Add HTTP Basic Auth support #96

Merged
merged 5 commits into from Jul 30, 2020

Commits on Jul 30, 2020

  1. Add http_basic auth support

    This commit adds the support to run ironic using `http_basic`.
    To enable that, it is necessary to set USE_HTTP_BASIC to true, and also
    specify values for the following environment variables:
    - IRONIC_HTTP_BASIC_USERNAME
    - IRONIC_HTTP_BASIC_PASSWORD
    
    (cherry picked from commit a7ee6b6)
    iurygregory authored and zaneb committed Jul 30, 2020
    1f6ad7d
  2. Limit unauthenticated json-rpc to localhost interface

    By default, ironic-conductor currently binds to any IP address, so it is
    accessible outside of the pod. When no authentication method is used for
    json-rpc, bind only to localhost so that only other containers in the
    same pod can connect to the json-rpc server.
    
    This will break any deployments that put ironic-conductor and ironic-api
    in separate pods but do not specify basic_auth. This is probably a good
    thing.
    
    (cherry picked from commit 5392a56)
    zaneb committed Jul 30, 2020
    241fe15
  3. Add ability to configure ironic-inspector basic_auth creds

    (cherry picked from commit 8d9a1c4)
    zaneb committed Jul 30, 2020
    c94d80d
  4. Simplify HTTP basic auth configuration

    * Allow basic_auth to be configured independently on different
      interfaces, based on the presence of the required configuration data,
      rather than using a single global USE_HTTP_BASIC environment variable.
    
    * Expect all server credentials to be passed in the form of an
      HTTP_BASIC_HTPASSWD environment variable containing both the username
      and the *hash* of the password, in the htpasswd format. This is more
      secure, as it allows containers not to hold a copy of the password
      when they don't need it purely for authenticating connections.
    
    * Keep server auth user files locally rather than on the /shared volume, so
      that different servers can have different credentials.
    
    * Expect client credentials to be passed in the form of a file named
      /auth/ironic-inspector/auth-config (for ironic-inspector) or
      /auth/ironic-rpc/auth-config (for the json-rpc interface to
      ironic-conductor), formatted as an ini config file setting the
      appropriate options (for basic auth, this is auth_strategy=http_basic,
      and the username and password options; however this mechanism should
      work unchanged for other auth strategies). This is more secure because
      in k8s the password is never passed as an environment variable nor
      written to disk, but remains in a tmpfs filesystem.
    
    (cherry picked from commit a6bfc7b)
    zaneb committed Jul 30, 2020
    4cb049a
  5. Fix typo

    (cherry picked from commit 4aec25c)
    zaneb committed Jul 30, 2020
    d866e0e
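
An added example, not code from this pull request: a lint for the configuration described in commit 4 ("Simplify HTTP basic auth configuration"). It checks that an HTTP_BASIC_HTPASSWD value holds a hash rather than a password and that the client auth-config sets the matching `http_basic` options. The `[json_rpc]` section name, the sample credentials and the list of recognised hash prefixes are assumptions; the page does not state them.

```python
import configparser
import re

# Hash formats written by Apache htpasswd. Assumption: the page does not say
# which schemes the server accepts, so anything else is only flagged.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
OTHER_HASH_PREFIXES = ("$apr1$", "$5$", "$6$")

def check_htpasswd(value):
    """Return (username, problems) for an HTTP_BASIC_HTPASSWD value."""
    user, sep, digest = value.strip().partition(":")
    if not (sep and user and digest):
        return None, ["server: value is not in user:hash form"]
    problems = []
    if digest.startswith("{SHA}"):
        problems.append("server: {SHA} entries are unsalted SHA-1")
    elif not (BCRYPT_RE.match(digest) or digest.startswith(OTHER_HASH_PREFIXES)):
        problems.append("server: second field is not a hash (plaintext password?)")
    return user, problems

def check_client_config(text):
    """Return (username, problems) for an auth-config ini file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    for name in parser.sections():
        opts = parser[name]
        if "auth_strategy" not in opts:
            continue
        if opts["auth_strategy"] != "http_basic":
            return None, [f"client: [{name}] auth_strategy is not http_basic"]
        missing = [k for k in ("username", "password") if not opts.get(k)]
        return opts.get("username"), [f"client: [{name}] lacks {k}" for k in missing]
    return None, ["client: no section sets auth_strategy"]

def check_pair(htpasswd_value, client_text):
    """Lint a server htpasswd value against the matching client auth-config."""
    server_user, problems = check_htpasswd(htpasswd_value)
    client_user, client_problems = check_client_config(client_text)
    problems += client_problems
    if server_user and client_user and server_user != client_user:
        problems.append("mismatch: client username differs from htpasswd user")
    return problems

# Constructed sample data: the hash body is filler, not a real bcrypt digest,
# and the [json_rpc] section name is an assumption.
SAMPLE_HTPASSWD = "ironic-user:$2y$05$" + "A" * 53
SAMPLE_AUTH_CONFIG = (
    "[json_rpc]\nauth_strategy = http_basic\n"
    "username = ironic-user\npassword = example-password\n"
)
```

`check_pair(SAMPLE_HTPASSWD, SAMPLE_AUTH_CONFIG)` returns an empty list; putting the password itself in the second htpasswd field produces the plaintext warning.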