[che-auth] - implement new auth for devworkspaces on Openshift in che-server #19703

@sparkoo

Description

Is your task related to a problem? Please describe.

scope: Openshift only, Devworkspaces with devfile v2 only

In the new Authentication/Authorization architecture, we won't use Keycloak as an identity/OIDC provider. Instead, we will use Openshift OAuth directly, and the whole authn/authz will be delegated to a different layer above che-server. Che-server then assumes that incoming requests are authenticated and contain an Openshift token header.

Describe the solution you'd like

The che-server has a single-user and a multi-user mode. Single-user fakes the users by providing a single anonymous user and uses the H2 DB for persistence. Multi-user fully depends on Keycloak: it uses Keycloak tokens, touches the Keycloak DB, etc. This new authentication will need to live as a 3rd option beside these 2 modes. Let's call it openshift-user (just for the purpose of this issue description).

[diagram: gateway in front of che-server running in openshift-user mode]

A very rough prototype implementation is here: https://github.com/eclipse/che/pull/19685/files (it's a modified multi-user).

We need to do several things in che-server:

  • Create a new che-server configuration beside single-user and multi-user. How to configure it?
  • Get rid of the stuff that touches the Keycloak API.
  • /keycloak/settings must return 404. This switches the dashboard into single-user mode, which is fine for now.
  • Think about what to do with ProfileDao. We're using it for additional user attributes (real name, email, ...). Where should we store this data?
  • Openshift implementation of UserDao. Many of the methods there won't be supported. Be aware that we should be using the user's token there, so most probably we won't have enough permissions for things like listing all users.
  • Create a client with the user's token in OpenshiftClientFactory.
  • Create an HTTP client with the user's token in OpenshiftClientFactory.
  • Use the HTTP client above in the kubernetes API proxy /unsupported/k8s; use the token from the Authorization header or X-Forwarded-Access-Token.
  • In case we would like to use X-Forwarded-Access-Token, we would need to implement this when impersonating the OpenshiftClient with the user's token.
  • Most probably expose that we're running in openshift-user mode for the dashboard.

Describe alternatives you've considered

Additional context

epic: Authentication and authorization in Eclipse Che #19182
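The token-selection rule for the /unsupported/k8s proxy described in the task list above, as an added example that is not part of the issue and not Che's own code (che-server is Java; this is a language-neutral model of the logic). It assumes a request reaches che-server either with the user's OpenShift token in "Authorization: Bearer ..." or, when a gateway such as openshift/oauth-proxy sits in front, in X-Forwarded-Access-Token, and that the API server itself validates whatever token is forwarded. The point a reviewer would look for: the proxy forwards the user's token and only that token, so the user's own RBAC bounds what the proxy can do, and che-server's service-account token is never substituted when the user token is missing. The header names, the hypothetical `api_host` parameter, and the sample requests are constructed for the example.

```python
"""Per-user token selection for a Kubernetes API proxy (illustrative, not Che code)."""
from typing import Mapping, Optional

# Hop-by-hop headers that a proxy must not pass through (RFC 7230 section 6.1).
HOP_BY_HOP = frozenset({
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
})


class MissingUserToken(Exception):
    """Raised when neither header carries a token; the caller answers 401."""


def _get(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def extract_user_token(headers: Mapping[str, str]) -> str:
    """Return the user's OpenShift token from the incoming request.

    Authorization (Bearer scheme) wins over X-Forwarded-Access-Token, so a
    client that authenticates directly is never re-mapped to a gateway-supplied
    identity. Empty or non-Bearer values are treated as absent.
    """
    auth = _get(headers, "Authorization")
    if auth:
        scheme, _, token = auth.strip().partition(" ")
        if scheme.lower() == "bearer" and token.strip():
            return token.strip()
    forwarded = _get(headers, "X-Forwarded-Access-Token")
    if forwarded and forwarded.strip():
        return forwarded.strip()
    # No fallback to the server's own service-account token: that would let an
    # unauthenticated caller act with che-server's permissions.
    raise MissingUserToken("request carries no OpenShift token")


def build_upstream_headers(headers: Mapping[str, str], api_host: str) -> dict:
    """Headers for the request forwarded to the API server.

    Drops hop-by-hop headers, drops both credential headers so the API server
    sees exactly one credential, rewrites Host, and sets Authorization from
    the user's token. `api_host` is an assumed parameter for the example.
    """
    token = extract_user_token(headers)
    drop = HOP_BY_HOP | {"authorization", "x-forwarded-access-token", "host"}
    out = {k: v for k, v in headers.items() if k.lower() not in drop}
    out["Host"] = api_host
    out["Authorization"] = f"Bearer {token}"
    return out


# Constructed sample requests for a stand-alone run (not captured traffic).
DIRECT = {"Host": "che.example", "Authorization": "Bearer sha256~user-a",
          "Connection": "keep-alive", "Accept": "application/json"}
VIA_GATEWAY = {"Host": "che.example", "X-Forwarded-Access-Token": "sha256~user-b",
               "X-Forwarded-User": "user-b", "Accept": "application/json"}
ANONYMOUS = {"Host": "che.example", "Accept": "application/json"}

if __name__ == "__main__":
    print(build_upstream_headers(DIRECT, "api.cluster.example:6443"))
    print(build_upstream_headers(VIA_GATEWAY, "api.cluster.example:6443"))
    try:
        build_upstream_headers(ANONYMOUS, "api.cluster.example:6443")
    except MissingUserToken as err:
        print("401:", err)
```

Note that trusting X-Forwarded-Access-Token from an arbitrary client is safe only because the API server validates the token: a client that sets the header can at most present a token it already holds. What the proxy must never do is fall back to its own credentials, which is why the missing-token case is an error rather than a default.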

Metadata

Labels

area/che-server
kind/task: Internal things, technical debt, and to-do tasks to be performed.
severity/P1: Has a major impact to usage or development of the system.