Comments (6)
Yes please
from ziti.
Supporting a key/cert alternative to password would be welcome. Still, I think the only way for the admin to obtain a cert is by POSTing a CSR to /edge/client/v1/current-api-session/certificates, and the obtained ephemeral cert is only valid for obtaining an API session token after adding a cert authenticator for the admin user's identityId. If that's accurate, then I feel like we need more than just key/cert input params for the ziti edge login command.

If we use these ephemeral certs with the ziti CLI, we'd also need a renewal mechanism integrated with the CLI's session cache. That is a bit more complicated than the life cycle of a typical, long-lived edge identity. Could we add an enrollment operation that accepts a permanent password instead of a one-time password? That way, the default admin could obtain a long-lived client certificate to use with the management API's cert authentication method.
from ziti.
Workaround cert auth

# tofu: fetch the controller's CA bundle from its EST endpoint (this first fetch is deliberately unverified, hence --insecure)
curl --silent --show-error --fail --insecure \
  "https://minicontroller.ziti/.well-known/est/cacerts" \
  | openssl base64 -d \
  | openssl pkcs7 -inform DER -outform PEM -print_certs -out ~/Downloads/minicontroller-ca-bundle.pem

# login: authenticate to the client API with the client cert, then hand the returned API session token to the CLI
curl \
  --request POST \
  --header 'content-type: application/json' \
  --data '{}' \
  --silent --show-error --fail \
  --cert ~/Downloads/zitiadmin-client.crt \
  --key ~/Downloads/zitiadmin-client.key \
  --cacert ~/Downloads/minicontroller-ca-bundle.pem \
  "https://minicontroller.ziti/edge/client/v1/authenticate?method=cert" \
  | jq -r .data.token \
  | xargs ziti edge login "minicontroller.ziti:443" \
      --yes --username admin \
      --token
from ziti.
ziti edge login --client-cert works now, but it's necessary to parse the certificate from the enrolled JSON identity config file. It would be more convenient to use the identity config file directly, e.g., ziti edge login --identity /tmp/admin-with-cert-auth.json, where /tmp/admin-with-cert-auth.json is the enrolled JSON config file for an identity with isAdmin: true.

The easiest way to obtain a client cert for an admin identity is to create the identity with isAdmin: true and enroll the JWT. That results in a JSON identity config, but I can't use that JSON directly with ziti edge login, so I need to parse out the cert and key as separate files and use them with ziti edge login --client-cert CERT --client-key KEY.
Workaround:
❯ jq -r '.id.key' < /tmp/admin-with-cert-auth.json | sed 's/^pem://' > /tmp/admin-with-cert-auth.key
❯ jq -r '.id.cert' < /tmp/admin-with-cert-auth.json | sed 's/^pem://' > /tmp/admin-with-cert-auth.cert
❯ ziti edge login miniziti-controller.192.168.49.2.sslip.io:443 \
--username admin-with-cert-auth \
--client-cert /tmp/admin-with-cert-auth.cert \
--client-key /tmp/admin-with-cert-auth.key
Token: d34a3a91-f0ea-4f8f-a055-cbd8b45fb4b8
Saving identity 'default' to /home/kbingham/.config/ziti/ziti-cli.json
from ziti.
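The unwrapping that the jq/sed workaround above performs, as an added example in Python that is not code from this thread or from the ziti project. It assumes the enrolled identity layout shown in the workaround (id.cert, id.key and id.ca carrying a pem: prefix) and also handles the file: prefix that the Ziti identity config format accepts in place of pem:. It goes one step beyond the workaround by creating the extracted private key file with owner-only permissions, which the shell redirection does not guarantee. The sample identity and its PEM bodies are constructed placeholders, not real key or certificate material; the controller address reuses the one from the workaround.

```python
import json
import os
import stat
import tempfile

# Constructed sample of an enrolled identity config. The PEM bodies are
# placeholders, not real key or certificate material.
SAMPLE_IDENTITY = {
    "ztAPI": "https://minicontroller.ziti:443",
    "id": {
        "key": "pem:-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END EC PRIVATE KEY-----\n",
        "cert": "pem:-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT-CERT\n-----END CERTIFICATE-----\n",
        "ca": "pem:-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n",
    },
}


def resolve_pem(value: str) -> str:
    """Return the PEM text behind an identity field.

    Enrolled identity files embed material as "pem:<PEM>"; the same config
    format also accepts "file:<path>" pointing at a PEM file on disk.
    """
    if value.startswith("pem:"):
        return value[len("pem:"):]
    if value.startswith("file:"):
        with open(value[len("file:"):], "r", encoding="utf-8") as fh:
            return fh.read()
    raise ValueError("unsupported identity field encoding: %r" % value[:8])


def _write(path: str, text: str, mode: int) -> None:
    """Create the file with the given permission bits before any data lands in it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)  # tighten bits if the file pre-existed with wider ones


def unwrap_identity(identity_path: str, out_dir: str, name: str) -> dict:
    """Split one identity JSON into <name>.cert, <name>.key and <name>.ca in out_dir."""
    with open(identity_path, "r", encoding="utf-8") as fh:
        ident = json.load(fh)
    fields = ident["id"]
    cert = resolve_pem(fields["cert"])
    key = resolve_pem(fields["key"])
    # Fail fast on a file that was not an enrolled identity after all.
    if "-----BEGIN CERTIFICATE-----" not in cert:
        raise ValueError("id.cert does not contain a PEM certificate")
    if "PRIVATE KEY-----" not in key:
        raise ValueError("id.key does not contain a PEM private key")
    paths = {
        "cert": os.path.join(out_dir, name + ".cert"),
        "key": os.path.join(out_dir, name + ".key"),
    }
    _write(paths["cert"], cert, 0o644)
    _write(paths["key"], key, 0o600)  # private key: owner read/write only
    if "ca" in fields:
        paths["ca"] = os.path.join(out_dir, name + ".ca")
        _write(paths["ca"], resolve_pem(fields["ca"]), 0o644)
    return paths


def login_argv(controller: str, username: str, paths: dict) -> list:
    """Build the `ziti edge login` command line the thread's workaround runs."""
    return [
        "ziti", "edge", "login", controller,
        "--username", username,
        "--client-cert", paths["cert"],
        "--client-key", paths["key"],
    ]


def run_demo() -> dict:
    """Write the constructed sample to a temp dir, unwrap it and report what came out."""
    tmp = tempfile.mkdtemp(prefix="ziti-unwrap-")
    identity_path = os.path.join(tmp, "admin-with-cert-auth.json")
    with open(identity_path, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_IDENTITY, fh)
    paths = unwrap_identity(identity_path, tmp, "admin-with-cert-auth")
    with open(paths["cert"], encoding="utf-8") as fh:
        cert = fh.read()
    with open(paths["key"], encoding="utf-8") as fh:
        key = fh.read()
    return {
        "cert": cert,
        "key": key,
        "key_mode": stat.S_IMODE(os.stat(paths["key"]).st_mode),
        "argv": login_argv("miniziti-controller.192.168.49.2.sslip.io:443",
                           "admin-with-cert-auth", paths),
    }


if __name__ == "__main__":
    print(" ".join(run_demo()["argv"]))
```

Point unwrap_identity at a real enrolled identity file and an output directory to get the same three files the jq/sed commands produce; the only behavioural difference is that the .key file is created 0600 from the start rather than inheriting the shell's umask.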
It would be useful if ziti edge login could parse the client cert and key from a Ziti-standard file representing an enrolled identity context as JSON.
from ziti.
I added this back in summer 2023 and @qrkourier confirms it succeeds. I think there's another feature request in here to allow an enrolled identity file to be used for auth as well, saving people the work of unwrapping the identity.
from ziti.