Custom username and password for API access

Is there any way to access the API using a username and a password that isn’t auto-generated? Not being able to figure out how to specify one is hampering my efforts to script everything (without getting really fancy).

If there isn’t a way to do this maybe you have security concerns with this approach, but I can still log into the Ember admin website using a custom username:password and then have full access to the API (which any hacker could do), because it gives me a cookie after Ember login that allows this. I could maybe get around this by having a fake login that grabs the cookie (`PL=rancher; token=xx; CSRF=xx`) and puts it on every request, but that seems really hacky when:

```
http://user:pass@vg1:8080/v1/projects/1a5
```

could work.


I had a similar question, for both adding hosts and API keys.

Without these, I cannot script my tests, so they cannot run automatically, which interferes with my ability to develop against the platform.

There is intentionally no UI for this because it’s not a very good idea in general. API keys are intended to have a known amount of entropy and be verified fast. User-supplied credentials usually have very little, and are stored with a multi-round hashing that takes a comparatively long time to calculate.

Anyway, if you click on the API endpoint and navigate to `/v1/apikeys`, you can create a new key, and the public and secret values can be set to whatever you want if you are an admin (or access control is off).

Like everything else, the same request can be made with curl. If access control is on, then you need an already existing key* to authenticate the request with. But any CLI would have the same problem…

*: If you really want, you can post access control credentials to `/v1/token` and use that to authenticate future requests. (This is how the UI works.)

It seems that almost every idea which is great for development is horrible for production. :)

With the help of this and another issue against rancher I was able to write a script that built a Rancher server and a Rancher host, with the host running Convoy. Still have not yet figured out how to properly mount devicemapper on Convoy, hoping another forum exchange will hold the secret.

Awesome, this solves my problem in a rather elegant way. For me it’s helping me script initial box / “rancher cluster” setup with Ansible without jumping through too many hoops. Thank you for the quick solution and advice!

Also in feedback to the whole entropy/hashing thing: that could probably be solved with a quick in memory cache if you are concerned with people pounding the heck out of the API (internally you are doing 10000s of rounds of bcrypt on each call or something).

Something like:

```
dbUserId | RANCHER_ACCESS_KEY | RANCHER_SECRET_KEY
```

in memory wouldn’t cause any sort of vulnerabilities and would make the APIs a bit more open to scripting from start to finish, which many people are likely interested in doing (if they didn’t discover this post, of course). Thanks again.

This doesn’t seem to work as @vincent mentions. Did this:

```bash
curl -u "8421B623B37B5562C5EF:TaaPer7KqNrp47WQ1BLxdExczDKzZ5iRLjVfwxsh" \
  -X POST \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{"accountId":"1a1", "publicValue":"test", "secretValue":"test"}' \
  'http://vg1:8080/v1/apikeys'
```

And got back this:

```json
{
  "id": "1c36",
  "type": "apiKey",
  "links": {
    "self": "http://vg1:8080/v1/apikeys/1c36",
    "account": "http://vg1:8080/v1/apikeys/1c36/account",
    "images": "http://vg1:8080/v1/apikeys/1c36/images",
    "instances": "http://vg1:8080/v1/apikeys/1c36/instances",
    "certificate": "http://vg1:8080/v1/apikeys/1c36/certificate"
  },
  "actions": {
    "activate": "http://vg1:8080/v1/apikeys/1c36/?action=activate",
    "remove": "http://vg1:8080/v1/apikeys/1c36/?action=remove",
    "deactivate": "http://vg1:8080/v1/apikeys/1c36/?action=deactivate"
  },
  "name": null,
  "state": "registering",
  "accountId": "1a5",
  "created": "2016-06-18T23:16:58Z",
  "createdTS": 1466291818000,
  "description": null,
  "kind": "apiKey",
  "publicValue": "D5A83F269199EF858DDB",
  "removed": null,
  "secretValue": "4PTaBqHTVTWqaFHhuUVeWUAhZuLUK7NWRJSSkGeT",
  "transitioning": "yes",
  "transitioningMessage": "In Progress",
  "transitioningProgress": null,
  "uuid": "2ad778c1-74ba-4bb6-af10-53f4b08f1cb8"
}
```

Every time I call it a new apiKey is created, but not using the values specified. I can use the way the UI does it for now.

There is a reason all major providers work this way and don’t let you supply your own keys…

The point is that the API keys are known to be 240 random bits (assuming you know the access key), so dictionaries and brute-forcing even a single key is totally impractical, and therefore API key validation can be fast, which is desirable. User-provided passwords are generally terrible and very practical to.

Since the response is a key for account 1a5 (which is the “Default” environment), the credentials you passed to authenticate the request to make another key appear to be an API key for that environment. Only admin account keys can set the public/secret value, and an environment key wouldn’t be able to set the account ID, so those 3 fields are being ignored in your request as they are not settable by the account making the request.


Thanks for the help and info Vincent. In case anyone else is looking to do this, here is how I did it:

1. Default Rancher install with no auth set up on the web UI.

2. Run the below:

```bash
curl -X POST \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{"type":"apikey", "accountId":"1a5", "publicValue":"test", "secretValue":"test"}' \
  'http://HOST_NAME:8080/v1/apikeys'
```

3. Lock the web UI down!
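An added example, not from anyone in this thread or from Rancher itself: a small Python helper that issues the same `POST /v1/apikeys` request as the curl commands above and then checks whether the server actually honored the requested `accountId`, `publicValue` and `secretValue`. The silent-ignore behaviour Vincent describes (a non-admin environment key cannot set those fields) is exactly what the check catches. The sample response below is copied from the thread; `check_key_response` and `create_api_key` are names I made up, and the base URL and credentials are placeholders.

```python
import json
import urllib.request
from base64 import b64encode

# Fields the thread says only an admin key (or access control off) may set.
CUSTOM_FIELDS = ("accountId", "publicValue", "secretValue")


def build_create_key_request(base_url, account_id, public_value, secret_value, auth=None):
    """Build the POST /v1/apikeys request shown in the thread; auth is an
    optional (accessKey, secretKey) pair sent as HTTP Basic, like curl -u."""
    body = json.dumps({"type": "apikey", "accountId": account_id,
                       "publicValue": public_value, "secretValue": secret_value}).encode()
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    if auth is not None:
        token = b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    return urllib.request.Request(f"{base_url}/v1/apikeys", data=body,
                                  headers=headers, method="POST")


def check_key_response(requested, response):
    """Return the list of custom fields the server ignored (empty = honored).
    A non-empty list means the caller is not authenticating as an admin."""
    return [f for f in CUSTOM_FIELDS if response.get(f) != requested[f]]


def create_api_key(base_url, account_id, public_value, secret_value, auth=None):
    """Create the key and fail loudly instead of silently accepting a random one."""
    requested = {"accountId": account_id, "publicValue": public_value,
                 "secretValue": secret_value}
    req = build_create_key_request(base_url, account_id, public_value, secret_value, auth)
    with urllib.request.urlopen(req) as resp:
        data = json.load(resp)
    ignored = check_key_response(requested, data)
    if ignored:
        raise RuntimeError(f"server ignored {ignored}; an admin key is required "
                           "to set custom API key values")
    return data


# Constructed sample: the (trimmed) response from the thread, where the
# request asked for accountId "1a1", publicValue "test", secretValue "test".
SAMPLE_REQUEST = {"accountId": "1a1", "publicValue": "test", "secretValue": "test"}
SAMPLE_RESPONSE = {"id": "1c36", "type": "apiKey", "state": "registering",
                   "accountId": "1a5", "publicValue": "D5A83F269199EF858DDB",
                   "secretValue": "4PTaBqHTVTWqaFHhuUVeWUAhZuLUK7NWRJSSkGeT"}

if __name__ == "__main__":
    print("ignored fields:", check_key_response(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```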