Add HTTP Basic Auth support #96
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit adds the support to run ironic using `http_basic`. To enable that is necessary to set USE_HTTP_BASIC to true, and also specify values for the following enviroment variables: -IRONIC_HTTP_BASIC_USERNAME -IRONIC_HTTP_BASIC_PASSWORD (cherry picked from commit a7ee6b6)
By default, ironic-conductor currently binds to any IP address, so it is accessible outside of the pod. When no authentication method is used for json-rpc, bind only to localhost so that only other containers in the same pod can connect to the json-rpc server. This will break any deployments that put ironic-conductor and ironic-api in separate pods but do not specify basic_auth. This is probably a good thing. (cherry picked from commit 5392a56)
(cherry picked from commit 8d9a1c4)
* Allow basic_auth to be configured independently on different interfaces, based on the presence of the required configuration data, rather than using a single global USE_HTTP_BASIC environment variable. * Expect all server credentials to be passed in the form of an HTTP_BASIC_HTPASSWD environment variable containing both the username and the *hash* of the password, in the htpasswd format. This is more secure, as it allows containers not to hold a copy of the password when they don't need it purely for authenticating connections. * Keep server auth user files locally rather than on the /shared volume, so that different servers can have different credentials. * Expect client credentials to be passed in the form of a file named /auth/ironic-inspector/auth-config (for ironic-inspector) or /auth/ironic-rpc/auth-config (for the json-rpc interface to ironic-conductor), formatted as an ini config file setting the appropriate options (for basic auth, this is auth_strategy=http_basic, and the username and password options; however this mechanism should work unchanged for other auth strategies). This is more secure because in k8s the password is never passed as an environment variable nor written to disk, but remains in a tmpfs filesystem. (cherry picked from commit a6bfc7b)
|
/approve |
openshift-ci-robot
added
the
approved
|
/retest |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dhellmann, juliakreger, zaneb The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Expect all server credentials to be passed in the form of an
HTTP_BASIC_HTPASSWDenvironment variable containing both the username and the hash of the password, in the htpasswd format.Expect client credentials to be passed in the form of a file named
/auth/ironic-inspector/auth-config(for ironic-inspector) or/auth/ironic-rpc/auth-config(for the json-rpc interface to ironic-conductor), formatted as an ini config file setting the appropriate options (for basic auth, this is auth_strategy=http_basic, and the username and password options; however this mechanism should work unchanged for other auth strategies).