Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

credentials validation #1156

Merged
merged 2 commits into from
Feb 14, 2019
Merged

credentials validation #1156

merged 2 commits into from
Feb 14, 2019

Conversation

joelddiaz
Copy link
Contributor

do a pre-flight check of permissions using cloud-credentials-operator validation to do a check on the creds being used for installation

the initial list of permissions that gathers the AWS actions needed to perform an installation are taken verbatim from the IAM group permissions the hive team has been using to perform installation/uninstallation with (there absolutely could be some excess actions that used to be needed, but may no longer be needed)

note that the permissions checks are done with the assumption of IAM policies consisting of 'Resource: "*"'. so a list of ["ec2:CreateRoute", "ec2:CreateSubnet"] is evaluated as whether we can peform

{
    "Statement": [
        {
            "Action": [
                "ec2:CreateRoute",
                "ec2:CreateSubnet"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

@openshift-ci-robot openshift-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jan 30, 2019
@joelddiaz joelddiaz force-pushed the creds-validation branch 2 times, most recently from cc3089f to 85eb699 Compare January 31, 2019 13:48
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 31, 2019
@joelddiaz
Copy link
Contributor Author

@abhinavdahiya @wking this is the direction i'm heading with this credential validation work. what do you think?
also, that static list of aws actions is probably worth a review with someone familiar with the installer's needs

wking
wking reviewed Jan 31, 2019
View reviewed changes
Copy link
Member

@wking wking left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The approach looks good to me. I've left a few minor nits inline.

Gopkg.lock Show resolved Hide resolved
pkg/asset/installconfig/platformcredscheck.go Outdated Show resolved Hide resolved
pkg/asset/installconfig/platformcredscheck.go Outdated
// EC2 related perms
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AssociateDhcpOptions",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ugh :p. I think annotating our calls with something like 2658145 would be a more sustainable approach towards maintaining this slice. But hard-coding is fine in the short-term.

pkg/asset/installconfig/platformcredscheck.go Outdated Show resolved Hide resolved
pkg/asset/installconfig/platformcredscheck.go Outdated Show resolved Hide resolved
pkg/asset/installconfig/platformcredscheck.go Outdated Show resolved Hide resolved
pkg/asset/installconfig/platformcredscheck.go Outdated
logger := logrus.New()
awsClient, err := ccaws.NewClient([]byte(creds.AccessKeyID), []byte(creds.SecretAccessKey))
if err != nil {
return fmt.Errorf("error building aws client to check credentials against: %v", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we generally use errors.Errorf instead of fmt.Errorf.

pkg/asset/installconfig/platformcredscheck.go Outdated
return fmt.Errorf("error checking whether we have enough permissions to install: %v", err)
}
if !canInstall {
return fmt.Errorf("current credentials insufficient for performing cluster installation")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: this doesn't need string formatting, so it should use errors.New.

pkg/asset/installconfig/platformcredscheck.go Outdated
}

logger := logrus.New()
awsClient, err := ccaws.NewClient([]byte(creds.AccessKeyID), []byte(creds.SecretAccessKey))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: client is probably sufficiently unique for validateAWSCreds.

@joelddiaz
Copy link
Contributor Author

@wking broke out the vendor into its own commit, and addressed the feedback

staebler
staebler reviewed Feb 4, 2019
View reviewed changes
pkg/asset/installconfig/platformcredscheck.go Outdated
@@ -36,6 +36,7 @@ func (a *PlatformCredsCheck) Generate(dependencies asset.Parents) error {
switch platform {
case aws.Name:
_, err = awsconfig.GetSession()
err = awsconfig.ValidateAWSCreds()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will swallow any error from the call to awsconfig.GetSession.

pkg/asset/installconfig/aws/permissions.go Outdated
)

var installPermissionsAWS = []string{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The AWS part of installPermissionsAWS is redundant with the package.

pkg/asset/installconfig/aws/permissions.go Outdated
// are sufficient to perform an installation, and that they can be used for cluster runtime
// as either capable of creating new credentials for components that interact with the cloud or
// being able to be passed through as-is to the components that need cloud credentials
func ValidateAWSCreds() error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The AWS part of ValidateAWSCreds is redundant with the package.

pkg/asset/installconfig/aws/permissions.go Outdated
// as either capable of creating new credentials for components that interact with the cloud or
// being able to be passed through as-is to the components that need cloud credentials
func ValidateAWSCreds() error {
ssn, err := GetSession()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you should pass in the session as a parameter to ValidateAWSCreds. This will (1) fit in better with the long-term plans of getting the session from an asset in the store and (2) consolidate the 2 calls to GetSession in PlatformCredsChecker.Generate into a single call.

@joelddiaz
Copy link
Contributor Author

@staebler thanks for the review. i've fixed the swallowing of the err and made the other changes as requested

wking
wking reviewed Feb 4, 2019
View reviewed changes
pkg/asset/installconfig/aws/permissions.go Outdated

client, err := ccaws.NewClient([]byte(creds.AccessKeyID), []byte(creds.SecretAccessKey))
if err != nil {
return fmt.Errorf("error building aws client to check credentials against: %v", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be errors.Errorf, and once you make that change you can drop the fmt import.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, no, you're adding context to an existing error. It should be:

return errors.Wrap(err, "initialize cloud-credentials client")

The "to check credentials" bit should be addressed at the call-site in platformcredscheck.go, with something like:

ssn, err := awsconfig.GetSession()
if err != nil {
  return err
}
err = awsconfig.ValidateCreds(ssn)
if err != nil {
  return errors.Wrap(err, "validate AWS credentials")
}

wking
wking reviewed Feb 4, 2019
View reviewed changes
pkg/asset/installconfig/aws/permissions.go Outdated
logger := logrus.New()
canInstall, err := credvalidator.CheckPermissionsAgainstActions(client, installPermissions, logger)
if err != nil {
return errors.Errorf("error checking whether we have enough permissions to install: %v", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for my poor earlier advice. When you have an error, you should use errors.Wrap (or Wrapf), not Errorf). See here. This applies to some of your other error-handling blocks as well.

staebler
staebler reviewed Feb 4, 2019
View reviewed changes
pkg/asset/installconfig/platformcredscheck.go
if err != nil {
return err
}
err = awsconfig.ValidateCreds(ssn)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sets the err variable local to this case and not the err variable that is returned from the Generate function. In other words, errors from awsconfig.ValidateCreds will be ignored.

Personally, I would much rather see each of these cases check err and return when there is an error within the case block rather than fill out a shared err variable that is returned at the end of the function.

@joelddiaz
Copy link
Contributor Author

@wking now using the errors.Wrap() where appropriate (tricky behavior when err is actually nil!!)

@staebler fixed the silly error assignment issue with the most recent push

staebler
staebler reviewed Feb 5, 2019
View reviewed changes
pkg/asset/installconfig/aws/permissions.go Outdated
func ValidateCreds(ssn *session.Session) error {
creds, err := ssn.Config.Credentials.Get()
if err != nil {
return err
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wrap this error, too.

pkg/asset/installconfig/platformcredscheck.go Outdated
_, err = awsconfig.GetSession()
ssn, err := awsconfig.GetSession()
if err != nil {
return err
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wrap this error, too, while we're here.

@joelddiaz joelddiaz force-pushed the creds-validation branch 2 times, most recently from 008dc44 to f80230b Compare February 5, 2019 20:01
@joelddiaz
Copy link
Contributor Author

/retest

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 6, 2019
edited
Loading

@joelddiaz: The following tests failed, say /retest to rerun them all:

Test name Commit Details Rerun command
ci/prow/e2e-libvirt 170d41d link /test e2e-libvirt
ci/prow/e2e-openstack 170d41d link /test e2e-openstack
ci/prow/launch-aws 170d41d link /test launch-aws

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-ci-robot openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 9, 2019
@joelddiaz
Copy link
Contributor Author

/test e2e-aws

@openshift-ci-robot openshift-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Feb 11, 2019
@joelddiaz
Copy link
Contributor Author

@wking @staebler what's the next step for this PR (besides un-WIP)?

@staebler
Copy link
Contributor

@wking @staebler what's the next step for this PR (besides un-WIP)?

The works looks good to me. Does this need a feature exception?

@joelddiaz joelddiaz changed the title WIP: credentials validation credentials validation Feb 13, 2019
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 13, 2019
@joelddiaz
Copy link
Contributor Author

/hold

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 14, 2019
@joelddiaz
Copy link
Contributor Author

@staebler @wking we've got the exception request +1d now

Joel Diaz added 2 commits February 14, 2019 14:51
vendor openshift/cloud-credential-operator
c108005 
will use pieces from the repo for credential validation

put some dummy imports in pkg/asset/installconfig/aws/permissions.go

then run: dep ensure (version 0.5.0)
add credential validation
818b350 
do a pre-flight check of permissions using cloud-credentials-operator validation to do a check on the creds being used for installation

the initial list of permissions that gathers the AWS actions needed to perform an installation are taken verbatim from the IAM group permissions the hive team has been using to perform installation/uninstallation with (there absolutely could be some excess actions that used to be needed, but may no longer be needed)

note that the permissions checks are done with the assumption of IAM policies consisting of 'Resource: "*"'. so a list of ["ec2:CreateRoute", "ec2:CreateSubnet"] is evaluated as whether we can peform

`
{
    "Statement": [
        {
            "Action": [
                "ec2:CreateRoute",
                "ec2:CreateSubnet"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
`
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 14, 2019
@staebler
Copy link
Contributor

/hold cancel
/lgtm

@openshift-ci-robot openshift-ci-robot added lgtm Indicates that a PR is ready to be merged. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Feb 14, 2019
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: joelddiaz, staebler

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 14, 2019
@openshift-merge-robot openshift-merge-robot merged commit 628cb94 into openshift:master Feb 14, 2019
@joelddiaz joelddiaz mentioned this pull request Apr 4, 2019
Closed
@joelddiaz joelddiaz deleted the creds-validation branch January 6, 2020 15:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wking wking wking left review comments

@staebler staebler staebler left review comments

@aaronlevy aaronlevy Awaiting requested review from aaronlevy

@flaper87 flaper87 Awaiting requested review from flaper87

Assignees

@staebler staebler

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@joelddiaz @openshift-ci-robot @staebler @wking @openshift-merge-robot