Remote suite access documentation is inadequate. #2341

Closed
hjoliver opened this issue Jul 2, 2017 · 7 comments
@hjoliver
Member

hjoliver commented Jul 2, 2017

To access a suite running under another user account, the CUG currently says you just need to install the suite passphrase in the right place: https://cylc.github.io/cylc/html/single/cug-html.html#12.6.1 (and that clients will automatically retrieve and install it if you have non-interactive ssh to the suite account).

In fact, additionally:

  1. ssl.cert must be installed in the same place
  2. if you do have non-interactive ssh to the suite account, clients will also use that to get the suite port from the contact file; otherwise the --port option is also required (after using cylc scan to find the port).
@hjoliver hjoliver added the bug Something is wrong :( label Jul 2, 2017
@hjoliver hjoliver added this to the next release milestone Jul 2, 2017
@hjoliver hjoliver self-assigned this Jul 4, 2017
@hjoliver
Member Author

hjoliver commented Jul 4, 2017

Also, even for "public" (no passphrase) access, the SSL certificate is now required (disregarding fallback to HTTP, which we'll remove - #2204).

@matthewrmshin
Contributor

Actually, the SSL certificate is not strictly required. It is required to ensure a secure connection (so the client can trust the server).

@matthewrmshin
Contributor

matthewrmshin commented Jul 5, 2017

(Otherwise cylc scan of suites of other users would not work.)

@hjoliver
Member Author

hjoliver commented Jul 5, 2017

Yeah, without the SSL cert I get "InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised." then it connects anyway. Should we not allow this?

@matthewrmshin
Contributor

We still need to sort this out somehow. If we can somehow have a root certificate (for generating per-suite certificates) accessible by all clients, then this should no longer be a problem, but I am not sure how to do this for a multi-user environment.

@hjoliver
Member Author

hjoliver commented Jul 5, 2017

Actually, thanks to #2253 I only get the above warning if cylc < 7.4.0 is on the client end. I wonder if, in lieu of the root certificate solution, instead of filtering this warning we should abort - i.e. require users to have ssl.cert alongside passphrase (it's not much more onerous than passphrase alone)??

@matthewrmshin
Contributor

> ... require users to have ssl.cert alongside passphrase ...

This will not work for cylc scan (of other suite owners), but I suppose we can treat cylc scan as a special case.
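
The abort-instead-of-warn policy proposed in the comments above, with cylc scan as the special case, sketched as an added example (not part of the thread and not Cylc's code). The directory argument, the function and exception names and the sample command `ping` are assumptions; only the file names `ssl.cert` and `passphrase` come from the discussion.

```python
import os
import tempfile

CERT_FILE = "ssl.cert"          # file names as given in the thread
PASSPHRASE_FILE = "passphrase"
UNVERIFIED_COMMANDS = {"scan"}  # the special case raised in the last comment


class MissingSuiteCredential(Exception):
    """Raised instead of silently making an unverified HTTPS request."""


def tls_verify_setting(auth_dir, command, public=False):
    """Return the value to pass as the `verify` argument of requests.

    auth_dir is a hypothetical per-suite directory on the client. A path
    means "trust only this suite's certificate"; False means "unverified".
    """
    cert = os.path.join(auth_dir, CERT_FILE)
    have_cert = os.path.isfile(cert)
    if command in UNVERIFIED_COMMANDS:
        # Verify when we can, but do not abort a scan of another owner's suite.
        return cert if have_cert else False
    if not have_cert:
        raise MissingSuiteCredential("%s not installed in %s" % (CERT_FILE, auth_dir))
    if not public and not os.path.isfile(os.path.join(auth_dir, PASSPHRASE_FILE)):
        raise MissingSuiteCredential("%s not installed in %s" % (PASSPHRASE_FILE, auth_dir))
    return cert


def demo():
    """Run the policy over constructed client directories."""
    results = {}
    with tempfile.TemporaryDirectory() as full, tempfile.TemporaryDirectory() as bare:
        for name in (CERT_FILE, PASSPHRASE_FILE):
            open(os.path.join(full, name), "w").close()
        results["full"] = tls_verify_setting(full, "ping") == os.path.join(full, CERT_FILE)
        results["scan"] = tls_verify_setting(bare, "scan")
        try:
            tls_verify_setting(bare, "ping", public=True)
            results["bare"] = "connected"
        except MissingSuiteCredential:
            results["bare"] = "aborted"
    return results


if __name__ == "__main__":
    print(demo())
```
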
