Authentication modes : rename and clarify (#272)

InseeFrLab · Oct 9, 2023 · 872319f · 872319f
1 parent c7bf65f
commit 872319f
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 18 deletions.
diff --git a/docs/region-configuration.md b/docs/region-configuration.md
@@ -54,7 +54,7 @@ Users can work on Onyxia as a User or as a Group to which they belong. Each user
 | `groupNamespacePrefix` | "projet-" | User in a group groupId can access the namespace groupeNamespacePrefix + groupId. This prefix is also used for the Vault group directory. | |
 | `usernamePrefix` | | If set, the Kubernetes user corresponding to the Onyxia user is named usernamePrefix + userId on impersonation mode, otherwise it is identified only as userId | "user-" |
 | `groupPrefix` | | not used | |
-| `authenticationMode` | IMPERSONATE | IMPERSONATE or ADMIN: on ADMIN mode Onyxia uses its admin account on the services provider, with IMPERSONATE mode Onyxia request the API as the user (helm option `--kube-as-user`) but is only available if the helm version used is above 3.4.0 | |
+| `authenticationMode` | serviceAccount | serviceAccount, impersonate or tokenPassthrough : on serviceAccount mode Onyxia API uses its own serviceAccount (by default admin or cluster-admin), with impersonate mode Onyxia requests the API with user's permissions (helm option `--kube-as-user`). With tokenPassthrough, the authentication token is passed to the API server. | |
 | `expose` | | When users request to expose their service, only subdomain of this object domain are allowed | See [Expose properties](#expose-properties) |
 | `monitoring` | | Define the URL pattern of the monitoring service that is to be launched with each service. Only for client purposes. | {URLPattern: "https://$NAMESPACE-$INSTANCE.mymonitoring.sspcloud.fr"} |
 | `cloudshell` | | Define the catalog and package name where to fetch the cloudshell in the helm catalog. | {catalogId: "inseefrlab-helm-charts-datascience", packageName: "cloudshell"} |

diff --git a/...ia-api/src/main/java/fr/insee/onyxia/api/configuration/kubernetes/HelmClientProvider.java b/...ia-api/src/main/java/fr/insee/onyxia/api/configuration/kubernetes/HelmClientProvider.java
@@ -52,7 +52,7 @@ public HelmConfiguration getConfiguration(Region region, User user) {
         }
 
         if (region.getServices().getAuthenticationMode()
-                == Region.Services.AuthenticationMode.USER) {
+                == Region.Services.AuthenticationMode.TOKEN_PASSTHROUGH) {
             helmConfiguration.setKubeToken((String) user.getAttributes().get("access_token"));
         }
 

diff --git a/.../src/main/java/fr/insee/onyxia/api/configuration/kubernetes/KubernetesClientProvider.java b/.../src/main/java/fr/insee/onyxia/api/configuration/kubernetes/KubernetesClientProvider.java
@@ -46,7 +46,7 @@ public KubernetesClient getUserClient(Region region, User user) {
         }
 
         if (region.getServices().getAuthenticationMode()
-                == Region.Services.AuthenticationMode.USER) {
+                == Region.Services.AuthenticationMode.TOKEN_PASSTHROUGH) {
             config.setOauthToken((String) user.getAttributes().get("access_token"));
         }
 

diff --git a/...-api/src/main/java/fr/insee/onyxia/api/configuration/properties/RegionsConfiguration.java b/...-api/src/main/java/fr/insee/onyxia/api/configuration/properties/RegionsConfiguration.java
@@ -29,14 +29,11 @@
 @ConfigurationProperties
 public class RegionsConfiguration {
 
+    private static Logger LOGGER = LoggerFactory.getLogger(RegionsConfiguration.class);
     private String regions;
-
     private List<Region> resolvedRegions;
-
     @Autowired private ObjectMapper mapper;
 
-    private static Logger LOGGER = LoggerFactory.getLogger(RegionsConfiguration.class);
-
     @PostConstruct
     public void load() throws Exception {
         resolvedRegions = Arrays.asList(mapper.readValue(regions, Region[].class));
@@ -45,11 +42,11 @@ public void load() throws Exception {
                     if (region.getServices().getType().equals(Service.ServiceType.KUBERNETES)) {
                         if (region.getServices()
                                 .getAuthenticationMode()
-                                .equals(Region.Services.AuthenticationMode.ADMIN)) {
+                                .equals(Region.Services.AuthenticationMode.SERVICEACCOUNT)) {
                             LOGGER.warn(
-                                    "Using admin authentication for region "
+                                    "Using serviceAccount authentication for region "
                                             + region.getId()
-                                            + ". This may cause a security risk.");
+                                            + ". Onyxia will deploy services using it's own global permissions, this may be a security issue.");
                         }
 
                         if (region.getServices()
@@ -58,7 +55,16 @@ public void load() throws Exception {
                             LOGGER.info(
                                     "Using impersonation authentication for region "
                                             + region.getId()
-                                            + ". Make sure you are using helm version 3.4.0+.");
+                                            + ".");
+                        }
+
+                        if (region.getServices()
+                                .getAuthenticationMode()
+                                .equals(Region.Services.AuthenticationMode.TOKEN_PASSTHROUGH)) {
+                            LOGGER.info(
+                                    "Using token passthrough authentication for region "
+                                            + region.getId()
+                                            + ". User token will be used by Onyxia to interact with the API Server.");
                         }
                     }
                 });

diff --git a/onyxia-api/src/main/resources/regions.json b/onyxia-api/src/main/resources/regions.json
@@ -14,7 +14,7 @@
         "namespacePrefix": "user-",
         "usernamePrefix": "oidc-",
         "groupNamespacePrefix": "projet-",
-        "authenticationMode" : "admin",
+        "authenticationMode": "serviceAccount",
         "quotas": {
           "allowUserModification": true,
           "enabled": false,
@@ -67,7 +67,6 @@
         }
       },
       "data": {
-
       },
       "auth": {
         "type": "openidconnect"

diff --git a/onyxia-model/src/main/java/fr/insee/onyxia/model/region/Region.java b/onyxia-model/src/main/java/fr/insee/onyxia/model/region/Region.java
@@ -1,5 +1,6 @@
 package fr.insee.onyxia.model.region;
 
+import com.fasterxml.jackson.annotation.JsonAlias;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import fr.insee.onyxia.model.service.Service;
@@ -183,7 +184,7 @@ public static class Services {
         private String groupNamespacePrefix = "projet-";
         private String usernamePrefix;
         private String groupPrefix;
-        private AuthenticationMode authenticationMode = AuthenticationMode.IMPERSONATE;
+        private AuthenticationMode authenticationMode = AuthenticationMode.SERVICEACCOUNT;
         private Expose expose;
         private Server server;
         private Monitoring monitoring;
@@ -366,10 +367,12 @@ public void setQuotas(Quotas quotas) {
         public static enum AuthenticationMode {
             @JsonProperty("impersonate")
             IMPERSONATE,
-            @JsonProperty("admin")
-            ADMIN,
-            @JsonProperty("user")
-            USER
+            @JsonProperty("serviceAccount")
+            @JsonAlias("admin")
+            SERVICEACCOUNT,
+
+            @JsonProperty("tokenPassthrough")
+            TOKEN_PASSTHROUGH
         }
 
         public static class DefaultConfiguration {