[WIP] - keystone token authentication

[zhouhaibing089]

This is the keystone token authentication used as authenticator.Token which provides another authentication options.

features include:

1. token validation via keystone api
2. local validation via decode

referring #25391 as there will be todo list based on the present discussion there, which includes:

1. support keystone v3 token
2. register into authn and adding the flags.

@kfox1111 @liggitt @mkumatag please comment if you get any concern about this, thanks! since there will be more fix accordingly, so I will mark this as a WIP, but u know, it is ready for comments.

Also /cc @ashw7n @uruddarraju and @arkxu who implements the token local validation.

---

This change is

[k8s-bot]

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

[k8s-bot]

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

[k8s-bot]

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

[kfox1111]

@zhouhaibing089 Thanks for posting this. This code, and the one in the other review seem pretty complimentary. #25391 has a bit less code in the getting of the Keystone Auth user credentials part, reusing a lot of existing code in k8s. I think that part's cleaner over there.

This code seems to be mostly about adding pki token validation support. Thats awesome work. I hadn't attempted that since we're using Fernet tokens on all of our clouds now. The tests here are very nice too.

The rest of #25391 is related to returning data from the token over to authz plugins, and I have one almost completed I think. Once we can figure out the Extra data accessibility thing. I think its only a day or two away before I can post that.

So, how would you like to proceed? I think the other patch is maybe a good place to start from, and then we can rebase this one on top of the other one to add the pki support to it? That way, we don't have one gigantic patch.

I'm much more use to using Gerrit so I don't quite know how the workflow for having one PR depend on another PR works, if that's even possible. Anyone know?

Thanks,
Kevin

[zhouhaibing089]

#25391 has a bit less code in the getting of the Keystone Auth user credentials part, reusing a lot of existing code in k8s. I think that part's cleaner over there.

if you mean reusing most of the plugin/pkg/auth/authentication/password/keystone/keystone.go, I would say it is not clean, they are different, username/password and token should be located at different package, separately, I think @uruddarraju is the author of that file, I have a discussion with him before, as there will be many place using openstack client, it is better to abstract out for reuse in both password/keystone.go and token/keystone/keystone.go.

This code seems to be mostly about adding pki token validation support.

It is also not true, it is a special case that the token which starts with PKIZ_ and MII could be validated locally by downloading the keystone signing cert and decode directly. but if you see apicall.go, it is way to call keystone token api to validate it, it will handle other cases if the local one does not support it.

The rest of #25391 is related to returning data from the token over to authz plugins

I admire your work, which I would like to pick, especially thank you for reminds me of adding Roles into the Extra field.

So, how would you like to proceed?

I do not want to be selfishly, so let's discuss, I personally think porting your feature here would be much easier though.

To address your concern, I will do some refactoring on plugin/pkg/auth/authentication/password/keystone/keystone.go as well.

[zhouhaibing089]

@kfox1111 we could do some offline discussion, however I could not find your email in your profile, so would you mind sending message with me in slack haibzhou or email zhouhaibing089@gmail.com?

[kfox1111]

Its unfortunate you waited so long to post this. I've been working on the other set for a while and I've gotten the whole thing working in the other review.

I was able to test it with PKI tokens with the remote authentication does work with it, so I believe the majority of the code here is an optimization for local authentication of PKI tokens. (All of the vendor/github.com/fullsailor/pkcs7/* stuff)

I think all the other features that this patch does, is already covered in the other version? Are there any gaps?

If that's the case, I still think its probably a good idea to layer these changes on top of the other patch set, rather the selectively copy features from the other patch set into this one. Then this set of optimizations can happen as a separate review, allowing for an easier set of reviews.

To merge, I think all we need to do is merge one file that exists in both:
plugin/pkg/auth/authenticator/token/keystone/keystone.go

And remove the following lines from this patchset as they are no longer needed:
cmd/kube-apiserver/app/options/options.go
cmd/kube-apiserver/app/server.go
federation/cmd/federated-apiserver/app/options/options.go
federation/cmd/federated-apiserver/app/server.go
pkg/apiserver/authenticator/authn.go
pkg/util/openstack/client.go
pkg/util/openstack/doc.go
plugin/pkg/auth/authenticator/token/keystone/apicall.go

[zhouhaibing089]

rebased.

[k8s-github-robot]

@zhouhaibing089 PR needs rebase

[k8s-bot]

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

[k8s-bot]

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

[kfox1111]

keep-open

[k8s-bot]

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

[k8s-bot]

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

[k8s-bot]

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

[zhouhaibing089]

Close it as it is not my focus for now, also it causes many spam messages.

[stevemcquaid]

@zhouhaibing089 I think I would like to pick this up - would you be willing to chat on kube-slack if we have questions?

[kfox1111]

@stevemcquaid : I've got a version here that I think is pretty close: #25624

[liggitt]

@stevemcquaid if you have interest in openstack token auth, I'd recommend working with @kfox1111 instead on #25391

[zhouhaibing089]

@kfox1111 @liggitt @stevemcquaid Basically I am suggesting to move to a webhook implementation, it causes some maintainance pain, as openstack is too diversity, we have v2 token, and now we have v3 toke which adds the domain parameter, and actually, the token itself has four types as far as I know.

If necessary, I will pick something up(like local validator, cache, etc) when @kfox1111 has done all the things right.

[admiyo]

Is this dead? Is it possible to make this use all of the Keystone auth methods instead of hardcoding it to Keystone Password?

[liggitt]

@admiyo see #25391 instead for server side honoring of keystone tokens, and #39587 for client-side hooks to obtain tokens from config read from openstack environment vars