[che-auth] - secure workspace subpath endpoints in new auth gateway

[sparkoo]

Is your task related to a problem? Please describe.

Scope: only Openshift oauth

In current state of devworkspaces, all workspace endpoints are not authenticated and anyone can access any workspace. We need to provide way how to authenticate and authorize the access to them.

Describe the solution you'd like

In the routing Gateway so we will control the access with RBAC rules where User can't set them. (This will protect so the malicious user won't allow access to victim user to attacker's namespace, and when this victim would access attacker's workspace, attacker could steal victims token.)

Technical description:

For workspace endpoints use Traefik forwardAuth into kube-rbac-proxy with proper RBAC rules to allow only one user to access the endpoint.

See openshift POC https://github.com/che-incubator/che-auth-playground/tree/master/openshift

Describe alternatives you've considered

Additional context

epic: Authentication and authorization in Eclipse Che #19182
che-server new auth: #19703
operator deploy new auth: #19705

[sparkoo]

I've created the PR that is doing proper authorization for workspace endpoints eclipse-che/che-operator#1001.

The part that is missing is to set the ClusterRole and ClusterRoleBinding for user to access his/her workspaces that looks like this:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: user5-che-ws
rules:
- nonResourceURLs: ["/user5-che"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: user5-che-ws
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: user5-che-ws
subjects:
- kind: User
  name: user5

It has to be cluster-wide, because it is not possible to create Role with nonResourceURLs (The Role "user4-che-ws" is invalid: rules[0].nonResourceURLs: Invalid value: []string{"/user4-che"}: namespaced rules cannot apply to non-resource URLs). It also does not work with ClusterRole + RoleBinding.

We have full control how we grant the access to the user. We can do it per user, per workspace, per endpoint... IMHO it is simplest to do it per user. That means that we would need to create only one CR+CRB for single user to access all his/her workspaces.

❓ QUESTION (considering per user): who and when should create the CR+CRB? I have 3 candidates:

1. new service reconciling user's resources [devworkspace-che-operator] Prototype and plan of controller that is reconciling resources in user's namespace #20219
2. che-server during namespace provisioning
3. che-operator during workspace routing

To me, 1 looks like the best place for this task. It would also be "easy" to do cleanup. However, we're only starting with that. Considering the lifecycle of CR+CRB is bound to user, I'm 60/40 for 2 for now, and include it in the planning of #20219.

Thoughs? Other Ideas ?

cc: @skabashnyuk @metlos @mshaposhnik @xbaran4

[sparkoo]

Doing some more experiments, we might not have enough permissions to set such RBAC rules... I'm looking further for more options.

[sparkoo]

I've updated the PR eclipse-che/che-operator#1001 which solves authorization in a bit different way. It is now using existing rules to user's namespace. To be more precise, it's checking whether user has access to services in his/her own namespace. see https://github.com/eclipse-che/che-operator/pull/1001/files#diff-e6bffdccf73d7187658d019e48abacae674f93bb73ac044f085089c754e6451bR445

That means that we don't have to create any extra RBAC rules and questions I've asked in previous comment are de-facto invalid 🤘🏻

[sparkoo]

fixed by eclipse-che/che-operator#1001