Skip to content

Make OAuth secrets and settings configurable#1540

Merged
openshift-bot merged 1 commit intoopenshift:masterfrom
liggitt:oauth_secret_config
Apr 7, 2015
Merged

Make OAuth secrets and settings configurable#1540
openshift-bot merged 1 commit intoopenshift:masterfrom
liggitt:oauth_secret_config

Conversation

@liggitt
Copy link
Contributor

@liggitt liggitt commented Apr 1, 2015

  • Add structure and validation around session secrets
  • Switch session secret from time-based uuid to hash of random uuid
  • Generate default signing and encrypting secrets
  • Optionally externalize secrets using a file ref to a serialized SessionSecrets object
  • Update OAuth config documentation

@liggitt liggitt changed the title WIP - OAuth secret config OAuth secret config Apr 7, 2015
@liggitt
Copy link
Contributor Author

liggitt commented Apr 7, 2015

@deads2k @detiber review and critique, please

Two ways to configure session secrets:

1 - No config, default generated by --write-config. We generate a random secret on startup. A server restart invalidates any current sessions (they are only used during the actual login process). Only good for single-server deployments (multiple masters wouldn't agree on signed sessions).

oauthConfig:
  ...
  sessionConfig:
    ...
    sessionSecretsFile: ""

2 - Externalized config:

oauthConfig:
  ...
  sessionConfig:
    ...
    sessionSecretsFile: "mysecrets.yaml"

mysecrets.yaml:

apiVersion: v1
kind: SessionSecrets
secrets:
- authentication: ...
  encryption: ...
...

@liggitt liggitt mentioned this pull request Apr 7, 2015
Merged
@openshift-bot
Copy link
Contributor

openshift-bot commented Apr 7, 2015

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_openshift3/1729/)

@liggitt
Copy link
Contributor Author

liggitt commented Apr 7, 2015

@detiber hold off on looking at this... reworking some stuff after talking with @deads2k

deads2k
deads2k reviewed Apr 7, 2015
View reviewed changes
pkg/cmd/server/api/validation/oauth.go Outdated
Copy link
Contributor

@deads2k deads2k Apr 7, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm anti-space.

Copy link
Contributor Author

@liggitt liggitt Apr 7, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reworked to produce errors like this:

oauthConfig.sessionConfig.sessionSecretsFile: invalid value 'secrets.yaml': secrets[0].encryption: invalid value '*********************************': must be 16, 24, or 32 characters long

@deads2k
Copy link
Contributor

deads2k commented Apr 7, 2015

Nits. lgtm.

@liggitt
Copy link
Contributor Author

liggitt commented Apr 7, 2015

Added integration test to make sure we can start with OAuth disabled and cert auth still works.

[merge]

@openshift-bot
Copy link
Contributor

openshift-bot commented Apr 7, 2015

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_openshift3/1500/) (Image: devenv-fedora_1226)

@liggitt
OAuth secret config
4457e6f 
Allow secrets to be filled via envvar

Default to generating session secrets on master startup
@liggitt
Copy link
Contributor Author

liggitt commented Apr 7, 2015

Spurious, re[merge]

@ncdc not sure if this is related to image changes... looks like test-cmd.sh failed around this call:

Error: error executing template '{{.status.tags.latest}}': 'template: output:1:9: executing "output" at <.status.tags.latest>: can't evaluate field latest in type interface {}'
----data----
map[apiVersion:v1beta1 metadata:map[selfLink:/osapi/v1beta1/imageStreams/wildfly-8-centos?namespace=default uid:8ab90a6a-dd5a-11e4-be42-22000a658678 resourceVersion:145 creationTimestamp:2015-04-07T19:16:07Z annotations:map[openshift.io/image.dockerRepositoryCheck:2015-04-07T19:16:11Z] name:wildfly-8-centos namespace:default] spec:map[dockerImageRepository:openshift/wildfly-8-centos] status:map[dockerImageRepository:openshift/wildfly-8-centos tags:[map[tag:latest items:[map[dockerImageReference:openshift/wildfly-8-centos:latest image:9d0e595e08eb304b0dcfacd2cf96d384c70dd94cb2d6691ff7ba96a7642593e6 created:2015-04-07T19:16:08Z]]]]] kind:ImageStream]

@openshift-bot
Copy link
Contributor

openshift-bot commented Apr 7, 2015

Evaluated for origin up to 4457e6f

openshift-bot pushed a commit that referenced this pull request Apr 7, 2015
Merge pull request #1540 from liggitt/oauth_secret_config
ba7ec70 
Merged by openshift-bot
@openshift-bot openshift-bot merged commit ba7ec70 into openshift:master Apr 7, 2015
@liggitt liggitt deleted the oauth_secret_config branch April 8, 2015 05:27
@smarterclayton smarterclayton changed the title OAuth secret config Make OAuth secrets and settings configurable Apr 8, 2015
This was referenced Apr 9, 2015
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@liggitt @openshift-bot @deads2k @smarterclayton