Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

proxy not providing user info should cause error #42421

Closed
wants to merge 1 commit into from
Closed

proxy not providing user info should cause error #42421

wants to merge 1 commit into from

Conversation

deads2k
Copy link
Contributor

@deads2k deads2k commented Mar 2, 2017
edited by k8s-github-robot

Fixes #42437

When using a front proxy authenticator it should behave like this:

  1. unrecognized client-cert: skip
  2. unrecognized subject: skip
  3. recognized client-cert/subject, missing username: fail (the data provided was invalid)

In addition, the group information should come from the front proxy and not be later manipulated. Having that separation eliminates weird cases like the proxy saying a user is system:anonymous and the authentication chain adding group system:authenticated.

@kubernetes/sig-auth-pr-reviews

You cannot use a front proxy client certificate as front proxy client and a direct user against the API.

@deads2k deads2k added the kind/bug Categorizes issue or PR as related to a bug. label Mar 2, 2017
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Mar 2, 2017
@k8s-reviewable
Copy link

This change is Reviewable

@k8s-github-robot k8s-github-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. release-note-label-needed labels Mar 2, 2017
@deads2k deads2k added this to the v1.6 milestone Mar 2, 2017
@deads2k
Copy link
Contributor Author

deads2k commented Mar 2, 2017

@ncdc @enj ptal.

@liggitt liggitt added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-label-needed labels Mar 2, 2017
liggitt
liggitt reviewed Mar 2, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go Outdated
@@ -111,5 +95,23 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, *spec.Secur
if c.Anonymous {
authenticator = unionauth.NewFailOnError(authenticator, anonymous.NewAuthenticator())
}

// front proxies go first, but since they provide group information, we need to ensure that we don't add *more*
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

watch the if len(authenticators) == 0 case above

Copy link
Member

@liggitt liggitt Mar 2, 2017
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

might be more straightforward to build the top-level chain at the end, and skip the early returns, e.g.

topLevelAuthenticators []authenticator.Request{}
if c.RequestHeaderConfig != nil {
  topLevelAuthenticators = append(topLevelAuthenticators, ...)
}
if len(authenticators) > 0 {
  topLevelAuthenticators = append(topLevelAuthenticators, group.NewGroupAdder(unionauth.New(authenticators...), []string{user.AllAuthenticated}))
}
if c.Anonymous {
  topLevelAuthenticators = append(topLevelAuthenticators, anonymous.NewAuthenticator())
}
return unionauth.NewFailOnError(topLevelAuthenticators...)

@deads2k
Copy link
Contributor Author

deads2k commented Mar 2, 2017

watch the if len(authenticators) == 0 case above

made it a switch case covering all four cases.

@k8s-github-robot k8s-github-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 2, 2017
@liggitt liggitt added area/security sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Mar 2, 2017
@deads2k deads2k force-pushed the auth-02-no-double-group branch 2 times, most recently from 8dcee4b to 21c3ff3 Compare March 2, 2017 20:46
liggitt
liggitt reviewed Mar 2, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go Outdated
@@ -122,10 +123,13 @@ func (a *Verifier) AuthenticateRequest(req *http.Request) (user.Info, bool, erro
}

if _, err := req.TLS.PeerCertificates[0].Verify(optsCopy); err != nil {
return nil, false, err
if invalidCertErr, ok := err.(x509.CertificateInvalidError); ok && invalidCertErr.Reason == x509.Expired {
Copy link
Member

@liggitt liggitt Mar 2, 2017
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unknown authority is a separate error (x509.UnknownAuthorityError). all the CertificateInvalidError reasons seem like things we'd want to bubble on (and the godoc supports that that error is for "odd" errors and should probably be dealt with uniformly)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@liggitt
Copy link
Member

liggitt commented Mar 2, 2017

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 2, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

The following people have approved this PR: deads2k, liggitt

Needs approval from an approver in each of these OWNERS Files:

We suggest the following people:
cc @sttts
You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

enj
enj reviewed Mar 2, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader.go Outdated
@@ -107,7 +108,7 @@ func NewSecure(clientCA string, proxyClientNames []string, nameHeaders []string,
func (a *requestHeaderAuthRequestHandler) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
name := headerValue(req.Header, a.nameHeaders)
if len(name) == 0 {
return nil, false, nil
return nil, false, errors.New("proxy did not provide user information")
}
groups := allHeaderValues(req.Header, a.groupHeaders)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't we need to require at least one group as well?

Copy link
Member

@liggitt liggitt Mar 2, 2017
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nope. auth proxies would be well-advised to include either system:authenticated or system:unauthenticated, but are the final say on the identity of the incoming user

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm, bears more thought. will discuss tomorrow.

@liggitt liggitt added do-not-merge DEPRECATED. Indicates that a PR should not merge. Label can only be manually applied/removed. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Mar 2, 2017
@deads2k
Copy link
Contributor Author

deads2k commented Mar 2, 2017

We could make an empty usrername from a front proxy turn into system:anonymous and system:unauthenticated and then have a conditional group adder for system:authenticated. It would mean I went through a lot of motion today, but might match expectation.

@enj
Copy link
Member

enj commented Mar 3, 2017

How about:

  1. username and groups required, if missing, error
  2. if username == system:anonymous, requires groups == [system:unauthenticated], extras == empty, else error
  3. if any other username, groups must contain system:authenticated and must not contain system:unauthenticated, else error

I see a few problems with it though:

  1. Lots of special casing around username and groups
  2. Not sure if you could go through the front proxy with a token that the API server would understand but the proxy does not (i.e. proxy says you are system:anonymous but if you hit the API server directly you would be authenticated as a valid user).

@k8s-github-robot k8s-github-robot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 3, 2017
@deads2k
Copy link
Contributor Author

deads2k commented Mar 3, 2017

Updated to special case the anonymous user in our proxy.

@liggitt liggitt modified the milestones: v1.7, v1.6 Mar 3, 2017
@liggitt
Copy link
Member

liggitt commented Mar 3, 2017
edited

This has implications for auth proxies that pass through requests with authorization headers without adding user info. Will revisit the proxy client cert fallback issue in 1.7. Go ahead and open a smaller PR for 1.6 that just includes the improvement to the group adder to fix #42437

@k8s-ci-robot
Copy link
Contributor

@deads2k: The following test(s) failed:

Test name Commit Details Rerun command
Jenkins GCE Node e2e 83f7d34 link @k8s-bot node e2e test this
Jenkins GKE smoke e2e 83f7d34 link @k8s-bot cvm gke e2e test this
Jenkins GCI GKE smoke e2e 83f7d34 link @k8s-bot gci gke e2e test this

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@deads2k deads2k mentioned this pull request Mar 3, 2017
Merged
k8s-github-robot pushed a commit that referenced this pull request Mar 6, 2017
Merge pull request #42491 from deads2k/auth-03-adder
61e7d1e 
Automatic merge from submit-queue

make the system:authenticated group adder smarter

Fixes #42437 

This prevents the group adder from adding the system:authenticated group when:
 1. it's already in the list
 2. the user is system:anonymous
 3. system:unauthenticated is in the list

Smaller alternative to #42421 for 1.6.

@kubernetes/sig-auth-pr-reviews @enj @liggitt
@k8s-github-robot
Copy link

@deads2k PR needs rebase

@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 6, 2017
@enj
Copy link
Member

enj commented May 4, 2017

Keep open for now I suppose?

@liggitt liggitt removed this from the v1.7 milestone May 31, 2017
@k8s-github-robot
Copy link

This PR hasn't been active in 90 days. Closing this PR. Please reopen if you would like to work towards merging this change, if/when the PR is ready for the next round of review.

cc @deads2k @liggitt

You can add 'keep-open' label to prevent this from happening again, or add a comment to keep it open another 90 days

@deads2k deads2k deleted the auth-02-no-double-group branch August 3, 2017 20:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@enj enj enj left review comments

Assignees

@liggitt liggitt

Labels
area/security cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge DEPRECATED. Indicates that a PR should not merge. Label can only be manually applied/removed. kind/bug Categorizes issue or PR as related to a bug. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@deads2k @k8s-reviewable @liggitt @k8s-github-robot @enj @k8s-ci-robot