
Authentication Support (bb-storage issue, closed, 7 comments)

buildbarn avatar buildbarn commented on June 11, 2024
Authentication Support

from bb-storage.

Comments (7)

t-chaik avatar t-chaik commented on June 11, 2024

@EdSchouten: I'd like to give this a try but would like to agree on a few things with you before writing any code.

Here is the list of tasks I can think of:

  1. Add support for TLS connections.
  2. Introduce an authentication check mechanism.
  3. Implement JWT token validation and caching.

For task 1, we'll need to decide how we want to specify the server key/cert file pair. Should we add CLI options?

For task 2, in Go, there seem to be two options: either use metadata.FromIncomingContext in every RPC method handler or use global interceptors. I think using interceptors is a neat way of handling this but I'd be happy to take your opinion on this. The "github.com/grpc-ecosystem/go-grpc-middleware" package provides helpers for auth. Are you fine depending on it?

For task 3, we'll have to introduce a new dependency on a JWT library I believe and thus have to decide on which one as there seem to be multiple available options. A popular choice seems to be "github.com/dgrijalva/jwt-go": MIT License, looks active. Any other option you'd prefer to use? We'll also need some configuration for the encryption type and decoding secret. Could be CLI options also, environment variables...


EdSchouten avatar EdSchouten commented on June 11, 2024

Hi Martin,

> For task 1, we'll need to decide how we want to specify the server key/cert file pair. Should we add CLI options?

Yes, that sounds like a good idea. For client-side TLS configuration, it might make more sense to configure that through Protobuf based configuration files. For example, for the grpc backend in blobstore.conf, we could add string/bytes fields to hold a client key/certificate.

> For task 2, in Go, there seem to be two options: either use metadata.FromIncomingContext in every RPC method handler or use global interceptors. I think using interceptors is a neat way of handling this but I'd be happy to take your opinion on this. The "github.com/grpc-ecosystem/go-grpc-middleware" package provides helpers for auth. Are you fine depending on it?

I'm fine with that. The Prometheus interceptors we use also come from that project. Those interceptors are only for authentication, not authorization, right? For authorization we likely want to be able to apply policies on a per-instance level as well (e.g., only allowing workers for instance=foo to write into the AC for that specific instance).

> For task 3, we'll have to introduce a new dependency on a JWT library I believe and thus have to decide on which one as there seem to be multiple available options. A popular choice seems to be "github.com/dgrijalva/jwt-go": MIT License, looks active. Any other option you'd prefer to use? We'll also need some configuration for the encryption type and decoding secret. Could be CLI options also, environment variables...

That's an interesting question. In your case you want to actually use OIDC ID tokens, hence the use of JWTs, right? Do we actually need OIDC, or would plain OAuth2 access tokens be sufficient? In case we need OIDC, the library you linked seems like a good candidate. In case we only need OAuth2, I presume golang.org/x/oauth2 is sufficient?


t-chaik avatar t-chaik commented on June 11, 2024

> For client-side TLS configuration, it might make more sense to configure that through Protobuf based configuration files. For example, for the grpc backend in blobstore.conf, we could add string/bytes fields to hold a client key/certificate.

Makes sense, let's do that.

> The Prometheus interceptors we use also come from that project. Those interceptors are only for authentication, not authorization, right?

Correct, I'm working on submitting something for authentication first. I think authorization needs some discussion/thinking and maybe some standardisation if we want interoperability.

> In your case you want to actually use OIDC ID tokens, hence the use of JWTs, right?

The OpenID Connect access tokens are either JWT token or custom formats with extra claims standardised by the OpenID Connect specification. Regular OAuth supports the same: either JWT or custom formats. Hence the need for JWT.

For now, I'm thinking of implementing only the basics: accept/reject gRPC calls based on access token validity (so nothing specific to OIDC). I'd leave the processing of authentication data (if OIDC) and authorization for a later PR if that's fine by you.

> In case we only need OAuth2, I presume golang.org/x/oauth2 is sufficient?

It seems like this only has support for the client-side workflow and does not come with a JWT encoder/decoder.

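The check t-chaik describes above (accept or reject a gRPC call from the validity of the access token it carries, with JWT validation and a cache of verified tokens) as an added Go example; this is not code from bb-storage or from either participant. It assumes HS256-signed tokens with a shared secret and uses only the standard library. Request metadata is taken as a plain map[string][]string, which is the underlying type of the metadata.MD that metadata.FromIncomingContext returns, so a unary or stream interceptor would call Authenticate with that map before dispatching to the handler. The "instance" claim (the per-instance authorization idea from the thread), the SignHS256 helper and the demo secret are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Claims is the subset of registered JWT claims checked here, plus a hypothetical "instance" claim.
type Claims struct {
	Subject  string `json:"sub"`
	Expiry   int64  `json:"exp"`
	Instance string `json:"instance,omitempty"`
}

var b64 = base64.RawURLEncoding

// HS256Authenticator accepts or rejects a call from its bearer token; verified tokens are cached until "exp".
type HS256Authenticator struct {
	Key   []byte   // HMAC secret shared with the token issuer (assumed to come from configuration)
	cache sync.Map // token string -> Claims
}

// Authenticate takes request metadata (gRPC metadata.MD is map[string][]string with lowercase keys).
func (a *HS256Authenticator) Authenticate(md map[string][]string) (Claims, error) {
	values := md["authorization"]
	if len(values) != 1 || !strings.HasPrefix(values[0], "Bearer ") {
		return Claims{}, errors.New("expected exactly one bearer authorization header")
	}
	token := strings.TrimPrefix(values[0], "Bearer ")
	now := time.Now()
	if v, ok := a.cache.Load(token); ok && now.Before(time.Unix(v.(Claims).Expiry, 0)) {
		return v.(Claims), nil // cache hit: signature already verified, token still unexpired
	}
	claims, err := a.verify(token, now)
	if err != nil {
		return Claims{}, err // only verified tokens are ever cached
	}
	a.cache.Store(token, claims)
	return claims, nil
}

func (a *HS256Authenticator) verify(token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return Claims{}, errors.New("undecodable header")
	}
	// Pin the algorithm: a verifier that lets the token pick it accepts "none" or an alg/key mismatch.
	if hdr.Alg != "HS256" {
		return Claims{}, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	mac := hmac.New(sha256.New, a.Key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if err != nil || !hmac.Equal(mac.Sum(nil), sig) { // hmac.Equal is constant-time
		return Claims{}, errors.New("invalid signature")
	}
	var claims Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return Claims{}, errors.New("undecodable claims")
	}
	if claims.Expiry == 0 || !now.Before(time.Unix(claims.Expiry, 0)) {
		return Claims{}, errors.New("token expired or has no exp claim")
	}
	return claims, nil
}

// SignHS256 mints a token so the demo can construct inputs offline; a server would only verify.
func SignHS256(claims Claims, key []byte) string {
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

func main() {
	key := []byte("constructed-demo-secret") // constructed for the demo
	auth := &HS256Authenticator{Key: key}
	token := SignHS256(Claims{Subject: "worker-1", Expiry: time.Now().Add(time.Hour).Unix(), Instance: "foo"}, key)
	fmt.Println(auth.Authenticate(map[string][]string{"authorization": {"Bearer " + token}}))
	fmt.Println(auth.Authenticate(map[string][]string{"authorization": {"Bearer " + token + "x"}}))
}
```

The returned Claims (including the constructed "instance" claim) are what a later authorization step would consume, which keeps the interceptor limited to authentication as the thread agrees. The cache is keyed by the exact token string and entries are only consulted while the token's "exp" is in the future, so a rejected or expired token never short-circuits verification.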

EdSchouten avatar EdSchouten commented on June 11, 2024

Thanks for clarifying. Sounds perfect!


t-chaik avatar t-chaik commented on June 11, 2024

Cool. Dev. branch is here by the way. I'll submit WIP PR once basics are implemented.


EdSchouten avatar EdSchouten commented on June 11, 2024

It should be possible to add custom authentication plugins now by patching up this Proto:

https://github.com/buildbarn/bb-storage/blob/master/pkg/proto/configuration/grpc/grpc.proto

And adding a corresponding Authenticator type here:

https://github.com/buildbarn/bb-storage/tree/master/pkg/grpc


EdSchouten avatar EdSchouten commented on June 11, 2024

Further issues/PRs should be filed to add support for specific authentication mechanisms (e.g., JWT). Marking this as closed.

