Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

salt/auth: Add groups support for bearer auth #2068

Merged
merged 3 commits into from
Nov 29, 2019
Merged

salt/auth: Add groups support for bearer auth #2068

merged 3 commits into from
Nov 29, 2019

Conversation

TeddyAndrieux
Copy link
Collaborator

Component:

'salt', 'tests'

Context:

Currently we have no permissions when using bearer token auth

Summary:

add a groups function to authenticate bearer auth using the same approach as
the basic auth for the moment
Also update test accordingly

@TeddyAndrieux TeddyAndrieux requested a review from a team November 22, 2019 15:39
@bert-e
Copy link
Contributor

bert-e commented Nov 22, 2019

Hello teddyandrieux,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Status report is not available.

@bert-e
Copy link
Contributor

bert-e commented Nov 22, 2019

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • one peer

Peer approvals must include at least 1 approval from the following list:

gdemonet
gdemonet suggested changes Nov 22, 2019
View reviewed changes
tests/post/features/salt_api.feature Outdated Show resolved Hide resolved
salt/_auth/kubernetes_rbac.py Outdated Show resolved Hide resolved
@bert-e
Copy link
Contributor

bert-e commented Nov 22, 2019

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • one peer

Peer approvals must include at least 1 approval from the following list:

The following reviewers are expecting changes from the author, or must review again:

NicolasT
NicolasT reviewed Nov 25, 2019
View reviewed changes
tests/post/features/salt_api.feature
@@ -12,7 +12,10 @@ Feature: SaltAPI
Scenario: Login to SaltAPI using a ServiceAccount
Given the Kubernetes API is available
When we login to SaltAPI with the ServiceAccount 'storage-operator'
Then we can invoke '["disk.dump", "state.sls"]' on '*'
Then we can ping all minions
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Basically, the fact that this test requires changes shows that there's an issue somewhere in the implementation. This test should remain as-is.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Btw this test do not require change but since storage-opeator is able to do a * on nodes he also have this perms.

Basically storage-operator perms in this PR are:

        "perms": [
            {
                "*": [
                    "disk.dump", 
                    "state.sls"
                ]
            }, 
            "@jobs", 
            {
                "*": [
                    ".*"
                ]
            }, 
            "@wheel", 
            "@runner", 
            "@jobs"
        ],

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But it shouldn't have those perms?!? https://github.com/scality/metalk8s/blob/development/2.4/storage-operator/deploy/role.yaml

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As the cluster role say that he can do * on nodes the check we do for groups is approved so we add node-admin groups thats why but if we dont want that the storage operator can do this then we need to either change the check from groups function or changes the rule of his cluster role

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh right, I read the Role too fast. Then that would be a bug I guess, we shouldn't give that many permissions to storage-operator.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From this issue, it seems we should not have kept the default ClusterRole that gets created when the project is initialized with operator-sdk new. Since operator-sdk generate k8s doesn't generate this file, it would make sense to update it to match our needs and commit it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See #2084

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then it's not part of this PR, because we may want to fix it also in 2.4

@TeddyAndrieux TeddyAndrieux force-pushed the improvement/add-groups-support-for-bearer-auth-saltapi branch from 1d4b15a to 4859253 Compare November 27, 2019 13:54
gdemonet
gdemonet previously approved these changes Nov 27, 2019
View reviewed changes
salt/_auth/kubernetes_rbac.py Outdated Show resolved Hide resolved
@bert-e
Copy link
Contributor

bert-e commented Nov 27, 2019

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • one peer

Peer approvals must include at least 1 approval from the following list:

@TeddyAndrieux
salt/auth: Add groups support for bearer auth
ba68911 
Currently we have no permissions when using bearer token auth, add a
groups function to authenticate bearer auth using the same approach as
the basic auth for the moment
@TeddyAndrieux TeddyAndrieux force-pushed the improvement/add-groups-support-for-bearer-auth-saltapi branch 6 times, most recently from d90f001 to 9d7e63d Compare November 28, 2019 15:01
@TeddyAndrieux
tests: Add Admin ServiceAccount fixture
c2d62ac 
Add a fixture to create an Admin ServiceAccount for test purpose.
This fixture create a ServiceAccount and a ClusterRoleBinding to bind
this new ServiceAccount to `cluster-admin` ClusterRole
@TeddyAndrieux
tests: Add salt-api test for Bearer token of Admin SA
9d7e63d 
Add test that a ServiceAccount bind to `cluster-admin` ClusterRole is
able to everything with salt-api
@TeddyAndrieux
Copy link
Collaborator Author

/approve

@bert-e
Copy link
Contributor

bert-e commented Nov 29, 2019

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • one peer

Peer approvals must include at least 1 approval from the following list:

The following options are set: approve

@bert-e
Copy link
Contributor

bert-e commented Nov 29, 2019

In the queue

The changeset has received all authorizations and has been added to the
relevant queue(s). The queue(s) will be merged in the target development
branch(es) as soon as builds have passed.

The changeset will be merged in:

  • ✔️ development/2.5

The following branches will NOT be impacted:

  • development/1.0
  • development/1.1
  • development/1.2
  • development/1.3
  • development/2.0
  • development/2.1
  • development/2.2
  • development/2.3
  • development/2.4

There is no action required on your side. You will be notified here once
the changeset has been merged. In the unlikely event that the changeset
fails permanently on the queue, a member of the admin team will
contact you to help resolve the matter.

IMPORTANT

Please do not attempt to modify this pull request.

  • Any commit you add on the source branch will trigger a new cycle after the
    current queue is merged.
  • Any commit you add on one of the integration branches will be lost.

If you need this pull request to be removed from the queue, please contact a
member of the admin team now.

The following options are set: approve

@bert-e
Copy link
Contributor

bert-e commented Nov 29, 2019

I have successfully merged the changeset of this pull request
into targetted development branches:

  • ✔️ development/2.5

The following branches have NOT changed:

  • development/1.0
  • development/1.1
  • development/1.2
  • development/1.3
  • development/2.0
  • development/2.1
  • development/2.2
  • development/2.3
  • development/2.4

Please check the status of the associated issue None.

Goodbye teddyandrieux.

@bert-e bert-e merged commit 9d7e63d into development/2.5 Nov 29, 2019
@bert-e bert-e deleted the improvement/add-groups-support-for-bearer-auth-saltapi branch November 29, 2019 08:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@carlito-scality carlito-scality carlito-scality approved these changes

@NicolasT NicolasT Awaiting requested review from NicolasT

@gdemonet gdemonet Awaiting requested review from gdemonet

@slaperche-scality slaperche-scality Awaiting requested review from slaperche-scality

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@TeddyAndrieux @bert-e @NicolasT @slaperche-scality @gdemonet @carlito-scality