Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add auth for gateway calls to /system/async-report #36

Merged
merged 2 commits into from
Sep 8, 2018
Merged

Add auth for gateway calls to /system/async-report #36

merged 2 commits into from
Sep 8, 2018

Conversation

viveksyngh
Copy link
Contributor

@viveksyngh viveksyngh commented Sep 6, 2018
edited
Loading

This commit adds basic authenctication for the gateway to report metrics
of the function when it is called asynchronously.

Signed-off-by: Vivek Singh vivekkmr45@yahoo.in

Description

Motivation and Context

  • I have raised an issue to propose this change (required)

Fixes: #35

How Has This Been Tested?

I have tested on Docker for Mac with OpenFaaS Deployed on Docker swarm

Testcase-1:
Positive case with authentication enabled

  1. Deploy OpenFaaS with authetication enabled with developemt gateway
  2. Deployed development queue-worker service

Output:

func_queue-worker.1.5j4r4hhdnr93@linuxkit-025000000001    | Request for figlet.
func_queue-worker.1.5j4r4hhdnr93@linuxkit-025000000001    | [#2] Received on [faas-request]: 'sequence:5 subject:"faas-request" data:"{\"Header\":{\"Accept-Encoding\":[\"gzip\"],\"Authorization\":[\"Basic YWRtaW46ZTY2Zjc2ZDc4ZmE5ZDU2ODk5NzZhYjVhNzJiYmFiMDFmZjBkZjEzMTM3OGVhMzE3NTgxMDc3OWE4ZjA0MzA3NA==\"],\"Content-Length\":[\"6\"],\"Content-Type\":[\"text/plain\"],\"User-Agent\":[\"Go-http-client/1.1\"],\"X-Call-Id\":[\"e3731439-e872-48fd-ad52-23f76cdcfa23\"],\"X-Start-Time\":[\"1536227465712189800\"]},\"Host\":\"127.0.0.1:8080\",\"Body\":\"Vml2ZWsK\",\"Method\":\"POST\",\"Path\":\"\",\"QueryString\":\"\",\"Function\":\"figlet\",\"CallbackUrl\":null}" timestamp:1536227465712929000 '
func_queue-worker.1.5j4r4hhdnr93@linuxkit-025000000001    | Wrote 162 Bytes
func_queue-worker.1.5j4r4hhdnr93@linuxkit-025000000001    | 200 OK
func_queue-worker.1.5j4r4hhdnr93@linuxkit-025000000001    | Posting report - 200

Testcase-2:
Negative case with authentication enabled, No secrets in queue-worker service

  1. Deploy OpenFaaS with authetication enabled with latest developemt gateway
  2. Deployed development queue-worker service and remove baic-auth secrets from queue-worker service

Output:

func_queue-worker.1.wayeq7x8sfxl@linuxkit-025000000001    | [#1] Received on [faas-request]: 'sequence:6 subject:"faas-request" data:"{\"Header\":{\"Accept-Encoding\":[\"gzip\"],\"Authorization\":[\"Basic YWRtaW46ZTY2Zjc2ZDc4ZmE5ZDU2ODk5NzZhYjVhNzJiYmFiMDFmZjBkZjEzMTM3OGVhMzE3NTgxMDc3OWE4ZjA0MzA3NA==\"],\"Content-Length\":[\"6\"],\"Content-Type\":[\"text/plain\"],\"User-Agent\":[\"Go-http-client/1.1\"],\"X-Call-Id\":[\"eda826fb-1633-48d3-a0df-82695ed98657\"],\"X-Start-Time\":[\"1536227638385668000\"]},\"Host\":\"127.0.0.1:8080\",\"Body\":\"Vml2ZWsK\",\"Method\":\"POST\",\"Path\":\"\",\"QueryString\":\"\",\"Function\":\"figlet\",\"CallbackUrl\":null}" timestamp:1536227638386352700 '
func_queue-worker.1.wayeq7x8sfxl@linuxkit-025000000001    | Request for figlet.
func_queue-worker.1.wayeq7x8sfxl@linuxkit-025000000001    | Wrote 162 Bytes
func_queue-worker.1.wayeq7x8sfxl@linuxkit-025000000001    | 200 OK
func_queue-worker.1.wayeq7x8sfxl@linuxkit-025000000001    | Error with AddBasicAuth : Unable to read basic auth: unable to load /run/secrets/basic-auth-user
func_queue-worker.1.wayeq7x8sfxl@linuxkit-025000000001    | Posting report - 401

Testcase-3:
Positive case with authentication disabled, secrets passed in queue-worker service

  1. Deploy OpenFaaS with authentication disabled with latest development gateway
  2. Deployed developement queue-worker service with basic-auth secrets

Output:

func_queue-worker.1.5j4r4hhdnr93@linuxkit-025000000001    | [#1] Received on [faas-request]: 'sequence:4 subject:"faas-request" data:"{\"Header\":{\"Accept-Encoding\":[\"gzip\"],\"Authorization\":[\"Basic YWRtaW46ZTY2Zjc2ZDc4ZmE5ZDU2ODk5NzZhYjVhNzJiYmFiMDFmZjBkZjEzMTM3OGVhMzE3NTgxMDc3OWE4ZjA0MzA3NA==\"],\"Content-Length\":[\"6\"],\"Content-Type\":[\"text/plain\"],\"User-Agent\":[\"Go-http-client/1.1\"],\"X-Call-Id\":[\"cf976ecf-75f2-4683-b05e-7c8e5a48c0bd\"],\"X-Start-Time\":[\"1536227320141442100\"]},\"Host\":\"127.0.0.1:8080\",\"Body\":\"Vml2ZWsK\",\"Method\":\"POST\",\"Path\":\"\",\"QueryString\":\"\",\"Function\":\"figlet\",\"CallbackUrl\":null}" timestamp:1536227320142143700 '
func_queue-worker.1.5j4r4hhdnr93@linuxkit-025000000001    | Request for figlet.
func_queue-worker.1.5j4r4hhdnr93@linuxkit-025000000001    | Wrote 162 Bytes
func_queue-worker.1.5j4r4hhdnr93@linuxkit-025000000001    | 200 OK
func_queue-worker.1.5j4r4hhdnr93@linuxkit-025000000001    | Posting report - 200

Testcase-4:
Positive test case with authetication disabled, secrets not passed in queue-worker service

  1. Deploy OpenFaaS with authentication disabled with latest development gateway
  2. Deployed developement queue-worker service without basic-auth secrets

Output:

func_queue-worker.1.qvdcfs67ksvh@linuxkit-025000000001    | Request for figlet.
func_queue-worker.1.qvdcfs67ksvh@linuxkit-025000000001    | [#1] Received on [faas-request]: 'sequence:3 subject:"faas-request" data:"{\"Header\":{\"Accept-Encoding\":[\"gzip\"],\"Authorization\":[\"Basic YWRtaW46ZTY2Zjc2ZDc4ZmE5ZDU2ODk5NzZhYjVhNzJiYmFiMDFmZjBkZjEzMTM3OGVhMzE3NTgxMDc3OWE4ZjA0MzA3NA==\"],\"Content-Length\":[\"6\"],\"Content-Type\":[\"text/plain\"],\"User-Agent\":[\"Go-http-client/1.1\"],\"X-Call-Id\":[\"60db984a-fdcf-4219-afe2-a2c2ce337d66\"],\"X-Start-Time\":[\"1536227171301993300\"]},\"Host\":\"127.0.0.1:8080\",\"Body\":\"Vml2ZWsK\",\"Method\":\"POST\",\"Path\":\"\",\"QueryString\":\"\",\"Function\":\"figlet\",\"CallbackUrl\":null}" timestamp:1536227171302635000 '
func_queue-worker.1.qvdcfs67ksvh@linuxkit-025000000001    | Wrote 162 Bytes
func_queue-worker.1.qvdcfs67ksvh@linuxkit-025000000001    | Error with AddBasicAuth : Unable to read basic auth: unable to load /run/secrets/basic-auth-user
func_queue-worker.1.qvdcfs67ksvh@linuxkit-025000000001    | 200 OK
func_queue-worker.1.qvdcfs67ksvh@linuxkit-025000000001    | Posting report - 200

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have signed-off my commits with git commit -s
  • I have added tests to cover my changes.
  • All new and existing tests passed.

@viveksyngh
Add auth for gateway calls to /system/async-report
bd58fc8 
This commit adds basic authenctication for the gateway to report metrics
of the function when it is called asynchronously.

Signed-off-by: Vivek Singh <vivekkmr45@yahoo.in>
alexellis
alexellis reviewed Sep 6, 2018
View reviewed changes
auth.go Outdated
)

//AddBasicAuth to a request by reading secrets
func AddBasicAuth(req *http.Request) error {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this code taken from the openfaas/faas project? perhaps we could vendor it or move it to the faas-provider project? cc @bartsmykla

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I used openfaas-cloud for the reference. I did not check if this is available in openfaas/faas.

@alexellis
Copy link
Member

Excellent detail on the test scenarios.

@viveksyngh viveksyngh mentioned this pull request Sep 6, 2018
Merged
11 tasks
alexellis
alexellis reviewed Sep 6, 2018
View reviewed changes
Dockerfile Show resolved Hide resolved
alexellis
alexellis requested changes Sep 6, 2018
View reviewed changes
Copy link
Member

@alexellis alexellis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes requested

@viveksyngh
Use faas-provider auth package to load credentials
3b61d03 
Signed-off-by: Vivek Singh <vivekkmr45@yahoo.in>
alexellis
alexellis requested changes Sep 8, 2018
View reviewed changes
Copy link
Member

@alexellis alexellis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Outstanding changes are required. Please ping me again when done. Thanks Vivek

@viveksyngh
Copy link
Contributor Author

I have used faas-provider to vendor load credentials code instead of faas. is any other changes required for this?

@alexellis alexellis merged commit c7e1ca1 into openfaas:master Sep 8, 2018
@alexellis
Copy link
Member

I've released this now via https://github.com/openfaas/nats-queue-worker/releases/tag/0.5.1

Please could you update all the relevant places / YAML files in a PR for faas/faas-netes?

@viveksyngh
Copy link
Contributor Author

yes

@alexellis alexellis mentioned this pull request Sep 17, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexellis alexellis alexellis requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Auth needed for gateway calls to /system/async-report
2 participants
@viveksyngh @alexellis