-
Notifications
You must be signed in to change notification settings - Fork 117
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support function authentication with OpenFaaS IAM #158
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
alexellis
reviewed
May 9, 2024
welteki
force-pushed
the
jwt-permissions-auth
branch
from
May 14, 2024 11:22
973c5e1
to
fdb1f4f
Compare
Compare the auth permissions in the function claim with the function name and namespace the verify if the provided JWT token is authorized to invoke the function. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
Read the function namespace from the OPENFAAS_NAMESPACE env variable. Fallback to getting the nemsapce from the service account if the variable is not present. Required setting the namespace when running functions locally with jwt_auth. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
welteki
force-pushed
the
jwt-permissions-auth
branch
from
May 16, 2024 10:45
fdb1f4f
to
7645ca4
Compare
Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
welteki
force-pushed
the
jwt-permissions-auth
branch
2 times, most recently
from
May 29, 2024 08:42
2219821
to
a6e9140
Compare
alexellis
reviewed
Jun 17, 2024
@@ -474,3 +495,26 @@ func (nc *WriterCounter) Write(p []byte) (int, error) { | |||
nc.bytes += int64(n) | |||
return n, err | |||
} | |||
|
|||
func getFnName() (string, error) { | |||
name, ok := os.LookupEnv("OPENFAAS_NAME") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should faas-cli local-run
inject this variable then? I don't think it does presently.
cc @rgee0
Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
welteki
force-pushed
the
jwt-permissions-auth
branch
from
June 17, 2024 09:31
a6e9140
to
d283e2d
Compare
alexellis
approved these changes
Jun 17, 2024
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
If JWT authentication is enabled by setting the env variable
jwt_auth: true
in thestack.yml
file the watchdog requires an OpenFaaS function token for request authentication.Authentication tokens can be optioned through OpenFaaS IAM.
The watchdog verifies the token is valid and checks of an actor is authorized to invoke the function by looking at the
function
claim in the token and validating the permissions.Motivation and Context
Support IAM authentication for functions.
How Has This Been Tested?
Unit tests were added.
Changes have been tested by running the watchdog locally and invoking it with and without a function token.
During these test the
OPENFAAS_NAME
andOPENFAAS_NAMESPACE
env variable were changed to simulate different functions in multiple namespaces.Changes have been tested E2E in cluster with the updated oidc-provider.
Types of changes
Checklist:
git commit -s