Will not authorize local access control

When trying to set up local access control, the application comes back with UnAuthorized. It will allow access control with GitHub.

I have the same problem.

My Setup:

Single Rancher instance with an external MySQL DB for persistent data.

Thanks for the help.

I have a solution.

Do you use a domain rancher.example.com?
First I used the server IP and local auth did not work; when you use a domain, local auth works fine.

Can you provide more information on how you started rancher server (i.e., did you do any special configuration)? I have not seen issues when setting it up on a vanilla install using a server IP. I also don’t have my rancher server and agents on the same host.

Can you provide the logs from inside the container? This doc provides how to get them:

http://docs.rancher.com/rancher/faqs/troubleshooting/

Domain vs IP doesn’t really make any sense… we also use IPs for most of our testing.

There’s 2 separate API calls, one to send the auth configuration and then another to test it by generating an auth token. I think there’s a race condition there and it’s maybe easier to trigger with MySQL on a remote host.

For testing purposes I am using an IP address to access Rancher. I agree domain or IP should not make a difference.
This is a plain ole vanilla install on Ubuntu 14.0.4

I just tried local auth again and here are the debug log entries:

015-09-16 15:04:40,953 DEBUG [1fae2839-7f24-4403-ba5d-a41d5da7181e:58] [credential:8] [credential.create->(AgentApiKeyCreate)] [] [cutorService-10] [c.p.e.p.i.DefaultProcessInstanceImpl] Running pre listener [AgentApiKeyCreate]
2015-09-16 15:04:40,953 DEBUG [1fae2839-7f24-4403-ba5d-a41d5da7181e:58] [credential:8] [credential.create->(AgentApiKeyCreate)] [] [cutorService-10] [DefaultProcessInstanceImpl] Finished pre listener [AgentApiKeyCreate]
2015-09-16 15:04:40,953 DEBUG [1fae2839-7f24-4403-ba5d-a41d5da7181e:58] [credential:8] [credential.create->(ApiKeyCreate)] [] [cutorService-10] [c.p.e.p.i.DefaultProcessInstanceImpl] Running pre listener [ApiKeyCreate]
2015-09-16 15:04:40,953 DEBUG [1fae2839-7f24-4403-ba5d-a41d5da7181e:58] [credential:8] [credential.create->(ApiKeyCreate)] [] [cutorService-10] [c.p.e.p.i.DefaultProcessInstanceImpl] Finished pre listener [ApiKeyCreate]
2015-09-16 15:04:40,953 DEBUG [1fae2839-7f24-4403-ba5d-a41d5da7181e:58] [credential:8] [credential.create->(RegisterTokenCreate)] [] [cutorService-10] [c.p.e.p.i.DefaultProcessInstanceImpl] Running pre listener [RegisterTokenCreate]
2015-09-16 15:04:40,953 DEBUG [1fae2839-7f24-4403-ba5d-a41d5da7181e:58] [credential:8] [credential.create->(RegisterTokenCreate)] [] [cutorService-10] [c.p.e.p.i.DefaultProcessInstanceImpl] Finished pre listener [RegisterTokenCreate]
2015-09-16 15:04:40,954 DEBUG [1fae2839-7f24-4403-ba5d-a41d5da7181e:58] [credential:8] [credential.create->(SshKeyCreate)] [] [cutorService-10] [c.p.e.p.i.DefaultProcessInstanceImpl] Running pre listener [SshKeyCreate]
2015-09-16 15:04:40,954 DEBUG [1fae2839-7f24-4403-ba5d-a41d5da7181e:58] [credential:8] [credential.create->(SshKeyCreate)] [] [cutorService-10] [c.p.e.p.i.DefaultProcessInstanceImpl] Finished pre listener [SshKeyCreate]
2015-09-16 15:04:40,957 DEBUG [1fae2839-7f24-4403-ba5d-a41d5da7181e:58] [credential:8] [credential.create->(ActivateByDefault)] [] [cutorService-10] [c.p.e.p.i.DefaultProcessInstanceImpl] Running post listener [ActivateByDefault]
ial:8] [credential.create->(ActivateByDefault)] [] [cutorService-10] [c.p.e.p.i.DefaultProcessInstanceImpl] Finished post listener [ActivateByDefault]
2015-09-16 15:04:41,077 INFO  [28d41c42-fb7e-4ff1-880f-f42fee1bf959:58] [credential:8] [credential.activate] [] [cutorService-10] [c.p.e.p.i.DefaultProcessInstanceImpl] Changing state [registering->activating] on [credential:8]
2015-09-16 15:04:41,185 INFO  [28d41c42-fb7e-4ff1-880f-f42fee1bf959:58] [credential:8] [credential.activate] [] [cutorService-10] [c.p.e.p.i.DefaultProcessInstanceImpl] Changing state [activating->active] on [credential:8]
2015-09-16 15:04:41,386 DEBUG [:] [] [] [] [cutorService-10] [c.p.e.p.i.DefaultProcessInstanceImpl] Exiting [DONE] process [credential.activate:58] on resource [8]

@Bill_George I have finally been able to reproduce not having any hosts in Rancher yet.

Can you let me know if this was your setup?

If so, the workaround is to click on the “Enable Local Auth” button again.

I’ve created an issue to track this: https://github.com/rancher/rancher/issues/2051

Please note that we don’t recommend switching between authentication providers in the same Rancher setup.

Thanks Denise, but this does not work. I have reinstalled a few times trying different things. No hosts yet, just a fresh install. Bring up Rancher, go to access control, select local, do step one (user name), even used admin, set pass, click enable, error, click again, error.
Tried using another user name, same response: it creates the user but will not activate local auth.

@Bill_George I just re-read your response that it doesn’t work for you (after clicking enable, error, click again). Can you give it some time before clicking on it again?

Another workaround is to add a host first and then enable access control?

@denise I just tried as you suggested :neutral_face: “no joy”. I had also tried after adding hosts too. Restarted the container to see if a reset would trigger anything.

Restarting the rancher server container won’t reset the database. Could you do me a favor and try doing a new install? The DB might have been corrupted with all of our attempts.

If you do a fresh install, add a host and then do local auth, you shouldn’t hit any issues (from the testing that I’ve done.)

Still have the same error, and in the debug log it looks as if there is a failure to update the database:
015-09-16 20:58:59,428 ERROR [04b597b2-3022-434b-a905-8795c104616d:49] [credential:10] [credential.activate] [] [cutorService-25] [c.p.e.p.i.DefaultProcessInstanceImpl] Unknown exception java.lang.IllegalStateException: Failed to update

Can you provide some information from the database?

  1. Exec into the rancher server database. On the host run docker exec -it <server_container_id> bash
  2. Switch to mysql. mysql
  3. Switch to cattle DB. use cattle;
  4. Provide the following table information.
    select * from account;
    select * from credential;
    select * from setting;

From there, we can look to see why your setup isn’t working with the workarounds and provide some SQL commands to get it going for you.

first select:

+----+-----------------------+------------+-----------------------+-------------+----------+---------------------+---------------------+---------------------+-----------------------------------+-------------+------------------+
| id | name                  | kind       | uuid                  | description | state    | created             | removed             | remove_time         | data                              | external_id | external_id_type |
+----+-----------------------+------------+-----------------------+-------------+----------+---------------------+---------------------+---------------------+-----------------------------------+-------------+------------------+
|  1 | Bill George           | admin      | admin                 | NULL        | active   | NULL                | NULL                | NULL                | {"fields":{"hasLoggedIn":true}}   | NULL        | NULL             |
|  2 | system                | system     | system                | NULL        | inactive | NULL                | NULL                | NULL                | NULL                              | NULL        | NULL             |
|  3 | superadmin            | superadmin | superadmin            | NULL        | inactive | NULL                | NULL                | NULL                | NULL                              | NULL        | NULL             |
|  4 | token                 | token      | token                 | NULL        | active   | 2015-09-16 20:54:34 | NULL                | NULL                | {}                                | NULL        | NULL             |
|  5 | Default               | project    | adminProject          | NULL        | active   | 2015-09-16 20:54:34 | NULL                | NULL                | {"fields":{"defaultNetworkId":5}} | NULL        | NULL             |
|  6 | machineServiceAccount | service    | machineServiceAccount | NULL        | active   | 2015-09-16 20:54:52 | NULL                | NULL                | {}                                | NULL        | NULL             |
|  7 | NULL                  | agent      | agentAccount1         | NULL        | removed  | 2015-09-16 20:55:54 | 2015-09-16 21:12:51 | 2015-09-16 21:13:51 | {}                                | NULL        | NULL             |
|  8 | NULL                  | agent      | agentAccount2         | NULL        | active   | 2015-09-16 20:57:40 | NULL                | NULL                | {}                                | NULL        | NULL             |
+----+-----------------------+------------+-----------------------+-------------+----------+---------------------+---------------------+---------------------+-----------------------------------+-------------+------------------+
8 rows in set (0.00 sec)

select * from credential;

+----+------+------------+-------------------+--------------------------------------+-------------+--------+---------------------+---------------------+---------------------+------+----------------------+----------------------------------------------------------------------------------------------+-------------+
| id | name | account_id | kind              | uuid                                 | description | state  | created             | removed             | remove_time         | data | public_value         | secret_value                                                                                 | registry_id |
+----+------+------------+-------------------+--------------------------------------+-------------+--------+---------------------+---------------------+---------------------+------+----------------------+----------------------------------------------------------------------------------------------+-------------+
|  1 | NULL |          5 | registrationToken | 9b12ad53-2e8c-4710-9d47-76844e82d989 | NULL        | active | 2015-09-16 20:54:53 | NULL                | NULL                | {}   | AB8AD347D917391C28B4 | JYSX73YP7QjLN8CjRmcH1KjM3ic2DPbap5xuW1WC                                                     |        NULL |
|  2 | NULL |          6 | agentApiKey       | d2f408cc-55bb-4123-a464-79fa471a6928 | NULL        | active | 2015-09-16 20:54:53 | NULL                | NULL                | {}   | 746A08FF49669C6B4FA4 | 7UuTv1jdp1YnKmK7Huj2CnZzKStCHiLNPBscrzmM                                                     |        NULL |
|  3 | NULL |          7 | agentApiKey       | 928fc86e-a827-49da-902b-df0980a6737c | NULL        | purged | 2015-09-16 20:55:54 | 2015-09-16 21:12:50 | 2015-09-16 21:13:50 | {}   | FA95F4553594688D2329 | G7K9w5FSrhvLwN2gvfL9Y5nXJdPpiD8GUpBgi42Q                                                     |        NULL |
|  4 | NULL |          8 | agentApiKey       | 85157308-6647-43d0-82c4-a73f51e9bb6b | NULL        | active | 2015-09-16 20:57:41 | NULL                | NULL                | {}   | 3768CDC8F34A2BF0A84A | 2tC4rRwrJSpBzNPcu3EqjyVt6ZjXx7ekcoMEmBeg                                                     |        NULL |
| 19 | NULL |          1 | password          | 2d521036-3022-43a0-acf3-09a4ba71bf18 | NULL        | active | 2015-09-16 21:08:52 | NULL                | NULL                | {}   | bgeorge              | SHA256:0cb470f52842f4e2f4c8:c5d60b589e8c4debfd0bc2fc9c344d6763d778ec2b15a7589d274ecaccc04fec |        NULL |
+----+------+------------+-------------------+--------------------------------------+-------------+--------+---------------------+---------------------+---------------------+------+----------------------+----------------------------------------------------------------------------------------------+-------------+
5 rows in set (0.00 sec)

select * from setting;

+----+------------------------------+-----------------------------+
| id | name                         | value                       |
+----+------------------------------+-----------------------------+
|  1 | api.auth.provider.configured | localAuthConfig             |
|  2 | api.host                     | http://192.168.160.187:8080 |
|  3 | api.security.enabled         | false                       |
|  4 | api.auth.local.access.mode   | unrestricted                |
+----+------------------------------+-----------------------------+
4 rows in set (0.01 sec)

Can you run these 2 MySQL statements against the DB? Afterwards, can you refresh your page? You should have local auth enabled and be required to log in with your username/password.

update setting set value="true" where name="api.security.enabled";
update account set external_id=19, external_id_type="rancher_id" where id=1;
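
An added example, not part of the original posts and not Rancher's own tooling: a read-only check for the half-enabled state visible in the tables above (provider configured, `api.security.enabled` still `false`), usable before and after the two updates. It uses only the tables and columns shown in this thread; the rule that `account.external_id` should equal the password credential's id is inferred from the fix above (credential 19, `external_id=19`), not from Rancher documentation.

```sql
-- Added example: read-only diagnostics for the cattle database.
USE cattle;

-- 1. Is an auth provider configured while API authentication is not enforced?
--    In the setting table posted above this returns the INCONSISTENT verdict.
SELECT p.value AS auth_provider,
       s.value AS security_enabled,
       CASE
         WHEN p.value = 'localAuthConfig' AND s.value <> 'true'
           THEN 'INCONSISTENT: provider set, API auth not enforced'
         ELSE 'ok'
       END AS verdict
FROM setting p
JOIN setting s ON s.name = 'api.security.enabled'
WHERE p.name = 'api.auth.provider.configured';

-- 2. Is each live password credential linked back from its account?
--    secret_value is deliberately not selected, so the output can be
--    shared in a support thread without exposing password hashes or keys.
SELECT c.id           AS credential_id,
       c.public_value AS username,
       c.state        AS credential_state,
       a.id           AS account_id,
       a.kind         AS account_kind,
       a.external_id,
       a.external_id_type,
       CASE
         -- Assumption inferred from the fix in this thread: a linked account
         -- carries the credential id in external_id with type 'rancher_id'.
         WHEN a.external_id = CAST(c.id AS CHAR)
              AND a.external_id_type = 'rancher_id'
           THEN 'linked'
         ELSE 'NOT LINKED'
       END AS link_status
FROM credential c
JOIN account a ON a.id = c.account_id
WHERE c.kind = 'password'
  AND c.removed IS NULL;
```

After the two updates, query 1 should report `ok` and query 2 should report `linked` for the admin account's credential.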

@denise WOO HOO ! Thank you for the help, seems a problem with setting the security flag.

Thanks again