
nike-inc / cerberus


The Cerberus micro-service, a secure property store for cloud applications. It includes a REST API, authentication and encryption features, as well as a self-service web UI for users.

Home Page: http://nike-inc.github.io/cerberus

License: Apache License 2.0

Shell 0.17% Java 73.90% Groovy 6.72% JavaScript 15.02% CSS 0.06% HTML 0.12% SCSS 4.01%
cerberus springboot

cerberus's People

Contributors

dependabot[bot], fieldju, james-michael, jharen, jiangha4, mayitbeegh, melanahammel, rvelp1, sdford, shawn-sher, slichlyter12, thomastaylor312, tibrim, tlisonbee, tunderwood, vyorkc-nike-oss


cerberus's Issues

TraceId is missed in the log

I see that most of the endpoints in this project use CompletableFuture.supplyAsync when overriding the method
CompletableFuture<ResponseInfo<O>> execute(RequestInfo<I> request, Executor longRunningTaskExecutor, ChannelHandlerContext ctx);
of StandardEndpoint<I, O>.

I tested it locally and found that the traceId is missing from the log. When I use
AsyncNettyHelper.supplierWithTracingAndMdc( () -> doExecute(request, longRunningTaskExecutor, ctx) , ctx)
the traceId is printed normally.

Do you have the same problem?
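The mechanism behind this report, as an added example that is not Cerberus or Riposte code: a trace id kept in a ThreadLocal (which is how MDC-style logging context works) does not follow the request onto the executor thread that supplyAsync uses, so log lines written there carry no trace id. A wrapper that captures the caller's context and re-installs it on the worker, in the same spirit as the supplierWithTracingAndMdc call in the report, restores it. TraceContext and withTrace are hypothetical stand-ins for the real MDC and tracing helpers.

```java
import java.util.UUID;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Supplier;

public class TracePropagationExample {

    /** Hypothetical per-request context, analogous to the logging MDC: one value per thread. */
    static final class TraceContext {
        private static final ThreadLocal<String> TRACE_ID = new ThreadLocal<>();
        static void set(String traceId) { TRACE_ID.set(traceId); }
        static String get() { return TRACE_ID.get(); }
        static void clear() { TRACE_ID.remove(); }
    }

    /** Log line as an endpoint would emit it; traceId is null when the context did not travel with the work. */
    static String logLine(String message) {
        return "traceId=" + TraceContext.get() + " " + message;
    }

    /**
     * Captures the caller's trace id now and re-installs it on whichever thread
     * runs the supplier, then puts the worker thread back the way it was.
     */
    static <T> Supplier<T> withTrace(Supplier<T> delegate) {
        final String captured = TraceContext.get();
        return () -> {
            String previous = TraceContext.get();
            TraceContext.set(captured);
            try {
                return delegate.get();
            } finally {
                // Restore, so a pooled thread does not leak one request's id into the next request it serves.
                if (previous == null) TraceContext.clear(); else TraceContext.set(previous);
            }
        };
    }

    /** The pattern from the report: the supplier runs on the executor with no context. */
    static String runUnwrapped(ExecutorService executor) throws Exception {
        return CompletableFuture.supplyAsync(() -> logLine("doExecute"), executor).get();
    }

    /** Same work, but the supplier is wrapped so the caller's trace id is present on the worker. */
    static String runWrapped(ExecutorService executor) throws Exception {
        return CompletableFuture.supplyAsync(withTrace(() -> logLine("doExecute")), executor).get();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService longRunningTaskExecutor = Executors.newSingleThreadExecutor();
        try {
            TraceContext.set(UUID.randomUUID().toString()); // set by the request pipeline in a real server
            System.out.println(runUnwrapped(longRunningTaskExecutor));
            System.out.println(runWrapped(longRunningTaskExecutor));
        } finally {
            TraceContext.clear();
            longRunningTaskExecutor.shutdown();
        }
    }
}
```

The first line printed shows traceId=null, the second shows the id set on the caller; the restore step in the finally block matters for correctness too, since a pooled thread that keeps a stale id would attribute a later request's log lines (and any incident timeline built from them) to the wrong trace.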

Regex Parsing Bug on IAM Role Authentication

For an IAM role that exists and is attached to an SDB, Cerberus throws an authentication error. It looks like a parsing bug on the role name that leads to the name being suffixed with a space. When I remove and re-add the role to the SDB, save it, then edit it, I can confirm that it's adding another space.

Initial stack trace:

A Important error occured
com.amazonaws.services.kms.model.AWSKMSException: Unable to authenticate IAM role due to the following error(s):
Error ID:64081477-2add-4ccf-a042-d6627076474f
Code: 10
Message: An error occurred while fulfilling the request
Please refer to the Cerberus Java Client documentation.
If you are unsure of what this means please ask in the #cd channel on Slack. (Service: null; Status Code: 0; Error Code: null; Request ID: null)
at com.lookout.cerberus.client.SecretStoreClient.authenticate(SecretStoreClient.java:110)
at com.lookout.cerberus.client.SecretStoreClient.<init>(SecretStoreClient.java:50)
at com.lookout.cerberus.client.SecretStoreClient.<init>(SecretStoreClient.java:58)
at com.lookout.cerberus.client.Cerberus.initializeCerberusClient(Cerberus.java:82)
at com.lookout.cerberus.client.Cerberus.fetchFromCerberus(Cerberus.java:59)
at com.lookout.cerberus.client.Cerberus.retrieve(Cerberus.java:53)
at com.lookout.bac.instruction.processor.FileSystemSecretSaver.process(FileSystemSecretSaver.java:30)
at com.lookout.bac.instruction.processor.InstructionProcessor.processInstruction(InstructionProcessor.java:13)
at com.lookout.bac.instruction.InstructionManager.process(InstructionManager.java:33)
at com.lookout.bac.instruction.InstructionManager.processInstruction(InstructionManager.java:38)
at com.lookout.bac.Application.main(Application.java:30)

See attached screenshots as well.

CMS local silently fails to connect to okta or OneLogin

CMS configured for local testing via Okta or OneLogin does not seem to connect to either service for authentication, and fails with:

"Server Message: Server did not respond with message, checkout the console for full response"

Relevant src/main/resources/cms-local-overrides.conf file:

JDBC.url="jdbc:mysql://localhost:3306/cms?useUnicode=true&characterEncoding=utf8&useLegacyDatetimeCode=false&serverTimezone=UTC&useSSL=false"
JDBC.username="cms"
JDBC.password="<removed>"


cms.admin.group="<removed>"

root.user.arn="root"
admin.role.arn="admin"
cms.role.arn="admin"
#cms.auth.connector=com.nike.cerberus.auth.connector.onelogin.OneLoginAuthConnector
#auth.connector.onelogin.api_region=us
#auth.connector.onelogin.subdomain=<removed>
#auth.connector.onelogin.client_id=<removed>
#auth.connector.onelogin.client_secret=<removed>
cms.auth.connector=com.nike.cerberus.auth.connector.okta.OktaAuthConnector
auth.connector.okta.api_key=<removed>
auth.connector.okta.base_url=<removed>

Note the AWS ARNs are dummy ones. I am 90% sure this is my error, but I am not certain.

[Feature Request] Implement an LDAP auth connector

Lots of corporate environments do not have Okta, OneLogin, etc to authenticate with. Good ol' LDAP/Active Directory is the only identity management solution available to us.

Steps to reproduce: Don't have Okta or OneLogin. Have LDAP
Earliest version known to be an issue: v0.10.0

Chicken and egg issue with cerberus.auth.token.hash.salt and getting started locally.

I noticed when starting this project locally from scratch that there is a bit of a chicken-and-egg issue with cerberus.auth.token.hash.salt.

This is normally generated by the LCM CLI when you create an environment.

If I want to run Cerberus locally without having an env, I had to copy and paste code from here:
https://github.com/Nike-Inc/cerberus-lifecycle-cli/blob/36dda5b5148cafb9aeb389b64a6f599fa22d2b4c/src/main/java/com/nike/cerberus/service/SaltGenerator.java

into a groovyConsole, execute it, and then use that output in my cerberus-local.yaml.


There should be a flag that I can set, such as auth.token.hash.salt.autoGenerateForSingleInstanceMode, that is false by default, with a note that if you enable it, it doesn't work with Cerberus in clustered mode, is for local dev only, invalidates tokens after reboots, etc.

OR maybe the salt should be stored in the database, encrypted with KMS, loaded into memory at runtime, and that property deleted altogether?
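Why the salt cannot simply be regenerated on every start, as an added example that is not Cerberus or LCM CLI code and does not claim to reproduce SaltGenerator or the token hashing Cerberus actually uses: the server stores only a keyed hash of each auth token, keyed by the salt, so a lookup computed under a different salt never finds the row. The hash function (HMAC-SHA256 with the salt as key) and the TokenStore map are this example's own choices, standing in for the real token table.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class TokenHashSaltExample {
    private static final SecureRandom RNG = new SecureRandom();

    /** 32 random bytes, Base64-encoded: the shape a value like cerberus.auth.token.hash.salt needs (this example's generator, not the CLI's). */
    static String generateSalt() {
        byte[] salt = new byte[32];
        RNG.nextBytes(salt);
        return Base64.getEncoder().encodeToString(salt);
    }

    /** Random bearer token handed to a client; it is never written to the store in the clear. */
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Keyed hash of the token under the salt; this value is what the table is indexed by. */
    static String hashToken(String salt, String token) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(Base64.getDecoder().decode(salt), "HmacSHA256"));
            return Base64.getEncoder().encodeToString(mac.doFinal(token.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC unavailable", e);
        }
    }

    /** Token table keyed by hash, the way a database column would be; the rows outlive any one process. */
    static final class TokenStore {
        private final String salt;
        private final Map<String, String> principalByHash;

        TokenStore(String salt, Map<String, String> persistedRows) {
            this.salt = salt;
            this.principalByHash = persistedRows;
        }

        void issue(String token, String principal) {
            principalByHash.put(hashToken(salt, token), principal);
        }

        /** Returns the principal the token was issued to, or null when no row matches. */
        String lookup(String token) {
            return principalByHash.get(hashToken(salt, token));
        }
    }

    public static void main(String[] args) {
        Map<String, String> rows = new HashMap<>(); // stands in for the persisted tokens table
        String salt = generateSalt();
        String token = newToken();

        new TokenStore(salt, rows).issue(token, "arn:aws:iam::123456789012:role/example");

        // Same salt after a restart: the token is still recognised.
        System.out.println("same salt -> " + new TokenStore(salt, rows).lookup(token));

        // Auto-generated (different) salt after a restart: same rows, same token, no match.
        System.out.println("new salt  -> " + new TokenStore(generateSalt(), rows).lookup(token));
    }
}
```

The second lookup prints null, which is exactly the "invalidates tokens after reboots" behaviour the request describes; it also shows why an auto-generate flag cannot work across a cluster, since two nodes with different salts would not recognise each other's tokens.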

When an IAM role authenticates with an invalid region, a 500 is returned instead of a 400

traceId=e7e8ba519c741e85 2017-02-04T05:08:44,955Z [epollEventLoopGroup-3-7] appname=cms environment=cerberus-test version=0.12.0 |-ERROR c.n.b.h.r.RiposteUnhandledExceptionHandler - Caught unhandled exception: error_uid=e3dc74a9-afba-48f4-a1e9-2494e23b89e5, dtrace_id=e7e8ba519c741e85, exception_class=java.util.concurrent.CompletionException, returned_http_status_code=500, contributing_errors="GENERIC_SERVICE_ERROR", request_uri="/v1/auth/iam-role", request_method="POST", query_string="null", request_headers="Accept=application/json,CloudFront-Viewer-Country=US,CloudFront-Forwarded-Proto=https,CloudFront-Is-Tablet-Viewer=false,CloudFront-Is-Mobile-Viewer=false,X-Forwarded-Proto=https,Connection=keep-alive,CloudFront-Is-SmartTV-Viewer=false,X-Forwarded-Port=443,Via=1.1 a970721b7e7e7717531fc56b64b3884f.cloudfront.net (CloudFront),host=xxxxxxxxxxxxxx,X-Amz-Cf-Id=VPUCT40x9KqdIQV4fwZN4Pjv1oYYYER4RrIqh6jjyJFBFlIAiVGtLg==,X-Forwarded-For=52.55.130.29, 54.239.145.100, 172.20.0.252, 172.20.8.39,content-type=application/json,Content-Length=88,X-Real-IP=172.20.0.252,CloudFront-Is-Desktop-Viewer=true", unhandled_error="true"
java.util.concurrent.CompletionException: java.lang.IllegalArgumentException: Specified region is not valid.
	at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:273)
	at java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:280)
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1592)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: Specified region is not valid.
	at com.nike.cerberus.aws.KmsClientFactory.getClient(KmsClientFactory.java:65)
	at com.nike.cerberus.service.KmsService.provisionKmsKey(KmsService.java:79)
	at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:102)
	at com.nike.cerberus.service.AuthenticationService.getKeyId(AuthenticationService.java:363)
	at com.nike.cerberus.service.AuthenticationService.authenticate(AuthenticationService.java:179)
	at com.nike.cerberus.endpoints.authentication.AuthenticateIamRole.lambda$execute$13(AuthenticateIamRole.java:51)
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590)
	... 3 common frames omitted
Caused by: java.lang.IllegalArgumentException: Cannot create enum from us-east-2 value!
	at com.amazonaws.regions.Regions.fromName(Regions.java:73)
	at com.nike.cerberus.aws.KmsClientFactory.getClient(KmsClientFactory.java:62)
	... 9 common frames omitted

Need to handle this exception, as it is leaking as a generic server error.
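One way to handle it, as an added example that is not Cerberus code: validate the caller-supplied region before it reaches the KMS client factory, raise a client error that maps to 400, and keep the catch-all 500 body generic so neither the SDK message nor the exception class reaches the caller. Response, ApiError, kmsClientFor and the region-name pattern are hypothetical stand-ins for the Riposte and AWS SDK types in the stack trace; Set.of needs Java 9 or later.

```java
import java.util.Set;
import java.util.function.Supplier;
import java.util.regex.Pattern;

public class RegionValidationExample {

    /** Minimal HTTP result: status plus JSON body. */
    public static final class Response {
        public final int status;
        public final String body;
        Response(int status, String body) { this.status = status; this.body = body; }
    }

    /** Error the endpoint raises on purpose for a client mistake; carries the status it maps to. */
    static final class ApiError extends RuntimeException {
        final int status;
        ApiError(int status, String clientMessage) { super(clientMessage); this.status = status; }
    }

    /** Shape check for names such as us-east-2 or us-gov-west-1 (an assumption, not the SDK's list). */
    private static final Pattern REGION_SHAPE = Pattern.compile("^[a-z]{2}(-gov)?-[a-z]+-\\d$");

    /** Stand-in for Regions.fromName(): like the SDK, it throws IllegalArgumentException for an unknown name. */
    static String kmsClientFor(String region, Set<String> sdkKnownRegions) {
        if (!sdkKnownRegions.contains(region)) {
            throw new IllegalArgumentException("Cannot create enum from " + region + " value!");
        }
        return "kms-client[" + region + "]";
    }

    /** Rejects malformed or unsupported regions up front; the message echoes only the caller's own input. */
    static String requireSupportedRegion(String region, Set<String> supported) {
        if (region == null || !REGION_SHAPE.matcher(region).matches()) {
            throw new ApiError(400, "region is malformed");
        }
        if (!supported.contains(region)) {
            throw new ApiError(400, "region is not supported by this environment: " + region);
        }
        return region;
    }

    /** Maps outcomes to HTTP: ApiError keeps its status, anything else is a generic 500 with no internal detail. */
    static Response dispatch(Supplier<String> handler) {
        try {
            return new Response(200, "{\"kms\":\"" + handler.get() + "\"}");
        } catch (ApiError e) {
            return new Response(e.status, "{\"error\":\"" + e.getMessage() + "\"}");
        } catch (RuntimeException e) {
            // Class name and SDK message belong in the server log with an error id, not in the body.
            return new Response(500, "{\"error\":\"An error occurred while fulfilling the request\"}");
        }
    }

    /** Before: the SDK's IllegalArgumentException escapes and is reported as an unhandled 500. */
    static Response authenticateUnvalidated(String region, Set<String> supported) {
        return dispatch(() -> kmsClientFor(region, supported));
    }

    /** After: validation runs first, so the same bad input is a 400 and only real failures are 500s. */
    static Response authenticateValidated(String region, Set<String> supported) {
        return dispatch(() -> kmsClientFor(requireSupportedRegion(region, supported), supported));
    }

    public static void main(String[] args) {
        // Constructed list of the regions this environment (and its SDK build) knows about.
        Set<String> supported = Set.of("us-east-1", "us-west-2", "eu-west-1");
        for (String region : new String[] {"us-west-2", "us-east-2", "../../etc"}) {
            Response before = authenticateUnvalidated(region, supported);
            Response after = authenticateValidated(region, supported);
            System.out.println(region + ": unvalidated=" + before.status + " validated=" + after.status);
        }
    }
}
```

With this split, us-east-2 (known to the caller, unknown to the SDK build in the trace) becomes a 400 that tells the client what to fix, and the "../../etc" input is rejected by shape before any AWS call is attempted.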

Delete category always returns HttpResponseStatus.NO_CONTENT.code()

Delete category always returns the HttpResponseStatus.NO_CONTENT.code() status with a Void response, so how should the user know whether deleting the category succeeded or not?

public ResponseInfo<Void> deleteCategory(final String id) {
    final boolean isDeleted = categoryService.deleteCategory(id);

    if (isDeleted) {
        return ResponseInfo.<Void>newBuilder().withHttpStatusCode(HttpResponseStatus.NO_CONTENT.code()).build();
    }

    return ResponseInfo.<Void>newBuilder().withHttpStatusCode(HttpResponseStatus.NOT_FOUND.code()).build();
}

[Feature Request] Support OIDC or SAML Flows

It would be great to support standards compliant OIDC for integration as an alternative to the direct integration with the Okta API. This would open the door for Cerberus to integrate with a variety of auth providers (including Okta).

Broken link to Cerberus Utility Script project

Hello. The Cerberus Utility Script project link is broken -- GitHub says "not the page you're looking for". Was this repo made private? The broken link: https://github.com/Nike-Inc/cerberus-util-scripts

The instructions indicate this repo has a README to create a proper Amazon Machine Image for hosting Cerberus. Some pointers would be helpful. Thanks.

https://engineering.nike.com/cerberus/docs/administration-guide/creating-an-environment
Create the Cerberus AMI
Clone or download the Cerberus Utility Script project and follow the README to create the AMI for the Cerberus Management Service.
