bketelsen
commented
10 years ago This is a great idea. We'll noodle around some ideas on how to do auth for service updates. If you have any (or want to implement this) let us know!
Closed densone closed 10 years ago
bketelsen
commented
10 years ago This is a great idea. We'll noodle around some ideas on how to do auth for service updates. If you have any (or want to implement this) let us know!
densone
commented
10 years ago Awesome. I am kicking around some ideas today. Will try to keep it simple. Could maybe store the auth keys in raft logs too?
bketelsen
commented
10 years ago that's an idea - I was thinking etcd, but you could start the skydns service with an auth key on the command line, and the clients would need the same auth key. Either way it's a shared secret known between server and supplicants. I want to avoid having to generate keys for each new client. So if it's shared, it's going to have to be stored somewhere for config - and etcd/zk/doozer fit that bill. We intend on using etcd for many other config items long term, but I'm not yet convinced to tie skydns to a specific config store.
densone
commented
10 years ago Oh sure, that's actually simple and will work for my case. I was thinking much more complex, but this works. If the shared secret flag is an empty string, there's no auth?
bketelsen
commented
10 years ago Don't be afraid to go more complex if that's your inclination. I'm just trying to impart our vision of Skynet being very simple to deploy and use. As long as you can fit that model, go for it!
densone
commented
10 years ago I honestly think the shared key is more effective. Saved me hours of noodling.
densone
commented
10 years ago Implemented, just need to write some tests now.
With Shared Key in Auth Header: ╭─densone@derp ~ ‹› ╰─$ curl -H "Authorization: test" -X PATCH -L http://localhost:8080/skydns/services/1005 -d '{"Name":"comp","Version":"1.0.0","Environment":"Production","Region":"Test","Host":"web4.c.com","Port":9000,"TTL":1000, "secret":"test"}'
Without Shared Key:
╰─$ curl -X PATCH -L http://localhost:8080/skydns/services/1005 -d '{"Name":"comp","Version":"1.0.0","Environment":"Production","Region":"Test","Host":"web4.c.com","Port":9000,"TTL":1000, "secret":"test"}'You must authenticaticate this request ╭─densone@derp ~ ‹› ╰─$
If the -secret flag is a blank string, auth is not required.
densone
commented
10 years ago Implemented secret key auth
I was wondering if there's any ideas around securing the http api and maybe generating api keys.
For instance, imagine if you implmented service level authorization to update a service.
If this became a reality, It we be really easy for people that are maybe using your service or api's to create records and not screw everyone else.