uhc-auth-proxy is a service for authenticating OpenShift 4 clusters. It does so by handling the various API calls required to authenticate a `cluster_id` and `authorization_token` with UHC services. The `cluster_id` and `authorization_token` are two pieces of data that are stored with each deployment of an OpenShift 4 cluster. They are issued when the cluster is provisioned.
This service provides an alternative way to authenticate and authorize requests without requiring a customer to store their SSO credentials somewhere within their cluster. This, in turn, enables the insights-operator to send data with no additional configuration required.
- A request is made containing the `cluster_id` and `authorization_token` from a cluster.
- The auth proxy forms an authorization header from the provided `cluster_id` and `authorization_token` for a request to the OpenShift API account_management endpoint.
- Using the data returned from the OpenShift API, an identification document is built and returned to the caller.
An identification document should look something like this:

```json
{
  "account_number": "123456",
  "type": "System",
  "internal": {
    "org_id": "1234567"
  }
}
```
In practice, a request is made of the API broker from the insights-operator with the following headers:

```
User-agent: insights-operator/<git hash> cluster/<cluster id>
Authentication: Bearer <authorization_token>
```

Because the `User-agent` header indicates the call came from the insights-operator, the API broker delegates authentication of the request to uhc-auth-proxy.
The following API will need to be accessed:
The API returns something like:

```json
{
  "id": "string",
  "kind": "Account",
  "href": "/api/accounts_mgmt/v1/accounts/:account_id",
  "first_name": "string",
  "last_name": "string",
  "username": "string",
  "email": "string",
  "banned": false,
  "created_at": "timestamp",
  "updated_at": "timestamp",
  "organization": {
    "id": "string",
    "kind": "Organization",
    "href": "/api/accounts_mgmt/v1/organizations/:org_id",
    "name": "Organization Name"
  }
}
```
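The two steps the proxy performs on every request, pulling the cluster id and bearer token out of the insights-operator headers shown above and then mapping the accounts_mgmt response onto the identification document, are shown below as an added example. This is illustrative code written for this README, not the project's own implementation: the upstream call itself is omitted, and the mapping of the account `id` to `account_number` and of `organization.id` to `org_id` is an assumption, as is the constructed `sampleAccount` response. Both header checks fail closed, so a request that is not from the insights-operator, or that carries an empty cluster id or an empty bearer token, is rejected before any upstream call would be made.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Account holds the fields of the accounts_mgmt response that the identity
// document needs; the remaining fields are ignored when decoding.
type Account struct {
	ID           string `json:"id"`
	Kind         string `json:"kind"`
	Organization struct {
		ID string `json:"id"`
	} `json:"organization"`
}

// Identity is the identification document returned to the caller.
type Identity struct {
	AccountNumber string `json:"account_number"`
	Type          string `json:"type"`
	Internal      struct {
		OrgID string `json:"org_id"`
	} `json:"internal"`
}

// parseClusterRequest extracts the cluster id from a User-agent header of the
// form "insights-operator/<git hash> cluster/<cluster id>" and the
// authorization_token from an "Authentication: Bearer <token>" header.
// Anything that does not match exactly is rejected rather than guessed at.
func parseClusterRequest(userAgent, authentication string) (clusterID, token string, err error) {
	fields := strings.Fields(userAgent)
	if len(fields) != 2 ||
		!strings.HasPrefix(fields[0], "insights-operator/") ||
		!strings.HasPrefix(fields[1], "cluster/") {
		return "", "", fmt.Errorf("user-agent %q is not an insights-operator cluster request", userAgent)
	}
	clusterID = strings.TrimPrefix(fields[1], "cluster/")
	if clusterID == "" {
		return "", "", errors.New("user-agent carries an empty cluster id")
	}
	const bearer = "Bearer "
	if !strings.HasPrefix(authentication, bearer) || len(authentication) == len(bearer) {
		return "", "", errors.New("authentication header is not a non-empty bearer token")
	}
	return clusterID, strings.TrimPrefix(authentication, bearer), nil
}

// buildIdentity decodes an accounts_mgmt response and maps it onto the
// identity document. Taking account_number from "id" and org_id from
// "organization.id" is an assumption made for this example.
func buildIdentity(accountJSON []byte) (Identity, error) {
	var acct Account
	if err := json.Unmarshal(accountJSON, &acct); err != nil {
		return Identity{}, fmt.Errorf("decoding account response: %w", err)
	}
	if acct.Kind != "Account" {
		return Identity{}, fmt.Errorf("unexpected kind %q in account response", acct.Kind)
	}
	if acct.ID == "" || acct.Organization.ID == "" {
		return Identity{}, errors.New("account response is missing the account or organization id")
	}
	id := Identity{AccountNumber: acct.ID, Type: "System"}
	id.Internal.OrgID = acct.Organization.ID
	return id, nil
}

// sampleAccount is a constructed accounts_mgmt response in the shape shown
// in this README; the values are made up for the example.
const sampleAccount = `{
  "id": "123456",
  "kind": "Account",
  "href": "/api/accounts_mgmt/v1/accounts/123456",
  "username": "example-user",
  "banned": false,
  "organization": {
    "id": "1234567",
    "kind": "Organization",
    "href": "/api/accounts_mgmt/v1/organizations/1234567",
    "name": "Example Org"
  }
}`

func main() {
	// Constructed request headers, as the insights-operator would send them.
	clusterID, token, err := parseClusterRequest(
		"insights-operator/abc1234 cluster/11111111-2222-3333-4444-555555555555",
		"Bearer example-authorization-token")
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("cluster %s presented a %d-byte token\n", clusterID, len(token))

	id, err := buildIdentity([]byte(sampleAccount))
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	out, _ := json.MarshalIndent(id, "", "  ")
	fmt.Println(string(out))
}
```

Running `go run` on this file prints the cluster id, the token length (never the token itself) and the identity document built from the constructed response.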
You can try all the calls via the CLI. To get started, run `go install` from the root of the project. This will build and install the `uhc-auth-proxy` command. You can request an identity document like this:

```shell
$ uhc-auth-proxy --oat $OFFLINE_AUTH_TOKEN --cluster-id $CLUSTER_ID --authorization-token $AUTHORIZATION_TOKEN
```
This will start the service on port 8080:

```shell
$ uhc-auth-proxy start
```

Any changes to code will require running `go install` to rebuild.

To run tests locally:

```shell
$ go test -v ./...
```