Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authenticate method improvements #15734

Merged
merged 4 commits into from
Jan 10, 2023
Merged

Authenticate method improvements #15734

merged 4 commits into from
Jan 10, 2023

Conversation

tgross
Copy link
Member

@tgross tgross commented Jan 9, 2023
edited
Loading

This changeset covers a sidebar discussion that @schmichael and I had around the
design for pre-forwarding auth. This includes some changes extracted out of
#15513 to make it easier to review both and leave a clean history.

  • Remove fast path for NodeID: Previously-connected clients will have a NodeID
    set on the context, and because this is a large portion of the RPCs sent we
    fast-pathed it at the top of the Authenticate method. But the context is
    shared for all yamux streams over the same yamux session (and TCP
    connection). This lets an authenticated HTTP request to a client use the NodeID
    for authentication, which is a privilege escalation. Remove the fast path and
    annotate it so that we don't break it again.

  • Add context to decisions. The Authenticate method taken on its own looks
    like it wants to return an acl.ACL that folds over all the various identity
    types (creating an ephemeral ACL on the fly if neccessary). But keeping these
    fields idependent allows RPC handlers to differentiate between internal and
    external origins so we most likely want to avoid this. Leave some docstrings as
    a warning as to why this is built the way it is.

  • Mutate the request rather than returning a value. When reviewing implement pre-forwarding auth on select RPCs #15513 we
    decided that forcing the request handler to call SetIdentity was repetitive
    and error prone. Instead, the Authenticate method mutates the request by
    setting its AuthenticatedIdentity.

I'm marking folks other than @schmichael for review on this as he's discussed these changes with me already but isn't going to be available for a review this week, so spreading the design decisions around seems like a good idea.

tgross added 2 commits January 9, 2023 14:53
@tgross
authenticate: remove fast path for NodeID
c09af84 
Previously-connected clients will have a NodeID set on the context, and because
this is a large portion of the RPCs sent we fast-pathed it at the top of the
`Authenticate` method. But the context is shared for all yamux streams over the
same yamux session (and TCP connection). This lets an authenticated HTTP request
to a client use the NodeID for authentication, which is a privilege
escalation. Remove the fast path and annotate it so that we don't break it
again.
@tgross
authenticate: add context to decisions around AuthenticatedIdentity
4813785 
The `Authenticate` method taken on its own looks like it wants to return an
`acl.ACL` that folds over all the various identity types (creating an ephemeral
ACL on the fly if neccessary). But keeping these fields idependent allows RPC
handlers to differentiate between internal and external origins so we most
likely want to avoid this. Leave some docstrings as a warning as to why this is
built the way it is.
@tgross tgross requested a review from jrasell January 9, 2023 20:26
@tgross tgross requested a review from shoenig January 9, 2023 20:26
@tgross tgross added this to the 1.5.0 milestone Jan 9, 2023
@tgross tgross mentioned this pull request Jan 9, 2023
Merged
@tgross
authenticate: mutate the request rather than returning
f763920 
When reviewing #15513 we decided that forcing the request handler to call
`SetIdentity` was repetitive and error prone. Instead, the `Authenticate` method
mutates the request by setting its `AuthenticatedIdentity`.
@tgross tgross force-pushed the f-authenticate-identity branch from 5a9c2ef to f763920 Compare January 9, 2023 20:54
shoenig
shoenig approved these changes Jan 9, 2023
View reviewed changes
Copy link
Contributor

@shoenig shoenig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

jrasell
jrasell approved these changes Jan 10, 2023
View reviewed changes
Copy link
Member

@jrasell jrasell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

nomad/acl.go Outdated Show resolved Hide resolved
@tgross @jrasell
Update nomad/acl.go
05ced09 
Co-authored-by: James Rasell <[email protected]>
@tgross tgross merged commit cab35b3 into main Jan 10, 2023
@tgross tgross deleted the f-authenticate-identity branch January 10, 2023 14:46
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@shoenig shoenig shoenig approved these changes

@jrasell jrasell jrasell approved these changes

Assignees
No one assigned
Labels
theme/auth
Projects
None yet
Milestone
1.5.0
Development

Successfully merging this pull request may close these issues.
3 participants
@tgross @shoenig @jrasell