneliuk,

apologies for the late reply.

One option is to test this using Caddy as a reverse proxy to an internal gNMI server on localhost that has authentication and TLS disabled. In this scenario Caddy takes over the basic authentication and the TLS termination.

Here is a simple Caddyfile with basic auth for user "admin":

```
{
    servers :9339 {
        protocols h1 h2 h2c
    }

    log {
        level DEBUG
    }
}

:9339 {
    tls /etc/ssl/certs/public.pem /etc/ssl/private/key.pem
    route {
        basicauth * {
            # create hash using ./caddy hash-password
            admin /BCRYPT_HASH/
        }
        # point to internal gNMI server listening on localhost
        reverse_proxy h2c://localhost:19339
    }
}
```

vlahan commented 10 months ago

Hi @akarneliuk,

please let me know if you might benefit from more information on the FR. If you share some of your thinking on preferred design, we can also try to provide a patch proposal. After the corresponding change in gNMIc we are now forced to use a dedicated workaround for pygnmi in our test scripts, so we have a strong interest in an upstream solution that achieves parity so we can simplify the handling.

--Vlado