scoped tokens #8393
scoped tokens #8393
Conversation
|
Aren't there scope names defined in oauth that we have to support as well? On Wed, Apr 6, 2016 at 4:05 PM, David Eads [email protected] wrote:
|
|
Also, Peter the Great is not amused. On Wed, Apr 6, 2016 at 4:48 PM, Clayton Coleman [email protected] wrote:
|
|
There are standard scopes in OIDC (https://openid.net/specs/openid-connect-basic-1_0.html#Scopes) |
|
I'll need to reread the openid bits. I thought those were used by a client to request certain claims be provided. The user was still asked, but the token held the information, not any lasting access. If the access does have to be provided, chances are we need new endpoints to match the spec format, right? |
| func (a *scopeAuthorizer) Authorize(ctx kapi.Context, passedAttributes defaultauthorizer.AuthorizationAttributes) (bool, string, error) { | ||
| user, exists := kapi.UserFrom(ctx) | ||
| if !exists { | ||
| return false, "", fmt.Errorf("no user") |
There was a problem hiding this comment.
Suggest a more descriptive error message here if there's any risk of it ending up at an API caller.
|
@deads2k The main use case that registry users needed is a long lived token that they can plug into 'docker login'. That is, not have to run a docker login command with a new token every 24 hours. Would we need the registry container need to be modified to do a special access check? CC @aweiteka I believe this is about the long lived tokens you wanted earlier. |
This would allow a user to provide a token that is only good for manipulating images instead of trusting the registry with all their access, including things like modifying group membership as an example. This is also something we'd want for a user created token flow, but doesn't provide one in and of itself. |
Yeah, we don't need to add those yet. This structure doesn't preclude them from working, but for now we aren't close to being an openID provider. If we want to be, that should be a separate objective. |
The docker push/pull API commands are ultimately what I'm looking for supporting so this subset of permissions or access control sounds like it could satisfy that. |
|
@openshift/api-review this is on my next list. Do we like the shape of these? It's basically, |
|
If we supported OIDC in the future - those would be category-less? |
|
|
||
| tokens := strings.SplitN(scope, ":", 2) | ||
| if len(tokens) != 2 { | ||
| return nil, fmt.Errorf("bad format for %v", scope) |
There was a problem hiding this comment.
"bad format for scope %v" so I can find it when I have to debug it
|
comments addressed, upstream pick update, tests written. This is ready for review. @liggitt you or a delegating victim? |
|
[test] |
|
what happens if you login using a long lived token when you have openid connect provider enabled? |
The cluster-admin determines the maximum token lifespan, so they determine long-livedness. Right now, there is no re-authentication check required for the lifespan of the token. I think its 24 hours by default. This pull doesn't make the problem any better or worse. |
|
@smarterclayton this blocks oauth exposure. How's the API? |
|
I've seen worse. Approved. |
I feel like I should find the movie review translating tool they use for commercials. :) @pweil- got a reviewer in mind? |
|
@liggitt and @sgallagher PTAL and give a 👍 or 👎 |
| // API discovery/negotiation | ||
| "/api", "/api/*", | ||
| "/apis", "/apis/*", | ||
| "/oapi", "/oapi/*", |
There was a problem hiding this comment.
Can we make constants out of it, there's a TODO in master.go to have that prefix being configurable.
There was a problem hiding this comment.
Can we make constants out of it, there's a TODO in master.go to have that prefix being configurable.
done
| SpecialIndicator = "special:" | ||
| ClusterRoleIndicator = "clusterrole:" | ||
| ClusterWideIndicator = "clusterwide:" | ||
| NamespaceWideIndicator = "namespace:" |
There was a problem hiding this comment.
need to make sure we limit ourselves to valid characters for scopes (these are fine, just pointing it out)
- no quote, no backslash, no space
- colon, alphanumeric characters, comma is ok (full list of allowed chars is %x21 / %x23-5B / %x5D-7E)
openshift-bot
added
the
needs-rebase
|
So if I make a constant and eliminate the "special:" prefix (I still think we're likely to regret that some day. Unscoped things always cause problems eventually.), I'll get a merge? |
|
I'm ok with the approach. possible name adjustments: specific scopes: parameterized scopes: eventually: followups:
|
Ok, those look fine. @sgallagher all comments so far are minor and I'll take care of them tomorrow. Do you have anything structural? |
|
comments address [merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/5860/) (Image: devenv-rhel7_4149) |
openshift-bot
removed
the
needs-rebase
|
Evaluated for origin test up to a85a7c6 |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/3704/) |
|
Evaluated for origin merge up to a85a7c6 |
This demonstrates how scopes could be attached to a user token and then filtered by an authorizer that wraps our existing authorizer. It creates:
special:whoami- call users/~ to prove identityspecial:access-check- call self-SARs to check access of the user (not the token)clusterrole:<clusterrole name>:<namespace to allow the cluster role, * means all>- allows access based on cluster role rules, but only within the specified namespace. (I might make that a comma-delimited list.)If we like the general approach, I can finish off the list:
And do the followups:
remove *, secrets, oauthtokens, oauthauthorizationtokens, etc Prevent escalating resource access by default #8818
@pweil- @liggitt @smarterclayton
@jwforres @jimmidyson @stefwalter you guys knew people who were looking to get openshift API tokens to perform actions for a user, right?