Support for Encrypted Authorization Token #107

Open
xsYf6tdq8 opened this issue Aug 2, 2022 · 4 comments

@xsYf6tdq8

Hello

I would like to use the encrypted authorization tokens for our environment.
I see in the file below that Basic authorization is used and that there is no possibility for 'Custom_Auth'.

Is this on the roadmap?

utils/brocade_connection.py
credential = {"Authorization": "Basic " + login_encoded.decode(), "User-Agent": "Rest-Conf"}

@prasad-valmeti-broadcom
Collaborator

Hi,
During login time, Ansible scripts use basic authentication with the user credentials to log in to the switch.
After the login request is successful, retrieve a custom authorization code from the switch's login response.
From that time onwards, all the requests sent by the Ansible scripts use the custom authorization.
Observe the API url_helper from the utils/brocade_url.py
url_helper(URL, body, method, auth, result, validate_certs, timeout, credential=None):

Here 'auth' is a Custom authorization, not the Basic as shown below:
 Authorization      Custom_Basic YWRtaW46eHh4OmFiMmRiZWM5YTkxYjQyNmZlZTQ1NzExZWJlOWQzZjY2YWJkNWNmM2FiMTdlNzk2MDAwMDAwMDAwMDAwMDAwMDA=

 Please let us know if it solves your purpose. If not, could you please give us more details of your requirement?

Regards,
Prasad
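
The login flow described in the comment above, as an added example that is not part of the thread or of the project's code: Basic credentials are sent once at login, the session token comes back in the response's Authorization header, and every later request carries only that token. The switch is a constructed local mock; the paths `/rest/login`, `/rest/logout` and `/rest/running/constructed`, the token value, and the helper names are assumptions.

```python
import base64
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed session token; a real switch issues its own value at login.
SESSION = "Custom_Basic " + base64.b64encode(b"constructed-session-key").decode()
# Ignore any proxy settings so the client talks to the local mock directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class MockSwitch(BaseHTTPRequestHandler):
    """Constructed stand-in for the switch's REST interface."""
    seen = []  # (path, Authorization scheme) for each request received

    def do_POST(self):
        auth = self.headers.get("Authorization", "")
        MockSwitch.seen.append((self.path, auth.split(" ", 1)[0]))
        if self.path == "/rest/login" and auth.startswith("Basic "):
            self.send_response(200)
            self.send_header("Authorization", SESSION)  # token returned in a header
        elif auth == SESSION:
            self.send_response(204)
        else:
            self.send_response(401)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def call(base, path, auth):
    req = urllib.request.Request(base + path, data=b"", method="POST",
                                 headers={"Authorization": auth, "User-Agent": "Rest-Conf"})
    with OPENER.open(req, timeout=5) as resp:
        return resp.status, resp.headers.get("Authorization")

def run_session(user, password):
    MockSwitch.seen = []
    server = HTTPServer(("127.0.0.1", 0), MockSwitch)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    try:
        basic = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        _, token = call(base, "/rest/login", basic)      # password leaves the client once
        call(base, "/rest/running/constructed", token)   # later requests carry only the token
        call(base, "/rest/logout", token)                # end the session when done
    finally:
        server.shutdown()
        server.server_close()
    return MockSwitch.seen
```

The token is a bearer credential for the lifetime of the session, so it needs the same handling as the password in logs and on disk.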

@xsYf6tdq8
Author

Hello Prasad

Thanks for your reply.

In our environment we enforce the use of named users for auditing purposes. We need the traceability.
We currently manage our systems via SSH and passphrase-protected keys. This way we can decrypt the key and easily run scripts safely.
Often these scripts are looped and thus authentication is needed multiple times. It is by no means an option to enter passwords manually. Currently the decrypted SSH keys solve this.

I don't think that storing the switch password on our servers is not safe. We can put it in the Ansible Vault but in that case we have to decrypt the vault when running a playbook. The password for the vault can also be stored in a file but this is also not very secure.
The token in essence is also just a password but it feels more secure :-)

Kind regards
Bert

@prasad-valmeti-broadcom
Collaborator

Hi Bert,
FOS switches support an auth-token feature. A token can be created and is used for the next REST queries.
The same can be extended to Ansible; will explore options and address this in the next release.
Regards,
Prasad

@prasad-valmeti-broadcom
Collaborator

Hi Bert,
Discussions are in progress on auth token support based on SSO. This security feature is being developed in FOS. Once that is available, it will be integrated into Ansible. Will post the status on the next steps.
Regards,
Prasad
