auth support for paasta APIs #3985
Conversation
piax93
changed the title
paasta_tools/api/api.py
Outdated
There was a problem hiding this comment.
just curious: if we had an endpoint that was protected by this, but was being called by automation - how would that work? get_sso_service_auth_token() makes it sound like there might be a 2fa challenge/sso login, which wouldn't really be possible for something like jenkins
There was a problem hiding this comment.
That's an open question, but the current plan is to just apply this to the new remote-run endpoints which are going to be implemented to run prod sandboxes (which are supposed to be used only by human users), so anything else will remain open. That way we can collect telemetry and see if it's worth the effort to lock down more endpoints.
For the specific case of Jenkins, since we run that in k8s, if we decide to enforce authz it's most likely going to be via a service account token mounted into the pods.
* more clear access to auth response * better mocking in testing
Support for an authn/z tween in the PaaSTA API (mostly inspired by previous work).
There's nothing too surprising here. Maybe the only unusual aspect is that I picked to make "dry-run" the default rather than the other way around. It makes things easier to roll out.
For how the codebase is structured loading the token transparently could be a bit of a pain, especially if we want to maintain a bunch of un-auth endpoints, so I just added the option to set the token header in the API client. From there in the CLI implementations that need auth we can do