Merge pull request #577 from nnmin-aws/nnmin-rel

Add Username Prefix Enforce for DynamicFile mode

README.md

@@ -158,7 +158,26 @@ useful if you're migrating from/to EKS and want to keep your mappings, or are
 running EKS in addition to some other AWS cluster(s) and want to have the same
 mappings in each.
 
-### 5. Set up kubectl to use authentication tokens provided by AWS IAM Authenticator for Kubernetes
+#### `DynamicFile`
+A local file specified by cfg.dynamicfilepath can serve as the backend. The file
+content is expected to be in exactly the same format as the EKSConfigMap. Whenever
+this file content changes, authenticator will automatically reload it.  This
+provides more flexibility on managing the ARN mappings.
+
+Check https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/master/hack/dev/authenticator_with_dynamicfile_mode.yaml
+about how to configure the DynamicFile mode.
+
+Run `make e2e RUNNER=kind` to play with a kind cluster with DynamicFile mode enable.
+### 5. How to configure reservedPrefixConfig for Kubernetes usernames
+The aws-iam-authenticator can support reserved prefix for k8s username. If the reserved prefix is
+set, then the username with the reserved prefix will not be authenticated with the error
+"username must not begin with with the following prefixes:".
+
+Check https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/master/hack/dev/authenticator_with_dynamicfile_mode.yaml
+about how to configure the reserved prefix.
+
+
+### 6. Set up kubectl to use authentication tokens provided by AWS IAM Authenticator for Kubernetes
 
 > This requires a 1.10+ `kubectl` binary to work. If you receive `Please enter Username:` when trying to use `kubectl` you need to update to the latest `kubectl`
 

cmd/aws-iam-authenticator/root.go

@@ -103,8 +103,11 @@ func getConfig() (config.Config, error) {
 		EC2DescribeInstancesQps:           viper.GetInt("server.ec2DescribeInstancesQps"),
 		EC2DescribeInstancesBurst:         viper.GetInt("server.ec2DescribeInstancesBurst"),
 		ScrubbedAWSAccounts:               viper.GetStringSlice("server.scrubbedAccounts"),
-		DynamicFilePath:                   viper.GetString("server.dynamicfilepath"),
-		DynamicFileUserIDStrict:           viper.GetBool("server.dynamicfileUserIDStrict"),
+		//flags for dynamicfile mode
+		//DynamicFilePath: the file path containing the roleMapping and userMapping
+		DynamicFilePath: viper.GetString("server.dynamicfilepath"),
+		//DynamicFileUserIDStrict: if true, then aws UserId from sts will be used to look up the roleMapping/userMapping; or aws IdentityArn is used
+		DynamicFileUserIDStrict: viper.GetBool("server.dynamicfileUserIDStrict"),
 	}
 	if err := viper.UnmarshalKey("server.mapRoles", &cfg.RoleMappings); err != nil {
 		return cfg, fmt.Errorf("invalid server role mappings: %v", err)
@@ -115,7 +118,16 @@ func getConfig() (config.Config, error) {
 	if err := viper.UnmarshalKey("server.mapAccounts", &cfg.AutoMappedAWSAccounts); err != nil {
 		logrus.WithError(err).Fatal("invalid server account mappings")
 	}
-
+	var reservedPrefixConfig []config.ReservedPrefixConfig
+	if err := viper.UnmarshalKey("server.reservedPrefixConfig", &reservedPrefixConfig); err != nil {
+		return cfg, fmt.Errorf("invalid reserved prefix config: %v", err)
+	}
+	if len(reservedPrefixConfig) > 0 {
+		cfg.ReservedPrefixConfig = make(map[string]config.ReservedPrefixConfig)
+		for _, c := range reservedPrefixConfig {
+			cfg.ReservedPrefixConfig[c.BackendMode] = c
+		}
+	}
 	if featureGates.Enabled(config.ConfiguredInitDirectories) {
 		logrus.Info("ConfiguredInitDirectories feature enabled")
 	}

hack/dev/access-entries-username-prefix.template

@@ -0,0 +1,13 @@
+{
+  "mapRoles": [
+    {
+      "rolearn": "arn:aws:iam::{{AWS_ACCOUNT}}:role/{{USERNAME_TEST_ROLE}}",
+      "username": "{{SessionName}}:masters",
+      "groups": [
+        "system:masters"
+      ],
+      "userid": "{{USER_ID}}"
+    }
+  ]
+}
+

hack/dev/authenticator_with_dynamicfile_mode.yaml

@@ -7,6 +7,14 @@ server:
   kubeconfig: {{AUTHENTICATOR_KUBECONFIG}}
   backendmode: [ "MountedFile", "DynamicFile" ]
   dynamicfilepath: {{AUTHENTICATOR_DYNAMICFILE_PATH}}
+  reservedPrefixConfig:
+  - backendmode: DynamicFile
+    usernamePrefixReserveList:
+    - "aws:"
+    - "iam:"
+    - "amazon:"
+    - "system:"
+    - "eks:"
   mapUsers:
   - userARN: {{ADMIN_ARN}}
     username: kubernetes-admin

hack/e2e-dynamicfile.sh

@@ -26,6 +26,7 @@ OUTPUT="${OUTPUT:-${REPO_ROOT}/_output}"
 # Location of templates, config files, mounts
 policies_template="${REPO_ROOT}/hack/dev/policies.template"
 access_entry_template="${REPO_ROOT}/hack/dev/access-entries.template"
+access_entry_username_prefix_template="${REPO_ROOT}/hack/dev/access-entries-username-prefix.template"
 policies_json="${OUTPUT}/dev/authenticator/policies.json"
 allow_assume_role_policies_template="${REPO_ROOT}/hack/dev/allow_assume_role_policy.template"
 allow_assume_role_policies_json="${OUTPUT}/dev/authenticator/allow_assume_role_policy.json"
@@ -37,7 +38,7 @@ kubectl_kubeconfig="${client_dir}/kubeconfig.yaml"
 REGION=${AWS_REGION:-us-west-2}
 AWS_ACCOUNT=$(aws sts get-caller-identity --query "Account" --output text)
 AWS_TEST_ROLE=${AWS_TEST_ROLE-authenticator-dev-cluster-testrole}
-
+USERNAME_TEST_ROLE=${USERNAME_TEST_ROLE-authenticator-username-testrole}
 
 function e2e_mountfile() {
   sleep 5
@@ -54,6 +55,78 @@ function e2e_mountfile() {
 
 }
 
+function e2e_dynamicfile_username_prefix_enforce(){
+  set +e
+  RoleOutput=$(aws iam get-role --role-name ${USERNAME_TEST_ROLE} 2>/dev/null)
+
+  if [ -z "$RoleOutput" ]; then
+      sed -e "s|{{AWS_ACCOUNT}}|${AWS_ACCOUNT}|g" \
+              "${policies_template}" > "${policies_json}"
+      sleep 2
+      aws iam create-role --role-name ${USERNAME_TEST_ROLE} --assume-role-policy-document file://${policies_json} 1>/dev/null
+      sleep 10
+  fi
+
+  #detect if run on github and allow the test account to assume role accordingly
+  if [ $CI = true ]
+      then
+          OUT=$(aws iam list-attached-user-policies --user-name awstester)
+          echo $OUT
+          if [ -z "$OUT" ]
+              then
+                  OUT=$(aws iam list-policies --query 'Policies[?PolicyName==`allow-assume-role`]'|jq '.[0]'|jq -r '.Arn')
+                  echo $OUT
+                  if [ -z "$OUT" ]; then
+                      sed -e "s|{{AWS_ACCOUNT}}|${AWS_ACCOUNT}|g" \
+                          "${allow_assume_role_policies_template}" > "${allow_assume_role_policies_json}"
+                      sleep 2
+                      OUT=$(aws iam create-policy --policy-name allow-assume-role --policy-document file://${allow_assume_role_policies_json})
+                      policy_arn=$(echo $OUT| jq -r '.Policy.Arn')
+                  else
+                      policy_arn=$OUT
+                  fi
+                  echo ${policy_arn}
+                  OUT=$(aws iam attach-user-policy --policy-arn ${policy_arn} --user-name awstester)
+                  echo $OUT
+                  echo $(aws iam get-user)
+          fi
+  fi
+
+  set -e
+  OUT=$(aws sts assume-role --role-arn arn:aws:iam::${AWS_ACCOUNT}:role/${USERNAME_TEST_ROLE} --role-session-name system);\
+  export AWS_ACCESS_KEY_ID=$(echo $OUT | jq -r '.Credentials''.AccessKeyId');\
+  export AWS_SECRET_ACCESS_KEY=$(echo $OUT | jq -r '.Credentials''.SecretAccessKey');\
+  export AWS_SESSION_TOKEN=$(echo $OUT | jq -r '.Credentials''.SessionToken');
+
+  OUT=$(aws sts get-caller-identity|grep "${USERNAME_TEST_ROLE}")
+  echo "assumed role: "$OUT
+  if [ -z "$OUT" ]
+      then
+          echo "can't assume-role: "${USERNAME_TEST_ROLE}
+          exit 1
+  fi
+  USERID=$(aws sts get-caller-identity|jq -r '.UserId'|cut -d: -f1)
+  echo "userid: " $USERID
+
+  #update access entry to add the test role
+  sed -e "s|{{AWS_ACCOUNT}}|${AWS_ACCOUNT}|g" \
+      -e "s|{{USERNAME_TEST_ROLE}}|${USERNAME_TEST_ROLE}|g" \
+      -e "s|{{USER_ID}}|${USERID}|g" \
+            "${access_entry_username_prefix_template}" > "${access_entry_tmp}"
+  mv "${access_entry_tmp}"  "${access_entry_json}"
+  #sleep 10 seconds to make access entry effective
+  sleep 10
+  set +e
+  OUT=$(kubectl --kubeconfig=${kubectl_kubeconfig} --context="test-authenticator" get nodes 2>/var/tmp/err.txt)
+  if grep -q "Unauthorized" "/var/tmp/err.txt"; then
+      echo "end to end testing for dynamicfile mode succeeded"
+  else
+      echo "end to end testing for dynamicfile mode failed"
+      exit 1
+  fi
+  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
 function e2e_dynamicfile(){
   set +e
   RoleOutput=$(aws iam get-role --role-name authenticator-dev-cluster-testrole 2>/dev/null)
@@ -134,21 +207,21 @@ function e2e_dynamicfile(){
   if [ ! -z "$OUT" ]
       then
           echo $OUT
-          unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
-          aws iam delete-role --role-name ${AWS_TEST_ROLE}
           echo "end to end testing for dynamicfile mode succeeded"
-          exit 0
 
       else
           echo "testing failed"
           exit 1
   fi
+  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
 }
 
 echo "start end to end testing for mountfile mode"
 e2e_mountfile
 echo "starting end to end testing for dynamicfile mode"
 e2e_dynamicfile
+echo "starting end to end testing for dynamicfile mode with username prefix"
+e2e_dynamicfile_username_prefix_enforce
 
 
 

pkg/config/types.go

@@ -141,15 +141,24 @@ type Config struct {
 	// +optional
 	Kubeconfig string
 
-	// BackendMode is an ordered list of backends to get mappings from. Comma-delimited list of: MountedFile,EKSConfigMap,CRD
+	// BackendMode is an ordered list of backends to get mappings from. Comma-delimited list of: MountedFile,EKSConfigMap,CRD,DynamicFile
 	BackendMode []string
 
 	// Ec2 DescribeInstances rate limiting variables initially set to defaults until we completely
 	// understand we don't need to change
 	EC2DescribeInstancesQps   int
 	EC2DescribeInstancesBurst int
-	//Dynamic File Path for DynamicFile BackendMode
+	// Dynamic File Path for DynamicFile BackendMode
 	DynamicFilePath string
-	//use UserId for mapping, IdentityArn is not used any more when DynamicFileUserIDStrict=true
+	// Use UserId for mapping, IdentityArn is not used any more when DynamicFileUserIDStrict=true
 	DynamicFileUserIDStrict bool
+	// ReservedPrefixConfig defines reserved username prefixes for each backend
+	ReservedPrefixConfig map[string]ReservedPrefixConfig
+}
+
+type ReservedPrefixConfig struct {
+	// Backend mode defined in Config.BackendMode
+	BackendMode string `json:"backendmode" yaml:"backendmode"`
+	// Defines the reserved prefixes for kubernetes username
+	UsernamePrefixReserveList []string `json:"usernamePrefixReserveList,omitempty" yaml:"usernamePrefixReserveList,omitempty"`
 }

pkg/mapper/configmap/mapper.go

@@ -59,3 +59,7 @@ func (m *ConfigMapMapper) Map(identity *token.Identity) (*config.IdentityMapping
 func (m *ConfigMapMapper) IsAccountAllowed(accountID string) bool {
 	return m.AWSAccount(accountID)
 }
+
+func (m *ConfigMapMapper) UsernamePrefixReserveList() []string {
+	return []string{}
+}

pkg/mapper/crd/mapper.go

@@ -120,3 +120,7 @@ func (m *CRDMapper) Map(identity *token.Identity) (*config.IdentityMapping, erro
 func (m *CRDMapper) IsAccountAllowed(accountID string) bool {
 	return false
 }
+
+func (m *CRDMapper) UsernamePrefixReserveList() []string {
+	return []string{}
+}

pkg/mapper/dynamicfile/dynamicfile.go

@@ -20,9 +20,10 @@ type DynamicFileMapStore struct {
 	users map[string]config.UserMapping
 	roles map[string]config.RoleMapping
 	// Used as set.
-	awsAccounts  map[string]interface{}
-	filename     string
-	userIDStrict bool
+	awsAccounts               map[string]interface{}
+	filename                  string
+	userIDStrict              bool
+	usernamePrefixReserveList []string
 }
 
 type DynamicFileData struct {

pkg/mapper/dynamicfile/mapper.go

@@ -18,6 +18,9 @@ func NewDynamicFileMapper(cfg config.Config) (*DynamicFileMapper, error) {
 	if err != nil {
 		return nil, err
 	}
+	if value, exists := cfg.ReservedPrefixConfig[mapper.ModeDynamicFile]; exists {
+		ms.usernamePrefixReserveList = value.UsernamePrefixReserveList
+	}
 	return &DynamicFileMapper{ms}, nil
 }
 
@@ -62,3 +65,7 @@ func (m *DynamicFileMapper) Map(identity *token.Identity) (*config.IdentityMappi
 func (m *DynamicFileMapper) IsAccountAllowed(accountID string) bool {
 	return m.AWSAccount(accountID)
 }
+
+func (m *DynamicFileMapper) UsernamePrefixReserveList() []string {
+	return m.usernamePrefixReserveList
+}

pkg/mapper/file/mapper.go

@@ -11,9 +11,10 @@ import (
 )
 
 type FileMapper struct {
-	lowercaseRoleMap map[string]config.RoleMapping
-	lowercaseUserMap map[string]config.UserMapping
-	accountMap       map[string]bool
+	lowercaseRoleMap          map[string]config.RoleMapping
+	lowercaseUserMap          map[string]config.UserMapping
+	accountMap                map[string]bool
+	usernamePrefixReserveList []string
 }
 
 var _ mapper.Mapper = &FileMapper{}
@@ -42,7 +43,9 @@ func NewFileMapper(cfg config.Config) (*FileMapper, error) {
 	for _, m := range cfg.AutoMappedAWSAccounts {
 		fileMapper.accountMap[m] = true
 	}
-
+	if value, exists := cfg.ReservedPrefixConfig[mapper.ModeMountedFile]; exists {
+		fileMapper.usernamePrefixReserveList = value.UsernamePrefixReserveList
+	}
 	return fileMapper, nil
 }
 
@@ -90,3 +93,7 @@ func (m *FileMapper) Map(identity *token.Identity) (*config.IdentityMapping, err
 func (m *FileMapper) IsAccountAllowed(accountID string) bool {
 	return m.accountMap[accountID]
 }
+
+func (m *FileMapper) UsernamePrefixReserveList() []string {
+	return m.usernamePrefixReserveList
+}

pkg/mapper/mapper.go

@@ -42,6 +42,7 @@ type Mapper interface {
 	Start(stopCh <-chan struct{}) error
 	Map(identity *token.Identity) (*config.IdentityMapping, error)
 	IsAccountAllowed(accountID string) bool
+	UsernamePrefixReserveList() []string
 }
 
 func ValidateBackendMode(modes []string) []error {

pkg/server/server.go

@@ -355,6 +355,15 @@ func (h *handler) authenticateEndpoint(w http.ResponseWriter, req *http.Request)
 	})
 }
 
+func ReservedPrefixExists(username string, reservedList []string) bool {
+	for _, prefix := range reservedList {
+		if len(prefix) > 0 && strings.HasPrefix(username, prefix) {
+			return true
+		}
+	}
+	return false
+}
+
 func (h *handler) doMapping(identity *token.Identity) (string, []string, error) {
 	var errs []error
 
@@ -366,6 +375,9 @@ func (h *handler) doMapping(identity *token.Identity) (string, []string, error)
 			if err != nil {
 				return "", nil, fmt.Errorf("mapper %s renderTemplates error: %v", m.Name(), err)
 			}
+			if len(m.UsernamePrefixReserveList()) > 0 && ReservedPrefixExists(username, m.UsernamePrefixReserveList()) {
+				return "", nil, fmt.Errorf("invalid username '%s' for mapper %s: username must not begin with with the following prefixes: %v", username, m.Name(), m.UsernamePrefixReserveList())
+			}
 			return username, groups, nil
 		} else {
 			if err != mapper.ErrNotMapped {

pkg/server/server_test.go

@@ -169,6 +169,46 @@ func validateMetrics(t *testing.T, opts validateOpts) {
 	}
 }
 
+func TestReservedPrefixExists(t *testing.T) {
+	cases := []struct {
+		username     string
+		reservedList []string
+		want         bool
+	}{
+		{
+			"system:masters",
+			[]string{"aws:", "eks:", "amazon:", "iam:", "system:"},
+			true,
+		},
+		{
+			"test",
+			[]string{"aws:", "eks:", "amazon:", "iam:", "system:"},
+			false,
+		},
+		{
+			"eksb:test",
+			[]string{"aws:", "eks:", "amazon:", "iam:", "system:"},
+			false,
+		},
+		{
+			"eks:test",
+			[]string{"aws:", "eks:", "amazon:", "iam:", "system:"},
+			true,
+		},
+	}
+	for _, c := range cases {
+		if got := ReservedPrefixExists(c.username, c.reservedList); got != c.want {
+			t.Errorf(
+				"Unexpected result: ReservedPrefixExists(%v,%v): got: %t, wanted %t",
+				c.username,
+				c.reservedList,
+				got,
+				c.want,
+			)
+		}
+	}
+}
+
 func TestAuthenticateNonPostError(t *testing.T) {
 	resp := httptest.NewRecorder()
 	req := httptest.NewRequest("GET", "http://k8s.io/authenticate", nil)