bosh ssh authentication problem with bosh director - 401 not authorized?


Dmitriy Kalinin
 

check out bosh.io/docs/director-users.html.

if you lost your pasword to the director, you can set preconfigured users and run bosh-init to update the director.

bosh ssh didnt change the way it works to auth.

Sent from my iPhone

On Jan 8, 2016, at 12:46 PM, Rafal Radecki <radecki.rafal(a)gmail.com> wrote:

Hi All :)

I am currently investigating a problem on one of my development environments.
I have deployed CF through microbosh. I had access to bosh cli and could use bosh ssh with no problem. Yesterday it stopped working and I suspect that someone changed the way bosh cli authenticates with the bosh director on microbosh vm.

When I invoke bosh ssh I get:

ubuntu(a)ip-10-10-0-67:~/workspace/deployments/microbosh$ bosh ssh

[WARNING] Loading the cli took 21.6 seconds, consider cleaning your gem environment
"""
1. data/0
2. backbone_z1/0
3. runner_z1/0
4. runner_z1/1
5. runner_z1/2
6. runner_z1/3
7. public_haproxy_z1/0
8. private_haproxy_z1/0
9. api_z1/0
10. health_z1/0
11. services_z1/0
12. acceptance_tests_runner/0
13. smoke_tests_runner/0
Choose an instance: 1
Acting as user 'admin' on deployment 'cf-aws-tiny' on 'bosh-vpc-aba3f6ce'
Enter password (use it to sudo on remote host): ********
Target deployment is `cf-aws-tiny'

Setting up ssh artifacts
HTTP 401: Not authorized
"""

I can see on the microbosh machine that the request goes through nginx which listens on TCP 25555 and then it is forwarded to
"ruby /var/vcap/packages/director/bin/bosh-director -c /var/vcap/jobs/director/config/director.yml" process which listens on TCP 25556. In nginx logs (/var/vcap/data/sys/log/director/director.stderr.log) I get:

"""
10.10.0.67 - - [08/Jan/2016:20:30:44 +0000] "POST /deployments/cf-aws-tiny/ssh HTTP/1.0" 401 15 0.6529
127.0.0.1 - - [08/Jan/2016:20:31:38 +0000] "GET /deployments HTTP/1.0" 401 15 0.6245
"""

And in the ruby process' logfile (/var/vcap/sys/log/director/director.debug.log from /var/vcap/jobs/director/config/director.yml) :

"""
D, [2016-01-08 20:34:38 #6980] [] DEBUG -- Director: (0.000121s) SELECT NULL
D, [2016-01-08 20:34:38 #6980] [] DEBUG -- Director: (0.000104s) SELECT NULL
D, [2016-01-08 20:34:38 #6980] [] DEBUG -- Director: (0.000194s) SELECT * FROM "users" WHERE ("username" = 'admin') LIMIT 1
"""

In /info endpoint:

"""
wget -nv http://127.0.0.1:25556/info -O - 2>&1
{"name":"bosh-vpc-aba3f6ce","uuid":"fd5dbdc5-9533-4497-84e9-69579185524a","version":"1.2989.0 (00000000)","user":null,"cpi":"aws","user_authentication":{"type":"basic","options":{}},"features":{"dns":{"status":true,"extras":{"domain_name":"microbosh"}},"compiled_package_cache":{"status":false,"extras":{"provider":null}},"snapshots":{"status":false}}}2016-01-08 20:35:55 URL:http://127.0.0.1:25556/info [352/352] -> "-" [1]
"""

I see that basic auth is used and I also got an information that someone has recreated through bosh the 'admin' user with a new password (<lol> :D). I cannot now login with bosh login, bosh status gives:

"""
ubuntu(a)ip-10-10-0-67:~/workspace/deployments/microbosh$ bosh status

[WARNING] Loading the cli took 21.7 seconds, consider cleaning your gem environment

Config
/home/ubuntu/.bosh_config

Director
Name bosh-vpc-xxx
URL https://10.10.1.4:25555
Version 1.2989.0 (00000000)
User not logged in
UUID ...
CPI aws
dns enabled (domain_name: microbosh)
compiled_package_cache disabled
snapshots disabled

Deployment
Manifest /home/ubuntu/workspace/deployments/cf-boshworkspace/.deployments/cf-aws-tiny.yml
"""

Is there a way to restore the password for admin user or create a new user for bosh login? Or maybe something else should be done?

BR,
Rafal.


Rafal Radecki
 

Hi All :)

I am currently investigating a problem on one of my development environments.
I have deployed CF through microbosh. I had access to bosh cli and could use bosh ssh with no problem. Yesterday it stopped working and I suspect that someone changed the way bosh cli authenticates with the bosh director on microbosh vm.

When I invoke bosh ssh I get:

ubuntu(a)ip-10-10-0-67:~/workspace/deployments/microbosh$ bosh ssh

[WARNING] Loading the cli took 21.6 seconds, consider cleaning your gem environment
"""
1. data/0
2. backbone_z1/0
3. runner_z1/0
4. runner_z1/1
5. runner_z1/2
6. runner_z1/3
7. public_haproxy_z1/0
8. private_haproxy_z1/0
9. api_z1/0
10. health_z1/0
11. services_z1/0
12. acceptance_tests_runner/0
13. smoke_tests_runner/0
Choose an instance: 1
Acting as user 'admin' on deployment 'cf-aws-tiny' on 'bosh-vpc-aba3f6ce'
Enter password (use it to sudo on remote host): ********
Target deployment is `cf-aws-tiny'

Setting up ssh artifacts
HTTP 401: Not authorized
"""

I can see on the microbosh machine that the request goes through nginx which listens on TCP 25555 and then it is forwarded to
"ruby /var/vcap/packages/director/bin/bosh-director -c /var/vcap/jobs/director/config/director.yml" process which listens on TCP 25556. In nginx logs (/var/vcap/data/sys/log/director/director.stderr.log) I get:

"""
10.10.0.67 - - [08/Jan/2016:20:30:44 +0000] "POST /deployments/cf-aws-tiny/ssh HTTP/1.0" 401 15 0.6529
127.0.0.1 - - [08/Jan/2016:20:31:38 +0000] "GET /deployments HTTP/1.0" 401 15 0.6245
"""

And in the ruby process' logfile (/var/vcap/sys/log/director/director.debug.log from /var/vcap/jobs/director/config/director.yml) :

"""
D, [2016-01-08 20:34:38 #6980] [] DEBUG -- Director: (0.000121s) SELECT NULL
D, [2016-01-08 20:34:38 #6980] [] DEBUG -- Director: (0.000104s) SELECT NULL
D, [2016-01-08 20:34:38 #6980] [] DEBUG -- Director: (0.000194s) SELECT * FROM "users" WHERE ("username" = 'admin') LIMIT 1
"""

In /info endpoint:

"""
wget -nv http://127.0.0.1:25556/info -O - 2>&1
{"name":"bosh-vpc-aba3f6ce","uuid":"fd5dbdc5-9533-4497-84e9-69579185524a","version":"1.2989.0 (00000000)","user":null,"cpi":"aws","user_authentication":{"type":"basic","options":{}},"features":{"dns":{"status":true,"extras":{"domain_name":"microbosh"}},"compiled_package_cache":{"status":false,"extras":{"provider":null}},"snapshots":{"status":false}}}2016-01-08 20:35:55 URL:http://127.0.0.1:25556/info [352/352] -> "-" [1]
"""

I see that basic auth is used and I also got an information that someone has recreated through bosh the 'admin' user with a new password (<lol> :D). I cannot now login with bosh login, bosh status gives:

"""
ubuntu(a)ip-10-10-0-67:~/workspace/deployments/microbosh$ bosh status

[WARNING] Loading the cli took 21.7 seconds, consider cleaning your gem environment

Config
/home/ubuntu/.bosh_config

Director
Name bosh-vpc-xxx
URL https://10.10.1.4:25555
Version 1.2989.0 (00000000)
User not logged in
UUID ...
CPI aws
dns enabled (domain_name: microbosh)
compiled_package_cache disabled
snapshots disabled

Deployment
Manifest /home/ubuntu/workspace/deployments/cf-boshworkspace/.deployments/cf-aws-tiny.yml
"""

Is there a way to restore the password for admin user or create a new user for bosh login? Or maybe something else should be done?

BR,
Rafal.