
Authentication story?

Open keith opened this issue 6 years ago • 4 comments

Right now it looks like buildfarm does some handling of the --google_credentials (although I'm not exactly sure what that's for). Is this the expected method of authentication or is the hope that this is hosted behind a company VPN?

keith avatar Oct 01 '19 20:10 keith

There are a fair number of endpoints to cover with auth, and gRPC should make it pretty trivial to do so. Is covering the front door enough? Do you have an OperationQueue Worker -> Server auth story you want to fulfill? Sharded Servers also flip this and talk to Shards via gRPC as well.

The existing auth might be in place enough to support an authenticated gRPC CAS definition for a user of the StubInstance, at least with Memory instance and OperationQueue Worker.

werkt avatar Oct 03 '19 17:10 werkt

I guess for our case we're worried about both the bazel <-> server communication as well as the server <-> worker communication. Virtually to the point where, if this was running publicly, it would not be an issue.

keith avatar Oct 03 '19 17:10 keith

For bazel <-> server communication, you could use Mutual TLS to authenticate, right? But it looks like you'd have to set it up in your load balancer, even if there's only one scheduler.

thii avatar Jun 15 '21 22:06 thii

Nice issue! Are there any answers about what folks have done for remote execution auth? I'd be interested to know, especially if people have devs connecting through the edge or CDN systems.

I suspected most people have a "front door" solution: e.g. this happens outside of buildfarm practically. At the very basic case, it looks like there are multiple options. Having a bulletproof answer that we can just apply would be great: e.g. a k8s-based ingress controller, envoy, or nginx integration. Does anyone have an open source suggestion, or does the auth mostly piggyback on existing internal systems?

Also curious about what you have done on the client side. There are 2 common options: bazel can attach headers, or you can have a local proxy to do stuff like auth into the front door for you.

jerrymarino avatar Jun 09 '22 23:06 jerrymarino
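A concrete "front door" for the bazel <-> server leg, combining the mutual TLS option thii mentions with the metadata header option jerrymarino raises. This is an added example, not configuration from this thread or from the buildfarm project; the hostname, certificate paths and the upstream port 8980 are assumptions.

```nginx
# Added example (not from this thread or the buildfarm project): an nginx front door
# that terminates TLS for gRPC and requires a client certificate before anything
# reaches the buildfarm server. Assumptions: buildfarm.example.com, the PEM paths
# and upstream 127.0.0.1:8980 are placeholders; the server is only reachable via this proxy.
upstream buildfarm_server {
    server 127.0.0.1:8980;   # assumed buildfarm server gRPC port, never exposed directly
}

server {
    listen 443 ssl http2;    # gRPC requires HTTP/2
    server_name buildfarm.example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Mutual TLS: every client must present a certificate issued by this internal CA.
    # The nginx default is "ssl_verify_client off", which would leave the front door
    # encrypted but completely unauthenticated.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    # CAS uploads (ByteStream) can be large; do not cap request bodies at the proxy.
    client_max_body_size 0;

    location / {
        # Execute() is a long-lived server stream; the 60s default would cut it off.
        grpc_read_timeout 1h;
        grpc_send_timeout 1h;

        # Forward the verified certificate subject as gRPC metadata. grpc_set_header
        # replaces any value the client sent, so the identity cannot be spoofed from
        # outside the proxy.
        grpc_set_header x-client-cert-subject $ssl_client_s_dn;
        grpc_pass grpc://buildfarm_server;
    }
}
```

The matching client side is Bazel's `--remote_executor=grpcs://buildfarm.example.com` together with `--tls_client_certificate` and `--tls_client_key` pointing at a certificate issued by that CA. This covers only the bazel <-> server leg; the server <-> worker traffic discussed above still needs its own authentication or network isolation.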