openfaas / faas

OpenFaaS - Serverless Functions Made Simple
https://www.openfaas.com
MIT License

Auth plugins do not receive a request body #1641

Closed zjpiazza closed 3 years ago

zjpiazza commented 3 years ago

My actions before raising this issue

Expected Behaviour

Should be able to access the gateway request context via an auth plugin by enabling the auth_pass_body environment variable.

Current Behaviour

When interacting with the OpenFaaS gateway, I see the b64-encoded auth header passed to the "GET /validate" endpoint of my custom auth plugin, but I do not see any details from the originating request. Here are the details I get access to via the headers from the gateway:

INFO:auth-handler:Host: custom-auth-service.openfaas:8080
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Authorization: Basic YWRtaW46UkQ3ajNLd3FNOEp1
X-Forwarded-Proto: http
X-Request-Id: 41f49e49-9be2-4d54-98e9-26032a18c5c0
X-Envoy-Attempt-Count: 1
Content-Length: 0
X-Forwarded-Client-Cert: By=spiffe://cluster.local/ns/openfaas/sa/default;Hash=c4c7105dac5627a7f44158c33894d1c9d3cb61b263fad7535e40a59febda7c2e;Subject="";URI=spiffe://cluster.local/ns/openfaas/sa/openfaas-controller
X-B3-Traceid: f34dae52d554adfe9d980f7d0e0ef09c
X-B3-Spanid: 643e706b27f54e5b
X-B3-Parentspanid: 9d980f7d0e0ef09c
X-B3-Sampled: 0

Steps to Reproduce (for bugs)

  1. Update the auth_proxy_url environment variable using the following command: kubectl set env deployment.apps/gateway auth_proxy_url=http://custom-auth-service.openfaas:8080/validate -n openfaas
  2. Update the auth_pass_body environment variable using the following command: kubectl set env deployment.apps/gateway auth_pass_body=true -n openfaas
  3. Perform any action against the gateway API causing the auth '/validate' endpoint to be called

Context

I'm unclear what exactly the intended behavior of the environment variable "auth_pass_body" should be. There is only one sentence that I found in the documentation: "whether to pass the body of the request to the auth module, the default value is false". I assume this should pass the original request along to the auth module, but if that is not the case, please let me know.

Your Environment

alexellis commented 3 years ago

/set title: Auth plugins do not receive a request body

alexellis commented 3 years ago

I can confirm that the request body is not passed along by the OSS version of the gateway (just headers).

For context, you are trying to write your own version of the OpenFaaS PRO SSO / multi-tenant plugin, correct?

Alex
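Added example, not part of the thread or of the OpenFaaS code base: a `/validate` handler that decides from the forwarded headers alone, since that is all the gateway sends in the request shown above, and that redacts the `Authorization` value before logging. The credentials, function names and the convention that status 200 means allow and anything else means deny are assumptions made for the example.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample credentials (assumption); load real ones from a secret.
EXPECTED_USER = "admin"
EXPECTED_PASSWORD = "example-password"

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # invalid base64 or invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def validate(headers):
    """Decide from headers only; returns the HTTP status to send back."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401
    # Constant-time comparisons; evaluate both so timing does not reveal which failed.
    user_ok = hmac.compare_digest(creds[0].encode(), EXPECTED_USER.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), EXPECTED_PASSWORD.encode())
    return 200 if (user_ok and pass_ok) else 401

def loggable(headers):
    """Copy of the headers that is safe to log: the credential is redacted."""
    return {k: ("<redacted>" if k.lower() == "authorization" else v)
            for k, v in headers.items()}

class ValidateHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/validate":
            self.send_error(404)
            return
        # The request arrives with Content-Length: 0, so no body is read here.
        self.log_message("headers: %s", loggable(self.headers))
        self.send_response(validate(self.headers))
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), ValidateHandler).serve_forever()
```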

zjpiazza commented 3 years ago

So the auth_pass_body environment has no effect on the OSS version of the gateway, am I understanding that correctly?

alexellis commented 3 years ago

Whilst I feel conflicted about helping users to avoid paying for PRO products that support the project, I understand that you may not have budget where you are. I looked into it on Friday when you mentioned it on Slack and can confirm that's the case. If you are looking for ways to go multi-tenant, and have no budget then perhaps you could use ArgoCD or Flux, and then make Git implement your authz? That would be one way to avoid re-building what we offer to commercial users, and to still get your desired result without spending any money.

alexellis commented 3 years ago

Here's a link for a Flux tutorial - https://www.openfaas.com/blog/openfaas-flux/ - alternatively, as I understand your company may be offering OpenFaaS to many users, why not set them up their own OpenFaaS cluster or installation? OpenFaaS can be installed many times in the same cluster at the cost of slightly more management and resource usage.

zjpiazza commented 3 years ago

I will check that out. You may want to make it clear in the documentation that the 'auth_pass_body' environment variable has no effect unless you have pro features enabled: https://docs.openfaas.com/reference/authentication/#auth-plugins

alexellis commented 3 years ago

Thanks for the feedback.