-
Notifications
You must be signed in to change notification settings - Fork 454
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enhancement: Secure OAuth Resource Storage #323
enhancement: Secure OAuth Resource Storage #323
Conversation
|
||
### Upgrade / Downgrade Strategy | ||
|
||
- New kube-apiserver will authorize clients with old tokens (43 characters long) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldn't the new Kube invalidate the old (not secure) tokens? If yes, does it have an impact on upgrades?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why should it? They expire eventually (after a day by default).
or the output of etcdctl can be used to act as any oauth authenticated user in the | ||
cluster. | ||
|
||
A side-effect of the proposed compound tokens is that it allows to hide the secret part |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hiding content on read is novel and violates standard kube conventions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, we have explicitly rejected that repeatedly. The original designs for tokens discussed having a read index.
|
||
### Goals | ||
|
||
- Change the `oauthaccesstokens` and `oauthauthorizetokens` storage format and schema such that |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how short lived are oauthaccesstokens. I thought it was order of minutes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the default expiry of oauthaccesstokens is set to a day in 4.x, oauthauthorizetokens usually last for only a few seconds as they are deleted upon oauthaccesstoken retrieval
pass 43 bytes bearer token, leading into the zero length case. | ||
|
||
Old kube-apiserver (on downgrade) will try to lookup the token object via the whole token | ||
and fail. I.e. on downgrade clients have to reauthenticate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This section should also include details on the tokens' creation and handling in the oauth-server as this would also need some changes, see the storage implementation we use to plug into osin:
https://github.com/openshift/oauth-server/blob/31279d2cabc12e26f7ab716b5f65e055214d372f/pkg/osinserver/registrystorage/storage.go
As an example that stands out, OAuthAuthorizeTokens' storage is specifically used during the authorization code grant in https://github.com/openshift/oauth-server/blob/31279d2cabc12e26f7ab716b5f65e055214d372f/vendor/github.com/RangelReale/osin/access.go#L183-L183.
These changes will most likely be small, yet worth mentioning.
### Implementation Details/Notes/Constraints [optional] | ||
|
||
The oauth authorizer in kube-apiserver in v4.6 will split the provided bearer token into | ||
the first 43 bytes (256 bits, compare https://github.com/openshift/oauth-server/blob/3539e4065084dc0b5f35e43d7ea49631df99760d/pkg/server/crypto/random.go#L31-L35) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will break some test cases and potentially some very rarely used features around direct token assignment. Please call that out.
I'd like to also place a character we expect at byte 44 so that when we change this in the future (and I bet we will), we'll have something clear to look for.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No need to obfuscate. type:<token>
works fine.
f12f663
to
c75cfe5
Compare
/retitle enhancement: Secure OAuth Resource Storage |
c75cfe5
to
e44507f
Compare
/lgtm @smarterclayton or @derekwaynecarr can you approve this? |
1e373f3
to
4b2b0de
Compare
/lgtm |
@openshift/openshift-architects second ping :-) |
of the actual token (not decoded, but plain base64) encoded as base64. The bearer | ||
token will also carry the prefix, but have the token in plain text. | ||
|
||
In v4.(n-1) and in v4.n: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My only concern would be what N and (N-1) are if a user attempts an emergency unsupported rollback to N-1. And if we are certain that their N-1 has support for sha256:
tokens.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Worst that can happen is that users have to relogin.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be clear: this means that we add sha256 support in 4.n-1.x. If the customer does a downgrade to that, everything keeps working. If the the customer does a downgrade to 4.n-1.x-1, then users have to relogin, but otherwise things keep working. So it is similar as tokens that expire (after a day by default), but enforced by the unsupported downgrade.
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mfojtik, stlaz, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/hold cancel |
Prototype PRs: openshift/oauth-server#50, openshift/origin#25217