If Admin password changed in console, how does one get that for REST calls?


oldgluuser

All of the examples use admin:admin, which I have used up to this point as well. However, if a console user changes the password in the GLU console, then that password is needed for other Agents/scripts to use. How does one obtain the password in this, I believe 'normal'/'typical', use case?

Re: If Admin password changed in console, how does one get that for REST calls?

frenchyan
Administrator
The password for the admin user in the console is only used in the console: 

1) either to access the console via a web browser
2) or to access the console via the REST api

The password is not used in the agents or anywhere else. When you install glu, you set up a set of public/private keys and this is used for the security and has nothing to do with the admin user/password.

Yan

Re: If Admin password changed in console, how does one get that for REST calls?

oldgluuser
Yes, and if it has changed and one needs to access the console via the REST API, how do you get the password? It was changed in the Console GUI by an end user/administrator.

Re: If Admin password changed in console, how does one get that for REST calls?

frenchyan
Administrator
The password you use in the REST api is the same you use when you log into the console. If a user has changed the password and you don't know the password, there is no real way to retrieve it as the code uses bcrypt to do a one-way hash (https://github.com/pongasoft/glu/blob/master/console/org.linkedin.glu.console-webapp/grails-app/domain/org/linkedin/glu/console/domain/DbUserCredentials.groovy#L39)

In this case you would have to modify the database by hand to store a well known salt/hashed password combination

Yan

Re: If Admin password changed in console, how does one get that for REST calls?

oldgluuser
I guess this seems broken, at least to me. That is, any user of the REST APIs cannot use the Console to change the password. Manually editing any/all references to that password does not seem practical even if one 'knows' that password. In my case, other administrators would be setting it, so it is not possible to even know what it would be. I guess I need to write a shell script to override the setting of the password - it can call out to the code referenced above, but also store it in a more accessible manner.

I would suggest that JWT or other certificate-based means of authorizing the REST calls is probably needed.

Re: If Admin password changed in console, how does one get that for REST calls?

frenchyan
Administrator
I am not sure I fully understand what you are describing as a problem.

1) you can change your password anytime using the console
2) there is no REST api to change a password because you can do it with the console so it seemed that for such a rare thing, it was unnecessary to implement it as a REST API: if you have access to the REST API, you have access to the console.
3) there is obviously no REST API or simply no way to retrieve a (lost) password as this would be a major security concern.
4) there is a "reset password" feature for an admin. An admin can reset the password of any other user.
5) if there is only 1 admin user and you forgot the password (or you forgot the password of ALL admin users) then this is when you need to manually change the database which should be a very rare thing.

So what is exactly your issue? What is "broken" as you put it?

Yan



Re: If Admin password changed in console, how does one get that for REST calls?

oldgluuser
Sorry, I missed your reply until now. I suspect you are thinking of only one use case wherein the entire "GLU" mechanism is within your own systems/walls. In this use case, you are the one changing the password via the console, so you can go into the REST api uses and also change it there. Not really a problem here!

However, in another use case, the system controlled by GLU is sent to all the individual customers - on their computers at their sites. These customers, being security conscious, want to change the Admin password via the GLU console. However, once they do that, they break all the REST API calls. Hence my use of the word "broken". There does not appear to be a way to accommodate this. If the REST APIs could use certificates instead, that would be one way - a REST API to change the password would be another.

Re: If Admin password changed in console, how does one get that for REST calls?

frenchyan
Administrator
I guess we are not understanding each other. I still fail to understand your use-case.

A few thoughts (trying to guess since I don't understand):
* If you give your customers ADMIN access then they can change anything in glu which does not seem to be a good thing to me (including other customers?).
* If a customer changes their ADMIN password I do not understand why that breaks all the REST api calls. The REST api is not broken. The REST api requires a password like the web interface. If you don't provide the right password then yes it will not work. But it is not broken. It is how you use it which seems broken. It seems to me that you are bundling 2 things that you are giving to your customers: access via the console and access via REST api. I am not sure how you give REST api access to your customers but I assume it is via a script which somehow has knowledge of the original admin password (or in other words, it is hardcoded somewhere). If you want to allow your customers to change their admin password then you need to give them a tool that will both change the password in the console and the password in the rest api scripts you provide them. At this stage there is no plugin in glu that would allow invoking another (custom) step when the password is changed, but it could be added.
* If the client does not have access to the REST api and only you do, you can use different users for different purposes. For example you could create a "REST" user distinct from the admin user you provide your client. This REST user would have its own password so even if the client changes theirs it won't affect your scripts relying on the password.

Yan

Re: If Admin password changed in console, how does one get that for REST calls?

oldgluuser
Yes, access is provided to them via scripts. Although the original Admin password was changed, many still want to change the one we provide. So customers "use" the REST API via indirection; they do not call it directly themselves. Nonetheless, it is hardcoded in various places as there is not a way that use of any such password can be subsequently changed without breaking things.

Using a "REST USER" as you suggest in the third bullet is a good short term idea. But really this is just a stop-gap mechanism. The underlying problem that the use of a password in the REST api without having a means to programmatically update such is still present. Again though, it seems a chicken and egg problem - I do not have a REST API to create a REST USER, only the GUI. Is that correct? In such a case, I do not see how to implement this idea. That is, I would need/want to create this user during install, how might that be done?

Re: If Admin password changed in console, how does one get that for REST calls?

frenchyan
Administrator
Ok so just to be clear, glu is not broken. What is broken is the way you package and distribute glu to your clients. This may have been from a misunderstanding of how glu works in the first place but glu is working as it was intended to be used: the web interface and the REST api both use the same "server" and as such require the same credentials for the same user. If you invoke the REST api using a user and you have changed the password of that user in the UI, then yes you need to make calls to the REST api using the same password. Or in other words, whatever script is wrapping the calls to the REST api must be updated with the new password.

So to answer your questions:
* no there is no REST api to add and/or manage users in the most recent version of glu
* why having a REST api to add a user would help you? If you have access to the REST api of the client, you also have access to their console.
* during install you said that you "change the admin password", how do you do that? can't you use the same method to create a REST user?

I do not know how you package/distribute glu to your clients, but maybe you may want to start a fresh install of glu, using the UI, change the admin password, create a REST user with ADMIN privilege and password of your choosing. Then stop glu and use the state that glu is at this point in time to create the distribution for your clients.

Yan


Re: If Admin password changed in console, how does one get that for REST calls?

oldgluuser
Seems broken to me compared with most other REST APIs. Nonetheless, I have figured out how to use 'curl' to change the password via 'http' method (i.e. non-REST) calls, so I am good to go.

If I type in the point a third time I can't see why it would make sense to you, so I apologize about not being able to clearly define what I see as the issue. However, if I am correct, any use of the REST API will be subsequently made non-functional by any UI user changing the password of the User for the REST calls. If such calls are embedded in scripts and/or code, then a new release would be required to change that - which of course, is not viable - that would need to make the releases unique to each customer all over the world.

I plan on storing encrypted data in zookeeper and having these values pulled out dynamically.  This way, WHEN they change, no corresponding script/code change is required.

Topically, what I was trying to describe is also discussed here: https://stormpath.com/blog/secure-your-rest-api-right-way
See the section entitled: Password Reset Problems
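An added example (not glu's code, and not from either poster) of the two ideas raised in this thread: frenchyan's dedicated "REST user" whose password is independent of the admin password, and oldgluuser's plan to pull the credential out of a store at call time so a rotation needs no script change. The `ConsoleStub` below is a constructed stand-in that enforces HTTP Basic auth the way the thread says the console does; the REST path, the user names, the passwords and the in-memory `SECRET_STORE` (standing in for ZooKeeper or a vault) are all assumptions. The client caches the password, re-reads it from the store once on a 401, and fails loudly if the store is stale too.

```python
"""Added example, not glu's code: a REST wrapper that never hard-codes the
password, plus a constructed Basic-auth server standing in for the console."""
import base64
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for the console's user table (assumed names/passwords).
CONSOLE_USERS = {"admin": "admin", "rest": "rest-initial"}


class ConsoleStub(BaseHTTPRequestHandler):
    """Answers 200 with JSON for a valid Basic credential, 401 otherwise."""

    def do_GET(self):
        user, ok = None, False
        header = self.headers.get("Authorization", "")
        if header.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
                ok = CONSOLE_USERS.get(user) == pw
            except (ValueError, UnicodeDecodeError):
                ok = False
        if not ok:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="console"')
            self.end_headers()
            return
        body = json.dumps({"path": self.path, "user": user}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stub():
    """Serve the stub on a random loopback port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), ConsoleStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


# Assumed secret store keyed by user name (stands in for ZooKeeper / a vault).
SECRET_STORE = {"rest": "rest-initial"}


class RestClient:
    """Looks the password up at call time; no credential lives in the script."""

    def __init__(self, base_url, user, secret_lookup):
        self.base_url = base_url
        self.user = user
        self.secret_lookup = secret_lookup  # callable(user) -> current password
        self._password = None  # cached until a 401 says it is stale

    def _auth_header(self):
        if self._password is None:
            self._password = self.secret_lookup(self.user)
        token = base64.b64encode(f"{self.user}:{self._password}".encode()).decode()
        return "Basic " + token

    def get(self, path):
        for attempt in range(2):
            req = Request(self.base_url + path, headers={"Authorization": self._auth_header()})
            try:
                with urlopen(req, timeout=5) as resp:
                    return json.loads(resp.read())
            except HTTPError as e:
                if e.code == 401 and attempt == 0:
                    self._password = None  # re-read the store once, then retry
                    continue
                raise  # still 401: the store is stale too, surface it


def demo(path="/rest/v1/example"):  # assumed path, not a real glu endpoint
    srv, url = start_stub()
    try:
        client = RestClient(url, "rest", lambda u: SECRET_STORE[u])
        first = client.get(path)["user"]
        CONSOLE_USERS["admin"] = "new-admin-secret"  # admin rotated: no effect on us
        after_admin_change = client.get(path)["user"]
        CONSOLE_USERS["rest"] = SECRET_STORE["rest"] = "rest-rotated"  # rotated in both
        after_rest_rotation = client.get(path)["user"]
        CONSOLE_USERS["rest"] = "rotated-but-not-stored"  # console only: store is stale
        try:
            client.get(path)
            stale_failed = False
        except HTTPError as e:
            stale_failed = e.code == 401
        return first, after_admin_change, after_rest_rotation, stale_failed
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the only thing a password change has to touch is the store entry; the wrapper discovers the rotation by its first 401 and recovers without a release. The last step of `demo` shows the remaining failure mode: if the console password is changed but the store is not, the second 401 is raised rather than retried forever.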

Re: If Admin password changed in console, how does one get that for REST calls?

oldgluuser
There are several questions on Stack Overflow that likely do a FAR better job of what I was trying to describe:

http://stackoverflow.com/questions/319530/restful-authentication?noredirect=1&lq=1

http://stackoverflow.com/questions/4817643/how-to-secure-restful-web-services

JSON Web Tokens are described here:

https://jwt.io/introduction/