rancher: Can't login with Rancher CLI in Rancher 2.2.x when API key is cluster scoped

What kind of request is this (question/bug/enhancement/feature request): bug

Steps to reproduce (least amount of steps as possible): I just installed (clean install) Rancher 2.2.0-rc2 and I did try to log in using Rancher CLI v2.2.0-rc9

Result: level=fatal msg="Bad response statusCode [401]. Status [401 Unauthorized]. Body: [message=clusterID does not match]

Other details that may be helpful:

Environment information

  • Rancher version (rancher/rancher / rancher/server image tag or shown bottom left in the UI): 2.2.0-rc2

  • Installation option (single install/HA): single

Cluster information

  • Cluster type (Hosted/Infrastructure Provider/Custom/Imported): Infrastructure provider (Digital Ocean)

  • Machine type (cloud/VM/metal) and specifications (CPU/memory): Cloud. 4GB memory and 2vCPUs

  • Kubernetes version (use kubectl version):

!!! Note: This kubectl version is from my pc. !!!

Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.4", GitCommit:"c27b913fddd1a6c480c229191a087698aa92f0b1", GitTreeState:"clean", BuildDate:"2019-02-28T13:37:52Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.1", GitCommit:"eec55b9ba98609a46fee712359c7b5b365bdd920", GitTreeState:"clean", BuildDate:"2018-12-13T10:31:33Z", GoVersion:"go1.11.2", Compiler:"gc", Platform:"linux/amd64"}
  • Docker version (use docker version):
Client:
 Version:           18.09.3
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        774a1f4
 Built:             Thu Feb 28 06:53:11 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.3
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.8
  Git commit:       774a1f4
  Built:            Thu Feb 28 05:59:55 2019
  OS/Arch:          linux/amd64
  Experimental:     false

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 15 (3 by maintainers)

Most upvoted comments

I found it.

It will not work if a scope is selected when adding an API Key.

Just to let you know that this is also affecting the Terraform provider, as it does not allow the usage of scoped tokens. It would be nice, because I don’t want for Terraform to have access to things outside the designed deployment scope.

Cluster-scoped token’s primary intended use is for communicating with the kubernetes API for a specific cluster. It also works for Rancher api calls that fall under the cluster endpoint. This means a token scoped to cluster c-1234 will work for everything under /v3/clusters/c-1234. The problem is that the cli currently makes calls that are outside of that scope endpoint (directly under /v3).

The CLI does not work with cluster-scoped tokens. The changes made here were (only) to clarify that.

I really hoped this wasn’t the case 😢 If you scope the api key, you can’t login with it? How does that work?

Is this a feature or should this change? Or can we change where the CLI points so that our cluster-scoped tokens succeed?

@davidnuzik

I think that the help text is missing a key word - “only” - that I think is necessary for complete avoidance of doubt.

As in “Cluster-scoped tokens can only be used to interact directly with the Kubernetes API of clusters configured with an Authorized Cluster Endpoint”.

Version: Master (v2.3) (5/13/19)

This change makes it more clear in the UI via %editApiKey.scopeSelect.helpText% what cluster-scoped tokens can and cannot do.

This helper text also links directly to documentation for Authorized Cluster Endpoint via https://rancher.com/docs/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#authorized-cluster-endpoint
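
The scoping rule described in the comments above (a token scoped to c-1234 is valid only under /v3/clusters/c-1234, while the CLI calls /v3 directly) can be modelled as a path check. This is an added example, not Rancher's code and not part of the original thread; the function names `scopeAllows` and `authorize`, the sample paths, and the reuse of the 401 message from the report are assumptions for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// scopeAllows reports whether a token scoped to clusterID may call reqPath.
// It is a model of the rule stated in the thread, not Rancher's implementation:
// only the subtree /v3/clusters/<clusterID> is in scope.
// An empty clusterID stands for an unscoped token (assumption).
func scopeAllows(clusterID, reqPath string) bool {
	if clusterID == "" {
		return true
	}
	// Normalize first so "." and ".." segments cannot step out of the subtree.
	clean := path.Clean("/" + reqPath)
	root := "/v3/clusters/" + clusterID
	// Match on a segment boundary: c-1234 must not also cover c-12345.
	return clean == root || strings.HasPrefix(clean, root+"/")
}

// authorize maps the decision to a status and message shaped like the one in
// the bug report (the mapping itself is hypothetical).
func authorize(clusterID, reqPath string) (int, string) {
	if scopeAllows(clusterID, reqPath) {
		return 200, "ok"
	}
	return 401, "clusterID does not match"
}

func main() {
	// Constructed sample requests; c-1234 is the cluster ID used in the thread.
	for _, p := range []string{
		"/v3/clusters/c-1234",
		"/v3/clusters/c-1234/nodes",
		"/v3", // where the CLI calls land, per the thread
		"/v3/clusters/c-12345",
		"/v3/clusters/c-1234/../c-9999",
	} {
		code, msg := authorize("c-1234", p)
		fmt.Printf("%-32s -> %d %s\n", p, code, msg)
	}
}
```

The model checks the path only; query strings and the Kubernetes API proxy path are out of its scope.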