-
Spike
-
Resolution: Done
-
Undefined
-
None
-
openshift-4.12
-
None
-
None
-
False
-
-
False
-
OCPSTRAT-713 - Add Authorization to internal Components of Agent Installer
This is a spike that will inform the implementation of this epic.
Requirements
- Allow only agents booted from the same ISO to register with the assisted-service and use the agent endpoints
- Agents already know the InfraEnv ID, so if read access requires authentication then that is sufficient in some existing auth schemes.
- Prevent access to write endpoints except by the internal systemd services
- Use some kind of authentication for read endpoints
- Ideally use existing credentials - admin-kubeconfig client cert and/or kubeadmin-password
- (Future) Allow UI access in interactive mode only
Are there any requirements specific to the auth token?
- Ephemeral
- Limited to one cluster
Reuse the existing admin-kubeconfig client cert
Actors:
- Agent Installer: example wait-for
- Internal systemd: configurations, create cluster infraenv, etc
- UI: interactive user
- User: advanced automation user (not supported yet)
Do we need more than one auth scheme?
Agent-admin – agent-read-write
Agent-user – agent-read
Implementation Options
- New authn scheme in assisted-service
- Reverse proxy in front of assisted-service API
- Use an existing auth scheme in assisted-service
Definition of done:
- List of API endpoints for agent based installation (Automated and Interactive)
- Decision on what credentials to use for this auth scheme
- Decision on which implementation option (1,2 or 3)
- blocks
-
AGENT-148 Update assisted-service swagger with new scheme (Add new auth scheme)
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
AGENT-146 Enhancement for Agent Installer Internal Authorization
-
- Closed
-