rancher: Can't login with Rancher CLI in Rancher 2.2.x when API key is cluster scoped
What kind of request is this (question/bug/enhancement/feature request): bug
Steps to reproduce (least amount of steps as possible): I just installed (clean install) Rancher 2.2.0-rc2 and tried to log in using Rancher CLI v2.2.0-rc9
Result: level=fatal msg="Bad response statusCode [401]. Status [401 Unauthorized]. Body: [message=clusterID does not match]
Other details that may be helpful:
Environment information
- Rancher version (`rancher/rancher`/`rancher/server` image tag or shown bottom left in the UI): 2.2.0-rc2
- Installation option (single install/HA): single
Cluster information
- Cluster type (Hosted/Infrastructure Provider/Custom/Imported): Infrastructure provider (Digital Ocean)
- Machine type (cloud/VM/metal) and specifications (CPU/memory): Cloud. 4GB memory and 2vCPUs
- Kubernetes version (use `kubectl version`):
!!! Note: This kubectl version is from my pc. !!!
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.4", GitCommit:"c27b913fddd1a6c480c229191a087698aa92f0b1", GitTreeState:"clean", BuildDate:"2019-02-28T13:37:52Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.1", GitCommit:"eec55b9ba98609a46fee712359c7b5b365bdd920", GitTreeState:"clean", BuildDate:"2018-12-13T10:31:33Z", GoVersion:"go1.11.2", Compiler:"gc", Platform:"linux/amd64"}
- Docker version (use `docker version`):
Client:
Version: 18.09.3
API version: 1.39
Go version: go1.10.8
Git commit: 774a1f4
Built: Thu Feb 28 06:53:11 2019
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 18.09.3
API version: 1.39 (minimum version 1.12)
Go version: go1.10.8
Git commit: 774a1f4
Built: Thu Feb 28 05:59:55 2019
OS/Arch: linux/amd64
Experimental: false
About this issue
- State: closed
- Created 5 years ago
- Comments: 15 (3 by maintainers)
Commits related to this issue
- Add help text to cluster scoped api key creation rancher/rancher#18639 — committed to westlywright/ui by westlywright 5 years ago
I found it.
It will not work if a scope is selected when adding an API Key.
Just to let you know that this is also affecting the Terraform provider, as it does not allow the usage of scoped tokens. It would be nice, because I don’t want Terraform to have access to things outside the designed deployment scope.
Cluster-scoped token’s primary intended use is for communicating with the kubernetes API for a specific cluster. It also works for Rancher api calls that fall under the cluster endpoint. This means a token scoped to cluster c-1234 will work for everything under `/v3/clusters/c-1234`. The problem is that the cli currently makes calls that are outside of that scope endpoint (directly under `/v3`).

The CLI does not work with cluster-scoped tokens. The changes made here were (only) to clarify that.
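
A simplified model of the scope rule described in the comment above, added here as an example; it is not part of the thread and not Rancher's own code. The function names, the status mapping and the sample paths are assumptions; `c-1234` and the 401 "clusterID does not match" response come from the page.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// allowedByClusterScope models the rule from the comment: a token scoped to
// clusterID is accepted only at or below /v3/clusters/<clusterID>.
// An unscoped token (clusterID == "") is not restricted by this check.
func allowedByClusterScope(clusterID, reqPath string) bool {
	if clusterID == "" {
		return true
	}
	// Normalise first so "../" segments cannot step out of the scoped subtree.
	clean := path.Clean("/" + reqPath)
	// Compare whole segments so "c-1234" never matches "c-12345" by prefix.
	segs := strings.Split(strings.Trim(clean, "/"), "/")
	return len(segs) >= 3 && segs[0] == "v3" && segs[1] == "clusters" && segs[2] == clusterID
}

// statusFor maps the decision to the HTTP status seen in the issue.
func statusFor(clusterID, reqPath string) int {
	if allowedByClusterScope(clusterID, reqPath) {
		return 200
	}
	return 401 // reported body: message=clusterID does not match
}

func main() {
	// Constructed request paths; only c-1234 is taken from the thread.
	paths := []string{
		"/v3", // where the CLI's calls land, per the comment
		"/v3/clusters",
		"/v3/clusters/c-1234",
		"/v3/clusters/c-1234/nodes",
		"/v3/clusters/c-12345",
		"/v3/clusters/c-1234/../c-9999/nodes",
	}
	for _, p := range paths {
		fmt.Printf("%-38s scoped=%d unscoped=%d\n", p, statusFor("c-1234", p), statusFor("", p))
	}
}
```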
I really hoped this wasn’t the case 😢 If you scope the api key, you can’t login with it? How does that work?
Is this a feature or should this change? Or can we change where the CLI points so that our cluster-scoped tokens succeed?
@davidnuzik
I think that the help text is missing a key word - “only” - that I think is necessary for complete avoidance of doubt.
As in “Cluster-scoped tokens can only be used to interact directly with the Kubernetes API of clusters configured with an Authorized Cluster Endpoint”.
Version: Master (v2.3) (5/13/19)
This change makes it more clear in the UI via %editApiKey.scopeSelect.helpText% what cluster-scoped tokens can and cannot do.
This helper text also links directly to documentation for Authorized Cluster Endpoint via https://rancher.com/docs/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#authorized-cluster-endpoint