Support not creating non-existing users #416

merged 4 commits into from
Jan 10, 2025
2 changes: 2 additions & 0 deletions api/v1/ytsaurus_types.go
Expand Up @@ -227,6 +227,8 @@ type OauthServiceSpec struct {
//+kubebuilder:default:=false
Secure bool `json:"secure,omitempty"`
UserInfo OauthUserInfoHandlerSpec `json:"userInfoHandler,omitempty"`
// If DisableUserCreation is set, proxies will NOT create non-existing users with OAuth authentication.
DisableUserCreation *bool `json:"disableUserCreation,omitempty"`
}

type HealthcheckProbeParams struct {
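Review bot: The comment on the new DisableUserCreation field says what a true value does but not what an unset pointer means, and that is the case that matters: the field is optional, carries no kubebuilder default (unlike `Secure` just above it), and the generator changes in this PR pass an unset value straight through as a nil CreateUserIfNotExists, so the proxy's own default then decides whether an OAuth login provisions an account. Proposed comment: `// If DisableUserCreation is true, proxies will NOT create non-existing users with OAuth authentication. When unset, the proxy's own default applies.` Operators who want creation off therefore have to set the field to true explicitly; the comment should make that visible. The enclosing OauthServiceSpec struct starts outside the hunk.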
5 changes: 5 additions & 0 deletions api/v1/zz_generated.deepcopy.go


4 changes: 4 additions & 0 deletions config/crd/bases/cluster.ytsaurus.tech_ytsaurus.yaml
Expand Up @@ -14893,6 +14893,10 @@ spec:
type: object
oauthService:
properties:
disableUserCreation:
description: If DisableUserCreation is set, proxies will NOT create
non-existing users with O
Suggested change
non-existing users with O
non-existing users with OAuth authentication

weird, will check, though it is auto-generated from the comment string, so I can't fix it here; it will show up as a diff next time

Ah, I see, there is an 80-character limit in the generator and the text is cut in multiple places. Will try to fix it in a separate PR

type: boolean
host:
minLength: 1
type: string
1 change: 1 addition & 0 deletions docs/api.md
Expand Up @@ -1047,6 +1047,7 @@ _Appears in:_
| `port` _integer_ | | 80 | |
| `secure` _boolean_ | | false | |
| `userInfoHandler` _[OauthUserInfoHandlerSpec](#oauthuserinfohandlerspec)_ | | | |
| `disableUserCreation` _boolean_ | If DisableUserCreation is set, proxies will NOT create non-existing users with OAuth authentication. | | |


#### OauthUserInfoHandlerSpec
@@ -0,0 +1,155 @@
{
"address_resolver"={
"enable_ipv4"=%true;
"enable_ipv6"=%false;
retries=1000;
};
"solomon_exporter"={
host="{POD_SHORT_HOSTNAME}";
"instance_tags"={
pod="{K8S_POD_NAME}";
};
};
logging={
writers={
info={
type=file;
"file_name"="/var/log/http-proxy.info.log";
format="plain_text";
"enable_system_messages"=%true;
};
stderr={
type=stderr;
format="plain_text";
"enable_system_messages"=%true;
};
};
rules=[
{
"min_level"=info;
writers=[
info;
];
family="plain_text";
};
{
"min_level"=error;
writers=[
stderr;
];
family="plain_text";
};
];
"flush_period"=3000;
};
"monitoring_port"=10016;
"rpc_port"=9016;
"timestamp_provider"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
};
"cluster_connection"={
"cluster_name"=test;
"primary_master"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
peers=[
{
address="ms-test-0.masters-test.fake.svc.fake.zone:9010";
voting=%true;
};
];
"cell_id"="65726e65-ad6b7562-259-79747361";
};
"discovery_connection"={
addresses=[
"ds-test-0.discovery-test.fake.svc.fake.zone:9020";
"ds-test-1.discovery-test.fake.svc.fake.zone:9020";
"ds-test-2.discovery-test.fake.svc.fake.zone:9020";
];
};
"master_cache"={
addresses=[
"msc-test-0.master-caches-test.fake.svc.fake.zone:9018";
"msc-test-1.master-caches-test.fake.svc.fake.zone:9018";
"msc-test-2.master-caches-test.fake.svc.fake.zone:9018";
];
"cell_id"="65726e65-ad6b7562-259-79747361";
"enable_master_cache_discovery"=%false;
};
};
"cypress_annotations"={
"k8s_node_name"="{K8S_NODE_NAME}";
"k8s_pod_name"="{K8S_POD_NAME}";
"k8s_pod_namespace"="{K8S_POD_NAMESPACE}";
"physical_host"="{K8S_NODE_NAME}";
};
port=80;
auth={
"cypress_cookie_manager"={
};
"cypress_user_manager"={
};
"cypress_token_authenticator"={
secure=%true;
};
"oauth_service"={
host="oauth-host";
port=433;
secure=%true;
"user_info_endpoint"="user-info-endpoint";
"user_info_login_field"=login;
"login_transformations"=[
{
"match_pattern"="(.*)@ytsaurus.team";
replacement="\\1";
};
];
};
"oauth_cookie_authenticator"={
"create_user_if_not_exists"=%false;
};
"oauth_token_authenticator"={
"create_user_if_not_exists"=%false;
};
"require_authentication"=%true;
};
coordinator={
enable=%true;
"default_role_filter"=default;
};
driver={
"timestamp_provider"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
};
"primary_master"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
peers=[
{
address="ms-test-0.masters-test.fake.svc.fake.zone:9010";
voting=%true;
};
];
"cell_id"="65726e65-ad6b7562-259-79747361";
};
};
role=control;
"https_server"={
port=443;
credentials={
"cert_chain"={
"file_name"="/tls/https_secret/tls.crt";
};
"private_key"={
"file_name"="/tls/https_secret/tls.key";
};
"update_period"=60000;
};
};
}
@@ -0,0 +1,155 @@
{
"address_resolver"={
"enable_ipv4"=%true;
"enable_ipv6"=%false;
retries=1000;
};
"solomon_exporter"={
host="{POD_SHORT_HOSTNAME}";
"instance_tags"={
pod="{K8S_POD_NAME}";
};
};
logging={
writers={
info={
type=file;
"file_name"="/var/log/http-proxy.info.log";
format="plain_text";
"enable_system_messages"=%true;
};
stderr={
type=stderr;
format="plain_text";
"enable_system_messages"=%true;
};
};
rules=[
{
"min_level"=info;
writers=[
info;
];
family="plain_text";
};
{
"min_level"=error;
writers=[
stderr;
];
family="plain_text";
};
];
"flush_period"=3000;
};
"monitoring_port"=10016;
"rpc_port"=9016;
"timestamp_provider"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
};
"cluster_connection"={
"cluster_name"=test;
"primary_master"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
peers=[
{
address="ms-test-0.masters-test.fake.svc.fake.zone:9010";
voting=%true;
};
];
"cell_id"="65726e65-ad6b7562-259-79747361";
};
"discovery_connection"={
addresses=[
"ds-test-0.discovery-test.fake.svc.fake.zone:9020";
"ds-test-1.discovery-test.fake.svc.fake.zone:9020";
"ds-test-2.discovery-test.fake.svc.fake.zone:9020";
];
};
"master_cache"={
addresses=[
"msc-test-0.master-caches-test.fake.svc.fake.zone:9018";
"msc-test-1.master-caches-test.fake.svc.fake.zone:9018";
"msc-test-2.master-caches-test.fake.svc.fake.zone:9018";
];
"cell_id"="65726e65-ad6b7562-259-79747361";
"enable_master_cache_discovery"=%false;
};
};
"cypress_annotations"={
"k8s_node_name"="{K8S_NODE_NAME}";
"k8s_pod_name"="{K8S_POD_NAME}";
"k8s_pod_namespace"="{K8S_POD_NAMESPACE}";
"physical_host"="{K8S_NODE_NAME}";
};
port=80;
auth={
"cypress_cookie_manager"={
};
"cypress_user_manager"={
};
"cypress_token_authenticator"={
secure=%true;
};
"oauth_service"={
host="oauth-host";
port=433;
secure=%true;
"user_info_endpoint"="user-info-endpoint";
"user_info_login_field"=login;
"login_transformations"=[
{
"match_pattern"="(.*)@ytsaurus.team";
replacement="\\1";
};
];
};
"oauth_cookie_authenticator"={
"create_user_if_not_exists"=%true;
};
"oauth_token_authenticator"={
"create_user_if_not_exists"=%true;
};
"require_authentication"=%true;
};
coordinator={
enable=%true;
"default_role_filter"=default;
};
driver={
"timestamp_provider"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
};
"primary_master"={
addresses=[
"ms-test-0.masters-test.fake.svc.fake.zone:9010";
];
peers=[
{
address="ms-test-0.masters-test.fake.svc.fake.zone:9010";
voting=%true;
};
];
"cell_id"="65726e65-ad6b7562-259-79747361";
};
};
role=control;
"https_server"={
port=443;
credentials={
"cert_chain"={
"file_name"="/tls/https_secret/tls.crt";
};
"private_key"={
"file_name"="/tls/https_secret/tls.key";
};
"update_period"=60000;
};
};
}
30 changes: 23 additions & 7 deletions pkg/ytconfig/generator.go
Expand Up @@ -495,10 +495,17 @@ func (g *Generator) getRPCProxyConfigImpl(spec *ytv1.RPCProxiesSpec) (RPCProxySe

g.fillCommonService(&c.CommonServer, &spec.InstanceSpec)

if g.ytsaurus.Spec.OauthService != nil {
c.OauthService = ptr.To(getOauthService(*g.ytsaurus.Spec.OauthService))
oauthService := g.ytsaurus.Spec.OauthService
if oauthService != nil {
c.OauthService = ptr.To(getOauthService(*oauthService))
c.CypressUserManager = CypressUserManager{}
c.OauthTokenAuthenticator = &OauthTokenAuthenticator{}
var createUserIfNotExist *bool
if oauthService.DisableUserCreation != nil {
createUserIfNotExist = ptr.To(!*oauthService.DisableUserCreation)
}
c.OauthTokenAuthenticator = &OauthTokenAuthenticator{
CreateUserIfNotExists: createUserIfNotExist,
}
c.RequireAuthentication = ptr.To(true)
}

Expand Down Expand Up @@ -670,10 +677,19 @@ func (g *Generator) getHTTPProxyConfigImpl(spec *ytv1.HTTPProxiesSpec) (HTTPProx
g.fillCommonService(&c.CommonServer, &spec.InstanceSpec)
g.fillBusServer(&c.CommonServer, spec.NativeTransport)

if g.ytsaurus.Spec.OauthService != nil {
c.Auth.OauthService = ptr.To(getOauthService(*g.ytsaurus.Spec.OauthService))
c.Auth.OauthCookieAuthenticator = &OauthCookieAuthenticator{}
c.Auth.OauthTokenAuthenticator = &OauthTokenAuthenticator{}
oauthService := g.ytsaurus.Spec.OauthService
if oauthService != nil {
c.Auth.OauthService = ptr.To(getOauthService(*oauthService))
var createUserIfNotExist *bool
if oauthService.DisableUserCreation != nil {
createUserIfNotExist = ptr.To(!*oauthService.DisableUserCreation)
}
c.Auth.OauthCookieAuthenticator = &OauthCookieAuthenticator{
CreateUserIfNotExists: createUserIfNotExist,
}
c.Auth.OauthTokenAuthenticator = &OauthTokenAuthenticator{
CreateUserIfNotExists: createUserIfNotExist,
}
}

return c, nil
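Review bot: The createUserIfNotExist derivation in getHTTPProxyConfigImpl (the `var createUserIfNotExist *bool` block through the `ptr.To(!*oauthService.DisableUserCreation)` line) is a verbatim copy of the one added to getRPCProxyConfigImpl in the hunk above, and the local is named `createUserIfNotExist` while the field it populates is `CreateUserIfNotExists`. Two copies of an account-provisioning policy mapping tend to drift, and a later change to one proxy type would silently leave the other with different behaviour. Moving the mapping into one small helper keeps the nil-means-proxy-default semantics in a single place and lets the name match the field; the RPC hunk would call the same helper. Both getRPCProxyConfigImpl and getHTTPProxyConfigImpl begin outside their hunks.
```go
// oauthCreateUserIfNotExists maps the CRD's DisableUserCreation flag onto the
// proxy authenticators' CreateUserIfNotExists setting. A nil result leaves the
// field out of the generated config so the proxy's own default applies.
func oauthCreateUserIfNotExists(oauthService *ytv1.OauthServiceSpec) *bool {
	if oauthService == nil || oauthService.DisableUserCreation == nil {
		return nil
	}
	return ptr.To(!*oauthService.DisableUserCreation)
}

// … unchanged: getHTTPProxyConfigImpl up to the OauthService check …
	if oauthService != nil {
		c.Auth.OauthService = ptr.To(getOauthService(*oauthService))
		createUserIfNotExists := oauthCreateUserIfNotExists(oauthService)
		c.Auth.OauthCookieAuthenticator = &OauthCookieAuthenticator{
			CreateUserIfNotExists: createUserIfNotExists,
		}
		c.Auth.OauthTokenAuthenticator = &OauthTokenAuthenticator{
			CreateUserIfNotExists: createUserIfNotExists,
		}
	}
```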