Comments (7)
@EdSchouten: I'd like to give this a try but would like to agree on a few things with you before writing any code.
Here is the list of tasks I can think of:
1. Add support for TLS connections.
2. Introduce an authentication check mechanism.
3. Implement JWT token validation and caching.
For task 1, we'll need to decide how we want to specify the server key/cert file pair. Should we add CLI options?
For task 2, in Go, there seem to be two options: either use metadata.FromIncomingContext in every RPC method handler or use global interceptors. I think using interceptors is a neat way of handling this but I'd be happy to take your opinion on this. The "github.com/grpc-ecosystem/go-grpc-middleware" package provides helpers for auth. Are you fine depending on it?
For task 3, we'll have to introduce a new dependency on a JWT library I believe and thus have to decide on which one as there seem to be multiple available options. A popular choice seems to be "github.com/dgrijalva/jwt-go": MIT License, looks active. Any other option you'd prefer to use? We'll also need some configuration for the encryption type and decoding secret. Could be CLI options also, environment variables...
from bb-storage.
Hi Martin,
For task 1, we'll need to decide how we want to specify the server key/cert file pair. Should we add CLI options?
Yes, that sounds like a good idea. For client-side TLS configuration, it might make more sense to configure that through Protobuf based configuration files. For example, for the grpc backend in blobstore.conf, we could add string/bytes fields to hold a client key/certificate.
For task 2, in Go, there seem to be two options: either use metadata.FromIncomingContext in every RPC method handler or use global interceptors. I think using interceptors is a neat way of handling this but I'd be happy to take your opinion on this. The "github.com/grpc-ecosystem/go-grpc-middleware" package provides helpers for auth. Are you fine depending on it?
I'm fine with that. The Prometheus interceptors we use also come from that project. Those interceptors are only for authentication, not authorization, right? For authorization we likely want to be able to apply policies on a per-instance level as well (e.g., only allowing workers for instance=foo to write into the AC for that specific instance).
For task 3, we'll have to introduce a new dependency on a JWT library I believe and thus have to decide on which one as there seem to be multiple available options. A popular choice seems to be "github.com/dgrijalva/jwt-go": MIT License, looks active. Any other option you'd prefer to use? We'll also need some configuration for the encryption type and decoding secret. Could be CLI options also, environment variables...
That's an interesting question. In your case you want to actually use OIDC ID tokens, hence the use of JWTs, right? Do we actually need OIDC, or would plain OAuth2 access tokens be sufficient? In case we need OIDC, the library you linked seems like a good candidate. In case we only need OAuth2, I presume golang.org/x/oauth2 is sufficient?
from bb-storage.
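As an added illustration of the split just agreed on (server key/cert pair from CLI options, client key/certificate as string/bytes fields in the grpc backend configuration), the Go below builds both tls.Config values from PEM bytes using only the standard library. This is example code written for this page, not code from bb-storage or from either participant: the ClientTLSFields struct, its field names and the function names are hypothetical stand-ins for whatever the Protobuf message ends up containing, and selfSignedPEM exists only so the example runs without certificate files on disk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ClientTLSFields stands in for the string/bytes fields proposed for the grpc
// backend in blobstore.conf (hypothetical names, not the project's schema).
type ClientTLSFields struct {
	ServerCertificateAuthorities []byte // PEM bundle trusted for the server
	ClientCertificate            []byte // PEM client certificate (optional, for mTLS)
	ClientPrivateKey             []byte // PEM private key matching ClientCertificate
}

// NewServerTLSConfig loads the server key/cert pair, the CLI-option side.
func NewServerTLSConfig(certPEM, keyPEM []byte) (*tls.Config, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("server key/cert pair: %w", err)
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{pair}}, nil
}

// NewClientTLSConfig turns the configuration fields into a client tls.Config.
func NewClientTLSConfig(f ClientTLSFields, serverName string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, ServerName: serverName}
	if len(f.ServerCertificateAuthorities) > 0 {
		cfg.RootCAs = x509.NewCertPool() // nil would mean "use the system roots"
		if !cfg.RootCAs.AppendCertsFromPEM(f.ServerCertificateAuthorities) {
			return nil, fmt.Errorf("server CA bundle contains no certificates")
		}
	}
	// A certificate without its key (or vice versa) is a misconfiguration: fail
	// loudly rather than silently connecting without a client identity.
	if (len(f.ClientCertificate) > 0) != (len(f.ClientPrivateKey) > 0) {
		return nil, fmt.Errorf("client certificate and private key must be set together")
	}
	if len(f.ClientCertificate) > 0 {
		pair, err := tls.X509KeyPair(f.ClientCertificate, f.ClientPrivateKey)
		if err != nil {
			return nil, fmt.Errorf("client key/cert pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// VerifyPeerPEM checks that a PEM certificate chains to pool for the given
// name and extended key usage, the same check the TLS handshake performs.
func VerifyPeerPEM(certPEM []byte, pool *x509.CertPool, dnsName string, usage x509.ExtKeyUsage) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{usage}})
	}
	return err
}

// selfSignedPEM mints a throwaway self-signed ECDSA certificate so the example
// needs no files on disk; real deployments load these bytes from configuration.
func selfSignedPEM(dnsName string, usage x509.ExtKeyUsage) ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		DNSNames:              []string{dnsName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{usage},
		BasicConstraintsValid: true,
		IsCA:                  true, // the certificate is its own trust anchor here
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}
```

Two design points worth keeping whichever configuration format wins: an empty or non-PEM CA field fails the config load instead of quietly leaving RootCAs nil (which would mean trusting the system roots), and a client certificate without its key is rejected instead of degrading to a connection with no client identity. VerifyPeerPEM is there to exercise the resulting pools: a certificate outside the configured bundle, or presented for a hostname it does not carry, is refused exactly as the handshake would refuse it.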
For client-side TLS configuration, it might make more sense to configure that through Protobuf based configuration files. For example, for the grpc backend in blobstore.conf, we could add string/bytes fields to hold a client key/certificate.
Makes sense, let's do that.
The Prometheus interceptors we use also come from that project. Those interceptors are only for authentication, not authorization, right?
Correct, I'm working on submitting something for authentication first. I think authorization needs some discussion/thinking and maybe some standardisation if we want interoperability.
In your case you want to actually use OIDC ID tokens, hence the use of JWTs, right?
The OpenID Connect access tokens are either JWT tokens or custom formats with extra claims standardised by the OpenID Connect specification. Regular OAuth supports the same: either JWT or custom formats. Hence the need for JWT.
For now, I'm thinking of implementing only the basics: accept/reject gRPC calls based on access token validity (so nothing specific to OIDC). I'd leave the processing of authentication data (if OIDC) and authorization for a later PR if that's fine by you.
In case we only need OAuth2, I presume golang.org/x/oauth2 is sufficient?
It seems like this only has support for the client-side workflow and does not come with a JWT encoder/decoder.
from bb-storage.
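An added example (not code from the thread, from bb-storage, or from the jwt-go library it mentions) of the "accept/reject based on access token validity" scope described above, using only the Go standard library. It verifies an HS256 JWT with a shared secret, enforces exp and nbf, and wraps that in an Authenticate function taking the same map[string][]string shape as grpc metadata.MD, so it is what a unary or stream interceptor would call on the result of metadata.FromIncomingContext. The Claims field set, the function names and the shared-secret scheme are assumptions; SignHS256 only exists to build test input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims holds the registered claims this checker enforces. Other payload
// content (e.g. OIDC identity claims) is left to a later authorization layer.
type Claims struct {
	Subject   string `json:"sub"`
	ExpiresAt int64  `json:"exp"`
	NotBefore int64  `json:"nbf,omitempty"`
}

type jwtHeader struct {
	Alg string `json:"alg"`
}

// ErrUnauthenticated wraps every rejection so an interceptor can map all of
// them to one gRPC status code without leaking the specific reason.
var ErrUnauthenticated = errors.New("unauthenticated")

func encodeSegment(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodeSegment(seg string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignHS256 mints a token so the example has input to verify; in a deployment
// tokens come from the identity provider and the server only verifies them.
func SignHS256(c Claims, secret []byte) string {
	hdr, _ := json.Marshal(jwtHeader{Alg: "HS256"})
	body, _ := json.Marshal(c)
	signingInput := encodeSegment(hdr) + "." + encodeSegment(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + encodeSegment(mac.Sum(nil))
}

// VerifyHS256 checks structure, algorithm, signature and time window, in that
// order, and only then returns claims the caller may rely on.
func VerifyHS256(token string, secret []byte, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("%w: malformed token", ErrUnauthenticated)
	}
	var hdr jwtHeader
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, fmt.Errorf("%w: bad header", ErrUnauthenticated)
	}
	// Pin the algorithm to the one the server is configured for; trusting the
	// token's own "alg" (including "none") is the classic JWT validation bug.
	if hdr.Alg != "HS256" {
		return nil, fmt.Errorf("%w: unsupported alg %q", ErrUnauthenticated, hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return nil, fmt.Errorf("%w: signature mismatch", ErrUnauthenticated)
	}
	// Only now are the claims trustworthy enough to be parsed and checked.
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, fmt.Errorf("%w: bad payload", ErrUnauthenticated)
	}
	// exp is mandatory: a token that never expires is not acceptable for
	// service-to-service access. nbf is optional.
	if c.ExpiresAt == 0 || !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, fmt.Errorf("%w: token expired", ErrUnauthenticated)
	}
	if c.NotBefore != 0 && now.Before(time.Unix(c.NotBefore, 0)) {
		return nil, fmt.Errorf("%w: token not yet valid", ErrUnauthenticated)
	}
	return &c, nil
}

// Authenticate is what an interceptor runs per call: grpc metadata.MD is a
// map[string][]string with lower-cased keys, so this applies to it unchanged.
func Authenticate(md map[string][]string, secret []byte, now time.Time) (*Claims, error) {
	vals := md["authorization"]
	if len(vals) != 1 {
		return nil, fmt.Errorf("%w: expected exactly one authorization header", ErrUnauthenticated)
	}
	scheme, token, ok := strings.Cut(vals[0], " ")
	if !ok || !strings.EqualFold(scheme, "Bearer") {
		return nil, fmt.Errorf("%w: expected a Bearer token", ErrUnauthenticated)
	}
	return VerifyHS256(strings.TrimSpace(token), secret, now)
}
```

Two points carry over to whichever library is eventually chosen. The accepted algorithm must come from server configuration (the "encryption type" setting mentioned in the first comment), never from the token header, or an attacker-supplied alg of none or a different key type bypasses the signature check. And if validated tokens are cached, as task 3 proposes, the cache must be bounded, keyed on the full token string and re-check exp on every hit: caching a verification result must never extend the token's lifetime.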
Thanks for clarifying. Sounds perfect!
from bb-storage.
Cool. Dev. branch is here by the way. I'll submit a WIP PR once the basics are implemented.
from bb-storage.
It should be possible to add custom authentication plugins now by patching up this Proto:
https://github.com/buildbarn/bb-storage/blob/master/pkg/proto/configuration/grpc/grpc.proto
And adding a corresponding Authenticator type here:
https://github.com/buildbarn/bb-storage/tree/master/pkg/grpc
from bb-storage.
Further issues/PRs should be filed to add support for specific authentication mechanisms (e.g., JWT). Marking this as closed.
from bb-storage.