Add an Originating Identity http header #222
Conversation
|
Hey duglin! Thanks for submitting this pull request! I'm here to inform the recipients of the pull request that you and the commit authors have already signed the CLA. |
duglin
changed the title
|
(copy from #110) I think there's value in copying the Authorization header more closely as follows: example: X-Broker-API-Originating-Identity: MyJSONUserAndGroupScheme eyJ1c2VyIjoiZm9vIiwiZ3JvdXBzIjpbImJhciIsImJheiJdfQ== |
spec.md
Outdated
| for auditing or authorization purposes. In order to facilitate this, the | ||
| platform will need to provide this identification information to the broker | ||
| on each request. If the platform wishes to provide this information then | ||
| it MUST include an additional HTTP header on all requests it sends to the |
There was a problem hiding this comment.
Is this really all requests? Or just creational requests (ie, provision, bind)
There was a problem hiding this comment.
Also, 'MUST' seems like a backward-incompatible change.
There was a problem hiding this comment.
Its for all requests.
The "MUST" is predicated by the "if". If you want to send this info then it MUST be done this way.
There was a problem hiding this comment.
correction - all except GET /v2/catalog
There was a problem hiding this comment.
I gotcha, missed the 'if' qualification
spec.md
Outdated
|
|
||
| ``` | ||
| X-Broker-API-Originating-Identity: value[;charset=...] | ||
| ``` |
There was a problem hiding this comment.
Do we need to send a scheme as well? Ie, 'I am sending a kubernetes identity'
There was a problem hiding this comment.
I don't think so. Right now the assumption is that there's some out-of-band understanding between the platform and broker on how to interpret this data.
|
We should note specifically in the spec body when the platform should send this header on a request by request basis. |
|
@pmorie I like the idea of being more explicit - I think it makes sense to do it for the other http header(s) too - will give it a shot and see how it looks. |
|
Can we discuss the base64 encoding brought up by @jim-minter ? |
|
I also support @jim-minter's suggestion of base64 encoding the identity payload (comment: #222 (comment)) |
spec.md
Outdated
|
|
||
| | Header | Type | Description | | ||
| | --- | --- | --- | | ||
| | X-Broker-API-Version* | string | See [API Version Header](#api-version-header) | |
There was a problem hiding this comment.
I think we should leave the other headers out of this proposal
There was a problem hiding this comment.
I'm not comfortable leaving the spec in a 1/2 completed state. Either we add a table for http headers to each API and fill it out completely, or we don't (perhaps leaving it for a new PR). But I'm not keen on a PR that does 1/2 the job.
There was a problem hiding this comment.
A swagger spec would resolve the need for this duplication
There was a problem hiding this comment.
I'm in favor of having a headers table for each endpoint.
|
Thoughts on base64 encoding the header? |
spec.md
Outdated
| @@ -92,7 +93,7 @@ that do not understand them. | |||
|
|
|||
| Requests from the platform to the service broker MUST contain a header that declares the version number of the Service Broker API that the marketplace will use: | |||
|
|
|||
| `X-Broker-Api-Version: 2.11` | |||
| `X-Broker-API-Version: 2.11` | |||
There was a problem hiding this comment.
Opened #246 for this change
There was a problem hiding this comment.
Any reason you created a dup PR?
spec.md
Outdated
| Where: | ||
| - its REQUIRED `value` is a non-empty string. | ||
| - it MAY include a `charset` parameter specifying the character encoding of | ||
| the `value`. If not specified, the default value MUST be `us-ascii`. |
There was a problem hiding this comment.
Did we want to give an example for CF and Kubernetes here?
There was a problem hiding this comment.
Also, do we want to discuss that the value may be any scheme? For example, in Kubernetes, we'll probably want to send the base64 encoded userinfo. See kubernetes-retired/service-catalog#939
There was a problem hiding this comment.
I'd kind of like to leave that up to the platform instead of being prescriptive since the needs of the platform may vary.
|
From today's call I have a few questions about some of the things people were proposing:
At the last f2f we discussed moving the Context into and http header and realized that it would be problematic - not least of which because of the potential to hit a length limit. Encouraging arbitrary data in this PR's header, and not limiting it to something as simple as an email/userID/uuid/etc.. will lead us back to that same state, so it might be best if we only focus on our immediate needs. |
My intention when suggesting this was to reuse a standard, recognisable, simple to implement mechanism to allow small amounts of arbitrary data to be reliably exchanged. Not to obfuscate sensitive data.
A relevant example here is sending both the user identifier and their group memberships, for example. Not reams of information, but enough to make a compound object useful (and if it's base64 encoded by default, then there's protection against usernames with non-ascii characters, etc. I'd hope people wouldn't intend to send more than what you might find in a HTTP Authorization header.
Yes, this would probably better, but one issue is the body on DELETE problem, and it would be really nice to have access to user identification on delete to be able to check authorization. |
|
@duglin As far as I know, we don't have a use case in CF for this today. I can imagine us wanting to use this for either auditing purposes or possibly for asking brokers to perform actions on a users' behalf. The latter would probably require more than one piece of information (ie. an access token and a refresh token?), but without any concrete examples of how we want to use this, it's hard to plan for the future. (cc @avade @shalako in case I've missed something) I totally agree with you though that I think storing complex objects in the header would be a bad idea as it puts onus on brokers to deal with errors when the value is not in the format it expects. We purposely avoided doing this when discussing how to send |
|
@jim-minter yea, DELETE is always the problem child :-) but I'm hoping that the semantics of that operation shouldn't need additional info that would require it to be passed in the body. Besides, there's always query parameters or other HTTP headers if people really need it. Mashing non-user-identifying info into this header should seem non-kosher to me. I can see why we may need more than a single string, and thus a struct would be nice - if we add words to make it clear that this isn't a grab-bag to stick any random stuff (even though we can't technically stop people). Do we really need a scheme tag or can we just say its always a base64 json object? |
|
@duglin it's definitely valuable to have the user info on delete - as much as we're discussing at the moment - and the header is good enough to provide that. I'm not personally aware of other information that's needed on delete beyond that (the fact that there's no context object on delete isn't blocking me, at least). I think a scheme tag is valuable for at least the following reasons: |
|
Sorry if i wasn't clear - I do want this header on DELETE |
|
re: scheme - I think the assumption here is that the broker knows the platform (and therefore scheme or data it should expect) based on the identity of the auth negotiation of the request itself - and therefore will know the scheme of this header. It would need to know this, along with probably other info, in order to use it to do things like call back into the platform anyway. Not for simple logging purposes though, obviously, but in that case I doubt it needs to understand the json, it would just need to log it. To be clear, I'm not 100% against adding a scheme, but I want to make sure we're not adding it unnecessarily because the info is already available thru some other means - and it seems to me that in order for someone to really use the data in the json object they'll need to know a lot more than just the scheme anyway. We'd then need to agree on (standardize) the schemes too, no? |
|
@duglin maybe I'm beginning to understand. Perhaps the scheme isn't utterly essential, but I think it does provide some protection, and maybe mandating it in the spec also provides a small foundation in case in the future a platform could handle multiple identities on behalf of a user and send the right one to a broker. |
|
Do you have some sample schemes in mind so I can get a sense of how many (and their shape/values) you're thinking of? |
|
Nothing more than "the scheme Kubernetes uses" (user,groups,extra); "the scheme CloudFoundry uses" (sorry, don't know what that is). Perhaps "username on its own" for good measure. |
|
hmmm would it make sense to push for it to be the same string that used as the "platform" field in the "context" object? To get some consistency. |
|
Works for me. |
* Send the user's guid if available else omit the header openservicebrokerapi/servicebroker#222 [#149216559] Signed-off-by: Sam Gunaratne <sgunaratne@pivotal.io>
* Send the user's guid if available else omit the header openservicebrokerapi/servicebroker#222 [#149216559] Signed-off-by: Sam Gunaratne <sgunaratne@pivotal.io>
| | Header | Type | Description | | ||
| | --- | --- | --- | | ||
| | X-Broker-API-Version* | string | See [API Version Header](#api-version-header). | | ||
| | X-Broker-API-Originating-Identity | string | See [Originating Identity](#originating-identity). | |
There was a problem hiding this comment.
Is this the identity of the user that initiated the original action or the service account the platform component is running under?
I'm not sure that this makes sense to send on last operation, actually, because it seems like it's just checking the status of an action that's already been triggered.
There was a problem hiding this comment.
In the Cloud Foundry implementation we omit the header during last_operation and certain orphan mitigation scenarios as it is the platform performing the action.
|
A PR for this change has now been submitted to the Cloud Controller in CF as part of the validation through implementation: cloudfoundry/cloud_controller_ng#877 |
duglin
force-pushed
the
issue110
branch
3 times, most recently
from
23393a4 to
b8570de
Compare
* Send the user's guid if available else omit the header openservicebrokerapi/servicebroker#222 [#149216559] Signed-off-by: Sam Gunaratne <sgunaratne@pivotal.io>
* Send the user's guid if available else omit the header openservicebrokerapi/servicebroker#222 [#149216559] Signed-off-by: Sam Gunaratne <sgunaratne@pivotal.io>
mattmcneeney
added
3 - reviewing PR
and removed
2 - validating through implementation
labels
spec.md
Outdated
| platform will need to provide this identification information to the broker | ||
| on each request. Platforms MAY support this feature, and if they do, they | ||
| MUST adhere to the following: | ||
| - for any OSB API request that is the result of an action taken by |
There was a problem hiding this comment.
@angarg12 "Caps?" on which word(s) ?
There was a problem hiding this comment.
These 3 bullet points begin with a lowercase letter, - for, - any, - if
|
Yup, it also needs rebase. |
Closes openservicebrokerapi#110 Signed-off-by: Doug Davis <dug@us.ibm.com>
|
addressed comments and rebased. |
|
LGTM 👏 👏 👏 |
|
LGTM |
|
LGTM |
|
lgtm |
Per my AI from last week's call, I've created a PR for the proposal so its not hidden within the conversation in #110.
Closes #110
Signed-off-by: Doug Davis dug@us.ibm.com