Add AWS remote auth login #7578
Conversation
|
♻️ PR Preview 1e5fa4c has been successfully destroyed since this PR has been closed.
🤖 By surge-preview |
E2E Test Results - DynamoDB Local - Local Block Adapter |
idanovo
added
the
include-changelog
api/authorization.yml
Outdated
| @@ -363,6 +366,15 @@ components: | |||
| items: | |||
| $ref: "#/components/schemas/ExternalPrincipal" | |||
|
|
|||
| ExternalLoginInformation: | |||
There was a problem hiding this comment.
lakeFS should not be aware of the details of the identity token details fields or params.
it should pass it to the remote authentication services.
so in other words, it should be some generic object key/value in the body that will be passed to the remote authentication service as is.
The remote service on the other hand that does the login will seriallize this object and extract specific fields to create AWS request.
pkg/api/controller.go
Outdated
| @@ -554,6 +554,40 @@ func (c *Controller) Login(w http.ResponseWriter, r *http.Request, body apigen.L | |||
| writeResponse(w, r, http.StatusOK, response) | |||
| } | |||
|
|
|||
| func (c *Controller) ExternalLogin(w http.ResponseWriter, r *http.Request, body apigen.ExternalLoginJSONRequestBody) { | |||
There was a problem hiding this comment.
let's be consistent:
| func (c *Controller) ExternalLogin(w http.ResponseWriter, r *http.Request, body apigen.ExternalLoginJSONRequestBody) { | |
| func (c *Controller) ExternalPrincipalLogin(w http.ResponseWriter, r *http.Request, body apigen.ExternalLoginJSONRequestBody) { |
pkg/api/controller.go
Outdated
| return | ||
| } | ||
|
|
||
| c.LogAction(ctx, "external_login", r, "", "", "") |
There was a problem hiding this comment.
| c.LogAction(ctx, "external_login", r, "", "", "") | |
| c.LogAction(ctx, "external_principal_login", r, "", "", "") |
pkg/auth/service.go
Outdated
| @@ -85,6 +85,7 @@ type ExternalPrincipalsService interface { | |||
| DeleteUserExternalPrincipal(ctx context.Context, userID, principalID string) error | |||
| GetExternalPrincipal(ctx context.Context, principalID string) (*model.ExternalPrincipal, error) | |||
| ListUserExternalPrincipals(ctx context.Context, userID string, params *model.PaginationParams) ([]*model.ExternalPrincipal, *model.Paginator, error) | |||
| ExternalLogin(ctx context.Context, externalLoginInfo map[string]interface{}) (string, error) | |||
There was a problem hiding this comment.
It needs to be a different authentication service.
The service doing the login is not RBAC / GIAM, it doesn't have reference to KV.
That's the part I wanted you to sync with @guy-har.
There was a problem hiding this comment.
Overall looks good, I have a few concerns regarding the service
IIUC the authService is currently in charge of authorization (that is, authorization and authentication may run on different endpoints).
Another thing I'm not sure about, is that currently lakeFS sometimes needs to validate claims (validate_id_token_claims in the configuration), are this claims required in this flow or not?
api/authorization.yml
Outdated
| /auth/external/login: | ||
| post: |
There was a problem hiding this comment.
Shouldn't this be part of the authentication API?
There was a problem hiding this comment.
It should.
I'll move it there once you merge your PR
There was a problem hiding this comment.
Thanks! Sorry for blocking 😬
pkg/api/controller.go
Outdated
| if c.handleAPIError(ctx, w, r, err) { | ||
| if errors.Is(err, ErrAuthenticatingRequest) { | ||
| writeResponse(w, r, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized)) | ||
| return | ||
| } |
There was a problem hiding this comment.
- handleAPIError already writes the response, so you just need to return
- It looks like the token generation happens only in case of error (brackets are in the wrong place I think)
…4-aws-remote-auth-login
…4-aws-remote-auth-login
pkg/authentication/service.go
Outdated
| if err != nil { | ||
| return nil, fmt.Errorf("calling authenticate user: %w", err) | ||
| } | ||
| if resp.StatusCode() != http.StatusOK || resp.JSON200 == nil { |
There was a problem hiding this comment.
If resp.JSON200 nil it's a bug and should panic.
| if resp.StatusCode() != http.StatusOK || resp.JSON200 == nil { | |
| if resp.StatusCode() != http.StatusOK { |
Closes #7574