moby / buildkit

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
https://github.com/moby/moby/issues/34227
Apache License 2.0

Feature proposal: token-based authorization mechanism for buildkitd #1658

Open rberrelleza opened 3 years ago

rberrelleza commented 3 years ago

Currently, buildkit only supports authorization using certificates. This is very useful, but it doesn't scale well beyond a small number of users. For Okteto, we run a shared buildkitd service that can be shared with multiple users in an organization. It would be very useful if buildkitd supported a token-based authorization mechanism.

This could work as follows:

This initial idea is just a go/no-go type of authorization. In the future this could be extended to also include quotas, rate limits, or even an 'identity context' across more buildkit operations. A PoC of this is available here: https://github.com/okteto/buildkit/commit/7c82ae09ec87471a981607106cdf68fc767b1dec

AkihiroSuda commented 3 years ago

NACK. This is weak against spoofing (unless it is used together with TLS).

rberrelleza commented 3 years ago

@AkihiroSuda yes, this should be used in addition to TLS. The way I'm thinking about it, TLS is used to guarantee the caller is talking to the expected buildkit instance, and the caller presents a token so the buildkit server can verify that the caller should have access to it.

AkihiroSuda commented 3 years ago

sgtm
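
The division of labour agreed in this thread (TLS authenticates the server and protects the channel, the token authorizes the caller) as an added example; it is not part of the thread, not the linked PoC, and not buildkitd's API. `TokenStore`, `Authorize`, the error names and the `Bearer` header format are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical names throughout; this is not buildkitd code.
var (
	ErrNoTLS    = errors.New("token presented over a non-TLS connection")
	ErrNoToken  = errors.New("missing or malformed bearer token")
	ErrBadToken = errors.New("unknown token")
)

// TokenStore keeps SHA-256 digests of issued tokens, never the tokens themselves.
type TokenStore struct{ digests [][32]byte }

func (s *TokenStore) Add(token string) { s.digests = append(s.digests, sha256.Sum256([]byte(token))) }

// Authorize is the go/no-go decision. overTLS reports whether the transport is
// TLS; authHeader is the caller's "authorization" metadata value (assumed format).
func (s *TokenStore) Authorize(overTLS bool, authHeader string) error {
	if !overTLS {
		return ErrNoTLS // a bearer token on a plaintext channel can be captured and replayed
	}
	scheme, token, ok := strings.Cut(authHeader, " ")
	if !ok || !strings.EqualFold(scheme, "Bearer") || token == "" {
		return ErrNoToken
	}
	got := sha256.Sum256([]byte(token))
	match := 0
	for _, d := range s.digests { // compare against every entry, no early exit
		match |= subtle.ConstantTimeCompare(got[:], d[:])
	}
	if match != 1 {
		return ErrBadToken
	}
	return nil
}

func main() {
	store := &TokenStore{}
	store.Add("constructed-sample-token") // constructed sample value
	fmt.Println(store.Authorize(true, "Bearer constructed-sample-token"))  // accepted
	fmt.Println(store.Authorize(false, "Bearer constructed-sample-token")) // refused: no TLS
	fmt.Println(store.Authorize(true, "Bearer wrong"))                     // refused: unknown
}
```

In a gRPC server the same check would sit in a unary and stream interceptor, with `overTLS` taken from the connection's peer information rather than passed in by hand.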