Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auth plugins #1430

Closed
wants to merge 2 commits into from
Closed

Auth plugins #1430

wants to merge 2 commits into from

Conversation

erictune
Copy link
Member

This supercedes #1358.

Since some folks want a very simple default implementation for auth, and others want to be able to plug in a more full-featured implementation, I've focused on the problem of defining how Authorization plugs in.

In the process, I found I was unable to talk about that without also defining how Authentication and Group Membership should plug in.

I've also removed the text from access.md about "userAccounts", since I no longer feel that is resource type has to be part of kubernetes.

@erictune erictune mentioned this pull request Sep 24, 2014
Closed
@erictune erictune changed the title Added proposal for how Auth plugins work. Auth plugins Sep 24, 2014
@erictune
Copy link
Member Author

As @smarterclayton suggested, lets have a hangout to discuss auth.
I created a poll to pick a time. Anyone interested is welcome.
http://doodle.com/u62he7769miweses
Once a time is selected, I'll contact folks with meeting details.

@erictune erictune mentioned this pull request Sep 29, 2014
Closed
@erictune
Copy link
Member Author

Status update:

Hangout happening tomorrow. Progress on modifying or committing this plan expected for after that.

roberthbailey
roberthbailey reviewed Sep 30, 2014
View reviewed changes
docs/proposals/auth_plugins.md
Here are the key points of the design:
- APIserver Architecture
- Authentication, Group Membership, and Authorization are handled by separate interfaces in separate steps by the APIserver.
- Cluster owners can chose from among contributed pacakges, or write their own go code to handle each of those steps.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: pacakges

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed.

@smarterclayton
Copy link
Contributor

As per discussion today, LGTM with some follow ups

@liggitt and I will open a quick predesign with the minimal set of in-tree interfaces we need to implement an API handler that can check a token, a simple file based mechanism to serve as the basis for tokens, and the client flags that allow the apiserver to start it. We'll then follow up with a set of pulls (and a pull to this doc) describing a simple oauth server on top of etcd that can sit in the plugins/* dir and serve as a source of oauth flows for tokens which assumes an external user store (of some form). We'll need to sort through what that store's interfaces are.

In parallel we'll want to get the policy / attributes flows you describe here wired in. Some form of ABAC policy is still worth discussing - how do you want to handle that?

@erictune
Copy link
Member Author

erictune commented Oct 1, 2014

I have a mostly written doc describing an ABAC language. I'll send a PR
for that after this merges.

In terms of using and implementing an AuthorizationProvider, I'm happy to
do it. I should probably work on my 0.7 milestone before I do
authorization though.

On Tue, Sep 30, 2014 at 5:42 PM, Clayton Coleman notifications@github.com
wrote:

As per discussion today, LGTM with some follow ups

@liggitt https://github.com/liggitt and I will open a quick predesign
with the minimal set of in-tree interfaces we need to implement an API
handler that can check a token, a simple file based mechanism to serve as
the basis for tokens, and the client flags that allow the apiserver to
start it. We'll then follow up with a set of pulls (and a pull to this doc)
describing a simple oauth server on top of etcd that can sit in the
plugins/* dir and serve as a source of oauth flows for tokens which assumes
an external user store (of some form). We'll need to sort through what that
store's interfaces are.

In parallel we'll want to get the policy / attributes flows you describe
here wired in. Some form of ABAC policy is still worth discussing - how do
you want to handle that?


Reply to this email directly or view it on GitHub
#1430 (comment)
.

@smarterclayton smarterclayton mentioned this pull request Oct 1, 2014
Merged
@erictune
Copy link
Member Author

erictune commented Oct 2, 2014

My notes from hangout:

  • need client plugin too (addressed by Refactor the client (again) to better support auth #1500)
  • want implicit and explicit login flows separate endpoints
  • will eventually want service accounts. these might look like groups. we might want to have an official k8s group representation to support these and to make the group/authz/authn interaction less complex. service accounts are for accessing kubernetes API. Are they different from the idea of having credentials to access some other cloud service, or integrated?
  • something about Kubelet security which I forgot byt maybe @smarterclayton remembers

@smarterclayton
Copy link
Contributor

On Oct 2, 2014, at 7:51 PM, erictune notifications@github.com wrote:

My notes from hangout:

need client plugin too (addressed by #1500)
want implicit and explicit login flows separate endpoints
will eventually want service accounts. these might look like groups. we might want to have an official k8s group representation to support these and to make the group/authz/authn interaction less complex. service accounts are for accessing kubernetes API. Are they different from the idea of having credentials to access some other cloud service, or integrated?
something about Kubelet security which I forgot byt maybe @smarterclayton remembers
Protecting the Kubelet API from malicious parties, which includes the HTTP POST API for creating pods


Reply to this email directly or view it on GitHub.

@erictune erictune force-pushed the auth_plugin_proposal branch 3 times, most recently from e32ad51 to 9f92dd4 Compare October 14, 2014 18:20
This was referenced Nov 6, 2014
Closed
Closed
@kubernetes-bot
Copy link

Can one of the admins verify this patch?

@erictune erictune closed this Mar 4, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@smarterclayton smarterclayton

Labels
area/security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@erictune @smarterclayton @kubernetes-bot @liggitt @roberthbailey @googlebot @bgrant0607