
Fermyon Platform Authz approach for Quick-Start

Open vdice opened this issue 3 years ago • 6 comments

As of https://github.com/fermyon/nomad-aws-demo/pull/1 the quick start example launches an EC2 instance to host Nomad and the Fermyon Platform and then runs Traefik to route traffic for the Bindle server and Hippo (in addition to any deployed Spin apps...)

Currently, both the Bindle server and Hippo have TLS courtesy of Let's Encrypt, via their public CA. So, the URLs are out there for any amount of public access.

We'd like to restrict access to these Fermyon Platform services as much as possible.

A few (not necessarily mutually-exclusive) approaches we can look into:

  1. Adding Basic Auth middleware at the Traefik level, to be applied to either/both Bindle and Hippo. This would require any/all traffic to these services to present the auth token on requests.

  2. Adding account creation to Hippo into the Terraform automation such that a username and password is provided as Terraform outputs after terraform apply. The idea is Hippo would be running in 'master account-only' mode, meaning the generated account is the only valid/possible account in the system. This would require support in Hippo (see https://github.com/deislabs/hippo/issues/546)

Other?

vdice avatar May 23 '22 18:05 vdice

Hippo auth (default admin-mode) added in https://github.com/fermyon/nomad-aws-demo/pull/8

vdice avatar May 27 '22 18:05 vdice

We'll need a follow-up to add Bindle auth once Hippo supports it (or, we can see if bindle basic auth at the server level -- as opposed to the Traefik/reverse proxy level -- is suitable, as it does currently support anonymous GETs)

vdice avatar May 27 '22 18:05 vdice

Quick update here that Hippo does support basic bindle auth via the connection string. We don't pass those values into the nomad job when we spawn an app, but we could.

https://github.com/deislabs/bindle-dotnet/blob/main/tests/Bindle.UnitTests/ConnectionInfoTests.cs

https://github.com/deislabs/hippo/blob/ddc1f859c2eb27739cc1674c7fba7db7bfda9f0c/src/Infrastructure/Services/NomadJobService.cs#L172-L187

bacongobbler avatar Jun 13 '22 20:06 bacongobbler

Thanks @bacongobbler; I think we'll want to add that (configure basic auth on bindle -- via bindle itself or via traefik middleware, and pass values through so hippo can talk to bindle). Once added, we can close this one out.

vdice avatar Jun 13 '22 21:06 vdice

@bacongobbler I started work to add bindle basic auth on a branch. One detail I want to double-check that I have right: the connection string to bindle for Hippo. Does something like the following look right?

ConnectionStrings__Bindle = "server=${var.bindle_url};username=${var.bindle_auth_username};password=${var.bindle_auth_password}"

vdice avatar Jun 28 '22 00:06 vdice

Looks correct to me!

source: https://github.com/deislabs/bindle-dotnet/blob/main/src/Bindle/ConnectionInfo.cs

bacongobbler avatar Jun 28 '22 02:06 bacongobbler
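The connection string agreed on above (server=...;username=...;password=...) is easy to get subtly wrong when the password contains '=' or when it leaks into logs or Terraform outputs. The following is an added example, not code from this issue, from Hippo or from bindle-dotnet: it assembles the string the way the Terraform interpolation would, parses it back (splitting on ';' and on the first '=' only, an assumption about the layout rather than a copy of ConnectionInfo.cs), derives the HTTP Basic Authorization header the Hippo-side Bindle client would send, and shows the check a basic-auth gate such as the Traefik middleware from approach 1 performs on the other end. All sample values are constructed; a real Traefik middleware stores htpasswd hashes rather than the plain credential table used here.

```python
import base64
import hmac

# Constructed sample values standing in for var.bindle_url,
# var.bindle_auth_username and var.bindle_auth_password.
SAMPLE_SERVER = "https://bindle.example.com/v1"
SAMPLE_USER = "hippo"
SAMPLE_PASSWORD = "s3cret=pw"  # contains '=' on purpose


def build_connection_string(server, username, password):
    """Assemble the ConnectionStrings__Bindle value in the issue's layout.
    ';' cannot appear unescaped in any field, so reject it up front rather
    than emit a string that parses into the wrong fields."""
    for name, value in (("server", server), ("username", username), ("password", password)):
        if ";" in value:
            raise ValueError(f"{name} contains ';', which this key=value;... format cannot carry")
    if ":" in username:
        raise ValueError("username may not contain ':' (it delimits Basic credentials)")
    return f"server={server};username={username};password={password}"


def parse_connection_string(conn):
    """Split on ';', then on the FIRST '=' of each segment so a password
    such as 's3cret=pw' survives intact. Keys are normalised to lowercase.
    Assumption: mirrors the semicolon-separated key=value layout of the
    bindle-dotnet connection string; not that library's code."""
    fields = {}
    for segment in conn.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {segment!r}")
        fields[key.strip().lower()] = value
    return fields


def uses_tls(server):
    """Basic credentials are only base64, so the transport must be TLS."""
    return server.lower().startswith("https://")


def basic_auth_header(username, password):
    """Authorization header value the Bindle client sends (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header):
    """Inverse of basic_auth_header; returns (username, password)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic authorization header")
    user, sep, pw = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("credentials missing ':' separator")
    return user, pw


def verify_basic_auth(header, credential_table):
    """What the gate in front of Bindle does: decode and compare in constant
    time. credential_table is a constructed {user: password} dict; a real
    middleware would verify against htpasswd hashes instead."""
    try:
        user, pw = decode_basic_header(header)
    except ValueError:
        return False
    expected = credential_table.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), pw.encode())


def redact(conn):
    """Connection string with the password masked, safe for logs/outputs."""
    fields = parse_connection_string(conn)
    if "password" in fields:
        fields["password"] = "***"
    return ";".join(f"{k}={v}" for k, v in fields.items())


if __name__ == "__main__":
    conn = build_connection_string(SAMPLE_SERVER, SAMPLE_USER, SAMPLE_PASSWORD)
    fields = parse_connection_string(conn)
    print("tls:", uses_tls(fields["server"]))
    print("logged as:", redact(conn))
    hdr = basic_auth_header(fields["username"], fields["password"])
    print("gate accepts:", verify_basic_auth(hdr, {SAMPLE_USER: SAMPLE_PASSWORD}))
```

In the Nomad job the string reaches Hippo via the ConnectionStrings__Bindle environment variable; the redact() helper is the form to put in any Terraform output or log line, since the raw value carries the password in clear.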