ingress-nginx icon indicating copy to clipboard operation
ingress-nginx copied to clipboard
verified publisher icon kubernetes

Add auth-signin-snippet annotation

Open omartin2342 opened this issue 3 years ago • 7 comments

We use the annotations nginx.ingress.kubernetes.io/auth-signin and nginx.ingress.kubernetes.io/auth-url to authorize requests.

When an unauthenticated request is detected and nginx.ingress.kubernetes.io/auth-url is called we need the possibility to include our own nginx configuration in the nginx location and return something else than “just” the 301 to the URI in nginx.ingress.kubernetes.io/auth-signin.

A concrete use case is that we want a redirect to the nginx.ingress.kubernetes.io/auth-signin URL only when an HTML page is requested (e.g. HTTP header accept: text/html is present). If an API call is made, the status code 401 should be returned instead of a redirect.

---- 8< ---- set $do401 “”; if ($http_accept ~= “text/html” ) { set $do401 “${do401}1”; } if ($request_method = GET) { set $do401 “${do401}1”; } if ($do401 == “11”) { return 401; } ---- >8 ----

Types of changes

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] CVE Report (Scanner found CVE and adding report)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)
  • [ ] Documentation only

Which issue/s this PR fixes

None

How Has This Been Tested?

Test environment has been setup with a vanilla Kubernetes in our datacenter. Patched ingress-nginx and a deployment of our software with a ingress resource annotated with auth-url, auth-sigin and auth-signin-snippet have been deployed. Request with browser and api client have been made. All has been as before except that XHR requests with invalid token got an 401 response instead of the unwanted 301.

Checklist:

  • [x] My change requires a change to the documentation.
  • [x] I have updated the documentation accordingly.
  • [x] I've read the CONTRIBUTION guide
  • [x] I have added unit and/or e2e tests to cover my changes.
  • [ ] All new and existing tests passed.
  • [X] Added Release Notes.
Add new annotation nginx.ingress.kubernetes.io/auth-signin-snippet for External Auth

omartin2342 avatar Sep 06 '22 13:09 omartin2342

CLA Signed

The committers listed above are authorized under a signed CLA.

  • :white_check_mark: login: omartin2342 (03e0b4b4c0ad02fe0c60330e1f2e2cf8a0a1d303)

linux-foundation-easycla[bot] avatar Sep 06 '22 13:09 linux-foundation-easycla[bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: omartin2342 Once this PR has been reviewed and has the lgtm label, please assign strongjz for approval by writing /assign @strongjz in a comment. For more information see:The Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Sep 06 '22 13:09 k8s-ci-robot

@omartin2342: This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Sep 06 '22 13:09 k8s-ci-robot

Welcome @omartin2342!

It looks like this is your first PR to kubernetes/ingress-nginx 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/ingress-nginx has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. :smiley:

k8s-ci-robot avatar Sep 06 '22 13:09 k8s-ci-robot

Hi @omartin2342. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Sep 06 '22 13:09 k8s-ci-robot

CLA Signed

The committers listed above are authorized under a signed CLA.

  • :white_check_mark: login: omartin2342 (193d95d5136cc5b4008441c14cb7e69b79c1be08)

linux-foundation-easycla[bot] avatar Sep 08 '22 11:09 linux-foundation-easycla[bot]

Snippets has been shown one of our biggest problems in security. I really don't want to merge any new thing with snippets, so from me is a -1 :(

Can we have whatever is needed via snippets as proper configurations/annotations? If not, I'm not willing to merge this, unless @tao12345666333 @strongjz have some different idea

rikatz avatar Sep 11 '22 22:09 rikatz

Hi

I'm interested in this feature too.

Considering your question if we can have it as proper annotation and not as snippet - how would that work. there is use case specific logic in the snippet. I'm somewhat sure that if it would be an annotation (like auth-do401-if-browser) there would be a discussion on how to correctly detect a browser.

Could you hint on what you would be willing to merge that is close to what omartin2342 tries to achieve?

kind regards

chriss-de avatar Oct 17 '22 12:10 chriss-de

We took some time to think about our options to accomplish our goal of treating api requests and users differently.

We'd be able to do that in our default backend, if we manage to route the errors of external auth there. We actually think that there is a wider usecase to be able to do that and opened #9211 to discuss our approach there

simhnna avatar Oct 24 '22 16:10 simhnna

@rikatz what do you think about the proposal in #9221. That should cover the use case presented in this mr without using any snippets

simhnna avatar Nov 21 '22 13:11 simhnna

@omartin2342: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Dec 05 '22 04:12 k8s-ci-robot

Solved with #9411

omartin2342 avatar Dec 14 '22 14:12 omartin2342