brocade / ansible


Support for Encrypted Authorization Token #107

Open xsYf6tdq8 opened 2 years ago

xsYf6tdq8 commented 2 years ago

Hello

I would like to use the encrypted authorization tokens for our environment. I see in the file below that Basic authorization is used and that there is no possibility for 'Custom_Auth'.

Is this on the roadmap?

utils/brocade_connection.py:

credential = {"Authorization": "Basic " + login_encoded.decode(), "User-Agent": "Rest-Conf"}

prasad-valmeti-broadcom commented 2 years ago

Hi, during login time, Ansible scripts use basic authentication with the user credentials to log in to the switch. After the login request is successful, they retrieve a custom authorization code from the switch's login response. From that time onwards, all the requests sent by the Ansible scripts use the custom authorization. Observe the API url_helper from utils/brocade_url.py:

url_helper(URL, body, method, auth, result, validate_certs, timeout, credential=None):

Here 'auth' is a Custom authorization, not the Basic as shown below:
 Authorization      Custom_Basic YWRtaW46eHh4OmFiMmRiZWM5YTkxYjQyNmZlZTQ1NzExZWJlOWQzZjY2YWJkNWNmM2FiMTdlNzk2MDAwMDAwMDAwMDAwMDAwMDA=

 Please let us know if it solves your purpose. If not, could you please give us more details of your requirement?

Regards, Prasad
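An added example, not part of the thread or the project's code: it rebuilds the Basic header the way the quoted `brocade_connection.py` line does, shows that the header decodes straight back to the password, and redacts both header kinds before they reach a log. The function names and sample credentials are constructed for illustration, and treating the post-login value as a high-entropy session token that is safe to fingerprint is an assumption.

```python
import base64
import hashlib


def basic_header(user, password):
    """Build the login headers as in the quoted brocade_connection.py line."""
    login_encoded = base64.b64encode(f"{user}:{password}".encode())
    return {"Authorization": "Basic " + login_encoded.decode(),
            "User-Agent": "Rest-Conf"}


def decode_basic(value):
    """Recover (user, password): base64 is an encoding, not encryption."""
    scheme, _, blob = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def redact(value):
    """Return a log-safe form of an Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    if not blob:
        return "<redacted>"
    if scheme == "Basic":
        # A hash of user:password would allow offline guessing; drop it fully.
        return "Basic <redacted>"
    # Assumption: other schemes carry a high-entropy session token, so a short
    # fingerprint lets audit logs correlate requests without exposing it.
    fingerprint = hashlib.sha256(blob.encode()).hexdigest()[:12]
    return f"{scheme} <redacted sha256:{fingerprint}>"


def safe_headers(headers):
    """Copy headers with the Authorization value redacted for logging."""
    return {k: redact(v) if k.lower() == "authorization" else v
            for k, v in headers.items()}


if __name__ == "__main__":
    login = basic_header("admin", "constructed-pw")        # constructed sample
    print(decode_basic(login["Authorization"]))            # password comes back
    session = {"Authorization": "Custom_Basic Q09OU1RSVUNURUQ6dG9rZW4=",
               "User-Agent": "Rest-Conf"}                  # constructed token
    print(safe_headers(login))
    print(safe_headers(session))
```

Either header value works as a credential on its own while it is valid, so both belong in the same secret handling as the password itself.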

xsYf6tdq8 commented 2 years ago

Hello Prasad

Thanks for your reply.

In our environment we enforce the use of named users for auditing purposes. We need the traceability. We currently manage our systems via SSH and passphrase-protected keys. This way we can decrypt the key and easily run scripts safely. Often these scripts are looped and thus authentication is needed multiple times. It is by no means an option to enter passwords manually. Currently the decrypted SSH keys solve this.

I don't think that storing the switch password on our servers is not safe. We can put it in the Ansible Vault but in that case we have to decrypt the vault when running a playbook. The password for the vault can also be stored in a file but this is also not very secure. The token in essence is also just a password but it feels more secure :-)

Kind regards Bert

prasad-valmeti-broadcom commented 2 years ago

Hi Bert, FOS switches support the auth-token feature. A token can be created and is used for subsequent REST queries. The same can be extended to Ansible; we will explore options and address this in the next release. Regards, Prasad

prasad-valmeti-broadcom commented 1 year ago

Hi Bert, Discussions are in progress on the auth token support based on the SSO. This security feature is being developed in FOS. Once that is available, it will be integrated into Ansible. Will post the status on the next steps. Regards, Prasad