anchore-engine

CLI command Unauthorized

Open jerem-uzoma opened this issue 3 years ago • 9 comments

Is this a request for help?: Yes

Is this a BUG REPORT or a FEATURE REQUEST? (choose one):

Version of Anchore Engine and Anchore CLI if applicable: Anchore CLI version 0.9.1 Anchore Engine: docker.io/anchore/anchore-engine:v0.10.0

What happened:

I am deploying anchore engine on Openshift version 4.6 using FluxCD, see sample yaml deployment file below:

apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: anchore-engine
  namespace: devops
spec:
  releaseName: anchore-engine
  chart:
    git: https://github.com/anchore/anchore-charts.git
    path: stable/anchore-engine
    ref: master
  values:
    postgresql:
      postgresUser: ***
      postgresPassword: ***
      postgresDatabase: ***
      enabled: false
      externalEndpoint: ***
    anchoreGlobal:
      openShiftDeployment: True
      existingSecret: ***
      logLevel: DEBUG

After successful deployment, I am unable to log in successfully; I always get an Unauthorized error.

anchore-cli --u admin --p foobar --debug system status
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): :80
DEBUG:urllib3.connectionpool:http://anchore-devops.apps.devocp.safaricom.net:80 "GET / HTTP/1.1" 200 5
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:anchorecli.clients.apiexternal:GET url=
DEBUG:anchorecli.clients.apiexternal:GET insecure=True
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): :80
DEBUG:urllib3.connectionpool::80 "GET /system HTTP/1.1" 401 12
DEBUG:anchorecli.cli.utils:fetched httpcode from response: 401
"Unauthorized"

If I access the terminal of all running pods, I can see the CLI PASS and USER is correct:

sh-4.4$ printenv | grep ANCHORE_CLI
ANCHORE_CLI_URL=http://localhost:8228
ANCHORE_CLI_USER=admin
ANCHORE_CLI_PASS=foobar

From the logs of the API engine pod I see the below error:

[service:api] 2021-08-03 06:40:18+0000 [_GenericHTTPChannelProtocol,17563,10.129.2.1] [PoolThread-twisted.internet.reactor-0] [anchore_engine.subsys.auth.realms/get_authentication_info()] [DEBUG] Attempting to get cached credentials for [admin]
[service:api] 2021-08-03 06:40:18+0000 [_GenericHTTPChannelProtocol,17563,10.129.2.1] [PoolThread-twisted.internet.reactor-0] [anchore_engine.subsys.auth.realms/query_authc_info()] [DEBUG] Could not obtain cached credentials for [admin]. Will try to acquire credentials from account store.
[service:api] 2021-08-03 06:40:18+0000 [-] Traceback (most recent call last):
[service:api] 2021-08-03 06:40:18+0000 [-] File "/usr/local/lib/python3.8/site-packages/yosai/core/realm/realm.py", line 257, in assert_credentials_match
[service:api] 2021-08-03 06:40:18+0000 [-] verifier.verify_credentials(authc_token, account['authc_info'])
[service:api] 2021-08-03 06:40:18+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/subsys/auth/stores/verifier.py", line 30, in verify_credentials
[service:api] 2021-08-03 06:40:18+0000 [-] return self.simple.verify_credentials(authc_token, account)
[service:api] 2021-08-03 06:40:18+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/subsys/auth/stores/verifier.py", line 52, in verify_credentials
[service:api] 2021-08-03 06:40:18+0000 [-] raise IncorrectCredentialsException
[service:api] 2021-08-03 06:40:18+0000 [-] yosai.core.exceptions.IncorrectCredentialsException
[service:api] 2021-08-03 06:40:18+0000 [-]
[service:api] 2021-08-03 06:40:18+0000 [-] During handling of the above exception, another exception occurred:
[service:api] 2021-08-03 06:40:18+0000 [-]
[service:api] 2021-08-03 06:40:18+0000 [-] Traceback (most recent call last):
[service:api] 2021-08-03 06:40:18+0000 [-] File "/usr/local/lib/python3.8/site-packages/yosai/core/authc/authc.py", line 205, in authenticate_account
[service:api] 2021-08-03 06:40:18+0000 [-] account = self.do_authenticate_account(authc_token)
[service:api] 2021-08-03 06:40:18+0000 [-] File "/usr/local/lib/python3.8/site-packages/yosai/core/authc/authc.py", line 258, in do_authenticate_account
[service:api] 2021-08-03 06:40:18+0000 [-] account = self.authenticate_multi_realm_account(self.realms, authc_token)
[service:api] 2021-08-03 06:40:18+0000 [-] File "/usr/local/lib/python3.8/site-packages/yosai/core/authc/authc.py", line 181, in authenticate_multi_realm_account
[service:api] 2021-08-03 06:40:18+0000 [-] return self.authentication_strategy(attempt)
[service:api] 2021-08-03 06:40:18+0000 [-] File "/usr/local/lib/python3.8/site-packages/yosai/core/authc/strategy.py", line 104, in first_realm_successful_strategy
[service:api] 2021-08-03 06:40:18+0000 [-] raise realm_errors[0]
[service:api] 2021-08-03 06:40:18+0000 [-] File "/usr/local/lib/python3.8/site-packages/yosai/core/authc/strategy.py", line 96, in first_realm_successful_strategy
[service:api] 2021-08-03 06:40:18+0000 [-] account = realm.authenticate_account(authc_token)
[service:api] 2021-08-03 06:40:18+0000 [-] File "/usr/local/lib/python3.8/site-packages/yosai/core/realm/realm.py", line 228, in authenticate_account
[service:api] 2021-08-03 06:40:18+0000 [-] self.assert_credentials_match(verifier, authc_token, account)
[service:api] 2021-08-03 06:40:18+0000 [-] File "/usr/local/lib/python3.8/site-packages/yosai/core/realm/realm.py", line 264, in assert_credentials_match
[service:api] 2021-08-03 06:40:18+0000 [-] raise IncorrectCredentialsException(failed_attempts)
[service:api] 2021-08-03 06:40:18+0000 [-] yosai.core.exceptions.IncorrectCredentialsException: [1627972818114]
[service:api] 2021-08-03 06:40:18+0000 [-]
[service:api] 2021-08-03 06:40:18+0000 [-] During handling of the above exception, another exception occurred:
[service:api] 2021-08-03 06:40:18+0000 [-]
[service:api] 2021-08-03 06:40:18+0000 [-] Traceback (most recent call last):
[service:api] 2021-08-03 06:40:18+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/apis/authorization.py", line 304, in authenticate_token
[service:api] 2021-08-03 06:40:18+0000 [-] subject.login(authc_token)
[service:api] 2021-08-03 06:40:18+0000 [-] File "/usr/local/lib/python3.8/site-packages/yosai/core/subject/subject.py", line 396, in login
[service:api] 2021-08-03 06:40:18+0000 [-] subject = self.security_manager.login(subject=self,
[service:api] 2021-08-03 06:40:18+0000 [-] File "/usr/local/lib/python3.8/site-packages/yosai/core/mgt/mgt.py", line 662, in login
[service:api] 2021-08-03 06:40:18+0000 [-] account_id = self.authenticator.authenticate_account(subject.identifiers,
[service:api] 2021-08-03 06:40:18+0000 [-] File "/usr/local/lib/python3.8/site-packages/yosai/core/authc/authc.py", line 234, in authenticate_account
[service:api] 2021-08-03 06:40:18+0000 [-] raise IncorrectCredentialsException
[service:api] 2021-08-03 06:40:18+0000 [-] yosai.core.exceptions.IncorrectCredentialsException
[service:api] 2021-08-03 06:40:18+0000 [_GenericHTTPChannelProtocol,17563,10.129.2.1] [PoolThread-twisted.internet.reactor-0] [anchore_engine.apis.authorization/authenticate_token()] [ERROR] Login failed
[service:api] 2021-08-03 06:40:18+0000 [-] "10.129.2.1" - - [03/Aug/2021:06:40:17 +0000] "GET /system HTTP/1.1" 401 12 "-" "python-requests/2.23.0"
[service:api] 2021-08-03 06:40:20+0000 [-] "10.129.2.1" - - [03/Aug/2021:06:40:19 +0000] "GET / HTTP/1.1" 200 5 "-" "python-requests/2.23.0"

What did you expect to happen: I expect successful authentication since I am using the correct credentials.

Any relevant log output from /var/log/anchore: Already provided above

What docker images are you using: docker.io/anchore/anchore-engine:v0.10.0

How to reproduce the issue:

Anything else we need to know:

jerem-uzoma avatar Aug 03 '21 06:08 jerem-uzoma

@jerem-uzoma Thanks for filing this issue. We will take a look at this and get back to you when we have some feedback.

dspalmer99 avatar Aug 26 '21 13:08 dspalmer99

@jerem-uzoma Can you connect to your postgres container and confirm that your admin password matches what you have set for ANCHORE_CLI_PASS? It looks like you may not be setting your default admin password, in which case anchore-engine will generate a randomized password for you when it bootstraps.

dspalmer99 avatar Aug 26 '21 14:08 dspalmer99

@jerem-uzoma Could you also check to confirm that your flux deployment is setting a kubernetes secret with the ANCHORE_ADMIN_PASSWORD value set as expected?

dspalmer99 avatar Aug 27 '21 13:08 dspalmer99

I started a shell in the anchore-engine pod and printed the environment variables, then I curled the API with the exact credentials given in the environment variables and got unauthorized. Any idea?

I am using the default helm chart values:

helm install anchore-engine -f values.yaml anchore/anchore-engine

I changed only line 184 in the values file:

defaultAdminPassword: test123456


Tim-Schwalbe avatar Sep 17 '21 12:09 Tim-Schwalbe

The same also happens when I use the helm chart with:

helm install anchore-engine anchore/anchore-engine

Tim-Schwalbe avatar Sep 17 '21 13:09 Tim-Schwalbe

@dspalmer99 Can you maybe help here?

Tim-Schwalbe avatar Sep 20 '21 05:09 Tim-Schwalbe

> @jerem-uzoma Can you connect to your postgres container and confirm that your admin password matches what you have set for ANCHORE_CLI_PASS? It looks like you may not be setting your default admin password, in which case anchore-engine will generate a randomized password for you when it bootstraps.

Sorry for the late response, I had already resolved this issue and your suggestion here is also on the money. In my own case the DB team issued a DB that was already used for an initial anchore installation, so although I was setting the password for my new installation the password used in the old installation was always used. I just had to connect to the Postgres DB and get the password used for the old installation and all was fine.

jerem-uzoma avatar Sep 20 '21 06:09 jerem-uzoma

> The same also happens when I use the helm chart with: helm install anchore-engine anchore/anchore-engine

Maybe check in the Postgres DB for the password set for the admin user and ensure you use that password?

jerem-uzoma avatar Sep 20 '21 06:09 jerem-uzoma

Hi, yes I can acknowledge that I had to set the user/password/db in the postgres chart: Postgres dep

postgresUser: anchoreengine
postgresPassword: anchore-postgres,123
postgresDatabase: anchore 

Now it works!

Tim-Schwalbe avatar Sep 23 '21 08:09 Tim-Schwalbe
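
The checks suggested in this thread, collected as an added triage sketch that is not part of any comment above and is not Anchore's own tooling: it reads `ANCHORE_ADMIN_PASSWORD` from the Kubernetes secret, compares it with `ANCHORE_CLI_PASS`, and probes `GET /` and `GET /system` as they appear in the posted log. The namespace and secret-name arguments, the helper names `classify` and `main`, and the result labels are assumptions made for illustration.

```sh
#!/bin/sh
# Added triage sketch (not Anchore tooling). classify() maps three observations
# to the causes discussed in the thread; main() gathers them with kubectl/curl.

# classify <GET / status> <GET /system status> <secret matches CLI: yes|no|unknown>
classify() {
  root="$1"; sys="$2"; match="$3"
  if [ "$root" != "200" ]; then
    echo "api-unreachable"                  # unauthenticated GET / returned 200 in the log
  elif [ "$sys" = "200" ]; then
    echo "ok"
  elif [ "$sys" != "401" ]; then
    echo "unexpected-status"
  elif [ "$match" = "no" ]; then
    echo "secret-and-cli-password-differ"
  elif [ "$match" = "unknown" ]; then
    echo "no-admin-password-in-secret"      # engine may have generated a random one
  else
    echo "database-holds-older-credential"  # reused DB: bootstrap password still stored
  fi
}

main() {
  ns="$1"; secret="$2"                      # caller-supplied, e.g. the existingSecret name
  url="${ANCHORE_CLI_URL:?set ANCHORE_CLI_URL}"
  user="${ANCHORE_CLI_USER:-admin}"; pass="${ANCHORE_CLI_PASS:-}"
  enc="$(kubectl get secret "$secret" -n "$ns" \
        -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}')" || { echo "cannot-read-secret"; return 1; }
  secret_pw="$(printf '%s' "$enc" | base64 -d)"
  if [ -z "$secret_pw" ]; then match=unknown
  elif [ "$secret_pw" = "$pass" ]; then match=yes
  else match=no; fi
  root="$(curl -s -o /dev/null -w '%{http_code}' "$url/")"
  # Credentials go through a curl config on stdin, not argv (visible in ps).
  # Assumes the password contains no double quote or backslash.
  sys="$(printf 'user = "%s:%s"\n' "$user" "$pass" |
        curl -s -o /dev/null -w '%{http_code}' -K - "$url/system")"
  classify "$root" "$sys" "$match"
}

# Usage: ANCHORE_CLI_URL=... ANCHORE_CLI_PASS=... sh triage.sh <namespace> <secret-name>
if [ "$#" -ge 2 ]; then main "$@"; fi
```

A result of `database-holds-older-credential` corresponds to the reused-database case reported above: the configured password is consistent everywhere, yet the API still answers 401 because the credential written at the first bootstrap is the one stored.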