用户登陆账户密码错误

jinchen

登陆账户密码错误
[root@master _]# kubectl -n kubesphere-system logs -l app=ks-account
I0803 06:06:08.267726 1 im.go:448] auth failed jinchen@163.com LDAP Result Code 49 “Invalid Credentials”:
I0803 06:06:18.960533 1 im.go:448] auth failed jinchen@163.com LDAP Result Code 49 “Invalid Credentials”:
I0803 06:39:25.252572 1 im.go:448] auth failed admin LDAP Result Code 49 “Invalid Credentials”:
I0803 06:39:45.084842 1 im.go:448] auth failed admin LDAP Result Code 49 “Invalid Credentials”:
I0803 06:44:23.884000 1 im.go:448] auth failed admin LDAP Result Code 49 “Invalid Credentials”:
I0803 06:44:55.792378 1 im.go:448] auth failed jinchen@163.com LDAP Result Code 49 “Invalid Credentials”:
I0803 06:48:36.156788 1 im.go:448] auth failed admin LDAP Result Code 49 “Invalid Credentials”:
I0803 06:50:52.789203 1 im.go:448] auth failed admin LDAP Result Code 49 “Invalid Credentials”:
I0803 06:52:42.712353 1 im.go:448] auth failed fuchangjie LDAP Result Code 49 “Invalid Credentials”:
I0803 07:18:44.050448 1 im.go:448] auth failed admin LDAP Result Code 49 “Invalid Credentials”:

[root@master _]# kubectl -n kubesphere-system logs -l app=ks-apigateway
2020/08/03 07:18:44 Unauthorized,no token found
E0803 07:18:44.148206 1 authenticate.go:170] signature is invalid
10.233.70.173 03/Aug/2020:07:18:44 +0000 GET /kapis/iam.kubesphere.io/v1alpha2/users/admin HTTP/1.1 401 17 0ms
2020/08/03 07:18:44 Unauthorized,signature is invalid
E0803 07:18:44.148524 1 authenticate.go:170] signature is invalid
2020/08/03 07:18:44 Unauthorized,signature is invalid
10.233.70.173 03/Aug/2020:07:18:44 +0000 GET /kapis/tenant.kubesphere.io/v1alpha2/workspaces HTTP/1.1 401 17 0ms
10.233.70.173 03/Aug/2020:07:18:44 +0000 GET /kapis/v1alpha1/configz HTTP/1.1 200 245 4ms
2020/08/03 07:18:44 Unauthorized,no token found
10.233.70.173 03/Aug/2020:07:18:44 +0000 GET /kapis/iam.kubesphere.io/v1alpha2/oauth/configs HTTP/1.1 401 17 0ms

api- gateway 和 accout 的secret设置是一样的，现在这问题怎么破，只能重新安装吗

[root@master _]# kubectl exec -n kubesphere-system ks-apigateway-64fc668896-r78cp env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=ks-apigateway-64fc668896-r78cp
JWT_SECRET=BvDXH1wSu8clZWON8wQ2TlsmUzcmFKwiSYUtHpPPXLwNqO4h9LVM00bLzNPmED5M5MCNL6gadJrxh5Yjklrw4ckx6ko9HJ6f1uw

[root@master _]# kubectl exec -n kubesphere-system ks-account-676658dc59-r9crk env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=ks-account-676658dc59-r9crk
KUBECTL_IMAGE=192.168.5.64:5000/astrolabe/kubectl:v1.0.0
JWT_SECRET=BvDXH1wSu8clZWON8wQ2TlsmUzcmFKwiSYUtHpPPXLwNqO4h9LVM00bLzNPmED5M5MCNL6gadJrxh5Yjklrw4ckx6ko9HJ6f1uw

貌似问题就在jwt 认证这里，怎么破。。。

huanggze

jinchen https://kubesphere.com.cn/forum/d/1442-kubesphere-web

jinchen

huanggze 我这不是密码错误啊。。。默认密码P@88w0rd

jinchen

huanggze 我现在是密码没问题ldap里边能看到，pod运行状态正确，jwt_secret 环境变量设置一致

hongming

jinchen
I0803 07:18:44.050448 1 im.go:448] auth failed admin LDAP Result Code 49 “Invalid Credentials”:
这行错误是因为密码输错了
E0803 07:18:44.148524 1 authenticate.go:170] signature is invalid
这行错误是因为 secret 不一致，需要重新登录

如果你自己修改过 secret 的话，需要重启一下 ks-apigateway 和 ks-account

kubectl -n kubesphere-system rollout restart deploy ks-apigateway ks-account

jinchen

hongming 我进入容器更改了默认密码，仍然不行

/ # packet='PUT /kapis/iam.kubesphere.io/v1alpha2/users/admin HTTP/1.1\r\nHost: ks-account.kubesphere-system.svc:9090\r\nUser-Agent: curl/7.54.0\r\nAccept: /\r\nContent-Type: application/json\r\
nContent-Length: 105\r\n\r\n{“username”: “admin”,“email”:“admin@kubesphere.io”,“cluster_role”: “cluster-admin”,“password”:“P@88w0rd”}'; echo -ne $packet | nc ks-account.kubesphere-system.svc 80
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 03 Aug 2020 08:45:54 GMT
Content-Length: 287

{
“username”: “admin”,
“email”: “admin@kubesphere.io”,
“lang”: “zh”,
“description”: “Administrator account that was always created by default.”,
“create_time”: “2020-07-13T15:42:19Z”,
“avatar_url”: "",
“last_login_time”: “2020-08-03T02:38:12Z”,
“status”: 0,
“cluster_role”: ""
}/ #

现在定位不到为什么会用户密码认证失败

今天早晨集群node1节点出现notready的状态，导致很多Pod 状态pending，然后mysql 和ldap都是pending，我将node1重启后，所有pod恢复正常，但是就出现了目前的无法登陆的情况，密码已经修改成默认了，jwt_secret没有改过，确认一致了，但是仍然无法解决，我并不想重新重装-，-

hongming

jinchen 日志里还是会有 LDAP Result Code 49 “Invalid Credentials” 是吗

hongming

hongming 容器里执行

curl --location --request POST 'http://ks-apigateway.kubespehre.io/kapis/iam.kubesphere.io/v1alpha2/login' \
--header 'Content-Type: application/json' \
--data-raw '{
	"username":"admin",
	"password":"P@88w0rd"
}'

看看能不能正常登录，排除一下外部干扰因素，另外 ks-account 修改过配置吗

jinchen

hongming 对的

[root@master _]# kubectl -n kubesphere-system logs -l app=ks-account
W0803 08:31:54.098681 1 client_config.go:549] Neither –kubeconfig nor –master was specified. Using the inClusterConfig. This might not work.
I0803 08:31:54.722202 1 server.go:113] Server listening on 0.0.0.0:9090
I0803 08:32:19.799461 1 im.go:448] auth failed admin LDAP Result Code 49 “Invalid Credentials”:
I0803 08:45:10.456723 1 im.go:448] auth failed admin LDAP Result Code 49 “Invalid Credentials”:
I0803 08:45:30.511364 1 im.go:448] auth failed admin LDAP Result Code 49 “Invalid Credentials”:

而且，今天上午还登陆成功过，node1节点是中午午休出现的问题

jinchen

hongming accout配置的话改了登陆试错limit次数，我觉得这个应该不会影响吧。。。。然后容器内部的/bin/sh那么小，curl都没有，我从外部试试

jinchen

hongming 看样子好像是console有问题。。。。
我在master节点获取到了acces_token

curl -X POST http://192.168.5.64:30881/kapis/iam.kubesphere.io/v1alpha2/login -H ‘Content-Type: application/json’ -d ‘{“username”:“admin”,“password”:“P@88w0rd”}’
{
“access_token”: “eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImFkbWluQGt1YmVzcGhlcmUuaW8iLCJpYXQiOjE1OTY0NDUyOTksInVzZXJuYW1lIjoiYWRtaW4ifQ.ZYfgHNc3l9hWa9T9GJTYKQ5_8xLHJZghiYqTljVTe3s”
}

[root@master _]# curl -X POST http://192.168.5.64:30881/kapis/iam.kubesphere.io/v1alpha2/login -H ‘Content-Type: application/json’ -d ‘{“username”:“jinchen”,“password”:“Jl920529″}’
{
“access_token”: “eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImppbmNoZW5AMTYzLmNvbSIsImlhdCI6MTU5NjQ0NTY2OSwidXNlcm5hbWUiOiJqaW5jaGVuIn0.tQ7vYU6wqB4vi-K19yHidIEmqFxcEfOz8Q-dNwH0ouM”
}

两个账户都可以获取到

jinchen

hongming 行了。。。定位到了问题。。。自信满满的觉得前端没问题，console镜像被莫名其妙的换了，多谢多谢，找了半天问题，原来是console 有问题。。。。

zyl

jinchen 大佬，问题是怎么解决的啊，我也遇到了同样问题，我是关掉了kubesphere-logging-system 功能后，ks-account，ks-apigateway，ks-console 这3个容器重启了，然后ldap里的用户就登不了？

usernamecantbeXXX

zyl 我也是类似的问题改了admin密码所有LDAP账户全挂了

hongming

usernamecantbeXXX 检查一下自定义的配置还在不在，看看是不是和这个问题一样

zyl

usernamecantbeXXX ldap 脚本再执行下，就可以了

usernamecantbeXXX

hongming 谢谢，已解决。的确是cm的配置没了，已恢复。

xingxing122

usernamecantbeXXX 配置没有了，咋解决的