basic auth service #2262
basic auth service #2262
Conversation
|
/hold |
|
/hold cancel |
| func (s *authServer) ServeHTTP(w http.ResponseWriter, r *http.Request) { | ||
| log.Infof("Path check, url: %v, path: %v", r.URL, r.URL.Path) | ||
| // login page open to everyone; all other path requires auth with Password or cookie | ||
| if strings.HasPrefix(r.URL.Path, "/" + LoginPagePath) || s.authCookie(r) == true { |
There was a problem hiding this comment.
Should we be doing an exact match here to path
r.URL.Path, "/" + LoginPagePath
What if by some coincedence we have a path for which this is a prefix but is not an exact match?
There was a problem hiding this comment.
Browser need access resources like "/LoginPagePath/static/..." as well.
How about do exact match "/LoginPagePath" or prefix match "/LoginPagePath/"?
There was a problem hiding this comment.
Should be safe to assume any thing behind "/LoginPagePath/" is public?
There was a problem hiding this comment.
I see. Maybe we could file an issue to follow up on this. My concern is what if some app randomly adds some prefix like
/LoginPagePath/mynotebook
Then we would match it.
Can we be more restrictive e.g.
- Exact match /LoginPagePath
- Prefix match /LoginPagePath/static
Also maybe we can add in some nonsense e.g. make
- /LoginPagePath-a12c
This way its less likely an app would have it as a prefix.
| // login page open to everyone; all other path requires auth with Password or cookie | ||
| if strings.HasPrefix(r.URL.Path, "/" + LoginPagePath) || s.authCookie(r) == true { | ||
| // Handle request from login page | ||
| if r.Header.Get(LoginPageHeader) != "" { |
There was a problem hiding this comment.
Can you explain what this if block is doing? Is it modifying the request to indicate that it should be allowed?
There was a problem hiding this comment.
This part take care of user's re-login
They already have cookie in browser, so "StatusResetContent" bring them to kubeflow central dashboard.
|
|
||
| // Default auth check service | ||
| func (s *authServer) ServeHTTP(w http.ResponseWriter, r *http.Request) { | ||
| log.Infof("Path check, url: %v, path: %v", r.URL, r.URL.Path) |
There was a problem hiding this comment.
Can we reject non https traffic?
We don't want user logging in if they aren't using https because that would send username/password in the clear?
There was a problem hiding this comment.
Can we only access https at gclb?
There was a problem hiding this comment.
I don't think there's any way to force GCLB to only accept https traffic. You can look at what we do in click to deploy. Basically we'd want to check if the protocol is http and then redirect to https
| if len(namepw) != 2 { | ||
| return false | ||
| } | ||
| err = bcrypt.CompareHashAndPassword([]byte(s.pwhash), []byte(namepw[1])) |
There was a problem hiding this comment.
So CompareHashAndPassword returns error if they don't match?
| // auth with cookie | ||
| func (s *authServer) authCookie(r *http.Request) bool { | ||
| if cookie, err := r.Cookie(CookieName); err == nil { | ||
| if val, ok := s.cookies[cookie.Value]; ok { |
There was a problem hiding this comment.
What prevents someone from spoofing a cookie?
There was a problem hiding this comment.
SameSite: http.SameSiteStrictMode
We restrict the cookie so can only be used for same site.
Should we encrypt value as well?
There was a problem hiding this comment.
You mean with bcrypt? So we only keep track of the encrypted value?
There was a problem hiding this comment.
Yes, server side only keep encrypted password hash.
There was a problem hiding this comment.
If its not too difficult I think that would be valuable; for the same reason its valuable with the password.
| defer s.serverMux.Unlock() | ||
| // Cookie expire after 12 hours | ||
| log.Info("cookie set: set new cookie value!") | ||
| s.cookies[cookieVal] = time.Now().Add(12 * time.Hour) |
There was a problem hiding this comment.
So the cookie is stored in memory, so if the pod is restarted the cookie will no longer be valid. Will we automatically redirect user to log back in?
There was a problem hiding this comment.
Yes, all unauth access end up redirect to login.
There was a problem hiding this comment.
Might be worth a P2 issue to fix in a follow up.
|
Thanks this looks great. |
|
Will LetsEncrypt be an issue? Do we need to allow for the ACME challenge? On GCP one option would be to migrate to Managed Certificates. |
|
|
||
| }, | ||
| spec: { | ||
| replicas: 1, |
There was a problem hiding this comment.
Add a comment here explaining this should always be 1 because the cookie is stored in memory so if we use more than 1 replica we will have problems because not all replicas will have the cookie.
|
On second thought I don't think LetsEncrypt is an issue because it adds a separate path to the ingress. I had one more comment about adding a comment about number of replicas; otherwise this is good to go. |
There was a problem hiding this comment.
Reviewed 1 of 5 files at r1, 1 of 5 files at r2, 4 of 8 files at r3, 1 of 2 files at r4, 2 of 2 files at r5, 1 of 1 files at r6.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @abhi-g, @ellis-bigelow, and @kunmingg)
components/gatekeeper/auth/AuthServer.go, line 122 at r4 (raw file):
Previously, jlewi (Jeremy Lewi) wrote…
If its not too difficult I think that would be valuable; for the same reason its valuable with the password.
Created #2341 for this
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jlewi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
* [WIP] basic auth service * complete cookie setting and auth logic * fmt * add ksonnet lib; fix bugs * corrent redirect; update image * address review feedbacks * update comments
* [WIP] basic auth service * complete cookie setting and auth logic * fmt * add ksonnet lib; fix bugs * corrent redirect; update image * address review feedbacks * update comments
Backend part.
And Frontend Part is: #2316
Test passed, ready to merge.
fix #2147
fix #2148
fix #2149
This change is