Can't authorize devices: auth_set empty if identity too long

General Discussions
1

Some devices, if they have too long identity fields, become impossible to authorize, and even after purging (only purging is still possible at least via cURL, where as WebUI hides buttons for both actions).

That is due the server never full-filling the auth_sets field, which is mandatory to authorize the device, this renders the device inaccessible to updates. As shown below, the list_devices output exemplifies where auth_sets is empty.

json[13].auth_sets = [];
json[13].created_ts = "2020-07-10T06:52:47.927Z";
json[13].decommissioning = false;
json[13].id = "0485e482-4257-435a-8613-4798a5a2236a";
json[13].identity_data = {};
json[13].identity_data.flash_otherdate = "2020-01-20T15:16:58Z";
json[13].identity_data.flash_date = "2020-07-10T06:52:46Z";
json[13].identity_data.flash_owner = "The original caretaker and device owner";
json[13].identity_data.flash_uuid = "0485e482-4257-435a-8613-4798a5a2236a";
json[13].identity_data.hw_hardware = "BCM2835";
json[13].identity_data.hw_model = "Raspberry Pi 3 Model B Plus Rev 1.3";
json[13].identity_data.hw_revision = "000000";
json[13].identity_data.hw_serial = "0000000000000000";
json[13].identity_data.mac = "a4:42:f3:2f:34:88";
json[13].status = "pending";
json[13].updated_ts = "2020-07-10T06:52:47.927Z";

commands used:

# Sanity pre-checks
which curl base64 jq gron >/dev/null

curl_opts=(--silent --verbose) # --insecure

login() {
	MENDER_SERVER_URI=${MENDER_SERVER_URI-'https://127.0.0.1:443'}
	JWT=$(read -rp 'user: ' user; read -srp 'pass: ' pass; curl "${curl_opts[@]}" -X POST "$MENDER_SERVER_URI"/api/management/v1/useradm/auth/login -H "Authorization: Basic $(printf %s:%s "$user" "$pass" | base64 -w0)")
	declare -p MENDER_SERVER_URI JWT
}

list_devices() {
	curl "${curl_opts[@]}" -X GET $MENDER_SERVER_URI/api/management/v2/devauth/devices -H "Authorization: Bearer $JWT"
}

nuke_devices() {
	for x in $(curl "${curl_opts[@]}" -H "Authorization: Bearer $JWT" $MENDER_SERVER_URI/api/management/v2/devauth/devices | jq -r .[].id); do
		time (set -x; curl "${curl_opts[@]}" -H "Authorization: Bearer $JWT" -X DELETE $MENDER_SERVER_URI/api/management/v2/devauth/devices/$x | jq .)
	done
}

login
list_devices
nuke_devices
sleep 1h
list_devices

Iā€™m posting here as issue pages are disabled on mendersoftware/integration.

2

Hi @edgar444 thanks for the detailed writeup. @tranchitella, @merlin can you guys review and create an appropriate JIRA ticket?

3

Hello and thank you for trying Mender and the report. I confirm it is a bug and will be fixed in the next release. it is due to a total length of identity data.

peter

1 Like
4

Hi @edgar444 ,

Thanks for the report, it is being tracked here: https://tracker.mender.io/browse/MEN-3816

I would also mention that some of what you have as identity data might be better suited for inventory. You can see the difference here https://docs.mender.io/hosted/overview/identity and here https://docs.mender.io/hosted/overview/inventory

PS! The official issue tracker for Mender is here: https://tracker.mender.io/projects/MEN