enhancement: Secure OAuth Resource Storage #323
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
openshift-ci-robot
added
the
approved
|
|
||
| ### Upgrade / Downgrade Strategy | ||
|
|
||
| - New kube-apiserver will authorize clients with old tokens (43 characters long) |
There was a problem hiding this comment.
shouldn't the new Kube invalidate the old (not secure) tokens? If yes, does it have an impact on upgrades?
There was a problem hiding this comment.
Why should it? They expire eventually (after a day by default).
| or the output of etcdctl can be used to act as any oauth authenticated user in the | ||
| cluster. | ||
|
|
||
| A side-effect of the proposed compound tokens is that it allows to hide the secret part |
There was a problem hiding this comment.
hiding content on read is novel and violates standard kube conventions.
There was a problem hiding this comment.
Yeah, we have explicitly rejected that repeatedly. The original designs for tokens discussed having a read index.
|
|
||
| ### Goals | ||
|
|
||
| - Change the `oauthaccesstokens` and `oauthauthorizetokens` storage format and schema such that |
There was a problem hiding this comment.
how short lived are oauthaccesstokens. I thought it was order of minutes.
There was a problem hiding this comment.
the default expiry of oauthaccesstokens is set to a day in 4.x, oauthauthorizetokens usually last for only a few seconds as they are deleted upon oauthaccesstoken retrieval
| pass 43 bytes bearer token, leading into the zero length case. | ||
|
|
||
| Old kube-apiserver (on downgrade) will try to lookup the token object via the whole token | ||
| and fail. I.e. on downgrade clients have to reauthenticate. |
There was a problem hiding this comment.
This section should also include details on the tokens' creation and handling in the oauth-server as this would also need some changes, see the storage implementation we use to plug into osin:
https://github.com/openshift/oauth-server/blob/31279d2cabc12e26f7ab716b5f65e055214d372f/pkg/osinserver/registrystorage/storage.go
As an example that stands out, OAuthAuthorizeTokens' storage is specifically used during the authorization code grant in https://github.com/openshift/oauth-server/blob/31279d2cabc12e26f7ab716b5f65e055214d372f/vendor/github.com/RangelReale/osin/access.go#L183-L183.
These changes will most likely be small, yet worth mentioning.
| ### Implementation Details/Notes/Constraints [optional] | ||
|
|
||
| The oauth authorizer in kube-apiserver in v4.6 will split the provided bearer token into | ||
| the first 43 bytes (256 bits, compare https://github.com/openshift/oauth-server/blob/3539e4065084dc0b5f35e43d7ea49631df99760d/pkg/server/crypto/random.go#L31-L35) |
There was a problem hiding this comment.
This will break some test cases and potentially some very rarely used features around direct token assignment. Please call that out.
I'd like to also place a character we expect at byte 44 so that when we change this in the future (and I bet we will), we'll have something clear to look for.
There was a problem hiding this comment.
No need to obfuscate. type:<token> works fine.
sttts
force-pushed
the
sttts-oauth-storage-format
branch
2 times, most recently
from
f12f663
to
c75cfe5
Compare
|
/retitle enhancement: Secure OAuth Resource Storage |
sttts
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
sttts
force-pushed
the
sttts-oauth-storage-format
branch
from
c75cfe5
to
e44507f
Compare
|
/lgtm @smarterclayton or @derekwaynecarr can you approve this? |
openshift-ci-robot
added
the
do-not-merge/hold
sttts
force-pushed
the
sttts-oauth-storage-format
branch
from
1e373f3
to
4b2b0de
Compare
|
/lgtm |
|
@openshift/openshift-architects second ping :-) |
| of the actual token (not decoded, but plain base64) encoded as base64. The bearer | ||
| token will also carry the prefix, but have the token in plain text. | ||
|
|
||
| In v4.(n-1) and in v4.n: |
There was a problem hiding this comment.
My only concern would be what N and (N-1) are if a user attempts an emergency unsupported rollback to N-1. And if we are certain that their N-1 has support for sha256: tokens.
There was a problem hiding this comment.
Worst that can happen is that users have to relogin.
There was a problem hiding this comment.
To be clear: this means that we add sha256 support in 4.n-1.x. If the customer does a downgrade to that, everything keeps working. If the the customer does a downgrade to 4.n-1.x-1, then users have to relogin, but otherwise things keep working. So it is similar as tokens that expire (after a day by default), but enforced by the unsupported downgrade.
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mfojtik, stlaz, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
Prototype PRs: openshift/oauth-server#50, openshift/origin#25217