Use md5 hash as role session name when assuming into customer's support role #283
Conversation
Codecov Report
Attention:
Coverage Diff (main vs #283):

            main     #283     +/-
Coverage    46.83%   45.87%   -0.97%
Files       53       53
Lines       3540     3758     +218
Hits        1658     1724     +66
Misses      1621     1759     +138
Partials    261      275      +14
pkg/awsutil/sts.go
Outdated
assumeRoleRetryBackoff = 5 * time.Second | ||
assumeRoleMaxRetries = 3 | ||
assumeRoleRetryBackoff = 5 * time.Second | ||
assumeCustomerRoleSessionName = "RH-SRE" |
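Review bot: with assumeCustomerRoleSessionName = "RH-SRE" every SRE session in the customer's account carries the same session name, which does remove the username from the customer-visible value but also removes any per-engineer correlation in the customer's CloudTrail; if the session name is going to be decided by the backplane API, as the follow-up comment says, keep the constant out of the CLI so the two implementations cannot diverge.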
Not a blocker, I feel that bp-cli may use ISVs for connecting to the cluster in the near future. In that case, this logic may not be accurate.
Ideally, we should move some of the assumed role logic to the bp-api endpoint, where the API decides how to determine the session-name based on some other factors.
We've updated the API to determine the role session name that should be used, but the actual AssumeRole logic needs to be done client side since we use individual SRE credentials for the isolated backplane flow.
https://gitlab.cee.redhat.com/service/backplane-api/-/merge_requests/329
cmd/ocm-backplane/cloud/common.go
Outdated
roleArnSession := awsutil.RoleArnSession{RoleArn: namedRoleArnEntry.Arn} | ||
if namedRoleArnEntry.Name == CustomerRoleArnName { | ||
data := []byte(email) | ||
roleArnSession.RoleSessionName = fmt.Sprintf("%x", md5.Sum(data)) //nolint:gosec |
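Review bot: fmt.Sprintf("%x", md5.Sum(data)) is a deterministic, unsalted hash of the email, so the session name is a stable pseudonym rather than an anonymous value: anyone holding a list of candidate addresses can re-derive it, and the same SRE stays linkable across sessions in the customer's CloudTrail. That is acceptable for the stated goal of not passing the plaintext username, but the //nolint:gosec suppression should carry a short reason (MD5 used as a pseudonym, not for integrity), and, as raised in the thread, the derivation should be taken from the API response rather than duplicated here so the CLI and API cannot diverge.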
Is it possible to get this from the backplane API? My concern is that an update to this in the CLI or API may mean they diverge in the future, it would be good to keep this consistent.
It's definitely possible - it comes down to how quickly we want this out the door.
To go this route, we would add a new API endpoint that takes a string and returns an md5 hash, using the same existing functions that are used in the API today for performing that conversion. Then the bp cli would call that endpoint instead.
I'm happy to go that route, and then we can keep this PR in a "hold" until that API change gets released. Thoughts?
Actually another thought - since this is only for the new flow, we could update the response object of the existing API call to include a new property for the role session name to be used for the customer's support role. That would be substantially less overhead and allow us quicker turnover.
/unhold API changes have been promoted to production https://gitlab.cee.redhat.com/service/app-interface/-/merge_requests/92517
I can still see my user name in the CloudTrail, but it is not in the session part. I assume it is expected for now?
@bmeng since the ticket specifically calls out the session name, I think we can go forward from here. I've started a thread here for further guidance on the principal being visible in CloudTrail:
As discussed in Slack, the scope for this PR should be limited to the info from the session; the rest we can cover separately.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: AlexVulaj, bmeng
@AlexVulaj: all tests passed!
What type of PR is this?
feature
What this PR does / Why we need it?
backplane-cli passes the SRE's email address as a role session name when assuming a customer's support role. We should not pass any SRE usernames to a customer when assuming into their account.
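As an added example in Go (not the project's own code), this derives the session name the way the PR's diff does and checks the result against the STS RoleSessionName constraints; the email is a constructed sample and the helper names are assumptions.

```go
package main

import (
	"crypto/md5" //nolint:gosec // pseudonym only, as in the PR; not used for integrity
	"fmt"
	"regexp"
	"strings"
)

// roleSessionNameRe encodes the RoleSessionName constraint STS enforces:
// 2 to 64 characters drawn from [\w+=,.@-].
var roleSessionNameRe = regexp.MustCompile(`^[\w+=,.@-]{2,64}$`)

// CustomerRoleSessionName derives the session name the same way the PR's
// diff does: lower-case hex of the MD5 of the SRE's email. The result is a
// stable pseudonym (same email, same name), not an anonymous value.
func CustomerRoleSessionName(email string) string {
	sum := md5.Sum([]byte(email)) //nolint:gosec
	return fmt.Sprintf("%x", sum)
}

// ValidSessionName reports whether name can be passed to AssumeRole at all.
func ValidSessionName(name string) bool {
	return roleSessionNameRe.MatchString(name)
}

// LeaksEmail reports whether the session name still carries the email
// verbatim (case-insensitive), which is what the pre-PR behaviour did.
func LeaksEmail(name, email string) bool {
	return strings.Contains(strings.ToLower(name), strings.ToLower(email))
}

func main() {
	email := "sre@example.com" // constructed sample, not a real address
	for _, name := range []string{email, CustomerRoleSessionName(email)} {
		fmt.Printf("session name %q valid=%v leaksEmail=%v\n",
			name, ValidSessionName(name), LeaksEmail(name, email))
	}
}
```

Note that the raw email also satisfies the STS character set, so the AWS constraint alone never prevented the leak; only the derivation does.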
Which Jira/Github issue(s) does this PR fix?
https://issues.redhat.com/browse/OSD-19901