Auth plugins #1430
Conversation
As @smarterclayton suggested, let's have a hangout to discuss auth.
Status update: hangout happening tomorrow. Progress on modifying or committing this plan expected after that.
Here are the key points of the design:
- APIserver architecture
- Authentication, group membership, and authorization are handled by separate interfaces in separate steps by the APIserver.
- Cluster owners can choose from among contributed packages, or write their own Go code to handle each of those steps.
typo: pacakges
fixed.
As per discussion today, LGTM with some follow-ups. @liggitt and I will open a quick pre-design with the minimal set of in-tree interfaces we need to implement an API handler that can check a token, a simple file-based mechanism to serve as the basis for tokens, and the client flags that allow the apiserver to start it. We'll then follow up with a set of pulls (and a pull to this doc) describing a simple OAuth server on top of etcd that can sit in the plugins/* dir and serve as a source of OAuth flows for tokens, which assumes an external user store (of some form). We'll need to sort through what that store's interfaces are. In parallel we'll want to get the policy / attributes flows you describe here wired in. Some form of ABAC policy is still worth discussing - how do you want to handle that?
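The design points quoted above (three separate interfaces, pluggable per step) and the follow-up plan in the comment just above (an API handler that checks a token, a file-based token store, a policy/attributes flow) can be sketched as one handler chain. The following is an added example written for this page; it is not code from this pull request or from Kubernetes. The `token,user` file format, the `user:`/`group:` rule subjects, the verb and resource derivation from the HTTP request, and all sample tokens and groups are assumptions made for the example.

```go
package main

import (
	"bufio"
	"crypto/subtle"
	"fmt"
	"net/http"
	"strings"
)

// Step 1: Authenticator maps a request to a user name. ok=false with nil err means no credential was presented.
type Authenticator interface {
	AuthenticateRequest(r *http.Request) (user string, ok bool, err error)
}
// Step 2: GroupResolver adds group memberships to an already-authenticated user name.
type GroupResolver interface{ Groups(user string) []string }
// Step 3: Authorizer sees only these attributes and is default-deny.
type Attributes struct{ User, Verb, Resource string; Groups []string }
type Authorizer interface{ Authorize(a Attributes) bool }

// tokenFile is the file-based token store: one "token,user" line per entry (hypothetical format, assumed here).
type tokenFile struct{ tokens, users []string }

func NewTokenFile(contents string) (*tokenFile, error) {
	t := &tokenFile{}
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ",", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return nil, fmt.Errorf("malformed token line: %q", sc.Text())
		}
		t.tokens, t.users = append(t.tokens, parts[0]), append(t.users, parts[1])
	}
	return t, sc.Err()
}

func (t *tokenFile) AuthenticateRequest(r *http.Request) (string, bool, error) {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		return "", false, nil // nothing presented; Chain below treats this as unauthenticated
	}
	presented := []byte(strings.TrimPrefix(auth, "Bearer "))
	for i, tok := range t.tokens { // constant-time compare: a wrong guess leaks no per-byte timing
		if subtle.ConstantTimeCompare([]byte(tok), presented) == 1 {
			return t.users[i], true, nil
		}
	}
	return "", false, fmt.Errorf("invalid bearer token")
}

// staticGroups stands in for the external user store the thread leaves undefined.
type staticGroups map[string][]string

func (g staticGroups) Groups(user string) []string { return g[user] }

// Rule.Subject is "user:<name>", "group:<name>" or "*"; Verb and Resource may be "*" (assumed policy shape).
type Rule struct{ Subject, Verb, Resource string }
type policy []Rule

func (p policy) Authorize(a Attributes) bool {
	subjects := map[string]bool{"*": true, "user:" + a.User: true}
	for _, g := range a.Groups {
		subjects["group:"+g] = true
	}
	for _, r := range p {
		if subjects[r.Subject] && (r.Verb == "*" || r.Verb == a.Verb) && (r.Resource == "*" || r.Resource == a.Resource) {
			return true
		}
	}
	return false // no rule matched: deny
}

// Chain runs the three steps in order in front of the real API handler.
func Chain(authn Authenticator, groups GroupResolver, authz Authorizer, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, ok, err := authn.AuthenticateRequest(r)
		if err != nil || !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		// Simplification: verb is the lowercased HTTP method, resource the first path segment ("/pods/web-1" -> "pods").
		attrs := Attributes{User: user, Groups: groups.Groups(user), Verb: strings.ToLower(r.Method),
			Resource: strings.SplitN(strings.TrimPrefix(r.URL.Path, "/"), "/", 2)[0]}
		if !authz.Authorize(attrs) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// BuildHandler wires constructed sample data (not real credentials) so the chain can be exercised offline.
func BuildHandler() (http.Handler, error) {
	authn, err := NewTokenFile("secret-alice,alice\nsecret-bob,bob\n")
	if err != nil {
		return nil, err
	}
	groups := staticGroups{"alice": {"admins"}, "bob": {"developers"}}
	authz := policy{{Subject: "group:admins", Verb: "*", Resource: "*"}, {Subject: "group:developers", Verb: "get", Resource: "pods"}}
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	return Chain(authn, groups, authz, ok), nil
}
```

Each step is swappable on its own: the token file can be replaced by an OAuth-backed authenticator, the static group map by a real user store, and the rule list by an ABAC policy, without the other two changing. Note the three distinct outcomes a caller can see: 401 for no or bad credential, 403 for an authenticated user that no rule permits, and 200 only when all three steps pass.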
I have a mostly written doc describing an ABAC language. I'll send a PR. In terms of using and implementing an AuthorizationProvider, I'm happy to
On Tue, Sep 30, 2014 at 5:42 PM, Clayton Coleman notifications@github.com
My notes from hangout:
Can one of the admins verify this patch?
This supersedes #1358.
Since some folks want a very simple default implementation for auth, and others want to be able to plug in a more full-featured implementation, I've focused on the problem of defining how Authorization plugs in.
In the process, I found I was unable to talk about that without also defining how Authentication and Group Membership should plug in.
I've also removed the text from access.md about "userAccounts", since I no longer feel that resource type has to be part of kubernetes.