Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dashboard: support token #1188

Merged
merged 52 commits into from
Dec 4, 2020
Merged

dashboard: support token #1188

merged 52 commits into from
Dec 4, 2020

Conversation

WangXiangUSTC
Copy link
Contributor

@WangXiangUSTC WangXiangUSTC commented Nov 19, 2020
edited by g1eny0ung
Loading

What problem does this PR solve?

RFC: https://github.com/chaos-mesh/rfcs/blob/main/text/2020-10-22-authn-and-authz-on-chaos-dashboard.md

Resolve #1092

Chaos can be created and deleted by anyone who has access to the dashboard, and the authority of the dashboard is very high, which means the Dashboard is a big security hazard.

The dashboard should use the k8s client with a token to visit the k8s cluster, and the token is provided by the user in the dashboard frontend. Users can only do chaos which is allowed by the token generated by the service account.

What is changed and how does it work?

  • Add a k8s client pool implement by LRU, and it will save several clients in the cache.
  • HTTP API will extract the token and get k8s client from the client pool.
  • The dashboard will be prompt you to add a token when first open.
  • Support token switching in the dashboard.
  • Support namespace switching in the dashboard.

Checklist

Tests

  • Unit test
  • E2E test
  • Manual test (add detailed scripts or steps below)
  • No code

Side effects

  • Breaking backward compatibility

Related changes

  • Need to update the documentation

Does this PR introduce a user-facing change?

image

image

WangXiangUSTC and others added 30 commits October 27, 2020 18:25
@WangXiangUSTC
test
592c2fd 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
add k8s client pool
c987106 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
add unit test
69ae74d 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
minor update
c2daaa9 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
minor update
e174618 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
Merge branch 'master' into xiang/dashboard
a022253
@WangXiangUSTC
fix test
2b333ce 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
fix check
8be46db 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
update ci
0acefdf 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
fix check
b78e216 
Signed-off-by: xiang <[email protected]>
feat: add token support
f87600a 
Signed-off-by: wanyoulc <[email protected]>
@WangXiangUSTC
use k8s client with token
3601352 
Signed-off-by: xiang <[email protected]>
Merge branch 'add-auth-in-dashboard' into dashboard_token_test
7b83c48
@WangXiangUSTC
use local k8s client for list namespace
88617c9 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
add scheme for k8s client
402e080 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
return no cluster privilege
6af3d9f 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
minor fix
d54de84 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
Revert "minor fix"
096f9cc 
This reverts commit d54de84.
@WangXiangUSTC
set tls Insecure: true
7966fae 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
minor fix
f379b1d 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
add parameter namespace in /experiments/state
4851c2f 
Signed-off-by: xiang <[email protected]>
feat: allow user to select privileged namespace
c04d2e5 
Signed-off-by: wanyoulc <[email protected]>
@WangXiangUSTC
minor update
1075dd2 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
add error ErrNoNamespacePrivilege
5ed8c00 
Signed-off-by: xiang <[email protected]>
chore: add support for no_namespace_privilege error code
dc11ab0 
Signed-off-by: wanyoulc <[email protected]>
chore: delete unused code
a4ba917 
Signed-off-by: wanyoulc <[email protected]>
chore: delete unused code
0b73575 
Signed-off-by: wanyoulc <[email protected]>
fix: add axios interceptor for specified URL
b5d6d7d 
Signed-off-by: wanyoulc <[email protected]>
@g1eny0ung @ti-srebot @WangXiangUSTC
fix: missing experiment status (#1144)
0175582 
* fix: experiment status

Signed-off-by: Yue Yang <[email protected]>

* chore: use in.Status directly

Signed-off-by: Yue Yang <[email protected]>

* chore: address comments

Signed-off-by: Yue Yang <[email protected]>

Co-authored-by: ti-srebot <[email protected]>
@g1eny0ung
chore: allow close namespace dialog temporarily
4908b52 
Signed-off-by: Yue Yang <[email protected]>
STRRL
STRRL requested changes Dec 1, 2020
View reviewed changes
Copy link
Member

@STRRL STRRL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rest LGTM

pkg/clientpool/client.go Outdated Show resolved Hide resolved
pkg/collector/server.go Outdated Show resolved Hide resolved
@WangXiangUSTC
address comment
3fe6988 
Signed-off-by: xiang <[email protected]>
@WangXiangUSTC
Copy link
Contributor Author

@STRRL all comment addressed, PTAL again

STRRL
STRRL previously approved these changes Dec 1, 2020
View reviewed changes
Copy link
Member

@STRRL STRRL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@fewdan
Copy link
Member

fewdan commented Dec 2, 2020

It looks like you need to deal with the conflict.

@WangXiangUSTC
Copy link
Contributor Author

It looks like you need to deal with the conflict.

conflict resolved, PTAL again @fewdan

fewdan
fewdan previously approved these changes Dec 3, 2020
View reviewed changes
Copy link
Member

@fewdan fewdan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@WangXiangUSTC
remove debug code
e30abf9 
Signed-off-by: xiang <[email protected]>
STRRL
STRRL reviewed Dec 4, 2020
View reviewed changes
pkg/collector/collector.go Outdated Show resolved Hide resolved
STRRL
STRRL approved these changes Dec 4, 2020
View reviewed changes
Copy link
Member

@STRRL STRRL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

fewdan
fewdan approved these changes Dec 4, 2020
View reviewed changes
Copy link
Member

@fewdan fewdan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@WangXiangUSTC
Copy link
Contributor Author

/merge

@ti-srebot
Copy link
Contributor

Your auto merge job has been accepted, waiting for:

  • 1236
  • 1236

@ti-srebot
Copy link
Contributor

/run-all-tests

@ti-srebot
Copy link
Contributor

@WangXiangUSTC merge failed.

@WangXiangUSTC WangXiangUSTC merged commit 379631f into master Dec 4, 2020
@WangXiangUSTC WangXiangUSTC deleted the dashboard_token_test branch December 4, 2020 03:50
@WangXiangUSTC WangXiangUSTC mentioned this pull request Dec 4, 2020
Closed
STRRL pushed a commit to STRRL/chaos-mesh that referenced this pull request Dec 15, 2020
@WangXiangUSTC @STRRL
dashboard: support token (chaos-mesh#1188)
c470295 
Signed-off-by: xiang <[email protected]>

Signed-off-by: wanyoulc <[email protected]>

Signed-off-by: Yue Yang <[email protected]>
Signed-off-by: STRRL <[email protected]>
@dcalvin dcalvin mentioned this pull request Feb 5, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fewdan fewdan fewdan approved these changes

@STRRL STRRL STRRL approved these changes

Assignees
No one assigned
Labels
component/dashboard status/can-merge status/LGT2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

dashboard support authority management
6 participants
@WangXiangUSTC @codecov-io @fewdan @ti-srebot @STRRL @g1eny0ung