Closed bfritscher closed 7 years ago
We are implementing a full role based access control (RBAC) model, so authentication is now a core function/feature of Portainer.
Rgds,
Neil Cresswell
I get that, but why can't it also support a mode where default anonymous user is admin and has all rights? This way we could still use basic auth, or any other authentication system like mod_shibboleth, ...
Because we feel that authentication is critical to long term viability, and as we expand the product with support for active directory authentication, and multi-tenancy, authentication within the product is mandatory.
I will, however, speak with Anthony to see if we can have a flag on the CLI that disables authentication (and every feature that relies upon it), but regardless, you can continue to run v1.10 without authentication.
Neil
Rgds,
Neil Cresswell
Thanks, I get that you have a vision for a large product, with swarm support and more advanced use cases. My use case coming from ui-for-docker, is to have a simple gui for a single instance local docker. ui-for-docker and portainer solved this very nicely up to now. I can understand that this use case does not fit your product roadmap, but it would be a shame to lose the initial no-setup gui feature for a local instance. Thanks for the great work!
Best regards, Boris
Yes, got that. And Anthony has already confirmed that he could implement a --noauth flag on the CLI to disable authentication. We will look to offer this in a 1.11.1 or 1.11.2 release soon.
N
Rgds,
Neil Cresswell
+1 -- please :o)
I have the same problem regarding reverse proxy using NGINX. While I like the feature it would be great to see the "--noauth" option.
Thank you!
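Just an idea: instead of completely disabling authentication for reverse proxies, it might be more useful to integrate with the external authentication.
I see two simple possibilities:
- Portainer just believes the user handle given in a configurable HTTP header element (e.g. Multipass-Handle: USERNAME) with fallback to a default guest role when the element is missing.
- Portainer trusts the contents of a JSON Web Token (optionally with a configurable key for validating the token).
Very likely there are some more possibilities.
Both approaches would be compatible with the new role based access control (authorisation) and would just make it compatible with other authentication mechanisms.
The first point might be a nice alternative to the "--no-auth" with basically the same effort. The second one might be a nice pull request.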
@ncresswell @t3chn0m4g3 @bfritscher What do you think?
- Portainer just believes the user handle given in a configurable HTTP header element (e.g. Multipass-Handle: USERNAME) with fallback to a default guest role when the element is missing.
That would reflect how Grafana solves this problem. We use
proxy_set_header X-WEBAUTH-USER $remote_user;
in our nginx proxy config for Grafana. It works very well.
- Portainer trusts the contents of a JSON Web Token (optionally with a configurable key for validating the token).
We actually tried working around the new authentication by setting a precomputed JWT-token in the Authorization header ;) We never got it working though.
For the record, our preferred solution would be something like --noauth.
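The header-based option discussed above is only safe if the backend accepts the identity header from the reverse proxy and from nobody else. An added example (not Portainer's code and not written by any participant in this thread; `identityHeader`, `guestUser`, `trustedProxies` and the helper names are assumptions) that honours `X-WEBAUTH-USER` only when the TCP peer is a trusted proxy and otherwise falls back to the guest role:

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// Assumed names for this example only; none of these are Portainer settings.
const identityHeader = "X-WEBAUTH-USER" // set by the reverse proxy
const guestUser = "guest"               // fallback role
// Constructed list of the only peers allowed to assert an identity.
var trustedProxies = []string{"127.0.0.1/32", "172.18.0.0/16"}

// fromTrustedProxy reports whether the TCP peer is inside trustedProxies.
func fromTrustedProxy(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	for _, cidr := range trustedProxies {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(net.ParseIP(host)) {
			return true
		}
	}
	return false
}

// resolveUser honours the header only on requests from a trusted proxy.
func resolveUser(r *http.Request) string {
	if u := r.Header.Get(identityHeader); u != "" && fromTrustedProxy(r.RemoteAddr) {
		return u
	}
	return guestUser // header missing, or sent by an untrusted peer
}

// userFrom builds a constructed request from peer and resolves its user.
func userFrom(peer, header string) string {
	r := &http.Request{RemoteAddr: peer, Header: http.Header{}}
	if header != "" {
		r.Header.Set(identityHeader, header)
	}
	return resolveUser(r)
}

func main() {
	fmt.Println(userFrom("172.18.0.5:41234", "alice"))  // peer is the proxy
	fmt.Println(userFrom("203.0.113.9:50000", "admin")) // direct, spoofed header
}
```

The proxy side still has to overwrite the header on every request, as the `proxy_set_header` line quoted above does, so a client-supplied value never reaches the backend.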
Prefer "--no-auth" as well.
Thank you :bowtie:
Same here… I'd like to use it behind nginx!
+1
Yes, it's in 1.12, which is scheduled for Feb/March
Rgds,
Neil Cresswell
On 16/01/2017, at 3:55 PM, nasskach wrote:
@ncresswell Any milestone for the RBAC implementation?
Implemented in #553
Please consider adding an environment variable in addition to the flag.
@dimitrovs what would be the point of adding an environment variable as it's already available via a flag?
@deviantony so we can put it in a docker-compose file.
@dimitrovs you can do it using the command field.
Here is an example of a portainer service in a Compose file:
portainer:
  image: portainer/portainer
  container_name: "portainer-app"
  command: --no-auth
  networks:
    - local
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - /opt/portainer/data:/data
Inspired from: https://github.com/portainer/portainer-compose
@deviantony thanks.
You're welcome.
Note that the --no-auth flag is not available yet. It has been merged in develop and will be available in 1.12.
@deviantony Thank you!
Can you please describe how to activate? I am assuming ...
ENTRYPOINT ["/portainer","--no-auth"]
Correct?
--no-auth flag will exist in v1.12, which is not yet on dockerhub.
@ncresswell Thanks for the quick response! As soon as available would that be the correct way to set the flag?
Yes indeed. We will be updating the documentation with the new flags for release time
Rgds,
Neil Cresswell
Documentation added via https://github.com/portainer/portainer-docs/pull/16
It should be noted that it's apparently -no-auth, not --no-auth.
@Dids it's not. Where did you see that?
Correct way to start Portainer without authentication is using --no-auth.
@deviantony Just tried running the latest version on Docker Hub with --no-auth and authentication was still enabled. Switched to -no-auth and it worked.
Also, it's -no-auth here as well:
https://github.com/portainer/portainer-docs/blob/404a43bbe43b481941e87ece970bb291b1fd7424/docs/source/configuration.rst
@deviantony Actually no, never mind. Obviously that doc commit was just a typo, and in my case I'm running it as a systemd service, which seems to be caching my previous config, so in reality --no-auth should indeed be working.
@Dids I know, it was a typo in the docs.
This can't work with -no-auth:
$ docker run --rm -p 9001:9000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer:latest -no-auth
portainer: error: unknown short flag '-n', try --help
$ docker run --rm -p 9001:9000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer:1.11.4 -no-auth
portainer: error: unknown short flag '-n', try --help
$ docker run --rm -p 9001:9000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer:latest --no-auth
2017/03/12 21:07:37 Starting Portainer on :9000
On what platform are you running Portainer?
--no-auth works now with latest image, thank you.
Works great! Thank you very much 😄
Disable internal authentication
version: '2'
services:
  portainer:
    image: portainer/portainer
    container_name: "portainer-app"
    ports:
      - "9000:9000"
    command: -H unix:///var/run/docker.sock --no-auth
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    restart: always
volumes:
  portainer_data:
start_portainer.sh
docker-compose -f docker-compose.yml down -v
docker-compose -f docker-compose.yml up --build
Using a reverse proxy to handle the authentication, there should be a way to use portainer without the new authentication.