use oauth REST endpoints instead of raw etcd #15968
Conversation
openshift-merge-robot
added
the
size/XXL
openshift-merge-robot
added
approved
pkg/oauth/apiserver/auth.go
Outdated
| return baseMux, nil | ||
| } | ||
|
|
||
| func (c *OAuthServerConfig) RegisterTokenRequestEndpoint(context genericapiserver.PostStartHookContext) error { |
There was a problem hiding this comment.
This bit is nasty. The server won't report healthy until it succeeds though. We need to decide where this should logically live, but I think this is the part where we actually depend on it.
There was a problem hiding this comment.
huh... adding a handler to the mux post-startup seems weirder than adding a handler and having it respond with errors until populated with the necessary clients post-startup
There was a problem hiding this comment.
huh... adding a handler to the mux post-startup seems weirder than adding a handler and having it respond with errors until populated with the necessary clients post-startup
If you prefer. How about I cut the links in this pull and twiddle it after. This is the big money and rest is arguing over spoils.
pkg/cmd/server/origin/master.go
Outdated
| return oauthServer.GenericAPIServer.PrepareRun().GenericAPIServer.Handler.FullHandlerChain, nil | ||
| return oauthServer.GenericAPIServer.PrepareRun().GenericAPIServer.Handler.FullHandlerChain, | ||
| map[string]apiserver.PostStartHookFunc{ | ||
| "oauth.openshift.io-RegisterTokenRequestEndpoint": config.RegisterTokenRequestEndpoint, |
There was a problem hiding this comment.
I wasn't expecting handler registration in post-start hooks... what requires this to be async?
There was a problem hiding this comment.
I wasn't expecting handler registration in post-start hooks... what requires this to be async?
The creation of clients needs to be a post-start hook, the handler could give failures until they exist.
| @@ -696,7 +699,7 @@ func newAuthenticator(config configapi.MasterConfig, restOptionsGetter restoptio | |||
|
|
|||
| // OAuth token | |||
| if config.OAuthConfig != nil { | |||
| oauthTokenAuthenticator, err := getEtcdTokenAuthenticator(restOptionsGetter, userGetter, groupMapper) | |||
| oauthTokenAuthenticator, err := getEtcdTokenAuthenticator(accessTokenGetter, userGetter, groupMapper) | |||
There was a problem hiding this comment.
should we be able to drop this at this point?
There was a problem hiding this comment.
should we be able to drop this at this point?
I wasn't anticipating dropping anything. I'll look back and see.
openshift-merge-robot
added
the
needs-rebase
deads2k
force-pushed
the
oauth-03-use-client
branch
from
7160376 to
6ad2935
Compare
openshift-merge-robot
removed
the
needs-rebase
deads2k
force-pushed
the
oauth-03-use-client
branch
2 times, most recently
from
25878d0 to
5583ecb
Compare
|
Comments addressed |
deads2k
force-pushed
the
oauth-03-use-client
branch
from
5583ecb to
bc1998f
Compare
|
/retest |
pkg/auth/server/grant/grant_test.go
Outdated
| auth := action.(clienttesting.UpdateAction).GetObject().(*oapi.OAuthClientAuthorization) | ||
| if !reflect.DeepEqual(testCase.ExpectUpdatedAuthScopes, auth.Scopes) { | ||
| t.Errorf("%s: expected updated scopes %v, got %v", k, testCase.ExpectUpdatedAuthScopes, auth.Scopes) | ||
| } |
pkg/auth/server/grant/grant_test.go
Outdated
| auth := action.(clienttesting.CreateAction).GetObject().(*oapi.OAuthClientAuthorization) | ||
| if !reflect.DeepEqual(testCase.ExpectCreatedAuthScopes, auth.Scopes) { | ||
| t.Errorf("%s: expected created scopes %v, got %v", k, testCase.ExpectCreatedAuthScopes, auth.Scopes) | ||
| } |
| return oauthServer.GenericAPIServer.PrepareRun().GenericAPIServer.Handler.FullHandlerChain, nil | ||
| return oauthServer.GenericAPIServer.PrepareRun().GenericAPIServer.Handler.FullHandlerChain, | ||
| map[string]apiserver.PostStartHookFunc{ | ||
| "oauth.openshift.io-EnsureBootstrapOAuthClients": config.EnsureBootstrapOAuthClients, |
There was a problem hiding this comment.
shouldn't this be a const?
There was a problem hiding this comment.
shouldn't this be a const?
I don't think so. We aren't really expecting these to be stable or referred to.
| osOAuthClientConfig.RedirectUrl = c.Options.MasterPublicURL + path.Join(oauthutil.OpenShiftOAuthAPIPrefix, tokenrequest.DisplayTokenEndpoint) | ||
|
|
||
| osOAuthClient, _ := osincli.NewClient(osOAuthClientConfig) | ||
| if len(*c.Options.MasterCA) > 0 { | ||
| rootCAs, err := cmdutil.CertPoolFromFile(*c.Options.MasterCA) | ||
| if err != nil { | ||
| glog.Fatal(err) | ||
| return nil, err |
| @@ -185,3 +194,42 @@ func (c *OAuthServerConfig) buildHandlerChainForOAuth(startingHandler http.Handl | |||
| handler = genericfilters.WithPanicRecovery(handler) | |||
| return handler | |||
| } | |||
|
|
|||
| // TODO, this moves to the `apiserver.go` when we have it for this group | |||
| // TODO TODO, this actually looks a lot like a controller or an add-on manager style thing. Seems like we'd want to do this outside | |||
| @@ -137,3 +137,7 @@ func Matcher(label labels.Selector, field fields.Selector) kstorage.SelectionPre | |||
| func SelectableFields(obj *oauthapi.OAuthClientAuthorization) fields.Set { | |||
| return oauthapi.OAuthClientAuthorizationToSelectableFields(obj) | |||
| } | |||
|
|
|||
| func ClientAuthorizationName(userName, clientName string) string { | |||
| @@ -99,6 +99,7 @@ var expectedIndex = []string{ | |||
| // "/healthz/poststarthook/extensions/third-party-resources", // Do not enable this controller, we do not support it | |||
| "/healthz/poststarthook/generic-apiserver-start-informers", | |||
| "/healthz/poststarthook/kube-apiserver-autoregistration", | |||
| "/healthz/poststarthook/oauth.openshift.io-EnsureBootstrapOAuthClients", | |||
There was a problem hiding this comment.
why is this camelcase while the rest is lowecase?
There was a problem hiding this comment.
why is this camelcase while the rest is lowecase?
we're working through what it should look like.
| clientStorage, err := clientetcd.NewREST(optsGetter) | ||
| if err != nil { | ||
| t.Fatalf("unexpected error: %v", err) | ||
| t.Fatal(err) |
There was a problem hiding this comment.
now we won't know this was unexpected :-)
|
just couple small nits, but the intent and how this was done LGTM /approve no-issue |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, mfojtik The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
deads2k
force-pushed
the
oauth-03-use-client
branch
from
bc1998f to
df6eccb
Compare
|
comments addressed. applying label. |
|
Automatic merge from submit-queue |
@mfojtik this is needed to remove direct etcd access which bypasses any admission checks and auditing and prevents the future separation of processes.