-
Notifications
You must be signed in to change notification settings - Fork 285
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Extension] Authentication Backend for JIT Token Validation #2619
Comments
[Triage] This is part of the Extensions project. |
Hi @cwperks, I have transferred the doc into this issue. Feel free to leave some thoughts. |
Hi @RyanL1997, thank you for adding the diagrams for this issue! These are good visualizations for what we've been discussing about creating the tokens in core/security plugin to pass to an extension and then what happens on the core/security plugin side of things if the extension uses the token to make a request to the cluster. Some of the diagrams on here may be subject to change based on the discussion on this issue: #2587 This comment in particular (#2587 (comment)) talks about how the mapping would work from the extension + user -> set of role/policies that would be used for privilege evaluation. In short, the idea is to add a new
For the diagrams, I would update anywhere you show user roles to a different hypothetical example (userA mapped to role1, role2, role3 - you can keep these abstracted, they represent any roles the user is mapped to) It looks like the set of user permissions used in the example was a set of permissions for AD service account:
Service account / service account token is different than the just-in-time tokens that this issue discusses because for a service account token, the extension is not acting on behalf of another user. In this case, the extension is interacting with the cluster using its service account token and privilege evaluation would be the same as normal user privilege evaluation where there is no service gate. |
Hi @RyanL1997, thank you for putting together these great diagrams. What you are looking at seems like a good option for handling our use scenario. One thing I wanted to clarify was our terminology. In the past, I have seen posts discussing both "On-behalf-of" and "just-in-time" tokens. Are these the same thing in the model you are proposing? I only know about "just-in-time" tokens from this post, but I have seen a fair bit about "on-behalf-of" tokens that would appear to overlap. Are these the same thing? |
Hi @scrawfor99, thanks for bringing this up. Yes, they are the same thing. I think the term "on-behalf" is focusing on the functionality sides of this token. In other word, we would like to use this token do some of the validations of both user and extensions, so that the extension can perform some actions like the user does nowadays. For the term "just-in-time", it is more related to its time-sensitive feature. For some traditional JWT token, you can always modify the |
Problem:
To accomplish the objective of enabling extensions to act on behalf of a user, we have devised a just-in-time (JIT) Token to manage incoming request authentication. This JIT Token will be transmitted to the extension and subsequently returned to the security plugin for privilege validation concerning both the user and the extension. Consequently, it is necessary to develop an authentication backend to efficiently handle these validation processes.
Design
Here is a graph of how user requests processed through the security-extension feature [graph1]:
If we zoom up to step 4. & 5 in [graph1] then we get [graph2] as following:
This graph shows that during the creation of the JIT Token, the user's roles will be encrypted (see: #2620 ) and combined with other claims. Subsequently, this JIT Token will be sent to the extension for further processing.
Once the extension sends back this token to security plugin, which is step 6 in [graph1] then we get [graph3] as following:
Once the security plugin receives the JIT Token back, it will be forwarded into the authentication backend. The following tasks will be initiated:
roles
/backend_role
Appendix
[WIP] I will put link this section to some of the issues with more concepts of
roles.yml
.The text was updated successfully, but these errors were encountered: