remove user specification via request parameter for TSB

[gabemontero]

@openshift/devex ptal

@pmorie @staebler fyi

[gabemontero]

ah ... was about to mention @spadgett but the robot beat me to it :-)

[bparees]

/lgtm

[bparees]

/unassign @mfojtik
/assign @jim-minter

[gabemontero]

Hmm ... import verifier is flagging an import I'm not immediately seeing:

2017/09/19 15:55:31 Inspecting imports under github.com/openshift/origin/pkg/templateservicebroker...
2017/09/19 15:55:32 -- validating imports for 5 packages in the tree
2017/09/19 15:55:32 -- found unused package imports
2017/09/19 15:55:32 	github.com/openshift/origin/pkg/user/apis/user/validation

investigating ...

[gabemontero]

the user validate import we now no longer require needed to be removed from hack/import-restrictions.json ... change pushed

[bparees]

/lgtm

[gabemontero]

integration tests saw an apparent reincarnation of #14020

update / correction: with an assist from Mo, it was actually a validation error wrt the request user name no longer being there.

The error:

W0919 18:19:16.569689   31468 reflector.go:343] storage/cacher.go:/configmaps: watch of *api.ConfigMap ended with: client: etcd cluster is unavailable or misconfigured; error #0: unexpected EOF
    		--- FAIL: TestEtcd2StoragePath (45.67s)
    			etcd_storage_path_test.go:1018: failed to create stub for TemplateInstance from github.com/openshift/origin/pkg/template/apis/template/v1: &errors.StatusError{ErrStatus:v1.Status{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ListMeta:v1.ListMeta{SelfLink:"", ResourceVersion:""}, Status:"Failure", Message:"TemplateInstance.template.openshift.io \"templateinstance1\" is invalid: spec.requester.username: Invalid value: \"system:openshift-master\": may not contain \":\"", Reason:"Invalid", Details:(*v1.StatusDetails)(0xc42a9c9260), Code:422}}
    			etcd.go:141: dumping etcd to "/tmp/openshift/test-integration/tmp-testetcd2storagepath002033552/etcd-dump-TestEtcd2StoragePath-v2.json"
    			etcd.go:114: Removing etcd dir /tmp/openshift/test-integration/tmp-testetcd2storagepath002033552/etcd640902588
    		FAIL

and in particular Message:"TemplateInstance.template.openshift.io \"templateinstance1\" is invalid: spec.requester.username: Invalid value: \"system:openshift-master\": may not contain \":\""

something is still trying to validate on the spec.requester.username .... need to investigate

[gabemontero]

@spadgett and I gave this a go and realized we didn't enable the orig id hdr feature via the new controller manager mechanism.

We didn't see a way to actually do that yet via a oc cluster up --version=latest --service-catalog path

@pmorie @staebler - are we correct in that there is not a way to do that yet? Or if there is, please provide us the details?

thanks

[staebler]

@gabemontero @spadgett You are correct that there is not currently a way to enable the feature. That was missed but has been checked in. There will be a new release of service catalog tonight that will include the flag to enabled feature gates in controller manager. When it is ready, you will be able to enable the feature with the argument --feature-gates OriginatingIdentity=true.

[gabemontero]

I believe I sorted out the integration test issue ... may not contain \":\"" is the key. Most likely we are coming in as eithersystem:authenticated or system:anonymous and the username validation has failed.

We discussed this some before during the original pull ... I believe the net was long term, those two username's are valid. Bottom line, I believe our validation should stop prior to sorting out the specifics of the username, and let the lower level auth stuff manage it.

[gabemontero]

On Tue, Sep 19, 2017 at 4:14 PM, Matthew Staebler ***@***.***> wrote: @gabemontero <https://github.com/gabemontero> @spadgett <https://github.com/spadgett> You are correct that there is not currently a way to enable the feature. That was missed but has been checked in. There will be a new release of service catalog tonight that will include the flag to enabled feature gates in controller manager. When it is ready, you will be able to enable the feature with the argument --feature-gates OriginatingIdentity=true.

Thanks for the confirmation and update @staebler.

…

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#16434 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADbadKDvqUJFyNiAKiUk1g2nId_keAAFks5skCCogaJpZM4PcmQg> .

[gabemontero]

ok integration tests are now passing, but somewhere along the way since first starting with this some of the template related extended tests are now failing; need to circle back and clean that back up;

[jim-minter]

Could you remind me on what basis this is being removed? Does it affect the TSB setting the templateinstance requester on behalf of the TSB caller? If so, a test should be tripped?

[gabemontero]

Actually @jim-minter perhaps my TODO comment here was erroneous, given the test failure noted at https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/16434/test_pull_request_origin_extended_conformance_gce/8233/

Or maybe an associated change elsewhere is needed.

I've started investigating what I currently have here, and cycling through the original PR. Will report back when I have discoveries of note.

[gabemontero]

Yeah it stemmed from a discussion thread that culminated at #15719 (comment)

But upon revisit/review, I believe my conclusion was incorrect. The user obj is in fact passed into Provision, etc., based on the service catalog auth path, and set on the requester.

And hence the extended test failures I noted.

Reverting the change momentarily ... we'll see how the extended test does. I'll then pull in the requisite SMEs for final sign off.

[gabemontero]

ok ... all happy tests .... the strategy.go change was the last bit

will ask for a quick re-review in code

[gabemontero]

@liggitt @pmorie - if you all could, please re-review / take a quick peek at PrepareForCreate and see if you agree. I tried to capture in the comment above what we think is different from "typical" PrepareForCreate. Namely:

• the entry points like Provision into the TSB will provide the user.Info (as the service catalog propagates it in the orig identity header) and we set the user onto the templateInstance.Spec.Requester there
• so if it is set, we don't nil out
• if it is not set, we pull from the context

Ultimately, we test this behavior in various places, most notably our impersonation tests: https://github.com/openshift/origin/blob/master/test/extended/templates/templateinstance_impersonation.go#L288

I believe prior agreement was obtained on all this, but after some discussions with @jim-minter it seemed prudent to double-check one more time.

thanks

@bparees fyi

[gabemontero]

pending the one confirmation request to @liggitt @pmorie I'll remove the do-not-merge label once I'm able to provision a template from the console with the --feature-gates OriginatingIdentity=true option added to the service catalog template.

[liggitt]

if it is set, we don't nil out

This means we can never give access to this API to a non-superuser, right?

[jim-minter]

This means we can never give access to this API to a non-superuser, right?

Ability to set the username to anything that isn't your username should be being gated in func (s *templateInstanceStrategy) validateImpersonation.

[spadgett]

@gabemontero #16457 should enable the originating identity header

[gabemontero]

thanks @spadgett / yep I had been monitoring that PR, as well as #16440 before it

regardless, I was interested in trying it manually anyway :-)

I just rebased, and pulled down the following service catalog image:

gmontero ~/go/src/github.com/openshift/origin  (finish-tsb-group-auth)$ docker images | grep catalog
docker.io/openshift/origin-service-catalog         latest              4e745d14048f        About an hour ago   361.3 MB
gmontero ~/go/src/github.com/openshift/origin  (finish-tsb-group-auth)$ 

And manually updated the template ... here is the relevant snippet:

        - command: 
          - apiserver
          args:
          - --admission-control
          - KubernetesNamespaceLifecycle,DefaultServicePlan,ServiceInstanceCredentialsLifecycle,ServicePlanChangeValidator
          - --storage-type
          - etcd
          - --secure-port
          - "6443"
          - --etcd-servers
          - http://localhost:2379
          - -v
          - "10"
          - --cors-allowed-origins
          - ${CORS_ALLOWED_ORIGIN}
          - --feature-gates OriginatingIdentity=true

But the service catalog reports this error:

2017-09-21T14:22:07.442603114Z E0921 14:22:07.442113       1 apiserver.go:50] server exited unexpectedly (unknown flag: --feature-gates OriginatingIdentity)

@staebler @jboyd01 @pmorie - any insight if I did something wrong? Or are there additional changes I need to wait on?

thanks

[staebler]

@gabemontero My understanding with the helm chart is that you need --feature-gates on one line and OriginatingIdentity=true on the next line.

        - command: 
          - apiserver
          args:
          - --admission-control
          - KubernetesNamespaceLifecycle,DefaultServicePlan,ServiceInstanceCredentialsLifecycle,ServicePlanChangeValidator
          - --storage-type
          - etcd
          - --secure-port
          - "6443"
          - --etcd-servers
          - http://localhost:2379
          - -v
          - "10"
          - --cors-allowed-origins
          - ${CORS_ALLOWED_ORIGIN}
          - --feature-gates
          - OriginatingIdentity=true

[spadgett]

@gabemontero I don't think that image has the changes in 0.0.21. You need to build a new service catalog image from #16457

[gabemontero]

Thanks for the quick resposnes @staebler and @spadgett

And yep,

1. splitting --feature-gates and OriginatingIdentity=true at least allowed the svc catalog to start up
2. and without Merge Service Catalog v 0.0.21 to Origin #16457 (which I believe makes sense to me now after perusing it more closely), we get this when attempting to provision a template from the console:

Error provisioning ServiceInstance "myproject/mariadb-persistent-rldw0" of ServiceClass "mariadb-persistent" at ServiceBroker "template-service-broker": Status: 400; ErrorMessage: <nil>; Description: couldn't parse X-Broker-API-Originating-Identity header; ResponseError: <nil>

I'm going to stop here for now (move on to other to-do's) and wait for #16457 to progress vs. checking out #16457 and trying to build the service catalog image.

[staebler]

@gabemontero I think the next step that you are missing is that the OriginatingIdentity feature needs to be enabled for service-catalog apiserver as well as controller-manager. Re-reading my previous comments, I see where it can be interpreted that it is only needed for controller-manager. To clarify my previous comment, the bug in the v0.0.20 release of service-catalog was that there was no way to enable the OriginatingIdentity feature in the controller-manager. It was possible to enable it in the apiserver.

[gabemontero]

OK, I was able to do some basic provision / bind flows rebased on b3912c0

@bparees - if still inclined please re-add you good to merge tag from #16434 (comment)

[bparees]

@gabemontero has a service catalog image that provides originating identity been published to dockerhub? we can't merge this until that has happened right?

[gabemontero]

On Fri, Sep 22, 2017 at 6:15 PM Ben Parees ***@***.***> wrote: @gabemontero <https://github.com/gabemontero> has a service catalog image that provides originating identity been published to dockerhub?

Yes it has and that is what I tested with. I monitored the push-origin-images job and pulled the image once the job with the appropriate commit finished.

we can't merge this until that has happened right?

Correct but per above we are good there

…

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#16434 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADbadApXYi17QM80418lFcJTMNB-g9Atks5slDFhgaJpZM4PcmQg> .

[bparees]

/lgtm

[openshift-ci-robot]

@crossonrose: changing LGTM is restricted to assignees, and only openshift org members may be assigned issues.

In response to this:

PWNED!

---

From: Ben Parees notifications@github.com
Sent: Friday, September 22, 2017 3:36:25 PM
To: openshift/origin
Cc: Subscribed
Subject: Re: [openshift/origin] remove user specification via request parameter for TSB (#16434)

/lgtm

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub#16434 (comment), or mute the threadhttps://github.com/notifications/unsubscribe-auth/AZ5z5EPv-b1Ez0qgp5iT-ipFGSsz1jeXks5slDZpgaJpZM4PcmQg.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-merge-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees, crossonrose, gabemontero

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• hack/OWNERS [bparees]
• pkg/OWNERS [bparees]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[openshift-merge-robot]

Automatic merge from submit-queue