ziti edge login with Ziti-standard identity file #1730
Comments
This will make it significantly easier to follow the best practice of using certificate authenticators with the mgmt API instead of an admin password. |
The
|
@qrkourier I would love to have an alternative to the current password-only login method! Another point, not 100% directly related would be to have special non-expiring API tokens, which is the problem I was facing with the openziti_exporter. |
@mjtrangoni While this issue is being worked you can use this approach to log in as an administrator without a password. You must create the identity with the The
ziti ops unwrap \
  --cert /tmp/admin-with-cert-auth.cert \
  --key /tmp/admin-with-cert-auth.key \
  --ca /tmp/admin-with-cert-auth.ca
then
ziti edge login miniziti-controller.192.168.49.2.sslip.io:443 \
  --username admin-with-cert-auth \
  --client-cert /tmp/admin-with-cert-auth.cert \
  --client-key /tmp/admin-with-cert-auth.key \
  --ca /tmp/admin-with-cert-auth.ca
The easiest way to obtain an admin client cert is to enroll the JWT with the CLI. This produces a Ziti-standard JSON file with the identity's context, including the cert, key, and trust bundle.
Before using that identity with ziti edge login --client-cert, it's currently necessary to first unpack the enrolled context file into its component parts: cert, key, and bundle, e.g. ziti ops unwrap ./ziti-id.json produces ./cert, ./key, and ./ca PEM files.
This unwrap step would be superfluous if the ziti CLI could use its own Ziti-standard JSON file like this: ziti edge login --identity ./ziti-id.json.
This issue is peeled off from a comment in a related issue #127 (comment)
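An added sketch of the unwrap step described above, not code from the ziti CLI or from this issue: it splits an enrolled identity file into the cert, key and ca files that ziti edge login --client-cert expects, writing them owner-only into a private directory. The JSON layout (an id object with pem:-prefixed cert, key and ca values), the sample identity and the function names are assumptions.

```python
import json
import os
import tempfile

# Constructed sample, not a real identity. The layout (an "id" object whose
# cert/key/ca values are PEM text behind a "pem:" prefix) is an assumption.
def _pem(label):
    return f"pem:-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

SAMPLE_IDENTITY = {
    "ztAPI": "https://controller.example:443",
    "id": {"cert": _pem("CERTIFICATE"), "key": _pem("EC PRIVATE KEY"),
           "ca": _pem("CERTIFICATE")},
}


def unwrap_identity(identity_path, out_dir):
    """Write id.cert, id.key and id.ca to out_dir/{cert,key,ca}; return the paths."""
    with open(identity_path, encoding="utf-8") as fh:
        ident = json.load(fh)["id"]
    # Private directory: the key must not land in a world-readable location.
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    paths = {}
    for field in ("cert", "key", "ca"):
        value = ident.get(field, "")
        if not value.startswith("pem:-----BEGIN "):
            raise ValueError(f"id.{field} is not inline PEM")
        path = os.path.join(out_dir, field)
        # O_EXCL fails on an existing file or symlink instead of writing
        # through it; 0o600 keeps every output owner-only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as out:
            out.write(value[len("pem:"):])
        paths[field] = path
    return paths


def login_argv(controller, paths):
    """Argument list for the client-cert login; flag names are the page's."""
    return ["ziti", "edge", "login", controller,
            "--client-cert", paths["cert"],
            "--client-key", paths["key"],
            "--ca", paths["ca"]]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "ziti-id.json")
        with open(src, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_IDENTITY, fh)
        print(login_argv("controller.example:443",
                         unwrap_identity(src, os.path.join(tmp, "pki"))))
```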