Capture information about the user that created an instance or binding #939
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
pmorie
changed the title
|
Thanks for linking to precedent. |
|
Np, this is yet another thing that i would like to get written up |
|
Related: #934 |
|
Curious how this maps when the "user" is a service account? |
duglin
added
the
needs-rebase
|
rebase needed but beyond that, is this supposed to be merged or it is a WIP? If so, can you add WIP to the title and some label to indicate its not ready? |
|
This is still WIP but basically representative of the scope I would like for this PR; labeling as in-progress. |
pmorie
removed
the
needs-rebase
MHBauer
added
the
needs-rebase
|
Here's an example of what the authenticator yields on a local-up cluster under system:admin: $ k get instances -n test-ns ups-instance -o yaml
apiVersion: servicecatalog.k8s.io/v1alpha1
kind: Instance
metadata:
creationTimestamp: 2017-08-09T02:34:54Z
finalizers:
- kubernetes-incubator/service-catalog
name: ups-instance
namespace: test-ns
resourceVersion: "6"
selfLink: /apis/servicecatalog.k8s.io/v1alpha1/namespaces/test-ns/instances/ups-instance
uid: 53dddacd-7cab-11e7-b0f6-0242ac110005
spec:
user:
groups:
- system:masters
- system:authenticated
uid: ""
username: system:admin
externalID: 239cec20-c123-49c4-9ffb-41e6472cf254
parameters:
credentials:
name: root
password: letmein
planName: default
serviceClassName: user-provided-service
status:
asyncOpInProgress: false
checksum: 349cd95f4d7e6d3ca360b1a8b5e2626763c230e52c6fd2e15b34be55864b381a
conditions:
- lastTransitionTime: 2017-08-09T02:34:54Z
message: The instance was provisioned successfully
reason: ProvisionedSuccessfully
status: "True"
type: Ready$ k get bindings.v1alpha1.servicecatalog.k8s.io -n test-ns ups-binding -o yaml
apiVersion: servicecatalog.k8s.io/v1alpha1
kind: Binding
metadata:
creationTimestamp: 2017-08-09T02:39:13Z
finalizers:
- kubernetes-incubator/service-catalog
name: ups-binding
namespace: test-ns
resourceVersion: "9"
selfLink: /apis/servicecatalog.k8s.io/v1alpha1/namespaces/test-ns/bindings/ups-binding
uid: edf8ed73-7cab-11e7-b0f6-0242ac110005
spec:
user:
groups:
- system:masters
- system:authenticated
uid: ""
username: system:admin
externalID: fada0ada-31bf-4c6a-bdca-ae613fe2f4b3
instanceRef:
name: ups-instance
secretName: ups-binding
status:
checksum: 304390737544622e98c1609494ebdaaa3828ba941c3cef6d56d5302f843593c8
conditions:
- lastTransitionTime: 2017-08-09T02:39:13Z
message: Injected bind result
reason: InjectedBindResult
status: "True"
type: Ready |
pmorie
removed
the
needs-rebase
|
Why do we need this info? Is it just for auditing purposes? Is there not some other auditing info kept (perhaps at the apiserver level) of who did what to which resource? |
|
I disagree. Whether we're updating a plan or deleting a binding, they're both OSB actions. It would be a bit odd if we had totally different solutions for them. Besides, I think what I proposed above works for both. |
Did we have a mismatch? I thought you were referring to the 'generic actions' proposal contained in openservicebrokerapi/servicebroker#114. |
|
yea, I mis-typed when I put "updating a plan", I meant backing-up a service. Either way, we'll see how the talks go and we'll work it out... |
|
I think we should put this in as an alpha field with the semantics I suggested earlier. There are many reasons to make this available and no reason that I can think of not to, especially if we qualify the field as alpha and let users know that it's subject to change. |
arschles
removed
the
needs-rebase
|
Let's add this to the design session today |
| // AlphaUser contains information about the user that created this | ||
| // instance. This field is set by the API server and not settable by the | ||
| // end-user. User-provided values for this field are not saved. | ||
| AlphaUser AlphaUserInfo `json:"alphaUserInfo,omitempty"` |
There was a problem hiding this comment.
I would strongly recommend against naming the field with an alpha name. Doing so requires breaking all users of the field when the field progresses to stable status. See discussion in kubernetes/community#869
There was a problem hiding this comment.
If you want to position field as alpha, and require a feature gate to enable it in the server, that can work. Also, if the thing you are capturing is the creating user's info, I'd name the field to reflect that
|
My proposal:
|
|
|
It sounds to me like we have consensus on the approach in this issue, based on the Tues, Aug 15th call. |
|
re: maps - that's interesting and a bit unclear. I understand the recommendation of using properties when the "keys" are well-defined and known in advance. But then the text goes on to talk about the valid cases where maps are ok - like labels. So, does that mean that for cases where we don't know the keys in advance maps are ok? |
|
On yesterday's call I was asked to provide more background on the need for the OriginatingIdentity header and how it might be used, here we go.... Cases we've mentioned before:
Some additional cases:
The notion of having proxy brokers isn't new or unique to our needs. I believe we've even talked about how there may be aggregation brokers that sit between the platform and the "real" brokers that act as intermediaries - and so providing them with the user info may be critical for them to get their job done. |
|
Plane about to take off.
I don't see anything in a quick scan that means we shouldn't merge the
current approach. We can easily deprecate the field later and add a new set
of fields if necessary to encompass more complex semantics that capture
updates. In this case the current field what not be settable on new
resources. Older resources would continue to work correctly, newer
resources could use a new set of fields.
Adding mutability adds a ton of complexity. The current approach will allow
us to move the ball forward and get feedback from users.
As I have said before, I would also appreciate the opportunity to be
present for these design discussions.
…On Wed, Aug 16, 2017 at 2:39 PM Doug Davis ***@***.***> wrote:
On yesterday's call I was asked to provide more background on the need for
the OriginatingIdentity header and how it might be used, here we go....
Cases we've mentioned before:
- brokers may need the info for auditing purposes to track who did what
- brokers may need talk to the platform to provision additional
resources on the user's behalf
Some additional cases:
- we need the user performing the current action because the person
who created the resource might not be valid any more (they might have left
the company)
- due to limitations in platforms we've found the need to create
"proxy brokers". These sit between the platform and the broker, and are
actually the ones registered with the platform. In order for these proxies
to do their job they need the info provided by the Header. These proxy
brokers serve several purposes... (following bullets)
- access control. Some platforms do not provide the proper IAM
(identity & access management) hooks to allow custom (e.g fine grained)
checks - e.g. CF does not. We plan on providing OSB API support across
Kube, CF, Docker and IaaS. Not all support pluggable IAM, and so having a
single centralized point of enforcement ensures consistency.
- business logic enforcement. Neither platforms nor brokers know what
business rules need to be applied. For example, while a user might be able
to see a service they may not be allowed to provision it if they don't have
the proper "credit" on their account? Or based on the type of account they
may be restricted in what actions they can take. These are not codified
into the platforms or brokers, so the proxies manage this.
- they allow for additional features that brokers may not support. For
example, "undelete". We have the need to not actually delete the service
when the user asks us to, rather we "fake it" so that they have a "grace
period" during which they can choose to "undelete" it if they need to.
Brokers are unaware of this going on.
The notion of having proxy brokers isn't new or unique to our needs. I
believe we've even talked about how there may be aggregation brokers that
sit between the platform and the "real" brokers that act as intermediaries
- and so providing them with the user info may be critical for them to get
their job done.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#939 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAWXmKaE_axZwvhrhSfbuEO66BfCu-Fmks5sYzdwgaJpZM4N5Dvv>
.
|
|
@duglin thanks for sharing the use cases. I still see making creator a permanent owner of the resource as enough for majority of use cases, including the ones you listed. Even if other user updates the resource, I don't see anything wrong with impersonating other user who originally created resource. In the end the platform impersonates the user anyway, since there is no synchronous call in Service Catalog which is directly proxies to the broker. Permissions for read/update/delete is IMO just an RBAC/namespaces story. For the case when the creator of resource has left the company (and any other story where changing the owner is necessary) we can think of feature of "migrating" the resource to other owner user. It is much easier to cover than tracking every action. And this feature can be implemented as an extension to what is currently being proposed. |
|
I think its important to first agree on what we're going to support before we decide on what code to merge. And based on today's, and yesterday's chat, I don't think we have agreement. |
I don't think it's necessary to know all the details of what the long-term solution is here to be able to merge this code. It's also impossible to necessarily know the long-term shape of this, because this feature of the OSB API isn't finalized yet. However, there's a way to deal with this ambiguity without painting ourselves into a corner (explained fully below). We need to be able to enable a simple version of this functionality in the short-term in order to gather feedback to be able to finalize the OSB feature. To be clear, I am in no way suggesting that we make a permanent commitment to the API described here. I am only interested in:
As I said here, there is a well-defined strategy to deal with the situation of having to add a new API construction in the future if we feel it is necessary:
...if we are able to figure out an alternative before the API goes GA (or even before it goes beta), we will not even have to preserve the old field in the next API version. I think there is a large amount of analysis and design required for the flavor of this feature that captures information about updates. So, the ambiguity on any alternative to what is implemented here, and the ability to gracefully deprecate the field in the future, if necessary, means that we can merge this work with confidence and unblock people in the short term while leaving ourselves space to have a different solution in the long-term without committing to a data migration. |
|
At a high level the current state of this PR does this:
New Proposal:
While this doesn't address all of the usecases/issues around capturing the user info, it covers enough for now. Adopting this proposal also means the following:
|
|
What is the expected behavior when the update of a ServiceInstance or ServiceInstanceCredential does not modify the user-accessible portion of a spec? Should we only change the UserInfo property when the user-accessible portion of a spec changes on an update? If we change the UserInfo property when there is no change to the user-accessible portion of the spec, then we will end up sending an update to the broker that does not make any changes to the broker resource. That does not seem appropriate to me. Note that there are not currently any fields in the spec for either ServiceInstance or ServiceInstanceCredential that the user can update. So, if we are not changing the UserInfo field for updates unless there is a modification to a user-accessible portion of the spec, then the UserInfo field will not be changed for any updates. |
@staebler |
|
@nilebox How does that work when the update strategy for the resource explicitly discards all changes made to the spec? |
@staebler I was unaware of this restriction in our code. OSB spec definitely allows you to update the instance parameters, see https://github.com/openservicebrokerapi/servicebroker/blob/master/spec.md#updating-a-service-instance, there is So I see this as a temporary short-term hack, and I don't think making any assumptions based on it are valid. |
|
Per the f2f on Monday, we have this decision: Consensus: we are ok with adding UserInfo to Instance and Binding, and using it to represent the user who did the last operation on the resource. Its value will be used in the OriginatingIdentity header field |
|
@staebler What kind of action on the Instance/Binding would cause use to send a request to the broker w/o the user changing anything in those resources? Are you thinking about that "poke" type of action where the user touched a secret that's referenced by the parametersFrom property? In general, we only need to update the UserInfo property when there will be a resulting OSB API request. So, if there are other updates to the Spec that don't result in an OSB API request then we don't need to set the UserInfo. |
|
Superceded by #1162 |
First part of #462
Essentially this adds a non-user-settable field in Instance and Binding that captures the userinfo from the authorizer. This is a pattern that has precedent in k8s in the certificate API: https://github.com/kubernetes/kubernetes/blob/master/pkg/registry/certificates/certificates/strategy.go#L57