Support function authentication with OpenFaaS IAM #158
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
alexellis
reviewed
May 9, 2024
welteki
force-pushed
the
jwt-permissions-auth
branch
from
973c5e1
to
fdb1f4f
Compare
Compare the auth permissions in the function claim with the function name and namespace the verify if the provided JWT token is authorized to invoke the function. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
Read the function namespace from the OPENFAAS_NAMESPACE env variable. Fallback to getting the nemsapce from the service account if the variable is not present. Required setting the namespace when running functions locally with jwt_auth. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
welteki
force-pushed
the
jwt-permissions-auth
branch
from
fdb1f4f
to
7645ca4
Compare
Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
welteki
force-pushed
the
jwt-permissions-auth
branch
2 times, most recently
from
2219821
to
a6e9140
Compare
alexellis
reviewed
Jun 17, 2024
| @@ -474,3 +495,26 @@ func (nc *WriterCounter) Write(p []byte) (int, error) { | |||
| nc.bytes += int64(n) | |||
| return n, err | |||
| } | |||
|
|
|||
| func getFnName() (string, error) { | |||
| name, ok := os.LookupEnv("OPENFAAS_NAME") | |||
There was a problem hiding this comment.
Should faas-cli local-run inject this variable then? I don't think it does presently.
cc @rgee0
Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
welteki
force-pushed
the
jwt-permissions-auth
branch
from
a6e9140
to
d283e2d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
If JWT authentication is enabled by setting the env variable
jwt_auth: truein thestack.ymlfile the watchdog requires an OpenFaaS function token for request authentication.Authentication tokens can be optioned through OpenFaaS IAM.
The watchdog verifies the token is valid and checks of an actor is authorized to invoke the function by looking at the
functionclaim in the token and validating the permissions.Motivation and Context
Support IAM authentication for functions.
How Has This Been Tested?
Unit tests were added.
Changes have been tested by running the watchdog locally and invoking it with and without a function token.
During these test the
OPENFAAS_NAMEandOPENFAAS_NAMESPACEenv variable were changed to simulate different functions in multiple namespaces.Changes have been tested E2E in cluster with the updated oidc-provider.
Types of changes
Checklist:
git commit -s