Hi all,

I am experimenting with a high availability setup using Kea 3.0.2 and I’m 
observing that the HA control socket accepts any authentication credentials 
regardless of the values for basic-auth-user and basic-auth-password. I don't 
observe this behavior with the normal control socket.

I'm sure there's just something off with my config so I'd appreciate any 
assistance.

Behavior:

--8<---------------cut here---------------start------------->8---
# Normal 8004 socket, invalid credentials gives 401 unauthorized
$ echo "" | kea-shell --host localhost --port 8004 --auth-user admin --auth-password fake list-commands
Failed to run: HTTP Error 401: Unauthorized

# HA 8005 socket, invalid credentials are accepted
# Expected behavior: 401 Unauthorized
$ echo "" | kea-shell --host localhost --port 8005 --auth-user admin --auth-password fake list-commands
[ { "arguments": [ "build-report ... etc ...
--8<---------------cut here---------------end--------------->8---

Example config:

--8<---------------cut here---------------start------------->8---
{
    "Dhcp4": {
        "hooks-libraries": [{
            "library": "/opt/homebrew/Cellar/kea/3.0.2/lib/kea/hooks/libdhcp_lease_cmds.so",
            "parameters": { }
        }, {
            "library": "/opt/homebrew/Cellar/kea/3.0.2/lib/kea/hooks/libdhcp_ha.so",
            "parameters": {
                "high-availability": [{
                    "this-server-name": "foobar1",
                    "mode": "hot-standby",
                    "heartbeat-delay": 10000,
                    "max-response-delay": 60000,
                    "max-ack-delay": 5000,
                    "max-unacked-clients": 0,
                    "peers": [{
                        "name": "foobar1",
                        "url": "http://127.0.0.1:8005/",
                        "role": "primary",
                        "auto-failover": true,
                        "basic-auth-user": "admin",
                        "basic-auth-password": "foobar"
                    }, {
                        "name": "foobar2",
                        "url": "http://192.168.1.100:8005/",
                        "role": "standby",
                        "auto-failover": true,
                        "basic-auth-user": "admin",
                        "basic-auth-password": "foobar"

                    }]
                }]
            }
        }],

        "control-socket": {
            "socket-type": "http",
            "socket-address": "127.0.0.1",
            "socket-port": 8004,    // This must be different from the HA socket port
            "authentication": {
                "type": "basic",
                "realm": "kea-dhcpv4-server",
                "clients": [
                    {
                        "user": "admin",
                        "password": "12345678"
                    } ]
            }
        },

        "interfaces-config": {
            "interfaces": [ "en0" ]
        },

        "loggers": [
            {
                "name": "kea-dhcp4",
                "output-options": [
                    {
                        "output": "kea-dhcp4.log"
                    }
                ],
                "severity": "INFO",
                "debuglevel": 0
            }
        ]
    }
}
--8<---------------cut here---------------end--------------->8---

Thanks, appreciate the help.
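
As an added example (not part of the original post and not ISC's code), this Python check repeats the test above for any number of listeners: it sends list-commands with deliberately wrong Basic credentials and reports whether each one answers 401. The two URLs are the ports from the post; the function names, the wrong password and the request body posted straight to the server's HTTP socket are assumptions.

```python
import base64
import json
import urllib.error
import urllib.request

# Ignore proxy environment variables so loopback listeners are hit directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(url, user, password, timeout=5):
    """POST list-commands with Basic auth and return the HTTP status code."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=json.dumps({"command": "list-commands"}).encode(),  # assumed body
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # a rejected login surfaces here as 401


def audit(endpoints, user="admin", password="constructed-wrong-password"):
    """Send bad credentials to each endpoint; return {name: verdict}."""
    results = {}
    for name, url in endpoints.items():
        try:
            status = probe(url, user, password)
        except OSError as err:  # refused, timed out, DNS failure
            results[name] = f"unreachable ({err})"
            continue
        if status == 401:
            results[name] = "enforced"
        elif 200 <= status < 300:
            results[name] = "NOT ENFORCED"
        else:
            results[name] = f"unexpected HTTP {status}"
    return results


if __name__ == "__main__":
    # Ports taken from the post: 8004 = control-socket, 8005 = HA peer URL.
    targets = {"control-socket": "http://127.0.0.1:8004/",
               "ha-listener": "http://127.0.0.1:8005/"}
    for name, verdict in audit(targets).items():
        print(f"{name:15} {verdict}")
```

Run it on each HA peer after every configuration change; any listener reported as NOT ENFORCED accepted a command without valid credentials.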