Support not creating non-existing users (#416)
* Support disabling user creation for OAuth

* Add test cases

* Remove trailing linebreak diff

* Remove trailing linebreak diff
l0kix2 authored Jan 10, 2025
1 parent 240ae10 commit a8da302
Showing 10 changed files with 374 additions and 9 deletions.
2 changes: 2 additions & 0 deletions api/v1/ytsaurus_types.go
Expand Up @@ -227,6 +227,8 @@ type OauthServiceSpec struct {
//+kubebuilder:default:=false
Secure bool `json:"secure,omitempty"`
UserInfo OauthUserInfoHandlerSpec `json:"userInfoHandler,omitempty"`
// If DisableUserCreation is set, proxies will NOT create non-existing users with OAuth authentication.
DisableUserCreation *bool `json:"disableUserCreation,omitempty"`
}

type HealthcheckProbeParams struct {
5 changes: 5 additions & 0 deletions api/v1/zz_generated.deepcopy.go


4 changes: 4 additions & 0 deletions config/crd/bases/cluster.ytsaurus.tech_ytsaurus.yaml
Expand Up @@ -14893,6 +14893,10 @@ spec:
type: object
oauthService:
properties:
disableUserCreation:
description: If DisableUserCreation is set, proxies will NOT create
non-existing users with O
type: boolean
host:
minLength: 1
type: string
1 change: 1 addition & 0 deletions docs/api.md
Expand Up @@ -1047,6 +1047,7 @@ _Appears in:_
| `port` _integer_ | | 80 | |
| `secure` _boolean_ | | false | |
| `userInfoHandler` _[OauthUserInfoHandlerSpec](#oauthuserinfohandlerspec)_ | | | |
| `disableUserCreation` _boolean_ | If DisableUserCreation is set, proxies will NOT create non-existing users with OAuth authentication. | | |


#### OauthUserInfoHandlerSpec
@@ -0,0 +1,155 @@
{
"address_resolver"={
"enable_ipv4"=%true;
"enable_ipv6"=%false;
retries=1000;
};
"solomon_exporter"={
host="{POD_SHORT_HOSTNAME}";
"instance_tags"={
pod="{K8S_POD_NAME}";
};
};
logging={
writers={
info={
type=file;
"file_name"="/var/log/http-proxy.info.log";
format="plain_text";
"enable_system_messages"=%true;
};
stderr={
type=stderr;
format="plain_text";
"enable_system_messages"=%true;
};
};
rules=[
{
"min_level"=info;
writers=[
info;
];
family="plain_text";
};
{
"min_level"=error;
writers=[
stderr;
];
family="plain_text";
};
];
"flush_period"=3000;
};
"monitoring_port"=10016;
"rpc_port"=9016;
"timestamp_provider"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
};
"cluster_connection"={
"cluster_name"=test;
"primary_master"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
peers=[
{
address="ms-test-0.masters-test.fake.svc.fake.zone:9010";
voting=%true;
};
];
"cell_id"="65726e65-ad6b7562-259-79747361";
};
"discovery_connection"={
addresses=[
"ds-test-0.discovery-test.fake.svc.fake.zone:9020";
"ds-test-1.discovery-test.fake.svc.fake.zone:9020";
"ds-test-2.discovery-test.fake.svc.fake.zone:9020";
];
};
"master_cache"={
addresses=[
"msc-test-0.master-caches-test.fake.svc.fake.zone:9018";
"msc-test-1.master-caches-test.fake.svc.fake.zone:9018";
"msc-test-2.master-caches-test.fake.svc.fake.zone:9018";
];
"cell_id"="65726e65-ad6b7562-259-79747361";
"enable_master_cache_discovery"=%false;
};
};
"cypress_annotations"={
"k8s_node_name"="{K8S_NODE_NAME}";
"k8s_pod_name"="{K8S_POD_NAME}";
"k8s_pod_namespace"="{K8S_POD_NAMESPACE}";
"physical_host"="{K8S_NODE_NAME}";
};
port=80;
auth={
"cypress_cookie_manager"={
};
"cypress_user_manager"={
};
"cypress_token_authenticator"={
secure=%true;
};
"oauth_service"={
host="oauth-host";
port=433;
secure=%true;
"user_info_endpoint"="user-info-endpoint";
"user_info_login_field"=login;
"login_transformations"=[
{
"match_pattern"="(.*)@ytsaurus.team";
replacement="\\1";
};
];
};
"oauth_cookie_authenticator"={
"create_user_if_not_exists"=%false;
};
"oauth_token_authenticator"={
"create_user_if_not_exists"=%false;
};
"require_authentication"=%true;
};
coordinator={
enable=%true;
"default_role_filter"=default;
};
driver={
"timestamp_provider"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
};
"primary_master"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
peers=[
{
address="ms-test-0.masters-test.fake.svc.fake.zone:9010";
voting=%true;
};
];
"cell_id"="65726e65-ad6b7562-259-79747361";
};
};
role=control;
"https_server"={
port=443;
credentials={
"cert_chain"={
"file_name"="/tls/https_secret/tls.crt";
};
"private_key"={
"file_name"="/tls/https_secret/tls.key";
};
"update_period"=60000;
};
};
}
@@ -0,0 +1,155 @@
{
"address_resolver"={
"enable_ipv4"=%true;
"enable_ipv6"=%false;
retries=1000;
};
"solomon_exporter"={
host="{POD_SHORT_HOSTNAME}";
"instance_tags"={
pod="{K8S_POD_NAME}";
};
};
logging={
writers={
info={
type=file;
"file_name"="/var/log/http-proxy.info.log";
format="plain_text";
"enable_system_messages"=%true;
};
stderr={
type=stderr;
format="plain_text";
"enable_system_messages"=%true;
};
};
rules=[
{
"min_level"=info;
writers=[
info;
];
family="plain_text";
};
{
"min_level"=error;
writers=[
stderr;
];
family="plain_text";
};
];
"flush_period"=3000;
};
"monitoring_port"=10016;
"rpc_port"=9016;
"timestamp_provider"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
};
"cluster_connection"={
"cluster_name"=test;
"primary_master"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
peers=[
{
address="ms-test-0.masters-test.fake.svc.fake.zone:9010";
voting=%true;
};
];
"cell_id"="65726e65-ad6b7562-259-79747361";
};
"discovery_connection"={
addresses=[
"ds-test-0.discovery-test.fake.svc.fake.zone:9020";
"ds-test-1.discovery-test.fake.svc.fake.zone:9020";
"ds-test-2.discovery-test.fake.svc.fake.zone:9020";
];
};
"master_cache"={
addresses=[
"msc-test-0.master-caches-test.fake.svc.fake.zone:9018";
"msc-test-1.master-caches-test.fake.svc.fake.zone:9018";
"msc-test-2.master-caches-test.fake.svc.fake.zone:9018";
];
"cell_id"="65726e65-ad6b7562-259-79747361";
"enable_master_cache_discovery"=%false;
};
};
"cypress_annotations"={
"k8s_node_name"="{K8S_NODE_NAME}";
"k8s_pod_name"="{K8S_POD_NAME}";
"k8s_pod_namespace"="{K8S_POD_NAMESPACE}";
"physical_host"="{K8S_NODE_NAME}";
};
port=80;
auth={
"cypress_cookie_manager"={
};
"cypress_user_manager"={
};
"cypress_token_authenticator"={
secure=%true;
};
"oauth_service"={
host="oauth-host";
port=433;
secure=%true;
"user_info_endpoint"="user-info-endpoint";
"user_info_login_field"=login;
"login_transformations"=[
{
"match_pattern"="(.*)@ytsaurus.team";
replacement="\\1";
};
];
};
"oauth_cookie_authenticator"={
"create_user_if_not_exists"=%true;
};
"oauth_token_authenticator"={
"create_user_if_not_exists"=%true;
};
"require_authentication"=%true;
};
coordinator={
enable=%true;
"default_role_filter"=default;
};
driver={
"timestamp_provider"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
};
"primary_master"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
peers=[
{
address="ms-test-0.masters-test.fake.svc.fake.zone:9010";
voting=%true;
};
];
"cell_id"="65726e65-ad6b7562-259-79747361";
};
};
role=control;
"https_server"={
port=443;
credentials={
"cert_chain"={
"file_name"="/tls/https_secret/tls.crt";
};
"private_key"={
"file_name"="/tls/https_secret/tls.key";
};
"update_period"=60000;
};
};
}
30 changes: 23 additions & 7 deletions pkg/ytconfig/generator.go
Expand Up @@ -495,10 +495,17 @@ func (g *Generator) getRPCProxyConfigImpl(spec *ytv1.RPCProxiesSpec) (RPCProxySe

g.fillCommonService(&c.CommonServer, &spec.InstanceSpec)

if g.ytsaurus.Spec.OauthService != nil {
c.OauthService = ptr.To(getOauthService(*g.ytsaurus.Spec.OauthService))
oauthService := g.ytsaurus.Spec.OauthService
if oauthService != nil {
c.OauthService = ptr.To(getOauthService(*oauthService))
c.CypressUserManager = CypressUserManager{}
c.OauthTokenAuthenticator = &OauthTokenAuthenticator{}
var createUserIfNotExist *bool
if oauthService.DisableUserCreation != nil {
createUserIfNotExist = ptr.To(!*oauthService.DisableUserCreation)
}
c.OauthTokenAuthenticator = &OauthTokenAuthenticator{
CreateUserIfNotExists: createUserIfNotExist,
}
c.RequireAuthentication = ptr.To(true)
}

Expand Down Expand Up @@ -670,10 +677,19 @@ func (g *Generator) getHTTPProxyConfigImpl(spec *ytv1.HTTPProxiesSpec) (HTTPProx
g.fillCommonService(&c.CommonServer, &spec.InstanceSpec)
g.fillBusServer(&c.CommonServer, spec.NativeTransport)

if g.ytsaurus.Spec.OauthService != nil {
c.Auth.OauthService = ptr.To(getOauthService(*g.ytsaurus.Spec.OauthService))
c.Auth.OauthCookieAuthenticator = &OauthCookieAuthenticator{}
c.Auth.OauthTokenAuthenticator = &OauthTokenAuthenticator{}
oauthService := g.ytsaurus.Spec.OauthService
if oauthService != nil {
c.Auth.OauthService = ptr.To(getOauthService(*oauthService))
var createUserIfNotExist *bool
if oauthService.DisableUserCreation != nil {
createUserIfNotExist = ptr.To(!*oauthService.DisableUserCreation)
}
c.Auth.OauthCookieAuthenticator = &OauthCookieAuthenticator{
CreateUserIfNotExists: createUserIfNotExist,
}
c.Auth.OauthTokenAuthenticator = &OauthTokenAuthenticator{
CreateUserIfNotExists: createUserIfNotExist,
}
}

return c, nil
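Review bot: The DisableUserCreation-to-CreateUserIfNotExists inversion is written out twice, once in the getRPCProxyConfigImpl hunk and again in the getHTTPProxyConfigImpl hunk, and the local is named `createUserIfNotExist` while the struct field it feeds is `CreateUserIfNotExists`; a small shared helper would keep the two proxies from drifting, which matters because this one flag decides whether an OAuth-authenticated login gets a Cypress user auto-created. When DisableUserCreation is nil the pointer stays nil and the key is omitted from the generated config, so the proxy's own default decides; that deserves a comment on the helper, e.g. `// nil leaves create_user_if_not_exists unset so the proxy default applies`. Both enclosing functions start and end outside the hunks.
```go
// oauthCreateUserIfNotExists maps the spec's DisableUserCreation onto the proxy's
// create_user_if_not_exists flag; nil leaves the key unset so the proxy default applies.
func oauthCreateUserIfNotExists(oauthService *ytv1.OauthServiceSpec) *bool {
	if oauthService.DisableUserCreation == nil {
		return nil
	}
	return ptr.To(!*oauthService.DisableUserCreation)
}

// … unchanged: getRPCProxyConfigImpl up to the OauthService check …
	c.OauthTokenAuthenticator = &OauthTokenAuthenticator{
		CreateUserIfNotExists: oauthCreateUserIfNotExists(oauthService),
	}
// … unchanged: rest of getRPCProxyConfigImpl; same replacement for both authenticators in getHTTPProxyConfigImpl …
```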