Use websocket protocol authenticator in apiserver

This commit is contained in:
Jordan Liggitt 2017-06-19 14:38:55 -04:00
parent e2a03bcf2a
commit 6a872c09eb
No known key found for this signature in database
GPG Key ID: 24E7ADF9A3B42012
4 changed files with 19 additions and 15 deletions


@ -21,6 +21,7 @@ go_library(
"//vendor/k8s.io/apiserver/pkg/authentication/request/bearertoken:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/request/bearertoken:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/request/union:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/request/union:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/request/websocket:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/request/x509:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/request/x509:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library",
"//vendor/k8s.io/apiserver/plugin/pkg/authenticator/password/keystone:go_default_library", "//vendor/k8s.io/apiserver/plugin/pkg/authenticator/password/keystone:go_default_library",


@ -28,6 +28,7 @@ import (
"k8s.io/apiserver/pkg/authentication/request/bearertoken" "k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/apiserver/pkg/authentication/request/headerrequest" "k8s.io/apiserver/pkg/authentication/request/headerrequest"
"k8s.io/apiserver/pkg/authentication/request/union" "k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/request/websocket"
"k8s.io/apiserver/pkg/authentication/request/x509" "k8s.io/apiserver/pkg/authentication/request/x509"
"k8s.io/apiserver/pkg/authentication/token/tokenfile" "k8s.io/apiserver/pkg/authentication/token/tokenfile"
"k8s.io/apiserver/plugin/pkg/authenticator/password/keystone" "k8s.io/apiserver/plugin/pkg/authenticator/password/keystone"
@ -126,7 +127,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
authenticators = append(authenticators, tokenAuth) authenticators = append(authenticators, bearertoken.New(tokenAuth), websocket.NewProtocolAuthenticator(tokenAuth))
hasTokenAuth = true hasTokenAuth = true
} }
if len(config.ServiceAccountKeyFiles) > 0 { if len(config.ServiceAccountKeyFiles) > 0 {
@ -134,13 +135,13 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
authenticators = append(authenticators, serviceAccountAuth) authenticators = append(authenticators, bearertoken.New(serviceAccountAuth), websocket.NewProtocolAuthenticator(serviceAccountAuth))
hasTokenAuth = true hasTokenAuth = true
} }
if config.BootstrapToken { if config.BootstrapToken {
if config.BootstrapTokenAuthenticator != nil { if config.BootstrapTokenAuthenticator != nil {
// TODO: This can sometimes be nil because of // TODO: This can sometimes be nil because of
authenticators = append(authenticators, bearertoken.New(config.BootstrapTokenAuthenticator)) authenticators = append(authenticators, bearertoken.New(config.BootstrapTokenAuthenticator), websocket.NewProtocolAuthenticator(config.BootstrapTokenAuthenticator))
hasTokenAuth = true hasTokenAuth = true
} }
} }
@ -155,7 +156,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
authenticators = append(authenticators, oidcAuth) authenticators = append(authenticators, bearertoken.New(oidcAuth), websocket.NewProtocolAuthenticator(oidcAuth))
hasTokenAuth = true hasTokenAuth = true
} }
if len(config.WebhookTokenAuthnConfigFile) > 0 { if len(config.WebhookTokenAuthnConfigFile) > 0 {
@ -163,13 +164,13 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
authenticators = append(authenticators, webhookTokenAuth) authenticators = append(authenticators, bearertoken.New(webhookTokenAuth), websocket.NewProtocolAuthenticator(webhookTokenAuth))
hasTokenAuth = true hasTokenAuth = true
} }
// always add anytoken last, so that every other token authenticator gets to try first // always add anytoken last, so that every other token authenticator gets to try first
if config.AnyToken { if config.AnyToken {
authenticators = append(authenticators, bearertoken.New(anytoken.AnyTokenAuthenticator{})) authenticators = append(authenticators, bearertoken.New(anytoken.AnyTokenAuthenticator{}), websocket.NewProtocolAuthenticator(anytoken.AnyTokenAuthenticator{}))
hasTokenAuth = true hasTokenAuth = true
} }
@ -234,17 +235,17 @@ func newAuthenticatorFromBasicAuthFile(basicAuthFile string) (authenticator.Requ
} }
// newAuthenticatorFromTokenFile returns an authenticator.Request or an error // newAuthenticatorFromTokenFile returns an authenticator.Request or an error
func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Request, error) { func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Token, error) {
tokenAuthenticator, err := tokenfile.NewCSV(tokenAuthFile) tokenAuthenticator, err := tokenfile.NewCSV(tokenAuthFile)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return bearertoken.New(tokenAuthenticator), nil return tokenAuthenticator, nil
} }
// newAuthenticatorFromOIDCIssuerURL returns an authenticator.Request or an error. // newAuthenticatorFromOIDCIssuerURL returns an authenticator.Request or an error.
func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClaim, groupsClaim string) (authenticator.Request, error) { func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClaim, groupsClaim string) (authenticator.Token, error) {
tokenAuthenticator, err := oidc.New(oidc.OIDCOptions{ tokenAuthenticator, err := oidc.New(oidc.OIDCOptions{
IssuerURL: issuerURL, IssuerURL: issuerURL,
ClientID: clientID, ClientID: clientID,
@ -256,11 +257,11 @@ func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClai
return nil, err return nil, err
} }
return bearertoken.New(tokenAuthenticator), nil return tokenAuthenticator, nil
} }
// newServiceAccountAuthenticator returns an authenticator.Request or an error // newServiceAccountAuthenticator returns an authenticator.Request or an error
func newServiceAccountAuthenticator(keyfiles []string, lookup bool, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Request, error) { func newServiceAccountAuthenticator(keyfiles []string, lookup bool, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) {
allPublicKeys := []interface{}{} allPublicKeys := []interface{}{}
for _, keyfile := range keyfiles { for _, keyfile := range keyfiles {
publicKeys, err := serviceaccount.ReadPublicKeys(keyfile) publicKeys, err := serviceaccount.ReadPublicKeys(keyfile)
@ -271,7 +272,7 @@ func newServiceAccountAuthenticator(keyfiles []string, lookup bool, serviceAccou
} }
tokenAuthenticator := serviceaccount.JWTTokenAuthenticator(allPublicKeys, lookup, serviceAccountGetter) tokenAuthenticator := serviceaccount.JWTTokenAuthenticator(allPublicKeys, lookup, serviceAccountGetter)
return bearertoken.New(tokenAuthenticator), nil return tokenAuthenticator, nil
} }
// newAuthenticatorFromClientCAFile returns an authenticator.Request or an error // newAuthenticatorFromClientCAFile returns an authenticator.Request or an error
@ -297,11 +298,11 @@ func newAuthenticatorFromKeystoneURL(keystoneURL string, keystoneCAFile string)
return basicauth.New(keystoneAuthenticator), nil return basicauth.New(keystoneAuthenticator), nil
} }
func newWebhookTokenAuthenticator(webhookConfigFile string, ttl time.Duration) (authenticator.Request, error) { func newWebhookTokenAuthenticator(webhookConfigFile string, ttl time.Duration) (authenticator.Token, error) {
webhookTokenAuthenticator, err := webhook.New(webhookConfigFile, ttl) webhookTokenAuthenticator, err := webhook.New(webhookConfigFile, ttl)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return bearertoken.New(webhookTokenAuthenticator), nil return webhookTokenAuthenticator, nil
} }
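Review bot: The doc comments on newAuthenticatorFromTokenFile, newAuthenticatorFromOIDCIssuerURL and newServiceAccountAuthenticator still read "returns an authenticator.Request or an error" although their signatures now return authenticator.Token and the bearertoken.New wrapping has moved to the caller; update them to `// newAuthenticatorFromTokenFile returns an authenticator.Token or an error` (and likewise for the other two), and give newWebhookTokenAuthenticator, which has no comment, the same one-liner. In AuthenticatorConfig.New the pair `bearertoken.New(x), websocket.NewProtocolAuthenticator(x)` is now written out six times (tokenAuth, serviceAccountAuth, BootstrapTokenAuthenticator, oidcAuth, webhookTokenAuth, anytoken); a small helper that returns both request authenticators for one authenticator.Token keeps the two transports in lockstep the next time a token source is added and makes it obvious that every token source, the any-token path included, is deliberately accepted over the WebSocket subprotocol as well as the Authorization header. I believe the protocol authenticator takes the token from the WebSocket subprotocol header rather than Authorization, so a comment on the helper pointing that out would help anyone later reviewing what intermediaries log or strip. AuthenticatorConfig.New starts and ends outside the hunks shown.
```go
// tokenRequestAuthenticators wraps a token authenticator for both transports the
// apiserver accepts bearer tokens on: the Authorization header and the WebSocket
// subprotocol header. Keep the two in lockstep when adding a token source.
func tokenRequestAuthenticators(t authenticator.Token) []authenticator.Request {
	return []authenticator.Request{bearertoken.New(t), websocket.NewProtocolAuthenticator(t)}
}

// … unchanged: AuthenticatorConfig.New up to the token-file branch …
		authenticators = append(authenticators, tokenRequestAuthenticators(tokenAuth)...)
// … unchanged: remaining branches use the same helper …
```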


@ -23,6 +23,7 @@ go_library(
"//vendor/k8s.io/apiserver/pkg/authentication/request/bearertoken:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/request/bearertoken:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/request/union:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/request/union:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/request/websocket:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/request/x509:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/request/x509:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",


@ -29,6 +29,7 @@ import (
"k8s.io/apiserver/pkg/authentication/request/bearertoken" "k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/apiserver/pkg/authentication/request/headerrequest" "k8s.io/apiserver/pkg/authentication/request/headerrequest"
unionauth "k8s.io/apiserver/pkg/authentication/request/union" unionauth "k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/request/websocket"
"k8s.io/apiserver/pkg/authentication/request/x509" "k8s.io/apiserver/pkg/authentication/request/x509"
webhooktoken "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook" webhooktoken "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1beta1" authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
@ -87,7 +88,7 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, *spec.Secur
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
authenticators = append(authenticators, bearertoken.New(tokenAuth)) authenticators = append(authenticators, bearertoken.New(tokenAuth), websocket.NewProtocolAuthenticator(tokenAuth))
securityDefinitions["BearerToken"] = &spec.SecurityScheme{ securityDefinitions["BearerToken"] = &spec.SecurityScheme{
SecuritySchemeProps: spec.SecuritySchemeProps{ SecuritySchemeProps: spec.SecuritySchemeProps{