
WI: allow workloads to use RPCs associated with HTTP API #15870

Merged: 26 commits, Jan 25, 2023
Conversation

@tgross (Member) commented Jan 25, 2023
This changeset allows Workload Identities to authenticate to all the RPCs that
support HTTP API endpoints, for use with PR #15864.

  • Extends the work done for pre-forwarding authentication to all RPCs that
    support an HTTP API endpoint.
  • Consolidates the auth helpers used by the CSI, Service Registration, and Node
    endpoints that are currently used to support both tokens and client secrets.

Intentionally excluded from this changeset:

  • The Variables endpoint still has custom handling because of the implicit
    policies. Ideally we'll figure out an efficient way to resolve those into real
    policies and then we can get rid of that custom handling.
  • The RPCs that don't currently support auth tokens (i.e. those that don't
    support HTTP endpoints) have not been updated with the new pre-forwarding auth.
    We'll be doing this under a separate PR to support RPC rate metrics.

@schmichael (Member) left a comment

LGTM! Thanks for jumping on this. I'll give it a +1 once you move it out of draft.

nomad/acl.go: resolved

@tgross (Member, Author) commented Jan 25, 2023

In addition to running the unit tests I've tested this out by spinning up a 3-server cluster along with a client, and verified that the job deployment workflow is running, that client APIs (ex. alloc fs) are working, that CSI plugins can register, and that the event stream works. Tested all those with no ACLs, with ACLs, and with mTLS.

@tgross tgross added this to the 1.5.0 milestone Jan 25, 2023
@tgross tgross mentioned this pull request Jan 25, 2023
@@ -890,7 +898,7 @@ func (n *Node) GetNode(args *structs.NodeSpecificRequest,
if err != nil {
return err
}
if !aclObj.AllowNodeRead() {
if aclObj != nil && !aclObj.AllowNodeRead() {
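Review bot: the added `aclObj != nil` guard makes a nil ACL object fall straight through to the allowed path, and nothing on the line records that nil means "ACLs disabled" rather than a failed resolution. Suggest a one-line comment above the check, e.g. `// aclObj is nil when ACLs are disabled`, and consider having the resolver return an explicit allow-all object instead of nil, so that an unexpected nil on an ACLs-enabled path cannot be read as permission.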
Member:
Huh, how did this sneak by? I would think it would panic on nomad node status ... for everyone with ACLs disabled?

Member Author:

Yeah that burned me here... the old ResolveToken code returns nil, nil in that case, so we just skip over the AllowNodeRead check. Fortunately we have good unit test coverage of non-ACLs vs with-ACLs and that caught it.
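The nil-ACL-object behaviour discussed in the comments above, as an added example that is not Nomad's code: a toy resolver that either returns (nil, nil) when ACLs are disabled or an explicit allow-all object, beside the post-fix handler shape from the hunk and a stricter one that never treats nil as permission. The names ACL, NewResolver, GetNodeGuarded and GetNodeStrict are hypothetical.

```go
package main
import "errors"

// ACL stands in for the resolved policy object (constructed for this example,
// not Nomad's real type); allowAll is an explicit "ACLs disabled" value.
type ACL struct{ allowAll, nodeRead bool }
func (a *ACL) AllowNodeRead() bool { return a.allowAll || a.nodeRead }
var ErrPermissionDenied = errors.New("Permission denied")

// NewResolver models token resolution: nilWhenDisabled reproduces the thread's
// (nil, nil) result with ACLs disabled; otherwise an allow-all object is returned.
func NewResolver(aclsEnabled, nilWhenDisabled bool, tokens map[string]*ACL) func(string) (*ACL, error) {
	return func(token string) (*ACL, error) {
		if !aclsEnabled {
			if nilWhenDisabled {
				return nil, nil
			}
			return &ACL{allowAll: true}, nil
		}
		if acl, ok := tokens[token]; ok {
			return acl, nil
		}
		return nil, ErrPermissionDenied
	}
}

// GetNodeGuarded mirrors the post-fix hunk: a nil aclObj falls through as allowed.
func GetNodeGuarded(resolve func(string) (*ACL, error), token string) error {
	aclObj, err := resolve(token)
	if err != nil {
		return err
	}
	if aclObj != nil && !aclObj.AllowNodeRead() {
		return ErrPermissionDenied
	}
	return nil
}

// GetNodeStrict never treats nil as permission, so a resolver that returns
// (nil, nil) on an ACLs-enabled path cannot bypass the AllowNodeRead check.
func GetNodeStrict(resolve func(string) (*ACL, error), token string) error {
	aclObj, err := resolve(token)
	if err != nil {
		return err
	}
	if aclObj == nil || !aclObj.AllowNodeRead() {
		return ErrPermissionDenied
	}
	return nil
}
```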

@tgross tgross merged commit 11af125 into main Jan 25, 2023
@tgross tgross deleted the auth-with-wi-claims branch January 25, 2023 19:33
tgross added a commit that referenced this pull request Jan 25, 2023
This changeset configures the RPC rate metrics that were added in #15515 to all
the RPCs that support authenticated HTTP API requests. These endpoints were already
configured with pre-forwarding authentication in #15870, and a handful of others
were done already as part of the proof-of-concept work. So this changeset is
entirely copy-and-pasting one method call into a whole mess of handlers.

Upcoming PRs will wire up pre-forwarding auth and rate metrics for the remaining
set of RPCs that have no API consumers or aren't authenticated, in smaller
chunks that can be more thoughtfully reviewed.