-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(kuma-cp) User Token for API Server authentication #2892
Conversation
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@@ -12269,4 +12269,4 @@ spec: | |||
name: prometheus-server | |||
- name: storage-volume | |||
persistentVolumeClaim: | |||
claimName: prometheus-server | |||
claimName: prometheus-server |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmm, why the last line disappeared from these 3 files?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure. I regenerated everything using UPDATE_GOLDEN_FILES
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I get the same if I update just on master
:
app/kumactl/cmd/install/testdata/install-gateway-enterprise.defaults.golden.yaml | 2 +-
app/kumactl/cmd/install/testdata/install-gateway-enterprise.overrides.golden.yaml | 2 +-
app/kumactl/cmd/install/testdata/install-gateway.defaults.golden.yaml | 2 +-
app/kumactl/cmd/install/testdata/install-gateway.overrides.golden.yaml | 2 +-
app/kumactl/cmd/install/testdata/install-metrics.defaults.golden.yaml | 2 +-
app/kumactl/cmd/install/testdata/install-metrics.no-grafana.golden.yaml | 2 +-
app/kumactl/cmd/install/testdata/install-metrics.no-prometheus.golden.yaml | 2 +-
app/kumactl/cmd/install/testdata/install-metrics.overrides.golden.yaml | 2 +-
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I ran out of time on this review, planning to finish up tomorrow.
DefaultSerialNumber = 1 | ||
) | ||
|
||
var SigningKeyNotFound = errors.New("there is no Signing Key in the Control Plane.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit, no full-stop in the error string
cmd.Flags().StringVar(&args.name, "name", "", "name of the user") | ||
_ = cmd.MarkFlagRequired("name") | ||
cmd.Flags().StringVar(&args.group, "group", "", "group of the user") | ||
cmd.Flags().DurationVar(&args.validFor, "valid-for", 0, `how long the token will be valid (for example "24h"). If 0, then token has no expiration time`) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"never" seems like a really long default ... IMHO better to make a short default so people have to either rotate or make a decision to make it long
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think short implicit default is just asking for confusion. If we don't want to do infinity as default (which I get that it is not ideal), we should make this argument required and let the user decide always. WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think short implicit default is just asking for confusion. If we don't want to do infinity as default (which I get that it is not ideal), we should make this argument required and let the user decide always. WDYT?
Yeh, I can live with making it required. Let's also take an issue to support "infinity" to me an forever, rather than overloading "0" for that.
Something's up with codecov here? |
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Codecov Report
@@ Coverage Diff @@
## master #2892 +/- ##
==========================================
+ Coverage 52.32% 52.43% +0.10%
==========================================
Files 900 912 +12
Lines 52296 52688 +392
==========================================
+ Hits 27362 27625 +263
- Misses 22756 22857 +101
- Partials 2178 2206 +28
Continue to review full report at Codecov.
|
pkg/plugins/authn/api-server/tokens/issuer/default_signing_key.go
Outdated
Show resolved
Hide resolved
ID: core.NewUUID(), | ||
IssuedAt: jwt.NewNumericDate(now), | ||
NotBefore: jwt.NewNumericDate(now.Add(time.Minute * -5)), // todo(jakubdyszkiewicz) parametrize via config and go through all clock skews in the project | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it make sense to set the iss
and aud
claims here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what would you put in both iss
and aud
in this case?
I was considering putting name into aud
but then what about groups? should this be in payload as a separate field like we do right now?
What about iss
? Should this be just Kuma User Token
? Or should this contain username of user that issued the token?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The issuer would be the control plane that minted the token and the audience would be any control plane for that cluster. Larger question is whether those are actually concrete concepts that are useful here :)
|
||
if validFor != 0 { | ||
c.RegisteredClaims.ExpiresAt = jwt.NewNumericDate(now.Add(validFor)) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
WDYT about a tracking issue for config to set default and maximum ticket lifetimes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed this to be required always and 0 do not mean infinite
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
7b1aee2
to
430515a
Compare
Summary
This PR introduces a new authentication mechanism in Kuma called User Token.
User Token is a JWT token that contains
name
andgroup
.Why?
Currently, our authentication mechanism is based on client certificates. We want to ditch it because
It is very similar to Dataplane Token that we use already, meaning there are similar endpoint and
kumactl
cli commands to generate a token.Additionally, this token supports
Those features will be carried to other tokens in a system for consistency.
In this PR, User Token auth is opt-in feature. I'll change it as a default and deprecate the current mechanism.
Implementation
It was implemented as a plugin. Once we try to carry rotation, revocation, and expiration to other tokens we can try to DRY the logic of Token Issuer.
TODO
In the next PR, I want to provide changes to kumactl to support configuring control plane with user token. Right now it's possible through
--headers 'authorization=Bearer XYZ'
Documentation
Testing
Backwards compatibility