-
Notifications
You must be signed in to change notification settings - Fork 39.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
plugin/pkg/client/auth: add openstack auth provider #39587
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
package(default_visibility = ["//visibility:public"]) | ||
|
||
licenses(["notice"]) | ||
|
||
load( | ||
"@io_bazel_rules_go//go:def.bzl", | ||
"go_library", | ||
"go_test", | ||
) | ||
|
||
go_test( | ||
name = "go_default_test", | ||
srcs = ["openstack_test.go"], | ||
library = ":go_default_library", | ||
tags = ["automanaged"], | ||
) | ||
|
||
go_library( | ||
name = "go_default_library", | ||
srcs = ["openstack.go"], | ||
tags = ["automanaged"], | ||
deps = [ | ||
"//vendor/github.com/golang/glog:go_default_library", | ||
"//vendor/github.com/gophercloud/gophercloud/openstack:go_default_library", | ||
"//vendor/k8s.io/client-go/rest:go_default_library", | ||
], | ||
) | ||
|
||
filegroup( | ||
name = "package-srcs", | ||
srcs = glob(["**"]), | ||
tags = ["automanaged"], | ||
visibility = ["//visibility:private"], | ||
) | ||
|
||
filegroup( | ||
name = "all-srcs", | ||
srcs = [":package-srcs"], | ||
tags = ["automanaged"], | ||
) |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,161 @@ | ||
/* | ||
Copyright 2017 The Kubernetes Authors. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package openstack | ||
|
||
import ( | ||
"fmt" | ||
"net/http" | ||
"sync" | ||
"time" | ||
|
||
"github.com/golang/glog" | ||
"github.com/gophercloud/gophercloud/openstack" | ||
|
||
restclient "k8s.io/client-go/rest" | ||
) | ||
|
||
func init() { | ||
if err := restclient.RegisterAuthProviderPlugin("openstack", newOpenstackAuthProvider); err != nil { | ||
glog.Fatalf("Failed to register openstack auth plugin: %s", err) | ||
} | ||
} | ||
|
||
// DefaultTTLDuration is the time before a token gets expired. | ||
const DefaultTTLDuration = 10 * time.Minute | ||
|
||
// openstackAuthProvider is an authprovider for openstack. this provider reads | ||
// the environment variables to determine the client identity, and generates a | ||
// token which will be inserted into the request header later. | ||
type openstackAuthProvider struct { | ||
ttl time.Duration | ||
|
||
tokenGetter TokenGetter | ||
} | ||
|
||
// TokenGetter returns a bearer token that can be inserted into request. | ||
type TokenGetter interface { | ||
Token() (string, error) | ||
} | ||
|
||
type tokenGetter struct{} | ||
|
||
// Token creates a token by authenticate with keystone. | ||
func (*tokenGetter) Token() (string, error) { | ||
options, err := openstack.AuthOptionsFromEnv() | ||
if err != nil { | ||
return "", fmt.Errorf("failed to read openstack env vars: %s", err) | ||
} | ||
client, err := openstack.AuthenticatedClient(options) | ||
if err != nil { | ||
return "", fmt.Errorf("authentication failed: %s", err) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. wondering whether all errors should include the "openstack" reference. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @sttts ah, well, this is not the case for other providers.. I am ok to add the word if your opinion is strong.. |
||
} | ||
return client.TokenID, nil | ||
} | ||
|
||
// cachedGetter caches a token until it gets expired, after the expiration, it will | ||
// generate another token and cache it. | ||
type cachedGetter struct { | ||
mutex sync.Mutex | ||
tokenGetter TokenGetter | ||
|
||
token string | ||
born time.Time | ||
ttl time.Duration | ||
} | ||
|
||
// Token returns the current available token, create a new one if expired. | ||
func (c *cachedGetter) Token() (string, error) { | ||
c.mutex.Lock() | ||
defer c.mutex.Unlock() | ||
|
||
var err error | ||
// no token or exceeds the TTL | ||
if c.token == "" || time.Now().Sub(c.born) > c.ttl { | ||
c.token, err = c.tokenGetter.Token() | ||
if err != nil { | ||
return "", fmt.Errorf("failed to get token: %s", err) | ||
} | ||
c.born = time.Now() | ||
} | ||
return c.token, nil | ||
} | ||
|
||
// tokenRoundTripper implements the RoundTripper interface: adding the bearer token | ||
// into the request header. | ||
type tokenRoundTripper struct { | ||
http.RoundTripper | ||
|
||
tokenGetter TokenGetter | ||
} | ||
|
||
// RoundTrip adds the bearer token into the request. | ||
func (t *tokenRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { | ||
// if the authorization header already present, use it. | ||
if req.Header.Get("Authorization") != "" { | ||
return t.RoundTripper.RoundTrip(req) | ||
} | ||
|
||
token, err := t.tokenGetter.Token() | ||
if err == nil { | ||
req.Header.Set("Authorization", "Bearer "+token) | ||
} else { | ||
glog.V(4).Infof("failed to get token: %s", err) | ||
} | ||
|
||
return t.RoundTripper.RoundTrip(req) | ||
} | ||
|
||
// newOpenstackAuthProvider creates an auth provider which works with openstack | ||
// environment. | ||
func newOpenstackAuthProvider(clusterAddress string, config map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) { | ||
var ttlDuration time.Duration | ||
var err error | ||
|
||
ttl, found := config["ttl"] | ||
if !found { | ||
ttlDuration = DefaultTTLDuration | ||
// persist to config | ||
config["ttl"] = ttlDuration.String() | ||
if err = persister.Persist(config); err != nil { | ||
return nil, fmt.Errorf("failed to persist config: %s", err) | ||
} | ||
} else { | ||
ttlDuration, err = time.ParseDuration(ttl) | ||
if err != nil { | ||
return nil, fmt.Errorf("failed to parse ttl config: %s", err) | ||
} | ||
} | ||
|
||
// TODO: read/persist client configuration(OS_XXX env vars) in config | ||
|
||
return &openstackAuthProvider{ | ||
ttl: ttlDuration, | ||
tokenGetter: &tokenGetter{}, | ||
}, nil | ||
} | ||
|
||
func (oap *openstackAuthProvider) WrapTransport(rt http.RoundTripper) http.RoundTripper { | ||
return &tokenRoundTripper{ | ||
RoundTripper: rt, | ||
tokenGetter: &cachedGetter{ | ||
tokenGetter: oap.tokenGetter, | ||
ttl: oap.ttl, | ||
}, | ||
} | ||
} | ||
|
||
func (oap *openstackAuthProvider) Login() error { return nil } |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,116 @@ | ||
/* | ||
Copyright 2017 The Kubernetes Authors. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package openstack | ||
|
||
import ( | ||
"math/rand" | ||
"net/http" | ||
"testing" | ||
"time" | ||
) | ||
|
||
// testTokenGetter is a simple random token getter. | ||
type testTokenGetter struct{} | ||
|
||
const LetterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this can be private, can't it? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. oh, test. does not matter.... |
||
|
||
func RandStringBytes(n int) string { | ||
b := make([]byte, n) | ||
for i := range b { | ||
b[i] = LetterBytes[rand.Intn(len(LetterBytes))] | ||
} | ||
return string(b) | ||
} | ||
|
||
func (*testTokenGetter) Token() (string, error) { | ||
return RandStringBytes(32), nil | ||
} | ||
|
||
// testRoundTripper is mocked roundtripper which responds with unauthorized when | ||
// there is no authorization header, otherwise returns status ok. | ||
type testRoundTripper struct{} | ||
|
||
func (trt *testRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { | ||
authHeader := req.Header.Get("Authorization") | ||
if authHeader == "" || authHeader == "Bearer " { | ||
return &http.Response{ | ||
StatusCode: http.StatusUnauthorized, | ||
}, nil | ||
} | ||
return &http.Response{StatusCode: http.StatusOK}, nil | ||
} | ||
|
||
func TestOpenstackAuthProvider(t *testing.T) { | ||
trt := &tokenRoundTripper{ | ||
RoundTripper: &testRoundTripper{}, | ||
} | ||
|
||
tests := []struct { | ||
name string | ||
ttl time.Duration | ||
interval time.Duration | ||
same bool | ||
}{ | ||
{ | ||
name: "normal", | ||
ttl: 2 * time.Second, | ||
interval: 1 * time.Second, | ||
same: true, | ||
}, | ||
{ | ||
name: "expire", | ||
ttl: 1 * time.Second, | ||
interval: 2 * time.Second, | ||
same: false, | ||
}, | ||
} | ||
|
||
for _, test := range tests { | ||
trt.tokenGetter = &cachedGetter{ | ||
tokenGetter: &testTokenGetter{}, | ||
ttl: test.ttl, | ||
} | ||
|
||
req, err := http.NewRequest(http.MethodPost, "https://test-api-server.com", nil) | ||
if err != nil { | ||
t.Errorf("failed to new request: %s", err) | ||
} | ||
trt.RoundTrip(req) | ||
header := req.Header.Get("Authorization") | ||
if header == "" { | ||
t.Errorf("expect to see token in header, but is absent") | ||
} | ||
|
||
time.Sleep(test.interval) | ||
|
||
req, err = http.NewRequest(http.MethodPost, "https://test-api-server.com", nil) | ||
if err != nil { | ||
t.Errorf("failed to new request: %s", err) | ||
} | ||
trt.RoundTrip(req) | ||
newHeader := req.Header.Get("Authorization") | ||
if newHeader == "" { | ||
t.Errorf("expect to see token in header, but is absent") | ||
} | ||
|
||
same := newHeader == header | ||
if same != test.same { | ||
t.Errorf("expect to get %t when compare header, but saw %t", test.same, same) | ||
} | ||
} | ||
|
||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe add a commented import like the gce one does in the examples.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry that I am not sure what's the example are your referring?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Like here: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/client-go/examples/create-update-delete-deployment/main.go#L33
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sttts that's the usage part, while the intention here is introducing a new auth-provider in client-go. the import line is at https://github.com/kubernetes/kubernetes/pull/39587/files#diff-a5c163dc6716888c4db9660991b9c7f6R24, which makes it enabled by default.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's only enabled if the package is also imported (which for some (hopefully good) reason it is not in the client-go examples).
Also there are other places where we load the plugins, e.g. in pkg/kubeapiserver/authenticator/config.go:43. Would maybe be good to turn those into an import of
k8s.io/client-go/plugin/pkg/client/auth
instead of listing all plugins there. Maybe there are other places.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, we should change all places like kubeapiserver/authenticator/config.go:43 to import k8s.io/client-go/plugin/pkg/client/auth instead, rather than trying to "me too" lots of partial lists. I don't think that should be done as part of this PR, however (will require very different approvers, etc).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh, I see, kube-apiserver itself is also a client for kube-apiserver, and so it also require this list of plugins.
does it make sense to change the import at
pkg/kubeapiserver/authenticator/config.go
in a separate PR? @stttsThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, follow-up is fine.