Add exclusions mechanism into jwtproxy config builder & exclude liveness probes from auth #10463
ci-test
@@ -77,6 +81,7 @@ | |||
|
|||
static final String JWT_PROXY_CONFIG_FOLDER = "/config"; | |||
static final String JWT_PROXY_PUBLIC_KEY_FILE = "mykey.pub"; | |||
static final String UNSECURED_PATHS_ATTRIBUTE = "unsecuredPaths"; |
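Review bot: UNSECURED_PATHS_ATTRIBUTE on the added line has no Javadoc, and going by its name and the PR title it is the one constant here that exempts paths from authentication. Please document next to it which value format is accepted (a single path or a delimited list) and that the paths it names are served without JWT verification.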
It would be better to move this constant to https://github.com/eclipse/che/blob/efaef7e0d1a05c03a6819f240a267a015a542f05/core/che-core-api-model/src/main/java/org/eclipse/che/api/core/model/workspace/config/ServerConfig.java#L37
and document it there.
ci-test build report:
@@ -11,15 +11,17 @@ | |||
"protocol": "http", | |||
"path" : "/process", | |||
"attributes": { | |||
"secure": "true" | |||
"secure": "true", | |||
"unsecuredPaths" : "/liveness" |
Please remove space before :
LGTM
public_key_path: /config/mykey.pub | ||
claims_verifiers: | ||
- type: static | ||
options: | ||
iss: wsmaster | ||
nonce_storage: | ||
type: void | ||
excludes: |
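Review bot: the expected config shown here ends at excludes: under the verifier settings, so the visible lines only cover a server that declares exclusions. Please add a case for a secure server with no unsecuredPaths attribute and assert that the generated excludes stays empty, so that nothing is exempted from token verification by default.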
This comment was marked as resolved.
Ok
@mshaposhnik Will this feature be enabled by default? I mean, if it is enabled we should rework tests or issue #10490 should be resolved previously.
No, it will be turned off by default.
It looks like everything except the problem described in issue #10490 is OK. But the opinion of the QE team is that issue #10490 should be resolved before merging this PR, because we do not guarantee protection from regression. And if "jwt-proxy" is enabled by default in the future, it will lead to a big regression (20 %) and possibly additional problems related to the absence of regression checking.
Also a very important point. If this PR is merged into master, it should also be checked for regression with "jwt-proxy" disabled.
It was checked with proxy feature off: https://ci.codenvycorp.com/job/che-pullrequests-test-ocp/492/Selenium_20tests_20report/
Tests which started on the assembly with "jwt-proxy" disabled didn't show any regression.
Ok, merging now.
What does this PR do?
/liveness paths into excludes;
What issues does this PR fix or reference?
#10400
Release Notes
N/A
Docs PR
N/A