spinnaker-plugins / aws-lambda-deployment-plugin-spinnaker

Spinnaker plugin to support deployment of AWS Lambda functions via Spinnaker pipelines
Apache License 2.0

propagate user authentication to cloud-driver for account rbac #57

Closed jaredstehler closed 3 years ago

jaredstehler commented 3 years ago

Currently, this plugin is broken for Spinnaker setups which use RBAC; the requests to clouddriver are anonymous.

This replicates what the other orca clients use for clouddriver communication: https://github.com/spinnaker/kork/blob/master/kork-plugins/src/main/kotlin/com/netflix/spinnaker/kork/plugins/remote/extension/transport/http/OkHttpRemoteExtensionTransport.kt#L125-L139

For reference, here are the logs from clouddriver:

2021-02-16 02:14:43.460 DEBUG 1 --- [0.0-7002-exec-1] c.n.s.f.shared.FiatAuthenticationFilter  : Set SecurityContext to user: anonymous
2021-02-16 02:14:43.501  WARN 1 --- [0.0-7002-exec-1] c.n.s.c.orchestration.OperationsService  : No validator found for operation CreateLambdaFunctionDescription and cloud provider aws
2021-02-16 02:14:43.505  INFO 1 --- [0.0-7002-exec-1] c.n.spinnaker.fiat.shared.FiatService    : ---> HTTP GET http://spin-fiat.spinnaker:7003/authorize/anonymous
2021-02-16 02:14:43.508  INFO 1 --- [0.0-7002-exec-1] brave.Tracer                             : {"traceId":"15270ed10d754e52","id":"15270ed10d754e52","kind":"CLIENT","name":"GET","timestamp":1613441683505701,"duration":3065,"localEndpoint":{"serviceName":"unknown"},"tags":{"http.method":"GET","http.path":"/authorize/anonymous"}}
2021-02-16 02:14:43.510  WARN 1 --- [0.0-7002-exec-1] c.n.s.okhttp.OkHttp3MetricsInterceptor   : Request GET:http://spin-fiat.spinnaker:7003/authorize/anonymous is missing [X-SPINNAKER-USER, X-SPINNAKER-ACCOUNTS] authentication headers and will be treated as anonymous.
Request from: com.netflix.spinnaker.okhttp.MetricsInterceptor.doIntercept(MetricsInterceptor.java:98)
        at com.netflix.spinnaker.okhttp.OkHttp3MetricsInterceptor.intercept(OkHttp3MetricsInterceptor.java:36)
        at com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator.lambda$getPermission$3(FiatPermissionEvaluator.java:302)
        at com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator$ExponentialBackoffRetryHandler.retry(FiatPermissionEvaluator.java:99)
        at com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator.lambda$getPermission$4(FiatPermissionEvaluator.java:300)
        at com.netflix.spinnaker.security.AuthenticatedRequest.lambda$wrapCallableForPrincipal$0(AuthenticatedRequest.java:272)
        at com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator.lambda$getPermission$5(FiatPermissionEvaluator.java:317)
        at com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator.getPermission(FiatPermissionEvaluator.java:292)
        at com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator.hasPermission(FiatPermissionEvaluator.java:238)
        at com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator.hasPermission(FiatPermissionEvaluator.java:266)
        at com.netflix.spinnaker.clouddriver.deploy.DescriptionAuthorizerService.authorize(DescriptionAuthorizerService.java:111)
        at com.netflix.spinnaker.clouddriver.deploy.DescriptionAuthorizerService.authorize(DescriptionAuthorizerService.java:52)
        at com.netflix.spinnaker.clouddriver.deploy.DefaultDescriptionAuthorizer.authorize(DefaultDescriptionAuthorizer.java:31)
        at com.netflix.spinnaker.clouddriver.orchestration.OperationsService.lambda$convert$5(OperationsService.java:194)
        at com.netflix.spinnaker.clouddriver.orchestration.OperationsService.convert(OperationsService.java:223)
        at com.netflix.spinnaker.clouddriver.orchestration.OperationsService.collectAtomicOperations(OperationsService.java:107)
        at com.netflix.spinnaker.clouddriver.orchestration.OperationsService$collectAtomicOperations.call(Unknown Source)
        at com.netflix.spinnaker.clouddriver.controllers.OperationsController.cloudProviderOperation(OperationsController.groovy:102)
        at com.netflix.spinnaker.fiat.shared.FiatAuthenticationFilter.doFilter(FiatAuthenticationFilter.java:65)
        at com.netflix.spinnaker.filters.AuthenticatedRequestFilter.doFilter(AuthenticatedRequestFilter.groovy:147)
2021-02-16 02:14:43.510  INFO 1 --- [0.0-7002-exec-1] c.n.spinnaker.fiat.shared.FiatService    : <--- HTTP 200 http://spin-fiat.spinnaker:7003/authorize/anonymous (4ms)

2021-02-16 02:14:43.511 DEBUG 1 --- [0.0-7002-exec-1] c.n.s.f.shared.FiatPermissionEvaluator   : Authorization=WRITE denied to account=wna-cloud-aws-account for user permission=__unrestricted_user__, found={}

2021-02-16 02:14:43.512  WARN 1 --- [0.0-7002-exec-1] c.n.s.c.d.DescriptionAuthorizerService   : No application(s) specified for operation with account restriction (type: CreateLambdaFunctionDescription, account: wna-cloud-aws-account, hasValidationErrors: true)
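As an added example (not part of this PR or of the plugin's code), a small detector over clouddriver log lines of the shape quoted above: it groups lines by servlet thread and flags requests that ran as the anonymous principal and were then denied by Fiat, which is how an operator can spot callers that fail to propagate X-SPINNAKER-USER / X-SPINNAKER-ACCOUNTS. The sample log is constructed from the lines in this PR plus a made-up authenticated control thread (exec-2).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the clouddriver lines quoted in the PR; the
# "exec-2" thread is an invented authenticated control case, not real output.
SAMPLE_LOG = """\
2021-02-16 02:14:43.460 DEBUG 1 --- [0.0-7002-exec-1] c.n.s.f.shared.FiatAuthenticationFilter  : Set SecurityContext to user: anonymous
2021-02-16 02:14:43.510  WARN 1 --- [0.0-7002-exec-1] c.n.s.okhttp.OkHttp3MetricsInterceptor   : Request GET:http://spin-fiat.spinnaker:7003/authorize/anonymous is missing [X-SPINNAKER-USER, X-SPINNAKER-ACCOUNTS] authentication headers and will be treated as anonymous.
2021-02-16 02:14:43.511 DEBUG 1 --- [0.0-7002-exec-1] c.n.s.f.shared.FiatPermissionEvaluator   : Authorization=WRITE denied to account=wna-cloud-aws-account for user permission=__unrestricted_user__, found={}
2021-02-16 02:14:43.512  WARN 1 --- [0.0-7002-exec-1] c.n.s.c.d.DescriptionAuthorizerService   : No application(s) specified for operation with account restriction (type: CreateLambdaFunctionDescription, account: wna-cloud-aws-account, hasValidationErrors: true)
2021-02-16 02:15:01.000 DEBUG 1 --- [0.0-7002-exec-2] c.n.s.f.shared.FiatAuthenticationFilter  : Set SecurityContext to user: alice@example.com
2021-02-16 02:15:01.020 DEBUG 1 --- [0.0-7002-exec-2] c.n.s.f.shared.FiatPermissionEvaluator   : Authorization=WRITE denied to account=wna-cloud-aws-account for user permission=alice@example.com, found={}
"""

# Spring Boot style line: timestamp, level, pid, "---", [thread], logger, ": ", message.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<level>\w+)\s+\d+ --- \[(?P<thread>[^\]]+)\] (?P<logger>\S+)\s*: (?P<msg>.*)$")
ANON_USER_RE = re.compile(r"Set SecurityContext to user: anonymous$")
MISSING_HDR_RE = re.compile(r"is missing \[(?P<headers>[^\]]+)\] authentication headers")
DENIED_RE = re.compile(r"Authorization=(?P<perm>\w+) denied to account=(?P<account>\S+) for user permission=(?P<user>[^\s,]+)")
OPERATION_RE = re.compile(r"\(type: (?P<op>\w+), account: (?P<account>[^,]+)")


def find_anonymous_denials(log_text):
    """Return, per servlet thread, the requests that ran with the anonymous
    principal and were then denied by Fiat, with the evidence collected."""
    by_thread = defaultdict(lambda: {"anonymous": False, "missing_headers": [],
                                     "denials": [], "operation": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace continuation lines carry no thread id
        rec, msg = by_thread[m["thread"]], m["msg"]
        if ANON_USER_RE.search(msg):
            rec["anonymous"] = True
        elif (h := MISSING_HDR_RE.search(msg)):
            rec["missing_headers"] = [x.strip() for x in h["headers"].split(",")]
        elif (d := DENIED_RE.search(msg)):
            rec["denials"].append((d["perm"], d["account"], d["user"]))
        elif (o := OPERATION_RE.search(msg)):
            rec["operation"] = o["op"]
    # Only anonymous threads that actually hit an authorization decision are findings.
    return {t: r for t, r in by_thread.items() if r["anonymous"] and r["denials"]}


if __name__ == "__main__":
    for thread, rec in find_anonymous_denials(SAMPLE_LOG).items():
        print(f"{thread}: anonymous caller, missing {rec['missing_headers']}, "
              f"denied {rec['denials']}, operation {rec['operation']}")
```

A denial for a named user (exec-2) is a normal RBAC outcome and is not reported; the finding is specifically an anonymous principal reaching an account-restricted operation.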