traefik-on-service-fabric

Connect to SF that uses Windows security

Open dealboy opened this issue 6 years ago • 6 comments

Hi there,

I would like to use Traefik with the SF provider, but my use case has Windows security enabled, not certificates.

I configured Traefik to run under a user account that has read access to the SF cluster, but it is not enough as the communication is HTTP and no credentials are passed. (In the Traefik logs I get a 401 Unauthorized error when Traefik tries to query SF for applications.)

Is there a way to configure that?

thanks Yannis

dealboy avatar Oct 24 '17 14:10 dealboy

Currently the fork doesn't include support for Windows Credentials.

Potentially we could test using something like https://github.com/Azure/go-ntlmssp in the provider to support NTLM auth. We're considering refactoring out the sf goclient into its own package so this could sit under this work.

The toml config here could then be updated to include the credentials for the user.

@jjcollinge what do you think?

lawrencegripper avatar Oct 24 '17 15:10 lawrencegripper

@dealboy thanks for raising this issue - as @lawrencegripper mentioned, this is not a currently supported scenario. However, we are going to pick up this piece of work as part of our go SF SDK extraction #8.

jjcollinge avatar Oct 24 '17 16:10 jjcollinge

That's great, thanks guys! I will be watching the repo for changes!

Minor comment: beyond setting credentials in the TOML config, consider (if possible) also supporting integrated Windows authentication based on the account that runs the Traefik (client) service.

dealboy avatar Oct 24 '17 17:10 dealboy

Np, thanks for trying out Traefik on SF!

I think using integrated security will be an order of magnitude more complex as we're working in golang which doesn't support it out of the box. I believe we'd need to be able to use SSPI API, as was attempted here or this library looks like it may enable it gssapi. Happy to consider it a stretch goal for further down the line, sound good?

lawrencegripper avatar Oct 25 '17 07:10 lawrencegripper

Do you guys think there will be any movement on this enhancement soon? The only way I've been working around Windows Authentication is to write another WebAPI to run as an authorized user to proxy the calls from Traefik to Service Fabric's API.

lyweilian avatar Jan 11 '19 21:01 lyweilian

Hi, I'm afraid there isn't currently any ongoing work on this issue. We're very much open to contributions if anyone would like to pick it up and start working on it though.

lawrencegripper avatar Jan 14 '19 08:01 lawrencegripper
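
Added example, not part of the thread or the project's code: a check of which schemes an endpoint offers on the 401 described in the first post, which helps when deciding between an NTLM library and SSPI-based integrated auth. The test server and the `/Applications` path are constructed stand-ins, not a real Service Fabric gateway, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// challengeSchemes lists the scheme named first in each WWW-Authenticate header line.
func challengeSchemes(resp *http.Response) []string {
	var schemes []string
	for _, h := range resp.Header.Values("WWW-Authenticate") {
		if f := strings.Fields(h); len(f) > 0 {
			schemes = append(schemes, f[0])
		}
	}
	return schemes
}

// needsWindowsAuth sends an unauthenticated GET and reports whether the
// endpoint answered 401 with a Negotiate or NTLM challenge.
func needsWindowsAuth(c *http.Client, url string) (bool, []string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return false, nil, err
	}
	defer resp.Body.Close()
	schemes := challengeSchemes(resp)
	for _, s := range schemes {
		win := strings.EqualFold(s, "Negotiate") || strings.EqualFold(s, "NTLM")
		if resp.StatusCode == http.StatusUnauthorized && win {
			return true, schemes, nil
		}
	}
	return false, schemes, nil
}

// probeConstructed runs the check against a constructed stand-in server.
func probeConstructed() (bool, []string, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("WWW-Authenticate", "Negotiate")
		w.Header().Add("WWW-Authenticate", "NTLM")
		w.WriteHeader(http.StatusUnauthorized)
	}))
	defer srv.Close()
	return needsWindowsAuth(srv.Client(), srv.URL+"/Applications")
}

func main() { fmt.Println(probeConstructed()) }
```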