r-lib / keyring

Access the system credential store from R
https://keyring.r-lib.org/

[Keyring with ShinyApp] 'env' backend cannot find password #77

Closed saisomesh2594 closed 4 years ago

saisomesh2594 commented 5 years ago

Hi,

I am using keyring in conjunction with the shinymanager R package. I have a credential database defined as a .sqlite file and I read in the file to authorize credentials. The code logic is as follows:

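library(shiny)
library(shinymanager)
library(keyring)

# Path to the encrypted shinymanager credentials database
cwd <- getwd()
credentials <- paste(cwd, '/', '<filename>.sqlite', sep = '')

ui <- secure_app(fluidPage(
  ### UI Logic ###
))

server <- function(input, output, session) {
  # The SQLite passphrase is read from the default keyring backend
  result_auth <- secure_server(
    check_credentials = check_credentials(
      credentials,
      passphrase = key_get(service = "some_service_name", "some_user_name")
    )
  )

  ### SERVER Logic ###
}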

I have deployed this app on my institute's server so that people across the institute with access can browse the app. However, I end up with the following error:

Warning in default_backend_auto() :
  Selecting ‘env’ backend. Secrets are stored in environment variables
Warning: Error in b_env_get: Cannot find password
  72: observeEventHandler
   1: runApp

Can someone guide me through setting up the proper backend so that I am able to deploy my shiny app?

Thanks!

cderv commented 5 years ago

Hi,

I could try to help but I have a few questions:

Keyring is made to work with a credentials manager. Available backends are described in the README. There is no sqlite backend.

What backend are you using locally? If nothing is configured on your server, it will use the env backend by default. That is why your key_get call will look for your password in this backend, but I wonder how your credentials store for keyring is configured on your institute server. 🤔

saisomesh2594 commented 5 years ago

Hi @cderv ,

Thanks for the reply. To answer your questions:

  1. Yes, it is working locally, although it is on Windows. I will try to redeploy the app on a local Linux machine meanwhile.
  2. The check_credentials() function takes the credential info in the .sqlite file and returns a function which checks for user inputs (username and passwords) and grants access accordingly.

From what I have read, I understand that when running the app from the server, the backend defaults to env and therefore keyring is unable to fetch passwords. I have asked libsecret library to be installed on our server and I can confirm that it is already installed. However, when I try to set my R_KEYRING_BACKEND environment variable to secret_service backend and try to setup a keyring as mentioned here, I get the following message:

** Message: 17:17:02.557: Remote error from secret service: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.secrets was not provided by any .service files
Error in b_ss_set_with_value(self, private, service, username, password,  :
  Secret service keyring error in 'get_keyring': 'The name org.freedesktop.secrets was not provided by any .service files'

cderv commented 5 years ago

> Yes, it is working locally, although it is on Windows

On Windows it will use the Windows credential manager by default. So you'll have another behavior on your server.

> I have asked libsecret library to be installed on our server and I can confirm that it is already installed.

From #53 and #72, and my own experience with our RStudio servers cluster, the keyring libsecret backend is for Linux with a GUI. Without a GUI, I think you can't use that.

In our setup, we went with the file backend as default, but the env backend will work on all systems too.

I am just wondering how it would work in your shiny app. Do you need to store some information from your users in a credential store? Can't you just ask the user for information in the app, and check against the DB? I may have missed something.

saisomesh2594 commented 5 years ago

Would it be possible for you to recreate a toy example where I can use the file backend (as in your case) or even the env backend, so that I am able to use keyring?

Well, my primary reason for using keyring + shinymanager is that it provides a nice interface for admin access (checking logs of the applications, asking users to update passwords, adding new users, etc.). But the admin mode is only possible when I use a SQL db with a keyring passphrase. I have tried looking for alternatives, but couldn't find any...

I can always revert back to the way you suggested and ask for user inputs and check against a DB.

cderv commented 5 years ago

Switching backend is pretty easy. You can configure an environment variable to change the default one used. In the shiny app scenario, I am just wondering how the admin would initiate the password in the keyring on the deployment server.

I do not know about shinymanager. If they advise using a keyring passphrase, maybe they have some advice about deployment. Did you ask them? I'll have a look into it anyway.

cderv commented 5 years ago

Ok, I understand now why keyring is mentioned: it is just an example to manage the password to secure the database. You can in fact use any method you want. The method will depend on what you can configure on your deployment server. If you use keyring, how would you do the key_set?

# this is interactive
key_set("R-shinymanager-key", "obiwankenobi")

I don’t think this is a keyring issue or this type of example should be discussed here. I think you should open a question in their repo asking how they would deploy while using keyring.

Often, for deployments where I need to use a secret, I use an environment variable in my code and configure the deployment environment to know the value of the environment variable. Something like:

create_db(
  credentials_data = credentials,
  sqlite_path = "path/to/database.sqlite", # will be created
  passphrase = Sys.getenv("R-shinymanager-key")
)

The config package is also something I use where a private config.yml file is put at deployment on the server.

I think the best option depends on what you can do with your server.

Hope it helps.
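
The behaviour discussed in this thread, as an added example that is not part of the original comments and not the keyring project's own code: with the env backend selected, key_get() reads the secret from an environment variable of the R process, so the "Cannot find password" error means that variable was never set on the server. The service and user names are the ones from the question; the variable name `service:username` follows keyring's documentation for the env backend, and the passphrase values are constructed.

```r
library(keyring)

# Select the env backend explicitly, which is what a headless server
# without a system credential store falls back to anyway.
Sys.setenv(R_KEYRING_BACKEND = "env")

service <- "some_service_name"   # names from the key_get() call in the question
user    <- "some_user_name"

# The env backend stores each key in one environment variable of the
# R session, named "<service>:<username>" (per keyring's documentation).
var <- paste0(service, ":", user)

# 1. Reproduce the reported failure: the variable has not been provisioned.
Sys.unsetenv(var)
failure <- tryCatch(
  key_get(service, user),
  error = function(e) conditionMessage(e)
)
message("key_get() without the variable: ", failure)

# 2. Provision the secret the way a deployment would, by setting the
#    variable in the R process before the app calls key_get().
#    (Constructed value; do.call() is used because the name contains ':'.)
do.call(Sys.setenv, setNames(list("constructed-passphrase"), var))
stopifnot(identical(key_get(service, user), "constructed-passphrase"))

# 3. key_set_with_value() is the non-interactive counterpart of key_set();
#    with the env backend it only changes the current process environment,
#    so the value is gone again when the R process exits.
key_set_with_value(service, user, password = "rotated-constructed-passphrase")
stopifnot(identical(Sys.getenv(var), "rotated-constructed-passphrase"))

# The secret is plain text in the process environment: anything that can
# read this process's environment, including child processes, can read it.
Sys.unsetenv(var)
```

Because a variable name containing `:` typically cannot be exported from a shell, the value has to be set from R itself (or the code has to read a conventionally named variable with Sys.getenv(), as in the comment above).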