Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DEPRECATED] LDAP authentication #341

Closed
wants to merge 62 commits into from
Closed

[DEPRECATED] LDAP authentication #341

wants to merge 62 commits into from

Conversation

vsupalov
Copy link
Contributor

@vsupalov vsupalov commented Nov 14, 2022
edited
Loading

Description

Implementing LDAP according to #144

Trying a few things in the process: (UPDATE: the first two were dropped after teaming up)

Overview of PR Scope and Choices

The PR implements LDAP authentication, leaving TLS-authenticated LDAP as an exercise for the reader for a later PR, as it would clash with existing functionality. We decided to first finish the non-TLS LDAP functionality here, as it is a good scope for a single PR when it comes to reviewer-friendliness.

Tradeoff made in this PR: secrets related to LDAP are written in plain-text into the druid runtime.properties config. Unfortunately, the druid features which were supposed to be able to read ENV variables which are referenced in runtime.properties simply refused to work.

Most obvious possible follow-up tasks for future work packages:

  • Implement TLS-enabled LDAP communication.
  • The LDAP feature will interfere with TLS config, basically disabling the auth part. Fixing it is is not straightforward. (see below).
  • We might file a bug reports with the Druid project, so we can find out how to reference secrets from env vars instead of writing them to config files.

LDAP vs TLS Auth

The PR contains a commented-out test for TLS while LDAP is enabled. It's failing at the moment, but could prove as a useful starting point if the topic warrants more attention.

Review Checklist

  • Code contains useful comments
  • CRD change approved (or not applicable)
  • (Integration-)Test cases added (or not applicable)
  • Documentation added (or not applicable)
  • Changelog updated (or not applicable)
  • Cargo.toml only contains references to git tags (not specific commits or branches)
  • Helm chart can be installed and deployed operator works (or not applicable)

Once the review is done, comment bors r+ (or bors merge) to merge. Further information

@vsupalov vsupalov force-pushed the feature/144-ldap-authentication branch 4 times, most recently from 97e4200 to b6412d7 Compare November 16, 2022 14:16
Vladislav Supalov added 3 commits November 28, 2022 11:05
docs: add to CHANGELOG
9cb1e4f 
# Conflicts:
#	CHANGELOG.md

# Conflicts:
#	CHANGELOG.md
docs(todo): describe LDAP usage
d50eeb4 
refer to https://github.com/stackabletech/nifi-operator/pull/303/files#diff-ff1c06cfbfb2d6a67f8e0a1e5bd2b2d55f2e8e2704e360f73509318fa9d645bc
test: add green ldap + opa integration test
c467de4 
Squashed commit of the following:

commit 5ba0132
Author: Razvan-Daniel Mihai <[email protected]>
Date:   Fri Nov 18 17:33:47 2022 +0100

    Updates and cleanups.

commit 2e7cd7a
Author: Razvan-Daniel Mihai <[email protected]>
Date:   Fri Nov 18 16:58:10 2022 +0100

    Remove OPA and update autocheck.py.

commit 5f3aa96
Author: Razvan-Daniel Mihai <[email protected]>
Date:   Fri Nov 18 14:33:06 2022 +0100

    Add leftover from previous comit and experiment with autocheck.py

commit 71b9c43
Author: Razvan-Daniel Mihai <[email protected]>
Date:   Fri Nov 18 11:59:11 2022 +0100

    Install openldap in the kuttl test namespace.

commit 5e0e594
Author: Razvan-Daniel Mihai <[email protected]>
Date:   Thu Nov 17 17:47:39 2022 +0100

    Almost working kuttl test (missing ldap users).
@vsupalov vsupalov force-pushed the feature/144-ldap-authentication branch from 3ce21f5 to c467de4 Compare November 28, 2022 10:07
Vladislav Supalov and others added 22 commits November 28, 2022 12:57
test(ldap): remove config overrides
884c10b
test(ldap): add secrets and configs yaml draft
cf62eb7
feat: add ldap yaml authentication block parsing test and config field
58d1736
@razvan
Decided on auth structure
b0738c3
@razvan
Merge branch 'main' into feature/144-ldap-authentication
d46b847
wip: test and next step
444b62f
@razvan
Cleanup get rid of redundant enum
d3d89a3
@razvan
A bit more cleanup and encapsulation.
c3bac8f
wip: add hard-coded ldap configs to runtime properties
0fcb4b3
wip: clean up confusing temlate snippet
a391a00
wip: ldap handling mod
94d4284
@razvan
wip: build ldap settings from resolved structs.
f800e11
wip: change ldap func call, reference real values
bbd61ab
wip: set secret values via env vars
c2c4418
@razvan
Update test auth resources and make regenerate-charts
ff1e198
@razvan
Fix test yaml and remove newlines from raw string.
8831078
@razvan
wip: try out password provider
8b00cde
wip: read secret values from a secret
16a990d
throwaway: speed up test
de92049
@razvan
major success
a5029f7
wip: try passing passwords with env vars
e50555f
@razvan
Revert "wip: try passing passwords with env vars"
7a47900 
This reverts commit e50555f.
Vladislav Supalov and others added 16 commits December 8, 2022 16:16
fix: add missing variable interpolation
1098608
@razvan
Update docs/modules/ROOT/pages/usage.adoc
7338dd7 
Co-authored-by: Razvan-Daniel Mihai <[email protected]>
@razvan
merge main
a73717c
fix: re-apply workaround to sometimes-irrelevant bash command
f053057
wip: add notes on ldap/tls clash resolution attempts
ceaf692
test: add failing tls/ldap-auth-combined test
be0ae8f
Merge branch 'feature/144-ldap-authentication' of github.com:stackabl…
77d8854 
…etech/druid-operator into feature/144-ldap-authentication
test: add failing test definition
efcd0a6
docs: fix example snippet
5fd3bfb
docs: newline to please the linter
b5fda85
docs: fix ldap/tls wording
e428033
refactor: extract some repetitive, noisy parts
6f4b3ab
style: consistent lower-case error strings
8d16ac4
style: consistent lower-case error strings
fdf500b
cleanup: remove outdated comment
d8b3e4b
style: newline to please the linter
f0c60fb
@vsupalov vsupalov marked this pull request as ready for review December 12, 2022 14:30
@vsupalov
Copy link
Contributor Author

test https://ci.stackable.tech/view/02%20Operator%20Tests%20(custom)/job/druid-operator-it-custom/58/

@vsupalov vsupalov changed the title LDAP authentication [DEPRECATED] LDAP authentication Jan 5, 2023
@vsupalov vsupalov marked this pull request as draft January 5, 2023 09:47
This was referenced Jan 5, 2023
Closed
Closed
@vsupalov vsupalov closed this Jan 10, 2023
@vsupalov vsupalov deleted the feature/144-ldap-authentication branch January 19, 2023 14:01
bors bot pushed a commit that referenced this pull request Jan 30, 2023
LDAP authentication (#374)
a158c7b 
# Description

This will resolve part of #144
The ticket can be merged once the stretch goals are reached as well.

A new iteration on the changes prototyped in #341

This iteration will include:

* A closer resemblance to the ticket requirements - using a list of authenticators
* Non-usage of LDAP for inter-node authentication (basic authentication instead)
* Erroring out if both TLS auth and LDAP auth are configured

## Follow-up Work

* Interconnection with an OPA authorization config, if provided (former stretch goal)
* Adding ldaps:// support (former stretch goal)
* Druid does not like anonymous LDAP access (without bind credentials). I have not found a way to configure it. This however, seems to be a usecase we want to support generally.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@razvan razvan razvan left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vsupalov @razvan