openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

ziti edge login with Ziti-standard identity file #1730

Open qrkourier opened 7 months ago

qrkourier commented 7 months ago

The easiest way to obtain an admin client cert is to enroll the JWT with the CLI. This produces a Ziti-standard JSON file with the identity's context, including the cert, key, and trust bundle.

Before using that identity with ziti edge login --client-cert, it's currently necessary to first unpack the enrolled context file into its component parts: cert, key, and bundle, e.g. ziti ops unwrap ./ziti-id.json produces ./cert, ./key, and ./ca PEM files.

This unwrap step would be superfluous if the ziti CLI could use its own Ziti-standard JSON file like this ziti edge login --identity ./ziti-id.json.

This issue is peeled off from a comment in a related issue https://github.com/openziti/ziti/issues/127#issuecomment-1675180719

qrkourier commented 7 months ago

This will make it significantly easier to follow the best practice of using certificate authenticators with the mgmt API instead of an admin password.

qrkourier commented 7 months ago

The --cli-identity option will be too confusing after we add an --identity option to log in with a Ziti-standard identity JSON file. Instead, --cli-identity could become --profile or --cli-profile because the value is an arbitrary profile name on the local system, not the name of a Ziti identity entity nor the path to a Ziti identity file.

❯ ziti edge login --help
login allows the ziti command to establish a session with a Ziti Edge Controller, allowing more commands to be run against the controller.

Usage:
  ziti edge login my.controller.hostname[:port]/path [flags]

Flags:
      --ca string             additional root certificates used by the Ziti Edge Controller
  -i, --cli-identity string   Specify the saved identity you want the CLI to use when connect to the controller with
  -c, --client-cert string    A certificate used to authenticate
  -k, --client-key string     The key to use with certificate authentication
  -e, --ext-jwt string        A file containing a JWT from an external provider to be used for authentication
  -h, --help                  help for login
      --ignore-config         If set, does not use value from the config file for hostname or username. Values must be entered or will be prompted for.
  -j, --output-json           Output the full JSON response from the Ziti Edge Controller
      --output-request-json   Output the full JSON request to the Ziti Edge Controller
  -p, --password string       password to use for authenticating to the Ziti Edge Controller, if -u is supplied and -p is not, a value will be prompted for
      --read-only             marks this login as read-only. Note: this is not a guarantee that nothing can be changed on the server. Care should still be taken!
      --timeout int           Timeout for REST operations (specified in seconds) (default 5)
  -t, --token string          if an api token has already been acquired, it can be set in the config with this option. This will set the session to read only by default
  -u, --username string       username to use for authenticating to the Ziti Edge Controller 
      --verbose               Enable verbose logging
  -y, --yes                   If set, responds to prompts with yes. This will result in untrusted certs being accepted or updated.

mjtrangoni commented 7 months ago

@qrkourier I would love to have an alternative to the current password-only login method! Another point, not 100% directly related would be to have special non-expiring API tokens, which is the problem I was facing with the openziti_exporter.

qrkourier commented 7 months ago

@mjtrangoni While this issue is being worked you can use this approach to log in as an administrator without a password. You must create the identity with the --admin flag.

The ziti CLI has a built-in facility for separating that standard Identity file format into its components.

# the positional argument is the enrolled Ziti-standard JSON identity file (path assumed here)
ziti ops unwrap /tmp/admin-with-cert-auth.json \
    --cert /tmp/admin-with-cert-auth.cert \
    --key /tmp/admin-with-cert-auth.key \
    --ca /tmp/admin-with-cert-auth.ca

then

ziti edge login miniziti-controller.192.168.49.2.sslip.io:443 \
    --username admin-with-cert-auth \
    --client-cert /tmp/admin-with-cert-auth.cert \
    --client-key /tmp/admin-with-cert-auth.key \
    --ca /tmp/admin-with-cert-auth.ca
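
The --identity login this issue asks for amounts to doing the unwrap step in-process: read the Ziti-standard JSON, resolve the cert, key and CA bundle fields, and hand them to the client-certificate login. The Python below is an added example written for this page, not code from the openziti/ziti repository. It assumes the identity layout the OpenZiti SDKs read (a ztAPI URL plus id.cert, id.key and id.ca, each carrying inline PEM with a pem: prefix or a path with a file: prefix), uses a constructed identity with placeholder PEM bodies rather than real key material, and reproduces the same ziti edge login --client-cert/--client-key/--ca command used in the workaround above. The unwrapped key is written mode 0600, which is the part of the manual unwrap step that is easy to get wrong when an admin key lands in /tmp.

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlparse

# Constructed sample identity (assumed layout: ztAPI plus id.cert/id.key/id.ca).
# The PEM bodies are placeholders, not real key material.
SAMPLE_IDENTITY = {
    "ztAPI": "https://miniziti-controller.192.168.49.2.sslip.io:443/edge/client/v1",
    "id": {
        "key": "pem:-----BEGIN EC PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END EC PRIVATE KEY-----\n",
        "cert": "pem:-----BEGIN CERTIFICATE-----\nCERT-PLACEHOLDER\n-----END CERTIFICATE-----\n",
        "ca": "pem:-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    },
}


def load_pem(value, base_dir):
    """Resolve one id.* field: 'pem:' carries the PEM inline, 'file:' names a
    PEM file (relative paths are taken from the identity file's directory).
    Any other prefix (e.g. hardware-backed keys) is rejected, not guessed at."""
    if value.startswith("pem:"):
        return value[len("pem:"):]
    if value.startswith("file:"):
        path = value[len("file:"):]
        if not os.path.isabs(path):
            path = os.path.join(base_dir, path)
        with open(path, "r", encoding="utf-8") as fh:
            return fh.read()
    raise ValueError("unsupported identity field prefix in %r" % value[:10])


def write_with_mode(path, data, mode):
    """Create the file with its final mode so the key is never world-readable
    even briefly, then chmod so the result is exactly `mode` regardless of umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(data)
    os.chmod(path, mode)


def unwrap_identity(identity_path, out_dir):
    """What `ziti ops unwrap` does: split the JSON into cert/key/ca PEM files.
    Returns (ztAPI, {"cert": path, "key": path, "ca": path})."""
    with open(identity_path, "r", encoding="utf-8") as fh:
        ident = json.load(fh)
    base_dir = os.path.dirname(os.path.abspath(identity_path))
    missing = [n for n in ("cert", "key", "ca") if n not in ident.get("id", {})]
    if missing:
        raise ValueError("identity file lacks id." + ", id.".join(missing))
    os.makedirs(out_dir, exist_ok=True)
    written = {}
    for name in ("cert", "key", "ca"):
        pem = load_pem(ident["id"][name], base_dir)
        path = os.path.join(out_dir, name)
        write_with_mode(path, pem, 0o600 if name == "key" else 0o644)
        written[name] = path
    return ident["ztAPI"], written


def controller_host(zt_api):
    """`ziti edge login` takes host[:port]; the ztAPI URL also carries a scheme
    and an API path, so keep only the network location."""
    return urlparse(zt_api).netloc


def login_command(username, zt_api, parts):
    """The client-certificate login from the workaround above, as an argv list."""
    return [
        "ziti", "edge", "login", controller_host(zt_api),
        "--username", username,
        "--client-cert", parts["cert"],
        "--client-key", parts["key"],
        "--ca", parts["ca"],
    ]


def key_is_owner_only(path):
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def read_text(path):
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def demo():
    """Write the constructed identity to a temp dir (with the CA bundle stored
    as a file: reference to exercise that form), unwrap it, build the login."""
    tmp = tempfile.mkdtemp(prefix="ziti-id-")
    ident = json.loads(json.dumps(SAMPLE_IDENTITY))  # deep copy
    with open(os.path.join(tmp, "ca.pem"), "w", encoding="utf-8") as fh:
        fh.write(load_pem(ident["id"]["ca"], tmp))
    ident["id"]["ca"] = "file:ca.pem"
    ident_path = os.path.join(tmp, "admin-with-cert-auth.json")
    with open(ident_path, "w", encoding="utf-8") as fh:
        json.dump(ident, fh)
    zt_api, parts = unwrap_identity(ident_path, os.path.join(tmp, "unwrapped"))
    return zt_api, parts, login_command("admin-with-cert-auth", zt_api, parts)


if __name__ == "__main__":
    _, parts, cmd = demo()
    print(" ".join(cmd))
```

Running the script prints the ziti edge login command line pointing at the three unwrapped files; the identity file itself stays the single artifact to protect, which is the operational benefit a native --identity flag would give.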

smilindave26 commented 3 weeks ago

and external JWT signers