Open reubenmiller opened 1 month ago
A proof of concept (PoC) has been created to check the general compatibility of thin-edge.io and SmartREST 1.0 when using a basic auth device user, and first signs seems that they are compatible.
The PoC used hacked together Rust code where it reads the device username/password (mostly) from environment variables in order to make work, it is by no means intended to be a good reference guide, however it still might be hopeful to see which parts of the code need to be adjusted. PR is provided here: https://github.com/thin-edge/thin-edge.io/pull/3039
How to test an MQTT connection as the JWT topics are not available - Should a very basic SmartREST 1.0 template be used instead?
In SmartREST 1.0, we can use 61
as request and check 70
as response. About predefined message IDs, refer to here.
Gaps between the requirements and the PoC:
tedge.toml
, whilst the requirements is in a different location.tedge connect c8y
connection check with Basic Auth.I think 1) will the most time consumption as we don't have such mechanism now. It requires a small design level decision, which means it contains uncertainty in estimate. 2) and 3) should be straight-forward. 4) can be implemented in 1-2 days by using the build-in templates.
Excluding the device bootstrapping, I would say 1.5 weeks (including review process).
- Credentials (username and password) are stored in
tedge.toml
, whilst the requirements is in a different location.I think 1) will the most time consumption as we don't have such mechanism now. It requires a small design level decision, which means it contains uncertainty in estimate.
The password must not be stored in tedge.toml
but in well-protected file, which path is given by the config. Exactly as for the private key associated to device certificate.
There is small issue for the device id which is currently stored in the device certificate. We will have to handle a specific case here (storing/reading the device from an external file or simply tedge.toml
).
Is your feature request related to a problem? Please describe.
Support Cumulocity IoT basic auth registration process to provide an upgrade path for existing customers whom use (legacy) SmartREST 1.0 (which is not supported when using cert based authentication)
Background
Existing customers with existing agents would like to take advantage of thin-edge.io and slowing migrate custom components. However these agents sometimes use SmartREST 1.0 which is incompatible with the cert-based device credentials (the default authentication used by thin-edge.io).
Describe the solution you'd like
Add support for basic auth device credentials for the Cumulocity IoT mapper so that devices can be registered following the Device Registration mechanism.
Implementation details
When using basic auth device credentials
Authorization: Basic <base64(username:password)>
s/uat
ands/dat
topics as they are only supported when using cert-based device credentials and errors will be posted tos/e
if they are subscribed toOpen questions
Implementation plan
The feature implementation can be broken into the following parts:
tedge config set c8y.registration_mode "basic"
tedge
and with600
permissions)tedge config set c8y.smartrest1.templates "template1,template2"
tedge connect
and the "basic" registration mode is active (there are some UX aspects here to consider).Describe alternatives you've considered
Additional context
Check list for components that require an update of the Authorization header mechanisms:
127.0.0.1:8001/c8y
service)