JWT based authentication support #6
Hi Martin,
Don't be discouraged by any of my remarks. Those changes look pretty neat already. Thanks for working on this! \o/
No problem, I submitted that WIP precisely to get these remarks! As you may know, I'm very new to Go so any comments are more than welcome.
c488028 to c1b5cd0
Thanks a lot! The patch looks pretty good already. Let's go for the icing on the cake. 👍
Secured mode can be activated and configured through the CLI.
5c59308 to 614d066
@EdSchouten: I've added basic unit tests for the JWT auth. validator. How does that all look to you now?
TLS connection details can be specified in the blobstore configuration.
Authenticated mode can be activated and configured through the CLI.
Forwarding client context allows for authorization credentials to be forwarded along to the remote service.
c5d7f29 to 0f41b1f
0f41b1f to aa091c7
Hi there! Mind rebasing your PR off master? Then we can merge this!
Any update on this? Authentication seems like a hard requirement for many deployments of buildbarn.
@t-chaik is unfortunately no longer contributing to this project, which is why this PR never made any further progress. Fortunately, some progress has been made on this in the meantime. gRPC servers can nowadays be configured to use an authenticator:
bb-storage/pkg/proto/configuration/grpc/grpc.proto Lines 29 to 65 in 7e30b99
bb-storage/pkg/grpc/authenticator.go Lines 15 to 54 in 7e30b99
There are a couple of basic ones: always allow, always deny, TLS client certificate validation and an
It now makes sense to work on this, because Bazel finally gained support for properly passing in credentials: bazelbuild/bazel#10015 bazelbuild/bazel#10634
Awesome! Just two days ago :) My project just got set up with RBE and we are looking to use buildbarn for our CI pipeline. I'd love to be able to expose a public endpoint for my team to make authenticated build requests. How can I help? Does bb-storage need support for jwt/oauth2/etc or is it already good to go with the latest bazel and some flag configuration?
You should be able to get it all working by doing this:
Let’s close this specific PR, as the author will likely not update this.
This series of patches introduces JWT based authentication support for the main gRPC endpoint:
"grpc" blobstore backend:
Suggestions on better naming for API, CLI and configuration are very welcome.
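The checks a JWT validator of the kind this PR discusses has to make, as an added example that is not code from the PR or from bb-storage. It assumes HS256 with a shared key (the page does not say which algorithm the patch used); `Mint`, `Validate`, `sign` and the demo key are hypothetical names and constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

func sign(key []byte, in string) []byte { // HS256 MAC over "<header>.<payload>"
	m := hmac.New(sha256.New, key)
	m.Write([]byte(in))
	return m.Sum(nil)
}

// Mint builds a constructed token; alg is written verbatim so tests can forge headers.
func Mint(key []byte, alg string, exp int64) string {
	h := b64.EncodeToString([]byte(`{"alg":"` + alg + `","typ":"JWT"}`))
	p := b64.EncodeToString([]byte(fmt.Sprintf(`{"sub":"ci","exp":%d}`, exp)))
	return h + "." + p + "." + b64.EncodeToString(sign(key, h+"."+p))
}

// Validate pins the algorithm, checks the MAC in constant time, then enforces exp.
func Validate(token string, key []byte, now time.Time) error {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string }
	raw, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return fmt.Errorf("malformed token or unsupported alg") // covers alg=none
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(key, parts[0]+"."+parts[1])) {
		return fmt.Errorf("bad signature")
	}
	var claims struct{ Exp *int64 }
	raw, err = b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &claims) != nil || claims.Exp == nil || now.Unix() >= *claims.Exp {
		return fmt.Errorf("missing or expired exp claim")
	}
	return nil
}

func main() {
	fmt.Println(Validate(Mint([]byte("demo"), "HS256", 2000), []byte("demo"), time.Unix(1000, 0)))
}
```

Claims are parsed only after the signature check passes, so unauthenticated payload bytes never influence the decision.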