support grpc auth for grpc server. #168
Conversation
morvencao
force-pushed
the
br_grpc_auth
branch
5 times, most recently
from
3a4f400 to
420b812
Compare
|
/assign @qiujian16 @clyang82 @skeeey |
morvencao
force-pushed
the
br_grpc_auth
branch
15 times, most recently
from
7d3b22e to
37489b4
Compare
|
/ok-to-test |
morvencao
force-pushed
the
br_grpc_auth
branch
7 times, most recently
from
4ade853 to
93df2b2
Compare
Signed-off-by: morvencao <lcao@redhat.com>
morvencao
force-pushed
the
br_grpc_auth
branch
from
93df2b2 to
e262f36
Compare
|
rebased the code, added document for how to configure grpc server authN and authZ. |
| e.Clients.GRPCAuthorizer = grpcauthorizer.NewMockGRPCAuthorizer() | ||
| } else { | ||
| kubeConfig, err := clientcmd.BuildConfigFromFlags("", e.Config.GRPCServer.GRPCAuthrizerConfig) | ||
| if err != nil { |
There was a problem hiding this comment.
s/GRPCAuthrizerConfig/GRPCAuthorizerConfig
cmd/maestro/server/api_server.go
Outdated
| @@ -126,7 +126,7 @@ func NewAPIServer(eventBroadcaster *event.EventBroadcaster) Server { | |||
|
|
|||
| // TODO: support authn and authz for gRPC | |||
There was a problem hiding this comment.
remove this comment since we support it.
cmd/maestro/server/grpc_server.go
Outdated
|
|
||
| // newAuthUnaryInterceptor creates a new unary interceptor that looks up the client certificate from the incoming RPC context, | ||
| // retrieves the user and groups from it and creates a new context with the user and groups before invoking the provided handler. | ||
| // otherwise, it falls back retrieving the user and groups from the access token. |
There was a problem hiding this comment.
the comment is to look up the client cert and then token. but the implement is to look up token and then client cert.
There was a problem hiding this comment.
just use --grpc-authn-type to decide that where to get the user and group.
There was a problem hiding this comment.
the original idea is even if we specify the --grpc-authn-type=token, we may still can retrieve user/group from client certificate if the token is not provided.
Anyway, I will use --grpc-authn-type to decide that how to get the user and group.
There was a problem hiding this comment.
updated this use --grpc-authn-type to decide that how to get the user and group.
| fs.StringVar(&s.TLSCertFile, "grpc-tls-cert-file", "", "The path to the tls.crt file") | ||
| fs.StringVar(&s.TLSKeyFile, "grpc-tls-key-file", "", "The path to the tls.key file") | ||
| fs.BoolVar(&s.EnableTLS, "enable-grpc-tls", false, "Enable TLS for gRPC server") | ||
| fs.StringVar(&s.GRPCAuthNType, "grpc-authn-type", "mock", "Specify the gRPC authentication type (e.g., mock, mtls or token)") |
There was a problem hiding this comment.
maybe disable grpc authn instead of using mock. using mock seems it is not ready for use.
There was a problem hiding this comment.
I want to simplify the code and make it easy for users to learn, so I'd prefer not to add another parameter for this.
| nonResourceUrl = fmt.Sprintf("/sources/%s", resource) | ||
| case "cluster": | ||
| nonResourceUrl = fmt.Sprintf("/clusters/%s", resource) | ||
| default: |
There was a problem hiding this comment.
source and cluster are not the same level concept. what do you mean cluster?
There was a problem hiding this comment.
if configure both, what is the behaviour?
There was a problem hiding this comment.
maybe we don't need cluster for now, because currently authZ is for source side, not for agent side.
There was a problem hiding this comment.
removed cluster for now.
Signed-off-by: morvencao <lcao@redhat.com>
morvencao
force-pushed
the
br_grpc_auth
branch
from
d0735fa to
c3f4f6f
Compare
Add authentication and authorization for gRPC server, using kube authorizer:
how to configure authentication and authorization doc: https://github.com/morvencao/openshift-online-maestro/blob/br_grpc_auth/docs/grpc.md#authentication-and-authorization
ref: