Tsb userinfo groups #15719
Tsb userinfo groups #15719
Conversation
openshift-merge-robot
added
the
size/XXL
gabemontero
force-pushed
the
tsb-userinfo-groups
branch
2 times, most recently
from
ee04154 to
97d2322
Compare
|
made some minor updates to the validation code around still allowing the username request paramter, as well as some tweaks to the test scripts to more easily align with those were a precursor to updating the cluster up extended tests to validate the flow |
|
/unassign @jim-minter |
| return &user.DefaultInfo{}, nil | ||
| } | ||
| parts := strings.SplitN(identity, " ", 2) | ||
| if parts[0] != api.OriginatingIdentitySchemeKubernetes || len(parts) != 2 { |
There was a problem hiding this comment.
please double check if you should be checking against kubernetes or Kubernetes, or do a strings.ToLower
There was a problem hiding this comment.
yep, it is lower case ....I'll update the constant in types.go
There was a problem hiding this comment.
think strings.ToLower is best
There was a problem hiding this comment.
I'll do both ... golang needs an equalsIgnoreCase like java :-)
There was a problem hiding this comment.
There was a problem hiding this comment.
cool ... never heard the term "case-folding" ... thanks.
|
pushed the clusterup extended test |
pkg/template/apis/template/types.go
Outdated
| @@ -108,10 +108,24 @@ type TemplateInstanceSpec struct { | |||
| // TemplateInstanceRequester holds the identity of an agent requesting a | |||
| // template instantiation. | |||
| type TemplateInstanceRequester struct { | |||
| // Username is the username of the agent requesting a template instantiation. | |||
| // The name that uniquely identifies this user among all active users. | |||
There was a problem hiding this comment.
I think convention here is to start with a lower case character, and I got it wrong previously in this file. Please can you fix up the ones you're changing/adding and we can table the rest for some other time?
There was a problem hiding this comment.
I'm not so sure .... look at https://github.com/kubernetes-incubator/service-catalog/pull/939/files ... the names are capitalized for example .... or can you clarify the convention you are referring to
There was a problem hiding this comment.
sorry, it's the comments that I'm referring to which should start with lower case. Of course the field names must be capitalised.
| @@ -127,8 +129,28 @@ type TemplateInstanceSpec struct { | |||
| // TemplateInstanceRequester holds the identity of an agent requesting a | |||
| // template instantiation. | |||
| type TemplateInstanceRequester struct { | |||
| // username is the username of the agent requesting a template instantiation. | |||
| Username string `json:"username" protobuf:"bytes,1,opt,name=username"` | |||
| // The name that uniquely identifies this user among all active users. | |||
| if strings.HasPrefix(group, "system:") { | ||
| continue | ||
| } | ||
| for idx, msg := range oapi.GetNameValidationFunc(uservalidation.ValidateGroupName)(group, false) { |
There was a problem hiding this comment.
@deads2k on what basis do Validate{User,Group}Name reject names containing :? Is there a mechanism by which names containing : may be accepted?
There was a problem hiding this comment.
i think it system defined groups can have : and user defined cannot
There was a problem hiding this comment.
@gabemontero yes, I suppose so; I'm wondering on what basis we reject system defined users, hence the question to David
There was a problem hiding this comment.
There was a problem hiding this comment.
I would simply capture the data from the user info and not validate it here
There was a problem hiding this comment.
ok ... I'm reading @liggitt 's comment as a call to remove both the group validation I added, as well as the preexisting username validation.
Of course advise if I've misinterpreted. Thanks.
| @@ -389,6 +430,7 @@ func TestValidateTemplateInstance(t *testing.T) { | |||
| } | |||
|
|
|||
| func TestValidateTemplateInstanceUpdate(t *testing.T) { | |||
|
|
|||
There was a problem hiding this comment.
you mean the blank line and not the function, correct?
| templateInstance.Spec.Requester = &templateapi.TemplateInstanceRequester{ | ||
| Username: user.GetName(), | ||
| user, ok := apirequest.UserFrom(ctx) | ||
| if ok { |
There was a problem hiding this comment.
if !ok , it's absolutely necessary to bail at this point.
There was a problem hiding this comment.
that occurred to me too, but how to do it was not obvious ... PrepareForCreate does not return err or and ErrorList.
I do see that the Context interface has an Err() method and my preliminary searches are finding hits around canceling the context. Perhaps that is what should be done, but I'm still looking for a precise example for guidance. Of course any pointers to save me search time are appreciated.
There was a problem hiding this comment.
actually, I think the Validate() method for this same struct catches the error ... checking for ok is probably redundant here (and perhaps is why it wasn't there in the previous version ?)
There was a problem hiding this comment.
follow the example at https://github.com/kubernetes/kubernetes/blob/master/pkg/registry/certificates/certificates/strategy.go#L53-L77
ensure that if no user info is present, the fields are empty. the controller should refuse to act on a resource that is missing info about the requesting user (or validate should prevent it from being persisted)
There was a problem hiding this comment.
optimistically thinking I'm correct here, I'm removing the check and adding a comment explaining the Validate connection
There was a problem hiding this comment.
Follow up question: is it valid for the user name to be empty/anonymous, but have groups set?
There was a problem hiding this comment.
is it valid for the user name to be empty/anonymous, but have groups set?
empty != anonymous, and no
There was a problem hiding this comment.
ok good thx for the confirm ... per your earlier comment, the controller is refusing to act on the resource missing requesting user info
There was a problem hiding this comment.
Alas, in all the various threads here, I forgot the crucial state of affairs wrt all this ... until the upstream service catalog changes arrive where it actually authenticates and the user is properly set, we'll fail on the the actual instantiate as we'll come in with the wrong user.
That's where all the provision/bind request paramater map username setting came into play.
Hence the TSB extended tests failed all over the place once I "ensure that if no user info is present, the fields are empty" in PrepareForCreate
I'll add another //TODO once upstream pull comment sections, put this code in.
There was a problem hiding this comment.
It will essentially be like what the PR originally contained. Per @jim-minter 's original question, we still check ok, but don't take any overt action if !ok.
Also, I think @liggitt 's comment #15719 (comment) lines up with my #15719 (comment)
Again, we'll just remote the requester == nil conditional once the upstream SC update arrives and we can depend on user.Info.
| return api.Forbidden(err) | ||
| } | ||
| } | ||
|
|
||
| templateInstance, err := b.templateclient.TemplateInstances(brokerTemplateInstance.Spec.TemplateInstance.Namespace).Get(brokerTemplateInstance.Spec.TemplateInstance.Name, metav1.GetOptions{}) |
There was a problem hiding this comment.
please can you do a replace brokerTemplateInstance.Spec.TemplateInstance.Namespace -> namespace here and wherever else you can in this package?
There was a problem hiding this comment.
yep ... can we assume the secret namespaces and template namespaces are the same?
| } | ||
| */ | ||
| // with groups in the user.Info vs. the username only form of auth, we can SAR for get access on template resources | ||
| if err := util.Authorize(b.kc.Authorization().SubjectAccessReviews(), u, &authorization.ResourceAttributes{ |
There was a problem hiding this comment.
I don't think this section can be enabled until the requester-username parameter is dead and gone
There was a problem hiding this comment.
actually I think this is the SAR that might have failed until I gave the user the view role on the openshift namespace.
There was a problem hiding this comment.
but then it passed when I did
There was a problem hiding this comment.
OK, I have confirmed that this SAR will pass when I explicitly use add-role-to-user for the openshift namespace in the extended tests. Removing those calls, and this SAR fails.
I've added comments detailing this around this call, as well as the add-role-to-user calls in the extended tests.
At this point, I think we should leave this as is until the service catalog changes arrive, and it is actually authenticating, and we are using the user.Info from the api.Context instead of the bind/provision request parameter map. At that time, when all these //TODO workaround comments are cleaned up, we remove the add-role-to-user calls in the extended tests, and verify this SAR still passes / fails as appropriate.
There was a problem hiding this comment.
bear in mind that merging this as is, then, will mean that the "oc cluster up" approach will be broken for using the TSB until the SC is passing the full user info in, right?
I'm not necessarily saying that's a blocker for merging it, but it might mean we just want to see where the SC is at so we can minimize the hoop jumping as well as being in a temporarily broken state.
There was a problem hiding this comment.
on further reflection (and the lack of evidence that SC passing user info is imminent) i'm inclined to say we should comment this out for now w/ another "TODO - uncomment when SC is passing user info headers" (same PR as the others i guess). But since this isn't going to merge for another week (when the next sprint starts) I guess we can wait and see.
There was a problem hiding this comment.
Sounds practical / reasonable ... we'll see how next week unfolds and go from there.
| @@ -2,8 +2,9 @@ | |||
|
|
|||
| . shared.sh | |||
|
|
|||
| serviceUUID=${serviceUUID-$(oc get template cakephp-mysql-example -n openshift -o template --template '{{.metadata.uid}}')} | |||
| serviceUUID=${serviceUUID-$(oc get template jenkins-ephemeral -n openshift -o template --template '{{.metadata.uid}}')} | |||
There was a problem hiding this comment.
cakephp-mysql-example is not one of the default templates in the openshift namespace when bringing up via oc cluster up... I picked one that was
There was a problem hiding this comment.
please can you reset the change here and export serviceUUID to something else in the oc cluster up script?
There was a problem hiding this comment.
reverted with next push
| @@ -16,6 +17,7 @@ curl \ | |||
| -X PUT \ | |||
| -H 'X-Broker-API-Version: 2.9' \ | |||
There was a problem hiding this comment.
Please check if sending X-Broker-API-Originating-Identity implies sending an X-Broker-API-Version > 2.9 and change across the board if required
There was a problem hiding this comment.
Looks like it is currently targeted for 2.12; hopefully this link renders to the right line in spec.md of the servicebroker pull: https://github.com/openservicebrokerapi/servicebroker/pull/222/files#diff-958e7270f96f5407d7d980f500805b1bR105
good catch / will switch
|
|
||
| echo "GGM requester is ${requesterUsername}" |
| @@ -6,5 +6,5 @@ bindingUUID=${bindingUUID-dde0226b-ff95-4f9d-af51-2e9ec06b1f02} | |||
|
|
|||
| endpoint=${endpoint-https://localhost:8443/brokers/template.openshift.io} | |||
| curlargs=${curlargs--k} | |||
| namespace=${namespace-demo} | |||
| namespace=${namespace-myproject} | |||
There was a problem hiding this comment.
sorry, again, the default of myproject is what is in play when bringing up via oc cluster up ... where is demo coming from ?
There was a problem hiding this comment.
I guess this one can stay
| allErrs = append(allErrs, field.Invalid(field.NewPath("parameters", key), key, fmt.Sprintf("does not match %v", templatevalidation.ParameterNameRegexp))) | ||
| } | ||
| } | ||
|
|
||
| allErrs = append(allErrs, validateParameter(templateapi.RequesterUsernameParameterKey, preq.Parameters[templateapi.RequesterUsernameParameterKey], uservalidation.ValidateUserName)...) |
There was a problem hiding this comment.
I think it's too early to remove this - not until the parameter has gone
There was a problem hiding this comment.
i do some validation in provision.go/bind.go instead ... it concentrated/contained this temporary code at least a little bit
There was a problem hiding this comment.
surely it's preferable to concentrate all the validation in one place as it was.
There was a problem hiding this comment.
well now I'm concentrating the use of the field as a back up and its validation all in one place
There was a problem hiding this comment.
if it's going away either way(as it is) it's probably not worth worrying too much about where it lives in the short term.
| @@ -113,7 +164,12 @@ func provision(b api.Broker, req *restful.Request) *api.Response { | |||
| return api.NewResponse(http.StatusUnprocessableEntity, &api.AsyncRequired, nil) | |||
| } | |||
|
|
|||
| return b.Provision(instanceID, &preq) | |||
| u, err := getUser(req) | |||
There was a problem hiding this comment.
for sanity, on provision and bind, is it possible to validate that either X-Broker-API-Originating-Identity is set, or the parameter is set, but not both?
There was a problem hiding this comment.
return bad req error if both are set with upcoming push
| @@ -158,6 +158,21 @@ function os::test::extended::clusterup::hostdirs () { | |||
| BASE_DIR="${base_dir}" os::test::extended::clusterup::internal::hostdirs | |||
| } | |||
|
|
|||
| # Tests bringing up the service catalog and provisioning a template | |||
| function os::test::extended::clusterup::service_catalog() { | |||
There was a problem hiding this comment.
what's the purpose of this? is it WIP?
There was a problem hiding this comment.
stems from an IRC comment from @bparees ... mentioned that no ext testing of oc cluster up --service-catalog existed today, and he was thinking I might be able to add some
this is my foray into that
Is it WIP ? .... not sure how much more or less it is compared to the other aspects of the PR, and the pending upstream SC/SB dependencies we have.
I guess the first question is whether this was the type of ext testing @bparees was referring to.
There was a problem hiding this comment.
talked to @bparees about this during scrum ... obtained agreement to leave these clusterup.sh changes in
There was a problem hiding this comment.
yeah, this was what i had in mind. Just keep in mind that currently nothing is running these tests today and there's not even a /test command that will run them right now. (we need to get one added).
| @@ -72,6 +75,10 @@ var _ = g.Describe("[templates] templateservicebroker end-to-end test", func() { | |||
| }) | |||
| o.Expect(err).NotTo(o.HaveOccurred()) | |||
|
|
|||
| // give test user access to the openshift project's templates ... now needed with provision's SAR for get on templates (previously commented out) | |||
| err = cli.AsAdmin().Run("policy").Args("add-role-to-user", "edit", cli.Username(), "-n", "openshift").Execute() | |||
There was a problem hiding this comment.
this can't be right - edit shouldn't be required, and view should already be granted. What goes wrong when this is removed?
There was a problem hiding this comment.
its been interesting ... I needed to explicitly add view (I had changed this to just view but must not have committed it) when running the extended test locally. If I did not, I got the permission error the comment alluded to.
And when running similar tests from from the command line, I had to given developer view.
But when I run the clusterup.sh extended tests, I did not need this.
There was a problem hiding this comment.
OK, I have confirmed that this add-role-to-user for the openshift namespace in the extended tests is needed for the SAR on gets for templates in the provision path to work.. Removing these calls, and that SAR fails.
I've added comments detailing this around this call, as the SAR in question in provision.go.
At this point, I think we should leave this as is until the service catalog changes arrive, and it is actually authenticating, and we are using the user.Info from the api.Context instead of the bind/provision request parameter map. At that time, when all these //TODO workaround comments are cleaned up, we remove the add-role-to-user calls in the extended tests, and verify this SAR still passes / fails as appropriate.
| @@ -68,7 +69,15 @@ var _ = g.Describe("[templates] templateservicebroker security test", func() { | |||
| brokercli = client.NewClient(&http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}, adminClientConfig.Host+templateapi.ServiceBrokerRoot) | |||
|
|
|||
| viewuser = createUser(cli, "viewuser", bootstrappolicy.ViewRoleName) | |||
| // give test user access to the openshift project's templates ... now needed with provision's SAR for get on templates (previously commented out) | |||
| err = cli.AsAdmin().Run("policy").Args("add-role-to-user", "view", viewuser.Name, "-n", "openshift").Execute() | |||
There was a problem hiding this comment.
am concerned that none of these should be needed (see above)
There was a problem hiding this comment.
understood ... see experience from dev/unit test noted above.
There was a problem hiding this comment.
attempted to clarify need in comments here and in comments in provision.go wrt the SAR on getting templates that is now in
| @@ -100,32 +109,36 @@ var _ = g.Describe("[templates] templateservicebroker security test", func() { | |||
|
|
|||
| provision := func(username string) error { | |||
| g.By("provisioning a service") | |||
| _, err := brokercli.Provision(context.Background(), instanceID, &api.ProvisionRequest{ | |||
| _, err := brokercli.Provision(context.Background(), &user.DefaultInfo{Name: username}, instanceID, &api.ProvisionRequest{ | |||
There was a problem hiding this comment.
I wonder whether you'll need to include the group "system:authenticated" on all of these - will add a follow-up question
There was a problem hiding this comment.
I see, so yeah along these same lines, you should just add the proper groups to the user you're passing, rather than granting the user new permissions. Then we'd also be testing the group-based SAR checks.
|
@deads2k @liggitt questions on the security model of passing a user.Info from the service catalog to the broker. Am I right in thinking we trust the catalog to the extent where it can manufacture any user.Info it likes, but that this is effectively intersected with the TSB service account permissions to avoid breakout? Do we expect the SC to pass in the "system:authenticated" group membership, or is there some process of group enrichment that should take place on the TSB side to add in this group membership? Without it, in principle it's not possible to read objects from the openshift namespace, which is why I ask. |
|
ok, comment in clusterup.sh added, monitoring things for the get templates SAR, squashed the commits |
|
opened flake #15874 for the extended_conformance_install_update failure quick reminder, all tests passed last go around; only change was this time around was adding the comment to oc cluster up extended test case script clusterup.sh |
gabemontero
force-pushed
the
tsb-userinfo-groups
branch
from
ee26a26 to
6a619b2
Compare
gabemontero
force-pushed
the
tsb-userinfo-groups
branch
from
6a619b2 to
d8a8473
Compare
Thanks, rebased. |
openshift-merge-robot
added
the
needs-rebase
gabemontero
force-pushed
the
tsb-userinfo-groups
branch
from
d8a8473 to
5151f7b
Compare
openshift-merge-robot
removed
the
needs-rebase
|
rebase for test/extended/templates/templateinstance_impersonation.go conflict pushed ... @deads2k FYI |
|
@openshift/api-review if there are api concerns we'll chase them in a follow up given the dance @deads2k is already doing to get this PR in. /lgtm |
openshift-merge-robot
added
the
approved
gabemontero
force-pushed
the
tsb-userinfo-groups
branch
from
5151f7b to
93dca0c
Compare
openshift-merge-robot
removed
the
lgtm
|
rebase required a regen of the swagger spec as well ... changes from |
|
@bparees please repost the igtm label at your convenience |
|
/lgtm
…On Sun, Aug 27, 2017 at 10:46 PM, Gabe Montero ***@***.***> wrote:
@bparees <https://github.com/bparees> please repost the igtm label at
your convenience
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#15719 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AEvl3svIYV6ZU7RYHmEqyW9IfCYdxrWtks5scin6gaJpZM4OyrcO>
.
--
Ben Parees | OpenShift
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bparees, gabemontero The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
@gabemontero: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Automatic merge from submit-queue (batch tested with PRs 15719, 15761) |
@openshift/devex PR for https://trello.com/c/EXHlyops/1230-5-use-groups-extra-information-for-authorization-in-template-service-broker-templatebroker
A few notes:
the current set of test changes include an initial foray from @jim-minter plus ones I have added/changed to the set of unit tests and extended tests for the template service broker; I've started looking at updating the cluster up extended tests to somehow leverage @jim-minter 's test scripts to vet things out at that level, but I decided to not hold up the PR review on that, as its possibility is still TBD in my mind until I can do more work with it
there was a foray into using user.Info in the requester object, but you can't do protobufs on interfaces
per an exchange with @pmorie , the use of the requester username param was added back in for now, given the state of some related upstream activity in this space; it was changed to be a back up option to the new form, and not required; I've tried to clearly label with TODO comments what blocks should go away, what we are waiting for, etc.