Closed vishaldevgire closed 5 years ago
If you're thinking about the API, I'd consider the POST / PUT taking a request body in which it has something like:
"permissions": "all"
or
"permissions": [
{
"/go/api/*": true
}
]
... something like that. To make it easier to get people used to possible changes around granular auth tokens. However, since we will have versioning, maybe it's ok not to. Thinking out loud here.
Probably best to not bother about it now, and let versioning help us out later?
@rahulpargaonkar to test this feature.
@maheshp, @rajiesh and I had a discussion about this and here's what we came up with:
Just to be clear. Feel free to tell us our assumptions are wrong.
This is at a user level.
This is for API requests only (so /go/api/*
). Not for anything else. [Edit: Feb 18, 2019 - /go/cctray.xml
needs to be allowed too]
The idea is to have GoCD authenticate (using the token) but have the plugin from which the token was created, do the authorization (provide mapping to roles).
Auth tokens are unique across the system (GUIDs).
You can only create a token for the plugin that your authentication has happened on. Anything other than this (log in using file based authentication and try to create access token for GitHub auth plugin) is fraught with danger.
How does GoCD know that they're not allowed to access the API? Does authorization call fail?
group1
.This bug is not specific to auth tokens. Happens with normal browser sessions too. This is because the store which has the user to role mapping is keyed by username, and not my (username + plugin ID)
combination. This happens when the username is the same across multiple authorization configurations (usually across plugins).
We considered whether (username + plugin ID)
is enough. There are possible corner case bugs, but it's good enough. Better than what we have now.
With auth tokens, this problem can become worse. Especially with auth tokens with more granular permissions.
@maheshp's estimation is that this change is very widespread and we're ok with not doing this right now. Could do it when doing more work around granular permissions.
If we reuse a session (based on username), then any authentication token previously stored in the session will get overwritten, causing problems for reauth (you'd lose the GitHub reauth token, for instance).
So, API token requests should have their own session. But, it can be thrown away after the request. It probably doesn't even need to be alive for 5 minutes, like other API sessions are today.
Might have to keep track of when roles were removed from the store, when revoke happens, so that a reauth can happen for the token which is not revoked.
We tried to think of usecases for this, and saw if there was anything missing. We thought of:
/cc @maheshp @rajiesh - Please feel free to add anything else I missed from our conversation.
Some of what is mentioned in the comment above is based on https://github.com/gocd/gocd/issues/5354.
@gocd/committers -- Here is the gist of all the things we've discussed:
Currently, we dont support deletion of auth tokens for auditing purposes.
That means, "You can only revoke, but not delete auth tokens". Right? The reason is "auditing" (to be able to show that a token existed). I wonder how any auditing can use that, but I think it's fine.
Will the token be generated only to use with the APIs? Or can it be used in /go/auth/login
as one of the authentication means?
@varshavaradarajan Only for APIs. At least that's what is mentioned here: https://github.com/gocd/gocd/issues/5321#issuecomment-437297399
Pending
@kritika-singh3
Issue Type
Summary
Currently GoCD APIs support basic authentication, this issue is about adding support for access token-based authentication to GoCD APIs.
For 19.2.0
Bugs
Can be done post-release
Next release
Won't Fix