Skip to content
This repository was archived by the owner on Jul 2, 2020. It is now read-only.

Service account authentication for Mkube #407

Merged
merged 1 commit into from
Jun 15, 2020
Merged

Service account authentication for Mkube #407

merged 1 commit into from
Jun 15, 2020

Conversation

@Alevsk
Copy link
Contributor

@Alevsk Alevsk commented Jun 9, 2020

Currently, Mkube support only bearer token authentication for secured endpoints,
clients that wishes to access resources behind a secured endpoint will need to provide
a jwt token using the HTTP Authorization header, ie:

curl --location --request GET 'http://localhost:8787/api/v1/tenants' --header 'Authorization: Bearer eyJ...'

The provided JWT token corresponds to the Kubernetes service account that Mkube will use to run tasks on behalf of the client
ie: list, create, edit, delete tenants, etc.

For local development you can use the jwt associated to the m3-sa service account, you can get the token running
the following command in your terminal:

kubectl get secret $(kubectl get serviceaccount m3-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode

Then test the token works with curl

curl --location --request GET 'http://localhost:8787/api/v1/tenants' --header 'Authorization: Bearer eyJ...'
...
{
    "tenants": [
        {
            "creation_date": "2020-06-08 22:35:50 -0700 PDT",
            "currentState": "Ready",
            "instance_count": 4,
            "name": "minio",
            "volume_count": 16,
            "volume_size": 1099511627776,
            "zone_count": 1
        }
    ]
}

@Alevsk Alevsk self-assigned this Jun 9, 2020
dvaldivia
dvaldivia reviewed Jun 9, 2020
View reviewed changes
cesnietor
cesnietor suggested changes Jun 9, 2020
View reviewed changes
Copy link
Contributor

@cesnietor cesnietor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you please remove all related models/ that are not used anymore and also the operations/user_api since those files are not deleted by swagger generator

@Alevsk Alevsk force-pushed the sa-authentication branch 2 times, most recently from c64702c to 99eab91 Compare June 9, 2020 18:45
dvaldivia
dvaldivia suggested changes Jun 9, 2020
View reviewed changes
@Alevsk Alevsk force-pushed the sa-authentication branch from 99eab91 to 0e5225f Compare June 9, 2020 22:05
@Alevsk Alevsk requested review from cesnietor and dvaldivia June 9, 2020 22:05
dvaldivia
dvaldivia previously approved these changes Jun 9, 2020
View reviewed changes
@Alevsk Alevsk added the wip label Jun 9, 2020
@Alevsk Alevsk force-pushed the sa-authentication branch 2 times, most recently from a9fa317 to 7c88fd4 Compare June 12, 2020 04:01
@Alevsk
Service account authentication for Mkube
655d83f 
Currently, Mkube support only bearer token authentication for secured endpoints,
clients that wishes to access resources behind a secured endpoint will need to provide
a jwt token using the HTTP `Authorization` header, ie:

```
curl --location --request GET 'http://localhost:8787/api/v1/tenants' --header 'Authorization: Bearer eyJ...'
```

The provided `JWT token` corresponds to the `Kubernetes service account` that Mkube will use to run tasks on behalf of the client
ie: list, create, edit, delete tenants, etc.

For local development you can use the jwt associated to the `m3-sa` service account, you can get the token running
the following command in your terminal:

```
kubectl get secret $(kubectl get serviceaccount m3-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
```
Then test the token works with `curl`
```
curl --location --request GET 'http://localhost:8787/api/v1/tenants' --header 'Authorization: Bearer eyJ...'
...
{
    "tenants": [
        {
            "creation_date": "2020-06-08 22:35:50 -0700 PDT",
            "currentState": "Ready",
            "instance_count": 4,
            "name": "minio",
            "volume_count": 16,
            "volume_size": 1099511627776,
            "zone_count": 1
        }
    ]
}
```
@Alevsk Alevsk force-pushed the sa-authentication branch from 7c88fd4 to 655d83f Compare June 12, 2020 05:08
@Alevsk Alevsk removed the wip label Jun 12, 2020
@Alevsk Alevsk requested a review from dvaldivia June 12, 2020 16:10
@cesnietor cesnietor mentioned this pull request Jun 15, 2020
Merged
@dvaldivia dvaldivia merged commit 932cb3e into minio:master Jun 15, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@harshavardhana harshavardhana Awaiting requested review from harshavardhana

@bexsoft bexsoft Awaiting requested review from bexsoft

@dvaldivia dvaldivia Awaiting requested review from dvaldivia

1 more reviewer

@cesnietor cesnietor cesnietor approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@Alevsk Alevsk

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Alevsk @cesnietor @dvaldivia