Enforce authz(n) on controller

Give the controller the profiler endpoints and put it behind a remote
authn|z story. Move the node authenticator to a reusable spot. Set a
small cache size.

Author: smarterclayton

pkg/cmd/server/authenticator/remote.go

@@ -0,0 +1,66 @@
+package authenticator
+
+import (
+	"crypto/x509"
+	"time"
+
+	"k8s.io/kubernetes/pkg/auth/authenticator"
+	unversionedauthentication "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authentication/internalversion"
+
+	oauthenticator "github.com/openshift/origin/pkg/auth/authenticator"
+	"github.com/openshift/origin/pkg/auth/authenticator/anonymous"
+	"github.com/openshift/origin/pkg/auth/authenticator/request/bearertoken"
+	"github.com/openshift/origin/pkg/auth/authenticator/request/unionrequest"
+	"github.com/openshift/origin/pkg/auth/authenticator/request/x509request"
+	authncache "github.com/openshift/origin/pkg/auth/authenticator/token/cache"
+	authnremote "github.com/openshift/origin/pkg/auth/authenticator/token/remotetokenreview"
+	"github.com/openshift/origin/pkg/auth/group"
+	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
+)
+
+// NewRemoteAuthenticator creates an authenticator that checks the provided remote endpoint for tokens, allows any linked clientCAs to be checked, and caches
+// responses as indicated.  If no authentication is possible, the user will be system:anonymous.
+func NewRemoteAuthenticator(authenticationClient unversionedauthentication.TokenReviewsGetter, clientCAs *x509.CertPool, cacheTTL time.Duration, cacheSize int) (authenticator.Request, error) {
+	authenticators := []oauthenticator.Request{}
+
+	// API token auth
+	var (
+		tokenAuthenticator oauthenticator.Token
+		err                error
+	)
+	// Authenticate against the remote master
+	tokenAuthenticator, err = authnremote.NewAuthenticator(authenticationClient)
+	if err != nil {
+		return nil, err
+	}
+	// Cache results
+	if cacheTTL > 0 && cacheSize > 0 {
+		tokenAuthenticator, err = authncache.NewAuthenticator(tokenAuthenticator, cacheTTL, cacheSize)
+		if err != nil {
+			return nil, err
+		}
+	}
+	authenticators = append(authenticators, bearertoken.New(tokenAuthenticator, true))
+
+	// Client-cert auth
+	if clientCAs != nil {
+		opts := x509request.DefaultVerifyOptions()
+		opts.Roots = clientCAs
+		certauth := x509request.New(opts, x509request.SubjectToUserConversion)
+		authenticators = append(authenticators, certauth)
+	}
+
+	ret := &unionrequest.Authenticator{
+		// Anonymous requests will pass the token and cert checks without errors
+		// Bad tokens or bad certs will produce errors, in which case we should not continue to authenticate them as "system:anonymous"
+		FailOnError: true,
+		Handlers: []oauthenticator.Request{
+			// Add the "system:authenticated" group to users that pass token/cert authentication
+			group.NewGroupAdder(unionrequest.NewUnionAuthentication(authenticators...), []string{bootstrappolicy.AuthenticatedGroup}),
+			// Fall back to the "system:anonymous" user
+			anonymous.NewAuthenticator(),
+		},
+	}
+
+	return ret, nil
+}

pkg/cmd/server/handlers/authorization.go

@@ -13,10 +13,32 @@ import (
 	kapierrors "k8s.io/kubernetes/pkg/api/errors"
 	"k8s.io/kubernetes/pkg/api/unversioned"
 	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/util/sets"
 
 	"github.com/openshift/origin/pkg/authorization/authorizer"
 )
 
+type bypassAuthorizer struct {
+	paths      sets.String
+	authorizer authorizer.Authorizer
+}
+
+// NewBypassAuthorizer creates an Authorizer that always allows the exact paths described, and delegates to the nested
+// authorizer for everything else.
+func NewBypassAuthorizer(auth authorizer.Authorizer, paths ...string) authorizer.Authorizer {
+	return bypassAuthorizer{paths: sets.NewString(paths...), authorizer: auth}
+}
+
+func (a bypassAuthorizer) Authorize(ctx kapi.Context, attributes authorizer.Action) (allowed bool, reason string, err error) {
+	if attributes.IsNonResourceURL() && a.paths.Has(attributes.GetURL()) {
+		return true, "always allowed", nil
+	}
+	return a.authorizer.Authorize(ctx, attributes)
+}
+func (a bypassAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes authorizer.Action) (sets.String, sets.String, error) {
+	return a.authorizer.GetAllowedSubjects(ctx, attributes)
+}
+
 // AuthorizationFilter imposes normal authorization rules
 func AuthorizationFilter(handler http.Handler, authorizer authorizer.Authorizer, authorizationAttributeBuilder authorizer.AuthorizationAttributeBuilder, contextMapper kapi.RequestContextMapper) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {

pkg/cmd/server/kubernetes/node_auth.go

@@ -1,80 +1,23 @@
 package kubernetes
 
 import (
-	"crypto/x509"
 	"net/http"
 	"strings"
 	"time"
 
 	"github.com/golang/glog"
 
-	"k8s.io/kubernetes/pkg/auth/authenticator"
 	kauthorizer "k8s.io/kubernetes/pkg/auth/authorizer"
 	"k8s.io/kubernetes/pkg/auth/user"
-	unversionedauthentication "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authentication/internalversion"
-
-	oauthenticator "github.com/openshift/origin/pkg/auth/authenticator"
-	"github.com/openshift/origin/pkg/auth/authenticator/anonymous"
-	"github.com/openshift/origin/pkg/auth/authenticator/request/bearertoken"
-	"github.com/openshift/origin/pkg/auth/authenticator/request/unionrequest"
-	"github.com/openshift/origin/pkg/auth/authenticator/request/x509request"
-	authncache "github.com/openshift/origin/pkg/auth/authenticator/token/cache"
-	authnremote "github.com/openshift/origin/pkg/auth/authenticator/token/remotetokenreview"
-	"github.com/openshift/origin/pkg/auth/group"
+
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 	oauthorizer "github.com/openshift/origin/pkg/authorization/authorizer"
 	authzadapter "github.com/openshift/origin/pkg/authorization/authorizer/adapter"
 	authzcache "github.com/openshift/origin/pkg/authorization/authorizer/cache"
 	authzremote "github.com/openshift/origin/pkg/authorization/authorizer/remote"
 	oclient "github.com/openshift/origin/pkg/client"
-	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
 )
 
-func newAuthenticator(authenticationClient unversionedauthentication.TokenReviewsGetter, clientCAs *x509.CertPool, cacheTTL time.Duration, cacheSize int) (authenticator.Request, error) {
-	authenticators := []oauthenticator.Request{}
-
-	// API token auth
-	var (
-		tokenAuthenticator oauthenticator.Token
-		err                error
-	)
-	// Authenticate against the remote master
-	tokenAuthenticator, err = authnremote.NewAuthenticator(authenticationClient)
-	if err != nil {
-		return nil, err
-	}
-	// Cache results
-	if cacheTTL > 0 && cacheSize > 0 {
-		tokenAuthenticator, err = authncache.NewAuthenticator(tokenAuthenticator, cacheTTL, cacheSize)
-		if err != nil {
-			return nil, err
-		}
-	}
-	authenticators = append(authenticators, bearertoken.New(tokenAuthenticator, true))
-
-	// Client-cert auth
-	if clientCAs != nil {
-		opts := x509request.DefaultVerifyOptions()
-		opts.Roots = clientCAs
-		certauth := x509request.New(opts, x509request.SubjectToUserConversion)
-		authenticators = append(authenticators, certauth)
-	}
-
-	ret := &unionrequest.Authenticator{
-		// Anonymous requests will pass the token and cert checks without errors
-		// Bad tokens or bad certs will produce errors, in which case we should not continue to authenticate them as "system:anonymous"
-		FailOnError: true,
-		Handlers: []oauthenticator.Request{
-			// Add the "system:authenticated" group to users that pass token/cert authentication
-			group.NewGroupAdder(unionrequest.NewUnionAuthentication(authenticators...), []string{bootstrappolicy.AuthenticatedGroup}),
-			// Fall back to the "system:anonymous" user
-			anonymous.NewAuthenticator(),
-		},
-	}
-
-	return ret, nil
-}
-
 func newAuthorizerAttributesGetter(nodeName string) (kauthorizer.RequestAttributesGetter, error) {
 	return NodeAuthorizerAttributesGetter{nodeName}, nil
 }

pkg/cmd/server/kubernetes/node_config.go

@@ -32,6 +32,7 @@ import (
 
 	osclient "github.com/openshift/origin/pkg/client"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
+	serverauthenticator "github.com/openshift/origin/pkg/cmd/server/authenticator"
 	"github.com/openshift/origin/pkg/cmd/server/crypto"
 	cmdutil "github.com/openshift/origin/pkg/cmd/util"
 	cmdflags "github.com/openshift/origin/pkg/cmd/util/flags"
@@ -237,7 +238,7 @@ func BuildKubernetesNodeConfig(options configapi.NodeConfig, enableProxy, enable
 	if err != nil {
 		return nil, err
 	}
-	authn, err := newAuthenticator(kubeClient.Authentication(), clientCAs, authnTTL, options.AuthConfig.AuthenticationCacheSize)
+	authn, err := serverauthenticator.NewRemoteAuthenticator(kubeClient.Authentication(), clientCAs, authnTTL, options.AuthConfig.AuthenticationCacheSize)
 	if err != nil {
 		return nil, err
 	}

pkg/cmd/server/origin/master.go

@@ -39,6 +39,8 @@ import (
 	"k8s.io/kubernetes/pkg/util/sets"
 	utilwait "k8s.io/kubernetes/pkg/util/wait"
 
+	authzcache "github.com/openshift/origin/pkg/authorization/authorizer/cache"
+	authzremote "github.com/openshift/origin/pkg/authorization/authorizer/remote"
 	buildclient "github.com/openshift/origin/pkg/build/client"
 	buildgenerator "github.com/openshift/origin/pkg/build/generator"
 	buildregistry "github.com/openshift/origin/pkg/build/registry/build"
@@ -49,6 +51,7 @@ import (
 	"github.com/openshift/origin/pkg/build/webhook"
 	"github.com/openshift/origin/pkg/build/webhook/generic"
 	"github.com/openshift/origin/pkg/build/webhook/github"
+	serverauthenticator "github.com/openshift/origin/pkg/cmd/server/authenticator"
 	"github.com/openshift/origin/pkg/cmd/server/crypto"
 	serverhandlers "github.com/openshift/origin/pkg/cmd/server/handlers"
 	cmdutil "github.com/openshift/origin/pkg/cmd/util"
@@ -328,14 +331,38 @@ func (c *MasterConfig) buildHandlerChain(assetConfig *AssetConfig) (func(http.Ha
 	}, messages, nil
 }
 
-func (c *MasterConfig) RunHealth() {
+func (c *MasterConfig) RunHealth() error {
 	apiContainer := genericmux.NewAPIContainer(http.NewServeMux(), kapi.Codecs)
 
 	healthz.InstallHandler(&apiContainer.NonSwaggerRoutes, healthz.PingHealthz)
 	initReadinessCheckRoute(apiContainer, "/healthz/ready", func() bool { return true })
-	initMetricsRoute(apiContainer, "/metrics")
+	genericroutes.Profiling{}.Install(apiContainer)
+	genericroutes.MetricsWithReset{}.Install(apiContainer)
 
-	c.serve(apiContainer.ServeMux, []string{"Started health checks at %s"})
+	// TODO: replace me with a service account for controller manager
+	authn, err := serverauthenticator.NewRemoteAuthenticator(c.PrivilegedLoopbackKubernetesClientset.Authentication(), c.APIClientCAs, 5*time.Minute, 10)
+	if err != nil {
+		return err
+	}
+	authz, err := authzremote.NewAuthorizer(c.PrivilegedLoopbackOpenShiftClient)
+	if err != nil {
+		return err
+	}
+	authz, err = authzcache.NewAuthorizer(authz, 5*time.Minute, 10)
+	if err != nil {
+		return err
+	}
+	// we use direct bypass to allow readiness and health to work regardless of the master health
+	authz = serverhandlers.NewBypassAuthorizer(authz, "/healthz", "/healthz/ready")
+	contextMapper := c.getRequestContextMapper()
+	handler := serverhandlers.AuthorizationFilter(apiContainer.ServeMux, authz, c.AuthorizationAttributeBuilder, contextMapper)
+	handler = serverhandlers.AuthenticationHandlerFilter(handler, authn, contextMapper)
+	handler = kgenericfilters.WithPanicRecovery(handler, contextMapper)
+	handler = kapiserverfilters.WithRequestInfo(handler, genericapiserver.NewRequestInfoResolver(&genericapiserver.Config{}), contextMapper)
+	handler = kapi.WithRequestContext(handler, contextMapper)
+
+	c.serve(handler, []string{"Started health checks at %s"})
+	return nil
 }
 
 // serve starts serving the provided http.Handler using security settings derived from the MasterConfig

pkg/cmd/server/start/start_master.go

@@ -450,8 +450,7 @@ func (m *Master) Start() error {
 }
 
 func startHealth(openshiftConfig *origin.MasterConfig) error {
-	openshiftConfig.RunHealth()
-	return nil
+	return openshiftConfig.RunHealth()
 }
 
 // StartAPI starts the components of the master that are considered part of the API - the Kubernetes

test/cmd/authentication.sh

@@ -12,6 +12,7 @@ fi
 (
   set +e
   oc delete oauthaccesstokens --all
+  oadm policy remove-cluster-role-from-user cluster-debugger user3
   exit 0
 ) &>/dev/null
 
@@ -78,7 +79,23 @@ os::cmd::expect_success_and_text "oc policy can-i create pods --token='${accesst
 os::cmd::expect_success_and_text "oc policy can-i --list --token='${accesstoken}' -n '${project}' --scopes='role:admin:*'" 'get.*pods'
 os::cmd::expect_success_and_not_text "oc policy can-i --list --token='${accesstoken}' -n '${project}'" 'get.*pods'
 
+os::test::junit::declare_suite_end
 
+os::test::junit::declare_suite_start "cmd/authentication/debugging"
+os::cmd::expect_success_and_text 'oc login -u user3 -p pw' 'Login successful'
+os::cmd::expect_success 'oc login -u system:admin'
+os::cmd::expect_failure_and_text 'oc get --raw /debug/pprof/ --as=user3' 'Forbidden'
+os::cmd::expect_failure_and_text 'oc get --raw /metrics --as=user3' 'Forbidden'
+os::cmd::expect_success_and_text 'oc get --raw /healthz --as=user3' 'ok'
+os::cmd::expect_success 'oadm policy add-cluster-role-to-user cluster-debugger user3'
+os::cmd::try_until_text 'oc get --raw /debug/pprof/ --as=user3' 'full goroutine stack dump'
+os::cmd::expect_success_and_text 'oc get --raw /debug/pprof/ --as=user3' 'full goroutine stack dump'
+os::cmd::expect_success_and_text 'oc get --raw /metrics --as=user3' 'apiserver_request_latencies'
+os::cmd::expect_success_and_text 'oc get --raw /healthz --as=user3' 'ok'
+# TODO validate controller
 os::test::junit::declare_suite_end
 
+os::test::junit::declare_suite_start "cmd/authentication/scopedtokens"
+
+
 os::test::junit::declare_suite_end