Commit c8953312 authored by Jordan Liggitt's avatar Jordan Liggitt

Make master take authenticator.Request interface instead of tokenfile

parent 57ec3a72
...@@ -150,6 +150,11 @@ func main() { ...@@ -150,6 +150,11 @@ func main() {
n := net.IPNet(portalNet) n := net.IPNet(portalNet)
authenticator, err := apiserver.NewAuthenticatorFromTokenFile(*tokenAuthFile)
if err != nil {
glog.Fatalf("Invalid Authentication Config: %v", err)
}
authorizer, err := apiserver.NewAuthorizerFromAuthorizationConfig(*authorizationMode, *authorizationPolicyFile) authorizer, err := apiserver.NewAuthorizerFromAuthorizationConfig(*authorizationMode, *authorizationPolicyFile)
if err != nil { if err != nil {
glog.Fatalf("Invalid Authorization Config: %v", err) glog.Fatalf("Invalid Authorization Config: %v", err)
...@@ -167,10 +172,10 @@ func main() { ...@@ -167,10 +172,10 @@ func main() {
EnableUISupport: true, EnableUISupport: true,
APIPrefix: *apiPrefix, APIPrefix: *apiPrefix,
CorsAllowedOriginList: corsAllowedOriginList, CorsAllowedOriginList: corsAllowedOriginList,
TokenAuthFile: *tokenAuthFile,
ReadOnlyPort: *readOnlyPort, ReadOnlyPort: *readOnlyPort,
ReadWritePort: *port, ReadWritePort: *port,
PublicAddress: *publicAddressOverride, PublicAddress: *publicAddressOverride,
Authenticator: authenticator,
Authorizer: authorizer, Authorizer: authorizer,
} }
m := master.New(config) m := master.New(config)
......
/*
Copyright 2014 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package apiserver
import (
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authenticator"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authenticator/bearertoken"
"github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/auth/authenticator/token/tokenfile"
)
// NewAuthenticatorFromTokenFile returns an authenticator.Request or an error
func NewAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Request, error) {
var authenticator authenticator.Request
if len(tokenAuthFile) != 0 {
tokenAuthenticator, err := tokenfile.NewCSV(tokenAuthFile)
if err != nil {
return nil, err
}
authenticator = bearertoken.New(tokenAuthenticator)
}
return authenticator, nil
}
...@@ -34,8 +34,6 @@ import ( ...@@ -34,8 +34,6 @@ import (
"github.com/GoogleCloudPlatform/kubernetes/pkg/api/v1beta2" "github.com/GoogleCloudPlatform/kubernetes/pkg/api/v1beta2"
"github.com/GoogleCloudPlatform/kubernetes/pkg/apiserver" "github.com/GoogleCloudPlatform/kubernetes/pkg/apiserver"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authenticator" "github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authenticator"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authenticator/bearertoken"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authenticator/tokenfile"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authorizer" "github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authorizer"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/handlers" "github.com/GoogleCloudPlatform/kubernetes/pkg/auth/handlers"
"github.com/GoogleCloudPlatform/kubernetes/pkg/client" "github.com/GoogleCloudPlatform/kubernetes/pkg/client"
...@@ -73,7 +71,7 @@ type Config struct { ...@@ -73,7 +71,7 @@ type Config struct {
EnableUISupport bool EnableUISupport bool
APIPrefix string APIPrefix string
CorsAllowedOriginList util.StringList CorsAllowedOriginList util.StringList
TokenAuthFile string Authenticator authenticator.Request
Authorizer authorizer.Authorizer Authorizer authorizer.Authorizer
// Number of masters running; all masters must be started with the // Number of masters running; all masters must be started with the
...@@ -111,7 +109,7 @@ type Master struct { ...@@ -111,7 +109,7 @@ type Master struct {
enableUISupport bool enableUISupport bool
apiPrefix string apiPrefix string
corsAllowedOriginList util.StringList corsAllowedOriginList util.StringList
tokenAuthFile string authenticator authenticator.Request
authorizer authorizer.Authorizer authorizer authorizer.Authorizer
masterCount int masterCount int
...@@ -242,7 +240,7 @@ func New(c *Config) *Master { ...@@ -242,7 +240,7 @@ func New(c *Config) *Master {
enableUISupport: c.EnableUISupport, enableUISupport: c.EnableUISupport,
apiPrefix: c.APIPrefix, apiPrefix: c.APIPrefix,
corsAllowedOriginList: c.CorsAllowedOriginList, corsAllowedOriginList: c.CorsAllowedOriginList,
tokenAuthFile: c.TokenAuthFile, authenticator: c.Authenticator,
authorizer: c.Authorizer, authorizer: c.Authorizer,
masterCount: c.MasterCount, masterCount: c.MasterCount,
...@@ -309,14 +307,7 @@ func (m *Master) init(c *Config) { ...@@ -309,14 +307,7 @@ func (m *Master) init(c *Config) {
go util.Forever(func() { podCache.UpdateAllContainers() }, time.Second*30) go util.Forever(func() { podCache.UpdateAllContainers() }, time.Second*30)
var userContexts = handlers.NewUserRequestContext() var userContexts = handlers.NewUserRequestContext()
var authenticator authenticator.Request var authenticator = c.Authenticator
if len(c.TokenAuthFile) != 0 {
tokenAuthenticator, err := tokenfile.New(c.TokenAuthFile)
if err != nil {
glog.Fatalf("Unable to load the token authentication file '%s': %v", c.TokenAuthFile, err)
}
authenticator = bearertoken.New(tokenAuthenticator)
}
// TODO: Factor out the core API registration // TODO: Factor out the core API registration
m.storage = map[string]apiserver.RESTStorage{ m.storage = map[string]apiserver.RESTStorage{
......
...@@ -29,7 +29,9 @@ type TokenAuthenticator struct { ...@@ -29,7 +29,9 @@ type TokenAuthenticator struct {
tokens map[string]*user.DefaultInfo tokens map[string]*user.DefaultInfo
} }
func New(path string) (*TokenAuthenticator, error) { // NewCSV returns a TokenAuthenticator, populated from a CSV file.
// The CSV file must contain records in the format "token,username,useruid"
func NewCSV(path string) (*TokenAuthenticator, error) {
file, err := os.Open(path) file, err := os.Open(path)
if err != nil { if err != nil {
return nil, err return nil, err
......
...@@ -109,5 +109,5 @@ func newWithContents(t *testing.T, contents string) (auth *TokenAuthenticator, e ...@@ -109,5 +109,5 @@ func newWithContents(t *testing.T, contents string) (auth *TokenAuthenticator, e
t.Fatalf("unexpected error writing tokenfile: %v", err) t.Fatalf("unexpected error writing tokenfile: %v", err)
} }
return New(f.Name()) return NewCSV(f.Name())
} }
/*
Copyright 2014 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package tokentest
import "github.com/GoogleCloudPlatform/kubernetes/pkg/auth/user"
type TokenAuthenticator struct {
Tokens map[string]*user.DefaultInfo
}
func New() *TokenAuthenticator {
return &TokenAuthenticator{
Tokens: make(map[string]*user.DefaultInfo),
}
}
func (a *TokenAuthenticator) AuthenticateToken(value string) (user.Info, bool, error) {
user, ok := a.Tokens[value]
if !ok {
return nil, false, nil
}
return user, true, nil
}
...@@ -33,10 +33,14 @@ import ( ...@@ -33,10 +33,14 @@ import (
"testing" "testing"
"github.com/GoogleCloudPlatform/kubernetes/pkg/apiserver" "github.com/GoogleCloudPlatform/kubernetes/pkg/apiserver"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authenticator"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authenticator/bearertoken"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authorizer" "github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authorizer"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authorizer/abac" "github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authorizer/abac"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/user"
"github.com/GoogleCloudPlatform/kubernetes/pkg/client" "github.com/GoogleCloudPlatform/kubernetes/pkg/client"
"github.com/GoogleCloudPlatform/kubernetes/pkg/master" "github.com/GoogleCloudPlatform/kubernetes/pkg/master"
"github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/auth/authenticator/token/tokentest"
) )
func init() { func init() {
...@@ -47,24 +51,13 @@ const ( ...@@ -47,24 +51,13 @@ const (
AliceToken string = "abc123" // username: alice. Present in token file. AliceToken string = "abc123" // username: alice. Present in token file.
BobToken string = "xyz987" // username: bob. Present in token file. BobToken string = "xyz987" // username: bob. Present in token file.
UnknownToken string = "qwerty" // Not present in token file. UnknownToken string = "qwerty" // Not present in token file.
// Keep file in sync with above constants.
TokenfileCSV string = `
abc123,alice,1
xyz987,bob,2
`
) )
func writeTestTokenFile(t *testing.T) string { func getTestTokenAuth() authenticator.Request {
// Write a token file. tokenAuthenticator := tokentest.New()
f, err := ioutil.TempFile("", "auth_integration_test") tokenAuthenticator.Tokens[AliceToken] = &user.DefaultInfo{Name: "alice", UID: "1"}
if err != nil { tokenAuthenticator.Tokens[BobToken] = &user.DefaultInfo{Name: "bob", UID: "2"}
t.Fatalf("unexpected error: %v", err) return bearertoken.New(tokenAuthenticator)
}
f.Close()
if err := ioutil.WriteFile(f.Name(), []byte(TokenfileCSV), 0700); err != nil {
t.Fatalf("unexpected error writing tokenfile: %v", err)
}
return f.Name()
} }
// TestWhoAmI passes a known Bearer Token to the master's /_whoami endpoint and checks that // TestWhoAmI passes a known Bearer Token to the master's /_whoami endpoint and checks that
...@@ -79,15 +72,13 @@ func TestWhoAmI(t *testing.T) { ...@@ -79,15 +72,13 @@ func TestWhoAmI(t *testing.T) {
t.Fatalf("unexpected error: %v", err) t.Fatalf("unexpected error: %v", err)
} }
tokenFilename := writeTestTokenFile(t)
defer os.Remove(tokenFilename)
m := master.New(&master.Config{ m := master.New(&master.Config{
EtcdHelper: helper, EtcdHelper: helper,
KubeletClient: client.FakeKubeletClient{}, KubeletClient: client.FakeKubeletClient{},
EnableLogsSupport: false, EnableLogsSupport: false,
EnableUISupport: false, EnableUISupport: false,
APIPrefix: "/api", APIPrefix: "/api",
TokenAuthFile: tokenFilename, Authenticator: getTestTokenAuth(),
Authorizer: apiserver.NewAlwaysAllowAuthorizer(), Authorizer: apiserver.NewAlwaysAllowAuthorizer(),
}) })
...@@ -467,8 +458,6 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) { ...@@ -467,8 +458,6 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) {
deleteAllEtcdKeys() deleteAllEtcdKeys()
tokenFilename := writeTestTokenFile(t)
defer os.Remove(tokenFilename)
// This file has alice and bob in it. // This file has alice and bob in it.
// Set up a master // Set up a master
...@@ -484,7 +473,7 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) { ...@@ -484,7 +473,7 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) {
EnableLogsSupport: false, EnableLogsSupport: false,
EnableUISupport: false, EnableUISupport: false,
APIPrefix: "/api", APIPrefix: "/api",
TokenAuthFile: tokenFilename, Authenticator: getTestTokenAuth(),
Authorizer: allowAliceAuthorizer{}, Authorizer: allowAliceAuthorizer{},
}) })
...@@ -521,8 +510,6 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) { ...@@ -521,8 +510,6 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) {
func TestBobIsForbidden(t *testing.T) { func TestBobIsForbidden(t *testing.T) {
deleteAllEtcdKeys() deleteAllEtcdKeys()
tokenFilename := writeTestTokenFile(t)
defer os.Remove(tokenFilename)
// This file has alice and bob in it. // This file has alice and bob in it.
// Set up a master // Set up a master
...@@ -538,7 +525,7 @@ func TestBobIsForbidden(t *testing.T) { ...@@ -538,7 +525,7 @@ func TestBobIsForbidden(t *testing.T) {
EnableLogsSupport: false, EnableLogsSupport: false,
EnableUISupport: false, EnableUISupport: false,
APIPrefix: "/api", APIPrefix: "/api",
TokenAuthFile: tokenFilename, Authenticator: getTestTokenAuth(),
Authorizer: allowAliceAuthorizer{}, Authorizer: allowAliceAuthorizer{},
}) })
...@@ -577,8 +564,6 @@ func TestBobIsForbidden(t *testing.T) { ...@@ -577,8 +564,6 @@ func TestBobIsForbidden(t *testing.T) {
func TestUnknownUserIsUnauthorized(t *testing.T) { func TestUnknownUserIsUnauthorized(t *testing.T) {
deleteAllEtcdKeys() deleteAllEtcdKeys()
tokenFilename := writeTestTokenFile(t)
defer os.Remove(tokenFilename)
// This file has alice and bob in it. // This file has alice and bob in it.
// Set up a master // Set up a master
...@@ -594,7 +579,7 @@ func TestUnknownUserIsUnauthorized(t *testing.T) { ...@@ -594,7 +579,7 @@ func TestUnknownUserIsUnauthorized(t *testing.T) {
EnableLogsSupport: false, EnableLogsSupport: false,
EnableUISupport: false, EnableUISupport: false,
APIPrefix: "/api", APIPrefix: "/api",
TokenAuthFile: tokenFilename, Authenticator: getTestTokenAuth(),
Authorizer: allowAliceAuthorizer{}, Authorizer: allowAliceAuthorizer{},
}) })
...@@ -651,8 +636,6 @@ func newAuthorizerWithContents(t *testing.T, contents string) authorizer.Authori ...@@ -651,8 +636,6 @@ func newAuthorizerWithContents(t *testing.T, contents string) authorizer.Authori
func TestNamespaceAuthorization(t *testing.T) { func TestNamespaceAuthorization(t *testing.T) {
deleteAllEtcdKeys() deleteAllEtcdKeys()
tokenFilename := writeTestTokenFile(t)
defer os.Remove(tokenFilename)
// This file has alice and bob in it. // This file has alice and bob in it.
helper, err := master.NewEtcdHelper(newEtcdClient(), "v1beta1") helper, err := master.NewEtcdHelper(newEtcdClient(), "v1beta1")
...@@ -668,7 +651,7 @@ func TestNamespaceAuthorization(t *testing.T) { ...@@ -668,7 +651,7 @@ func TestNamespaceAuthorization(t *testing.T) {
EnableLogsSupport: false, EnableLogsSupport: false,
EnableUISupport: false, EnableUISupport: false,
APIPrefix: "/api", APIPrefix: "/api",
TokenAuthFile: tokenFilename, Authenticator: getTestTokenAuth(),
Authorizer: a, Authorizer: a,
}) })
...@@ -726,8 +709,6 @@ func TestNamespaceAuthorization(t *testing.T) { ...@@ -726,8 +709,6 @@ func TestNamespaceAuthorization(t *testing.T) {
func TestKindAuthorization(t *testing.T) { func TestKindAuthorization(t *testing.T) {
deleteAllEtcdKeys() deleteAllEtcdKeys()
tokenFilename := writeTestTokenFile(t)
defer os.Remove(tokenFilename)
// This file has alice and bob in it. // This file has alice and bob in it.
// Set up a master // Set up a master
...@@ -745,7 +726,7 @@ func TestKindAuthorization(t *testing.T) { ...@@ -745,7 +726,7 @@ func TestKindAuthorization(t *testing.T) {
EnableLogsSupport: false, EnableLogsSupport: false,
EnableUISupport: false, EnableUISupport: false,
APIPrefix: "/api", APIPrefix: "/api",
TokenAuthFile: tokenFilename, Authenticator: getTestTokenAuth(),
Authorizer: a, Authorizer: a,
}) })
...@@ -797,8 +778,6 @@ func TestKindAuthorization(t *testing.T) { ...@@ -797,8 +778,6 @@ func TestKindAuthorization(t *testing.T) {
func TestReadOnlyAuthorization(t *testing.T) { func TestReadOnlyAuthorization(t *testing.T) {
deleteAllEtcdKeys() deleteAllEtcdKeys()
tokenFilename := writeTestTokenFile(t)
defer os.Remove(tokenFilename)
// This file has alice and bob in it. // This file has alice and bob in it.
// Set up a master // Set up a master
...@@ -816,7 +795,7 @@ func TestReadOnlyAuthorization(t *testing.T) { ...@@ -816,7 +795,7 @@ func TestReadOnlyAuthorization(t *testing.T) {
EnableLogsSupport: false, EnableLogsSupport: false,
EnableUISupport: false, EnableUISupport: false,
APIPrefix: "/api", APIPrefix: "/api",
TokenAuthFile: tokenFilename, Authenticator: getTestTokenAuth(),
Authorizer: a, Authorizer: a,
}) })
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment