
[FR] Ability to create Pre Auth Keys

Open mitchellkellett opened this issue 1 year ago • 1 comments

Currently, there's no functionality to create Pre Auth Keys for a user in the UI. This functionality exists in the API but not in the UI. It would be handy to have. I work around this by creating one via the CLI when needed.

mitchellkellett avatar Jul 03 '24 03:07 mitchellkellett

Definitely something I was planning to do on the settings page!

tale avatar Jul 04 '24 21:07 tale

Ok now that I have some time here are some definite goals that I want to accomplish:

  • Pre-auth keys management UI in the settings tab
  • Utilize the API route to register nodes given a user and the key.
  • Simple onboarding flow on the machines page to add a new device to the network.

tale avatar Oct 02 '24 17:10 tale

This is now generally available in 0.3.2! You can now manage and expire pre-authentication keys from the settings UI. On the main machines page you can also choose to generate a pre-auth key for registering a node or register it via the mkey.


tale avatar Oct 11 '24 07:10 tale

Got “Unexpected Server Error” when I wanted to create an auth-key.

The following is the headplane log:

RangeError: Invalid time value
    at Date.toISOString (<anonymous>)
    at action$7 (file:///app/build/server/index.js?t=1728630686000:2271:24)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at Object.callRouteAction (/app/node_modules/.pnpm/@[email protected][email protected]/node_modules/@remix-run/server-runtime/dist/data.js:37:16)
    at /app/node_modules/.pnpm/@[email protected]/node_modules/@remix-run/router/router.ts:4817:21
    at callLoaderOrAction (/app/node_modules/.pnpm/@[email protected]/node_modules/@remix-run/router/router.ts:4879:16)
    at async Promise.all (index 2)
    at callDataStrategyImpl (/app/node_modules/.pnpm/@[email protected]/node_modules/@remix-run/router/router.ts:4720:17)
    at callDataStrategy (/app/node_modules/.pnpm/@[email protected]/node_modules/@remix-run/router/router.ts:3975:19)
    at submit (/app/node_modules/.pnpm/@[email protected]/node_modules/@remix-run/router/router.ts:3737:21)

leeaash avatar Oct 17 '24 07:10 leeaash

I'm not able to reproduce effectively, can you tell me what you did?

tale avatar Oct 17 '24 20:10 tale

> I'm not able to reproduce effectively, can you tell me what you did?

On the pop-up page after I clicked ‘Create pre-auth key’, I chose a user, then clicked ‘Generate’, and the error showed up.

leeaash avatar Oct 18 '24 01:10 leeaash

Ah my bad, in Japanese when it's localizing the date, it doesn't end up in the proper ISO format. I'll need to fix this to account for the browser-side language; that is my bad.

tale avatar Oct 19 '24 00:10 tale
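The failure class described in the comment above, as an added example that is not part of the thread and not Headplane's code: a localized date string reaching `Date.toISOString()` throws the `RangeError` seen in the log, while deriving the expiry server-side from a validated day count does not depend on the browser locale. The function names, the `days` form field, the 365-day bound and the sample date string are all assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, not Headplane's code.
const DAY_MS = 24 * 60 * 60 * 1000;
const MAX_DAYS = 365; // assumed upper bound on key lifetime

// Fragile pattern: a human-readable date is parsed as if it were
// machine-readable. An unparseable string yields an Invalid Date, and
// toISOString() then throws "RangeError: Invalid time value".
function expiryFromDisplayString(display) {
  return new Date(display).toISOString();
}

// Locale-independent pattern: the form submits a day count and the server
// derives the timestamp itself, rejecting anything out of range.
function expiryFromDays(days, now = new Date()) {
  const n = Number(days);
  if (!Number.isInteger(n) || n < 1 || n > MAX_DAYS) {
    throw new TypeError(`expiry must be 1..${MAX_DAYS} whole days`);
  }
  return new Date(now.getTime() + n * DAY_MS).toISOString();
}

// Route-level wrapper: bad input becomes a 400 result instead of an
// unhandled exception that surfaces as "Unexpected Server Error".
function handleCreateKey(form, now = new Date()) {
  try {
    return { status: 200, expiration: expiryFromDays(form.days, now) };
  } catch (err) {
    if (err instanceof TypeError) return { status: 400, error: err.message };
    throw err;
  }
}

// Constructed sample input: a date written in Japanese long form.
const CONSTRUCTED_JA_DATE = "2025年1月15日";
```

Bounding the lifetime on the server also keeps a pre-auth key from being issued with an arbitrary or unparseable expiry, whatever the client sends.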

Fixed in 0.3.3.

tale avatar Oct 29 '24 15:10 tale

Hi, I am using OIDC to login to headplane.

When I try to create a pre-auth key for a user, the list from which to select the user for which to create the key is empty.

Does the creation of pre-auth keys only work for locally managed users? Or am I missing something?

Thanks.

gitwittidbit avatar Dec 12 '24 21:12 gitwittidbit

Does the user exist in Headscale yet? They will either need to have been manually created, or logged in and automatically been created (depending on your config).

mitchellkellett avatar Dec 12 '24 21:12 mitchellkellett

Sorry, I'm completely new to this and probably don't fully understand how it all works together.

I thought that I would use headplane to i.a. create users in headscale. And since headplane itself recommends managing users via OIDC, I assumed that if I use OIDC to log a user in to headplane, it would automatically create that user in headscale. Apparently, this is not the case. But if it isn't, what's the point of managing users via OIDC instead of locally?

Or should I first create the user locally/manually and then link to an OIDC account?

gitwittidbit avatar Dec 12 '24 21:12 gitwittidbit

This is actually probably a bug on my end. Let me see this edge case and what we can do about it.

tale avatar Dec 13 '24 17:12 tale

Before you invest any time in this edge case, could you maybe briefly explain how it is supposed to work? I am happy to use headplane the way you intended it to be used. It's just that I am new to all this and don't know how it is supposed to work.

I mean, I could use OIDC to simply log in to headplane and create the headscale users manually/locally.

gitwittidbit avatar Dec 14 '24 13:12 gitwittidbit

I'm not 100% sure how Headscale handles OIDC registrations. From what I can recall, it automatically created my tale user when I registered my first machines in my tailnet. But this was before Headplane existed, leading me to believe that how Headplane approaches it is wrong.

You probably could create the users manually/locally and it'll pick them up via OIDC (but don't quote me on that, I'd need to double check when I get some time).

tale avatar Dec 14 '24 23:12 tale

Headscale will automatically create users if your config allows them (e.g., groups, domains, etc.). Headplane then seems to pick up any users that exist in Headscale.

In my environment, I have manually provisioned users that I know will match actual users even if they've never logged in. For example, my user was automatically created as mitchell when I first logged in with OIDC to headscale. I've also created dave even though Dave hasn't logged in yet. But when Dave does log in, it will match.

** Note that this may change with the new v0.24.0-beta.1 release.

mitchellkellett avatar Dec 14 '24 23:12 mitchellkellett