eclipse-ditto / ditto

Eclipse Ditto™: Digital Twin framework of Eclipse IoT - main repository
https://eclipse.dev/ditto/
Eclipse Public License 2.0

401 not authorized when using Nginx and helm deployment #1947

Closed raptus84 closed 4 months ago

raptus84 commented 5 months ago

Hi,

Using the Helm deployment on EKS, I'm facing an issue: it seems I can't use the Nginx service to make API calls. I'm installing Ditto with this command, since I want to create a default "ditto" user and use the Nginx service to perform the first API calls.

helm install -n ditto my-ditto oci://registry-1.docker.io/eclipse/ditto --version 3.5.6 --set global.cluster.basicAuthUsers[0].user=ditto --set global.cluster.basicAuthUsers[0].password=ditto --set gateway.config.authentication.enablePreAuthentication=true

After the installation, when I point to Nginx, set basic authentication with ditto:ditto and perform an API call, I always get a "401 not authenticated" error. However, I can use the gateway microservice (adding the nginx:ditto user to the x-ditto-pre-authenticated header), but this is not the preferred way we'd like to use it. Can you please tell me what's wrong with this situation? What am I missing?

Thank you for your support

carozo commented 5 months ago

+1 same issue. I also tried adding the hashedBasicAuthUsers in values.yaml:

  hashedBasicAuthUsers:
    - "ditto:$..."

but it didn't work 😕

thjaeckle commented 5 months ago

Hi @raptus84

helm install -n ditto my-ditto oci://registry-1.docker.io/eclipse/ditto --version 3.5.6 --set global.cluster.basicAuthUsers[0].user=ditto --set global.cluster.basicAuthUsers[0].password=ditto --set gateway.config.authentication.enablePreAuthentication=true

You seem to use the wrong config key: basicAuthUsers is not nested in cluster, but directly exposed under global. This should work:

helm install -n ditto my-ditto oci://registry-1.docker.io/eclipse/ditto --version 3.5.6 --set "global.basicAuthUsers[0].user=alice" --set "global.basicAuthUsers[0].password=who" --set "gateway.config.authentication.enablePreAuthentication=true"

Note that I also added " around the array syntax - my shell otherwise tried to interpret the special characters [].

kubectl --namespace ditto port-forward svc/my-ditto-nginx 8080:8080
curl -u alice:who -v http://localhost:8080/api/2/things
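
The quoting note in the reply above, as an added example that is not part of the thread: in a POSIX shell an unquoted `[0]` is a glob bracket expression, so the `--set` argument only reaches helm unchanged while no file in the working directory matches it. The function names and the colliding file name are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the issue thread.

ARG='global.basicAuthUsers[0].user=alice'   # --set argument from the thread

# Print the word(s) a POSIX shell passes on for $2, one per line.
# $1 selects how the argument is written on the command line.
words_passed() {
    case $1 in
        quoted)   printf '%s\n' "$2" ;;               # passed through literally
        unquoted) printf '%s\n' $2 ;;                 # pathname expansion sees [0]
        noglob)   ( set -f; printf '%s\n' $2 ) ;;     # set -f turns globbing off
    esac
}

# Run words_passed inside a scratch directory. With $2 = "collide" the
# directory holds a (constructed) file whose name matches the glob pattern
# global.basicAuthUsers[0].user=alice.
in_scratch_dir() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        if [ "$2" = collide ]; then
            : > 'global.basicAuthUsers0.user=alice'
        fi
        words_passed "$1" "$ARG"
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Show each spelling of the argument in an empty and in a colliding directory.
for mode in quoted unquoted noglob; do
    printf '%-8s empty dir: %s | colliding file: %s\n' "$mode" \
        "$(in_scratch_dir "$mode" none)" "$(in_scratch_dir "$mode" collide)"
done
```

With the colliding file present, the unquoted form yields `global.basicAuthUsers0.user=alice`, a different key from the one intended; the quoted form is unaffected by directory contents.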