MANTA_NO_AUTH=1 environment variable is not honored #35

Open
dekobon opened this issue Aug 4, 2017 · 5 comments


dekobon commented Aug 4, 2017

When running within a Manta zone, MANTA_NO_AUTH=1 is set. This allows for an application to connect to Manta using the running account without doing HTTP signature authentication.

You can't run golang apps directly in Manta zones / jobs because triton-go doesn't disable HTTP signatures when this environment variable is present and enabled.


jwreagor commented Aug 7, 2017

Thanks Elijah. Sounds like I can patch this relatively easily since this is just a shut off valve around our inclusion of HTTP signature authentication to outgoing requests.

/cc @misterbisson

@jwreagor

I have a bug fix in the works but I'm hitting an issue with crypto/x509 not finding the default location for SSL root certificates under SmartOS. Still researching...

jwreagor pushed a commit to jwreagor/triton-go that referenced this issue Aug 15, 2017
Ref: TritonDataCenter#35

This adds support for turning off Joyent's SSH based HTTP signature
authentication when running within a Manta zone. The Manta zone detection
utilizes a known Manta image feature which injects an environment variable
called `MANTA_NO_AUTH`. The only other present requirement I've found for
running `triton-go` within Manta is to make sure root TLS certificates are
installed on the SmartOS system at `/etc/ssl/certs/ca-certificates.crt`.

dekobon commented Aug 16, 2017

Is there a way to disable the whole crypto module entirely if you are running with MANTA_NO_AUTH enabled?


jwreagor commented Aug 16, 2017

I killed the open PR because there are a couple small details I missed the first go.

  • We're looking for MANTA_NO_AUTH=true
  • We should skip initialization of an SSH key signer at client config time. There are log warnings against this today and MANTA_NO_AUTH should ignore them.
  • Given that MANTA_URL=http://localhost:80/ is set within a Manta zone, this probably means consumers of our SDK shouldn't have to manually set s.Client.InsecureSkipTLSVerify(). This is a little sloppy today and I feel like it can be safely handled for the consumer based on whatever API endpoint/URL they pass in.

I should note that I feel like the Go SDK should not utilize default environment variables to self configure the clients. How those values arrive when configuring a client is up to the consumer and we don't enforce any naming conventions like MANTA_USER or MANTA_ACCOUNT (except in our examples).

With all of that said, here's an example I'm working with...

```go
package main

import (
	"context"
	"fmt"
	"log"
	"os"

	triton "github.com/joyent/triton-go"
	"github.com/joyent/triton-go/storage"
)

func main() {
	mantaUser, foundUser := os.LookupEnv("MANTA_USER")
	if !foundUser {
		log.Fatal("Couldn't find \"MANTA_USER\" in your environment")
	}

	mantaURL, foundURL := os.LookupEnv("MANTA_URL")
	if !foundURL {
		log.Fatal("Couldn't find \"MANTA_URL\" in your environment")
	}

	s, err := storage.NewClient(&triton.ClientConfig{
		MantaURL:    mantaURL,
		AccountName: mantaUser,
	})
	if err != nil {
		log.Fatalf("could not init client: %s", err)
	}

	// NOTE: I'll try to also remove this step.
	s.Client.InsecureSkipTLSVerify()

	ctx := context.Background()
	list, err := s.Dir().List(ctx, &storage.ListDirectoryInput{
		DirectoryName: "/stor",
	})
	if err != nil {
		log.Fatalf("cannot list storage entries: %s", err)
	}

	for _, entry := range list.Entries {
		fmt.Println(entry.Name)
	}
}
```
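
The decision described in the bullets above, as an added example written for this page and not triton-go's code or part of the original comment. `AuthPlan`, `PlanAuth` and `isLoopback` are hypothetical names; the example uses the `MANTA_NO_AUTH=true` value from the comment, and its rule that unsigned requests are only allowed to a plain-http loopback endpoint (the `http://localhost:80/` shape mentioned above) is an assumption of the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"os"
)

// AuthPlan (hypothetical type) records what a client must set up before sending requests.
type AuthPlan struct {
	SignRequests bool // attach an HTTP signature to outgoing requests
	NeedSigner   bool // initialize an SSH key signer at client config time
	VerifyTLS    bool // TLS certificate verification applies (https endpoints only)
}

func isLoopback(host string) bool {
	ip := net.ParseIP(host)
	return host == "localhost" || (ip != nil && ip.IsLoopback())
}

// PlanAuth takes the endpoint URL and the raw MANTA_NO_AUTH value, both supplied by the caller.
func PlanAuth(mantaURL, noAuth string) (AuthPlan, error) {
	u, err := url.Parse(mantaURL)
	if err != nil || u.Hostname() == "" {
		return AuthPlan{}, fmt.Errorf("invalid Manta URL %q", mantaURL)
	}
	if noAuth != "true" {
		// Default path: signed requests; verify certificates whenever TLS is in use.
		return AuthPlan{SignRequests: true, NeedSigner: true, VerifyTLS: u.Scheme == "https"}, nil
	}
	// Assumption of this example: unsigned requests are allowed only to the
	// in-zone endpoint shape from the issue, plain http on a loopback host.
	if u.Scheme != "http" || !isLoopback(u.Hostname()) {
		return AuthPlan{}, errors.New("MANTA_NO_AUTH=true but endpoint is not loopback http")
	}
	return AuthPlan{}, nil // no signer, no signature, no TLS to verify
}

func main() {
	// The consumer reads the environment and passes the values in; the SDK logic does not.
	plan, err := PlanAuth(os.Getenv("MANTA_URL"), os.Getenv("MANTA_NO_AUTH"))
	if err != nil {
		fmt.Println("refusing to configure client:", err)
		return
	}
	fmt.Printf("%+v\n", plan)
}
```

Failing closed on a non-loopback endpoint keeps a stray `MANTA_NO_AUTH` in a normal environment from silently turning off request signing against a remote Manta URL.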


jwreagor commented Nov 7, 2017

@stack72 This is another Manta related issue that was half completed and I never got back to due to priorities. I'm positive it's worth the effort and would be beneficial for learning Manta jobs/zones.

It's the ability to run triton-go from within a Manta zone which doesn't require the normal HTTP signature auth. This would lead to more portable tooling around Manta.

@jwreagor jwreagor added the manta label Dec 1, 2017
@jwreagor jwreagor added this to the 1.x milestone Jan 9, 2018