-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(*) refactor authz and authn to plugins #2837
Conversation
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Codecov Report
@@ Coverage Diff @@
## master #2837 +/- ##
==========================================
+ Coverage 52.34% 52.43% +0.08%
==========================================
Files 888 898 +10
Lines 51804 52052 +248
==========================================
+ Hits 27118 27293 +175
- Misses 22536 22588 +52
- Partials 2150 2171 +21
Continue to review full report at Codecov.
|
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Summary
Refactor authentication and authorization to be separate components and to be pluggable.
Right now we have a simple client cert auth to execute administrative operations like generating tokens or managing secrets.
Authentication is pluggable which means that a mesh operator and developers of products building on top of Kuma can plug their own authentication mechanism.
Simple RBAC (admin can operate on Secrets) is refactored in a way that it can be replaced.
When accessing CP in localhost instead of doing immediate authorization, we now log in user as
admin
/admin
so RBAC / filters can read this data and react properly.A user has a role attached to it. Right now there are 2 simple static roles (user/admin). Admins are defined in a Kuma CP config. This strategy can be replaced by providing your own
RoleAssignments
.Access to resources is now validated in
ResourceAccess
component.Initially, I had a plan to build an
RBACResoruceManager
and make this manager default to the whole project, but in the end, I did not do this becauseResourceManager
ResourceManager
. This can be error-prone (if we forget to do this) and a bit cumbersome.Next steps (for better understanding of the context)
name/group
info which is consistent with other tokenslocalhostIsAdmin
set to true on Kuma CP start.ResourceAccess
as Kubernetes hooksDocumentation
Testing
Backwards compatibility
allowFromLocalhost
->localhostIsAdmin
. There will be more breaking changes build on top of it. I don't think it's a good idea to backport it.