r-lib / keyring

Access the system credential store from R
https://keyring.r-lib.org/

keyring usage with shiny server on linux #127

Open baderstine opened 2 years ago

baderstine commented 2 years ago

I'm running shiny-server on CentOS and want to use the keyring package to store and access passwords.

Given that shiny apps run as shiny user, what is the process for initializing the keyring for shiny apps to utilize?

Here's what I've tried so far:

  1. Login to shiny user,
  2. run R,
  3. keyring::key_set(service = 'svcname', username = 'username', keyring = 'system')
     Now when I do this, it returns a message stating: The 'system' keyring does not exist, enter a keyring password to create it: So I enter a password.
  4. go to my shiny server url and run my app

The shiny app wants the password, so the code for that in the app is: keyring::key_get(service = 'svcname', username = 'username'), but this doesn't work. I get an error in the shiny app's log file which doesn't make any sense. I'm running key_get() and for some reason the error is about setting a password:

Warning: Error in b__file_set_keyring_pass: Aborted setting keyring password
  112: stop
  111: b__file_set_keyring_pass
  110: private$set_keyring_pass
  109: b_file_keyring_unlock
  108: self$keyring_unlock
  107: b_file_get
  106: default_backend()$get
  105: keyring::key_get
...

When I attempt to just run keyring::key_get('svcname', 'username') as the shiny user in an interactive session, I can see that I'm getting a prompt to unlock the 'system' keyring by entering a password. Am I doing something wrong? Running the shiny apps on my Mac, this 'just works', but from within shiny-server on Linux, not so much.

baderstine commented 2 years ago

Additionally, I followed the file backend methodology and it seems to have a bug:

## Create a keyring and add an entry using the variables above
kb <- keyring::backend_file$new()
## Prompt for the keyring password, used to unlock keyring
kb$keyring_create("somename")
## Prompt for the secret/password to be stored in the keyring
kb$set("servicename", username="user", keyring="somename")

will accept your password and then print the following message: The 'system' keyring does not exist, enter a keyring password to create it: So you enter another password for that, but now, checking ~/.config/r-keyring/, I have two keyrings: "somename", which has the "user" password in it, and "system", which has nothing in it and was created for no apparent reason, other than the package seems to think it should exist.

gaborcsardi commented 1 year ago

Thanks! The second issue seems like a bug indeed.

Wrt. the first, that unfortunately won't work, because you cannot unlock the keyring from the app. Shiny server would need to be able to hold the unlock password.
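
An added example, not from the issue thread or the keyring project: one way for the app process to hold the unlock password, as the last comment describes, is to read it from an environment variable and unlock the file backend explicitly before reading the secret, so that no interactive prompt is ever reached. `get_app_secret()` and `KEYRING_UNLOCK_PASSWORD` are hypothetical names, and how the variable is set for the shiny user is an assumption left to the deployment.

```r
# Added example; get_app_secret() and KEYRING_UNLOCK_PASSWORD are
# hypothetical names chosen for this sketch, not part of keyring.
get_app_secret <- function(service, username, keyring = "system",
                           unlock_var = "KEYRING_UNLOCK_PASSWORD") {
  # Use the file backend explicitly, as in the thread above.
  kb <- keyring::backend_file$new()

  # Referring to a keyring that does not exist makes the file backend
  # prompt to create it, which a non-interactive Shiny process cannot
  # answer. Stop with a clear message instead.
  known <- kb$keyring_list()$keyring
  if (!keyring %in% known) {
    stop("keyring '", keyring, "' does not exist for user ",
         Sys.info()[["user"]], call. = FALSE)
  }

  # Unlock without a prompt, using a password supplied by the environment.
  if (kb$keyring_is_locked(keyring)) {
    pw <- Sys.getenv(unlock_var, unset = "")
    if (!nzchar(pw)) {
      stop("keyring '", keyring, "' is locked and ", unlock_var,
           " is not set", call. = FALSE)
    }
    kb$keyring_unlock(keyring = keyring, password = pw)
  }

  # Name the keyring explicitly so the backend default is never consulted.
  kb$get(service, username = username, keyring = keyring)
}

# In the Shiny app (service and username as in the original question):
# db_password <- get_app_secret("svcname", "username")
```

Anyone who can read the unlock variable or its source file can open the keyring, so with this arrangement the secrets are only as protected as the file permissions and process environment of the shiny user.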