Add authn/authz to OTLP endpoint, refactor dashboard endpoint creation, integration tests #2316
Conversation
src/Aspire.Dashboard/Authentication/ApiKeyAuthorizationHandler.cs
Outdated
Show resolved
Hide resolved
src/Aspire.Dashboard/Authentication/OtlpCompositeAuthenticationHandler.cs
Show resolved
Hide resolved
|
Do we need to test this with anything? |
|
Friendly reminder that this PR is assigned to the Preview 4 milestone which is snapping in a couple of hours. Please ensure it is merged by 4pm PST in order to ensure the change will be part of Preview 4. |
|
I might be blind, but I'm not seeing where we make use of these values when we launch the dashboard from the apphost? Is that going to be done separately? |
|
They're mostly for cloud providers to opt-in to using. We might add API key auth in the local environment. |
JamesNK
force-pushed
the
jamesnk/dashboard-authpocalypse
branch
from
c47e359 to
984afa0
Compare
|
I think this PR is mergable as a starting point for dashboard auth. I think there will still be changes, especially to the OTLP API key auth based on feedback, but this is a good starting point. I don't want to leave this changing around, building up merge conflicts. |
kvenkatrajan
left a comment
kvenkatrajan
left a comment
There was a problem hiding this comment.
Looks great! Thanks for providing tests.
| private const string DashboardUrlVariableName = "ASPNETCORE_URLS"; | ||
| private const string DashboardUrlDefaultValue = "http://localhost:18888"; | ||
| internal const string DashboardOtlpAuthModeVariableName = "DOTNET_DASHBOARD_OTLP_AUTH_MODE"; | ||
| internal const string DashboardOtlpApiKeyVariableName = "DOTNET_DASHBOARD_OTLP_API_KEY"; |
There was a problem hiding this comment.
Are we planning to add the keyperfile configuration/volume info here to support ACA? We can do it in a separate PR post this merge.
There was a problem hiding this comment.
Maybe. Will talk more with people to figure out exact requirements. But I don't think that blocks this PR. Merging something that isn't the final result is ok.
| case OtlpAuthMode.None: | ||
| break; | ||
| case OtlpAuthMode.ApiKey: | ||
| otlpApiKey = configuration[DashboardOtlpApiKeyVariableName]; |
There was a problem hiding this comment.
Similarly here do we to fork out logic to retreive apiKey for ACA scenario? How would we determine from the appModel whether the dashboard is hosted in ACA? Can be in a separate PR - just curious
|
One question: Has the industry adopted x-otlp-api-key as the name of the HTTP Header for the API Key? It is obviously easy to use any header when emitting the telemetry. Should the Options class in the Dashboard app allow a different key http header name to be specified as well as the key's value? |
|
I made it up. If there is a standard then let me know. I don't see a reason to make the name configurable. |
|
I have just adopted your new standard James :-) |
|
I'm still looking for someone to review this. Please review this so I don't have to keep rebasing changes to avoid merge conflicts. |
|
I'll review |
drewnoakes
left a comment
drewnoakes
left a comment
There was a problem hiding this comment.
Would be good to document the new options in the dashboard's README.md file.
Also, lots of new public types here. Can these be internal, so we aren't tied to back compat in future? I don't see why consumers would need to use these types.
| OnCertificateValidated = context => | ||
| { | ||
| var claims = new[] | ||
| { | ||
| new Claim(ClaimTypes.NameIdentifier, | ||
| context.ClientCertificate.Subject, | ||
| ClaimValueTypes.String, context.Options.ClaimsIssuer), | ||
| new Claim(ClaimTypes.Name, | ||
| context.ClientCertificate.Subject, | ||
| ClaimValueTypes.String, context.Options.ClaimsIssuer) | ||
| }; | ||
|
|
||
| context.Principal = new ClaimsPrincipal(new ClaimsIdentity(claims, context.Scheme.Name)); | ||
| context.Success(); | ||
|
|
||
| return Task.CompletedTask; | ||
| } |
There was a problem hiding this comment.
Checking my understanding here: the dashboard will accept any valid certificate here, not a pre-shared/specific one?
If that's the case, then this isn't mTLS (as I understand it), as the identity of the other party is not restricted to a given certificate. Any cert that's trusted on the machine will be accepted. Maybe we're ok with that.
There was a problem hiding this comment.
That's right. I was planning to get feedback whether more to lock down the client cert was required.
There was a problem hiding this comment.
The ability to lock down the cert should be supported (file a follow up).
src/Aspire.Dashboard/Authentication/OtlpApiKey/OtlpApiKeyAuthenticationHandler.cs
Outdated
Show resolved
Hide resolved
src/Aspire.Dashboard/Authentication/OtlpCompositeAuthenticationHandler.cs
Show resolved
Hide resolved
src/Aspire.Dashboard/Authentication/OtlpCompositeAuthenticationHandler.cs
Outdated
Show resolved
Hide resolved
JamesNK
force-pushed
the
jamesnk/dashboard-authpocalypse
branch
from
cee44ec to
995c6fa
Compare
That's the plan, but I'll wait for concensus about the changes before updating docs. |
@davidfowl I'm interested in your feedback about how I changed the configuration of endpoints. The new system allows for basic configuration using |
|
@JamesNK @davidfowl can we get this merged in please? I have more auth work to submit that'll conflict a little with this. |
| values[$"Kestrel:Endpoints:{endpointName}:Url"] = url; | ||
|
|
||
| if (protocols != null) | ||
| { | ||
| values[$"Kestrel:Endpoints:{endpointName}:Protocols"] = protocols.ToString(); | ||
| } | ||
|
|
||
| if (requiredClientCertificate) | ||
| { | ||
| values[$"Kestrel:Endpoints:{endpointName}:ClientCertificateMode"] = ClientCertificateMode.RequireCertificate.ToString(); | ||
| } | ||
| } |
There was a problem hiding this comment.
My only question (non blocking) was why do this instead of using the API to create named endpoints?
There was a problem hiding this comment.
From PR description:
- Change dashboard endpoint configuration from code to configuration + code. Allows external endpoint configuration when starting the dashboard. This gives people who want to launch the dashboard a lot more flexibility over endpoint configuration. For example, the TLS cert can be different per endpoint via configuration,
Kestrel:Endpoints:Otlp:Certification:...=xxx.
Without this, we'd need to recreate a lot of configuration infrastructure ourselves, i.e. provide a way to configure the TLS cert for each endpoint from a cert store, or from a pdf, or from a cert+key, etc.
|
Pushed a fix to resolve a simple conflict in |
JamesNK
changed the title
Lots of dashboard changes for the reasons of auth. Work in progress.
Kestrel:Endpoints:Otlp:Certification:...=xxx.Microsoft Reviewers: Open in CodeFlow