sr: add basic auth support to the schema registry #6639

Merged
merged 14 commits into from
Oct 12, 2022

@NyaliaLui NyaliaLui commented Oct 5, 2022

Cover letter

At Redpanda there is an effort to improve security by supporting HTTP Basic Authentication on some of our services such as the Schema Registry. PR #6452 introduced HTTP Basic Authentication to the Pandaproxy but not the Schema Registry.

This PR adds Basic Auth support to all Schema Registry endpoints but it does not include support for multiple authenticated connections. That will come at a later time.

This PR includes configuration changes to enable basic auth:

The new configuration options to enable basic auth are attached to the listener in schema_registry_api:

authentication_method: string
    Optional values: none, http_basic
    Default value: none

Examples for the new authn config:

schema_registry:
  schema_registry_api:
  - address: localhost
    port: 8081
    authentication_method: none

schema_registry:
  schema_registry_api:
  - address: localhost
    port: 8081
    authentication_method: http_basic

After this PR, the leftover tasks are:

  • Add kafka client cache to the Pandaproxy endpoints /consumers
  • Address follow-up points from pp: add basic auth to /brokers #6452
  • Add ducktape tests for: 1) mTLS only 2) mTLS + Basic Auth
  • Create upgrade, scale, and feature tests in ducktape
  • Manual tests on cloud infra

Backport Required

  • not a bug fix
  • issue does not exist in previous branches
  • papercut/not impactful enough to backport
  • v22.2.x
  • v22.1.x
  • v21.11.x

UX changes

  • none

Release notes

Features

  • Adds HTTP Basic Auth to all Schema Registry endpoints

@NyaliaLui NyaliaLui self-assigned this Oct 5, 2022
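
An added example, not part of this PR or of Redpanda's code: a small audit of the `schema_registry_api` listener list that reports every listener not set to `http_basic`, including those that omit the key and so fall back to the default `none` described above. The sample config, the names `parse_listeners` and `audit`, and the restricted YAML reader are assumptions made for illustration.

```python
# Findings for the cases the PR description implies; an omitted key means "none".
REASONS = {None: "key omitted, defaults to none", "none": "explicitly none"}

# Constructed sample (not from the PR): one listener per case.
SAMPLE = """\
schema_registry:
  schema_registry_api:
  - address: 0.0.0.0
    port: 8081
    authentication_method: http_basic
  - address: 0.0.0.0
    port: 8082
  - address: localhost
    port: 8083
    authentication_method: basic
"""

def parse_listeners(text, key="schema_registry_api"):
    """Read the `- k: v` list under `key:`; not a general YAML parser."""
    listeners, in_list, base = [], False, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        body = line.strip()
        if not body:
            continue
        indent = len(line) - len(line.lstrip())
        if body == f"{key}:":
            in_list, base = True, indent
        elif in_list and (indent < base or (indent == base and body[0] != "-")):
            in_list = False  # left the listener list
        elif in_list:
            if body[0] == "-":  # a new listener entry starts here
                listeners.append({})
                body = body[1:].strip()
            if ":" in body and listeners:
                k, v = body.split(":", 1)
                listeners[-1][k.strip()] = v.strip()
    return listeners

def audit(text):
    """Return (address, port, finding) for each listener not on http_basic."""
    findings = []
    for lst in parse_listeners(text):
        method = lst.get("authentication_method")
        if method != "http_basic":
            why = REASONS.get(method, f"unknown value {method!r}")
            findings.append((lst.get("address"), lst.get("port"), why))
    return findings
```

Calling `audit(SAMPLE)` reports the listener on port 8082 (key omitted) and the one on port 8083 (a value outside the two listed in the PR description).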
src/v/pandaproxy/types.h (outdated)
Comment on lines 48 to 55
if (rq.authn_method == config::rest_authn_method::http_basic) {
// Will throw 400 & 401 if auth fails
auto auth_result = rq.service().authenticator().authenticate(
*rq.req);
try {
auth_result.require_authenticated();
} catch (const ss::httpd::base_exception& ex) {
// The failure from require_authenticated() will throw 401
// instead of 403. So convert the exception to 403.
if (
ex.status() == ss::httpd::reply::status_type::unauthorized) {
throw ss::httpd::base_exception(
ex.what(), ss::httpd::reply::status_type::forbidden);
} else {
// Something else went wrong
throw;
}
}
}
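Review bot: `authenticate(*rq.req)` is called before the `try`, so the 400/401 that the first comment says it throws propagates unchanged, while only the 401 from `require_authenticated()` is rewritten to 403. If that split is intended (401 for the first check, 403 for the second), state it in the comment; if it is not, move the `authenticate` call inside the `try`. The existing comment also says that the 401 is converted but not why 403 is the status clients should see here, which is worth one more line.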
Member

This looks familiar, can the code be shared?

Something like (this might be a bit out of date): e1f92a2 and e73d5b7
And then it's possible to add some nice helpers: 7d82be4
Which can simplify the handlers: eccfeed

But I'll leave it to you to figure out the best way to reduce the duplication.

Contributor Author

@NyaliaLui NyaliaLui Oct 7, 2022

I like your context server changes but I think I'll put them in #6626 after we get the initial feature PRs merged

@mmedenjak mmedenjak added kind/enhance New feature or request area/schema-registry Schema Registry service within Redpanda area/security labels Oct 6, 2022
@NyaliaLui
Contributor Author

Things left to do on this PR:

  • factor out credential validation
  • factor out a lot of the duplicate code in ducktape tests

@dotnwat
Member

dotnwat commented Oct 7, 2022

factor out credential validation
factor out a lot of the duplicate code in ducktape tests

sounds like something we might potentially be able to do in follow-up PR(s) but it's up to you.

Member

@BenPope BenPope left a comment

Looks great

Member

@dotnwat dotnwat left a comment

looks awesome. just a couple super minor things

BenPope previously approved these changes Oct 10, 2022
dotnwat previously approved these changes Oct 10, 2022
@NyaliaLui
Contributor Author

NyaliaLui commented Oct 11, 2022

BLOCKER: TimeQueryTest.test_timequery.batch_cache=True #6685 (comment)

The failure is unrelated to this PR though since the failing test does not use:

  1. Basic Auth
  2. Schema Registry

@NyaliaLui
Contributor Author

/ci-repeat 5

@NyaliaLui
Contributor Author

Re-running CI now

@dotnwat
Member

dotnwat commented Oct 11, 2022

I restarted CI. debug run had the TimeQuery issue whose fix is landing soon, and release build ran out of disk space :(

@dotnwat
Member

dotnwat commented Oct 12, 2022

/ci-repeat 5

This commit tests HTTP Basic Authentication on the Schema Registry
endpoint POST compatibility/subjects/{subject}/versions/{version}
This commit tests HTTP Basic Authentication on the Schema Registry
endpoint DELETE /subjects/{subject}
This commit tests HTTP Basic Authentication on the Schema Registry
endpoint DELETE /subjects/{subject}/versions/{version}
This commit tests HTTP Basic Authentication on the Schema Registry
endpoint GET subjects/{subject}/versions/{version}/referencedBy
@dotnwat
Member

dotnwat commented Oct 12, 2022

CI is green now and the latest force push appears to contain changes that are completely disjoint with this PR

@dotnwat dotnwat merged commit 6699047 into redpanda-data:dev Oct 12, 2022
RafalKorepta pushed a commit to RafalKorepta/redpanda that referenced this pull request Oct 26, 2022
With changes to authorization configuration options the CRD is updated.

REF:
redpanda-data#6639
@RafalKorepta RafalKorepta mentioned this pull request Oct 26, 2022
RafalKorepta pushed a commit to RafalKorepta/redpanda that referenced this pull request Oct 27, 2022
With changes to authorization configuration options the CRD is updated.

REF:
redpanda-data#6639
RafalKorepta pushed a commit to RafalKorepta/redpanda that referenced this pull request Oct 28, 2022
With changes to authorization configuration options the CRD is updated.

REF:
redpanda-data#6639
RafalKorepta pushed a commit to RafalKorepta/redpanda that referenced this pull request Oct 30, 2022
With changes to authorization configuration options the CRD is updated.

REF:
redpanda-data#6639
@NyaliaLui NyaliaLui deleted the basic-auth-sr branch November 18, 2022 18:19
joejulian pushed a commit to joejulian/redpanda that referenced this pull request Mar 10, 2023
With changes to authorization configuration options the CRD is updated.

REF:
redpanda-data#6639
joejulian pushed a commit to joejulian/redpanda that referenced this pull request Mar 24, 2023
With changes to authorization configuration options the CRD is updated.

REF:
redpanda-data#6639
joejulian pushed a commit to joejulian/redpanda that referenced this pull request Apr 12, 2023
With changes to authorization configuration options the CRD is updated.

REF:
redpanda-data#6639
(cherry picked from commit d4bc3c8)
joejulian pushed a commit to joejulian/redpanda that referenced this pull request Apr 13, 2023
With changes to authorization configuration options the CRD is updated.

REF:
redpanda-data#6639
(cherry picked from commit d4bc3c8)