FR: Add ability to set the auth scheme for targets #127

Open
vlahan opened this issue Jul 5, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

vlahan commented Jul 5, 2023

The current implementation passes the user credentials via two predefined request headers "Username" and "Password".

The goal of this request is to add a new option to pygnmi to select among different authentication schemes. For example, to be able to send the credentials in a format compatible with https://datatracker.ietf.org/doc/html/rfc7235#section-4.2 and https://datatracker.ietf.org/doc/html/rfc7617, i.e. by sending an "Authorization" header with the value "Basic base64enc(username:password)".

Note: this is a mirror request to the following newly introduced feature in gNMIc and ensures compatibility between pygnmi and gNMIc.

openconfig/gnmic#137
openconfig/gnmic#160
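
One way the requested option could build the call metadata, with the matching server-side parse, as an added example that is not part of the original post or of pygnmi's code. The names `build_metadata`, `parse_basic` and the `auth_scheme` option are hypothetical, and the credentials are constructed samples.

```python
import base64
import binascii


def build_metadata(auth_scheme, username, password):
    """Return gRPC call metadata for the chosen scheme (auth_scheme is a hypothetical option)."""
    if auth_scheme == "legacy":
        # Behaviour the issue describes as current: two separate headers.
        # HTTP/2 header names are lowercase on the wire.
        return [("username", username), ("password", password)]
    if auth_scheme == "basic":
        if ":" in username:
            # RFC 7617: a user-id containing ':' cannot be represented.
            raise ValueError("username must not contain ':'")
        pair = f"{username}:{password}".encode("utf-8")
        # Base64 is an encoding, not encryption: the channel still needs TLS.
        return [("authorization", "Basic " + base64.b64encode(pair).decode("ascii"))]
    raise ValueError(f"unsupported auth scheme: {auth_scheme!r}")


def parse_basic(metadata):
    """Server-side view: return (username, password), or None if absent or malformed."""
    headers = {key.lower(): value for key, value in metadata}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first ':' only, so passwords may themselves contain colons.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


if __name__ == "__main__":
    # Constructed sample credentials.
    md = build_metadata("basic", "admin", "pa:ss")
    print(md, parse_basic(md))
```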

@akarneliuk
Owner

Hey @vlahan ,

Thanks for reaching out on this. In principle, this can be implemented. I'd need to test it somewhere, though. Do you have any advice on what that could be tested against?

Best,
Anton

akarneliuk added the enhancement (New feature or request) label Jul 24, 2023
Author

vlahan commented Aug 31, 2023

Hi @akarneliuk,

apologies for the late reply.

One option is to test this using Caddy as a reverse proxy to an internal gNMI server on localhost that has authentication and TLS disabled. In this scenario, Caddy takes over the basic authentication and the TLS termination.

Here is a simple Caddyfile with basic auth for user "admin":

```
{
	servers :9339 {
		protocols h1 h2 h2c
	}

	log {
		level DEBUG
	}
}

:9339 {
	tls /etc/ssl/certs/public.pem /etc/ssl/private/key.pem
	route {
		basicauth * {
			# create hash using ./caddy hash-password
			admin /BCRYPT_HASH/
		}
		# point to internal gNMI server listening on localhost
		reverse_proxy h2c://localhost:19339
	}
}
```

Author

vlahan commented Oct 13, 2023

Hi @akarneliuk,

please let me know if you might benefit from more information on the FR. If you share some of your thinking on preferred design, we can also try to provide a patch proposal. After the corresponding change in gNMIc we are now forced to use a dedicated workaround for pygnmi in our test scripts, so we have a strong interest in an upstream solution that achieves parity so we can simplify the handling.

--Vlado
