Prisma1: PRISMA_MANAGEMENT_API_SECRET not working at 1.7

Created on 25 Apr 2018 · 4 Comments · Source: prisma/prisma1

I'm trying to use the management api secret to secure my Prisma Server, as it is described in the documentation.

Current behavior
I can add projects, remove and deploy to my Prisma Server without a token.

Reproduction

  • I just followed the example described here

docker-compose.yml:

version: '3'
services:
  prisma:
    image: prismagraphql/prisma:1.7
    restart: always
    ports:
    - "4466:4466"
    environment:
      PRISMA_CONFIG: |
        managementApiSecret: my-server-secret-123
        port: 4466
        databases:
          default:
            connector: mysql  # or `postgres`
            active: true
            host: db
            port: 3306        # or `5432` for `postgres`
            user: root
            password: prisma
  db:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_USER: root
      MYSQL_ROOT_PASSWORD: prisma

Then run docker-compose up -d, go to the browser, open http://localhost:4466/cluster and send some requests without any token

Expected behavior?
To reject requests to the cluster that don't have a valid token

bu0-needs-info

All 4 comments

Hello @lucasmafra,

a few things you can do to help us diagnose the issue:

  • Can you please grep your docker logs for Warning: Cluster authentication is disabled.. If this shows up the server did not pick up the JWT secret.
  • If the above doesn't show up, can you please dump the env of your docker container and check if the config is actually the one shown in your report. (docker exec <container ID> env).

Thanks.

Hi @dpetrick

I got this log:

prisma_1  | Warning: Cluster authentication is disabled. To protect your cluster you should provide one (not both) of the environment variables 'CLUSTER_PUBLIC_KEY' (asymmetric, deprecated soon) or 'PRISMA_MANAGEMENT_API_JWT_SECRET' (symmetric).

I found it. It was totally my fault. I was placing the managementApiKey property inside the databases properties. I'm sorry.

Edit: Didn't see your comment. Glad it worked out!

Thanks @lucasmafra,

ignore the rest of the warning in the logs, it was written without the Prisma config YAML in mind. It's only important that the warning was printed, which means no auth module was loaded. The Api secret is actually loaded via the YAML you pass in for PRISMA_CONFIG, hence the docker-compose env var. Can you dump your env vars as described in my previous comment and look whether or not the PRISMA_CONFIG is correct? E.g. the one you posted is correct, does it look like that one?
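
A defensive check for the failure mode in this thread, as an added example (not code from the Prisma project or from the commenters): it reports whether `managementApiSecret` sits at the top level of the `PRISMA_CONFIG` YAML or was nested under another key, and detects the auth-disabled warning in server logs. The function names and sample inputs are constructed for illustration.

```shell
# Added example; function names and sample data are constructed.
# Against a live container the same functions can be fed with:
#   docker exec <container ID> printenv PRISMA_CONFIG | check_prisma_config
#   docker logs <container ID> 2>&1 | auth_disabled_in_logs

# check_prisma_config: reads the PRISMA_CONFIG YAML on stdin and prints
#   ok      - managementApiSecret is a top-level key with a value
#   nested  - the key exists but is indented (the misplacement in this thread)
#   missing - the key does not appear at all
check_prisma_config() {
  awk '
    /^[ \t]*#/ { next }                              # skip comment lines
    /^managementApiSecret:[ \t]*[^ \t#]/ { top = 1 }  # column 0, non-empty value
    /^[ \t]+managementApiSecret:/ { nested = 1 }      # indented under another key
    END {
      if (top) print "ok"
      else if (nested) print "nested"
      else print "missing"
    }'
}

# auth_disabled_in_logs: reads server logs on stdin; exit status 0 means the
# warning quoted in the thread was printed, i.e. no auth module was loaded.
auth_disabled_in_logs() {
  grep -q 'Warning: Cluster authentication is disabled'
}

# Constructed sample: secret at the top level, as in the posted compose file.
GOOD_CONFIG='managementApiSecret: my-server-secret-123
port: 4466
databases:
  default:
    connector: mysql
    active: true'

# Constructed sample: secret misplaced under databases.default.
BAD_CONFIG='port: 4466
databases:
  default:
    connector: mysql
    managementApiSecret: my-server-secret-123
    active: true'

# Constructed log line using the start of the warning quoted in the thread.
SAMPLE_LOG='prisma_1  | Warning: Cluster authentication is disabled.'
```

Running both checks in a deployment pipeline catches the case where the server starts normally but accepts unauthenticated management requests.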
