Remote Authenticator Service & LDAP Removal

[Isan-Rivkin]

Closes #5262

1. Support remote authentication service, updated configuration, docs and functionality.
2. [Breaking Change] Remove LDAP functionality including configuration.

[Isan-Rivkin]

@nopcoder please jump in as well if you can take a look 🙏
It's mostly done, so feel free to skim through it.
I'll ping when all done.

[arielshaqed]

Thanks!

Nothing major requested :-)

[arielshaqed]

Please exit lakeFS from the main program. This function could just return an error, which would let us wrap it with additional information about why the LDAP authenticator got called.

Also if we did that then we would not be writing error messages to standard output as we end up doing here (although that is of course easy to fix at this place).

[Isan-Rivkin]

I'm not quite sure what you mean, can you take a look at the change I added? If not that then please elaborate.
Also, assuming I understand you correctly notice I applied the same change to allowForeign, err := cmd.Flags().GetBool(mismatchedReposFlagName) in the same file as well.

[arielshaqed]

@ortz how much guidance do we plan for explaining external authentication?

[ortz]

let's see how many requests we got for this and we'll invest efforts accordingly.

[Isan-Rivkin]

👍

[arielshaqed]

Not sure that this is how LDAP works today. Isn't this planned to be the user's DN?

[Isan-Rivkin]

Yes correct, but the field name is generic to different systems, not sure what's the question?

[arielshaqed]

Suggested change

	return "", fmt.Errorf("doing http request %s: %w", username, err)
	return "", fmt.Errorf("remote authenticate %s: %w", username, err)

[Isan-Rivkin]

I think it's less indicative since it's less explicit on which step failed. there are many authenticators running (chain) with errors chaining when they occur.
I prefer to keep it (specifically the part about http)

[nopcoder]

authremote or same package - not sure we need a different package for this one.

[Isan-Rivkin]

• Fixed
• Regarding another package, even though it's fairly small, the reason I prefer another package is due to encapsulation. In this particular case for a new comer like myself it's really confusing what code in auth suppose to do, authentication, authorization etc.

[nopcoder]

• Think we should drop the Basic from the name - it is a remote authenticator. So maybe call it
• We have external and remote - I assume this func was made to consolidate LDAP and Remote. It the code looks more complex as the previous code was simple: check the configuration and chain the auth to the middleware.
• Suggest: moving the building of the auth middleware chain to a function (not partial). Check the configuration validity as part of Config, so the code here will just allocate the right middleware based on verified configuration.

[Isan-Rivkin]

it's now all in the same place like LDAP used to be.

[nopcoder]

We just long the err in this case and throw the error - I suggest to return the original in this case. Alt. will be to wrap it by invalid request, but I don't see the point in this case.

[Isan-Rivkin]

👍

[nopcoder]

Use dbUsername while we use it all the way until here. Or use newUser.Username for all places we used dbUsername.

[Isan-Rivkin]

Done!

[nopcoder]

Do we need to serialize remote authenticator as string?

[Isan-Rivkin]

Yes, it's used by the chain authenticator.

[ortz]

Thanks @Isan-Rivkin !
Overall, looks good to me... I do have some questions

[ortz]

leftover? or you plan on adding content here?

[Isan-Rivkin]

Not a left over, just not sure how deep to do see

[Isan-Rivkin]

updated all relevant docs.

[ortz]

is this relevant?

[Isan-Rivkin]

Yes, The OIDC itself config is relevant. (From previous PR's)
here it's only mapstructure:"oidc" following comment previously about alignment incase field name change.

[ortz]

why do we need to create credentials for that user?

[Isan-Rivkin]

Actually it's a good question, right now it's backward compatible with the LDAP implementation.

I couldn't find a reason for it, testing without this function CreateCredentials seems to work.
Do you happen to know why it's here @arielshaqed @nopcoder ?

[arielshaqed]

I don't remember why we did it this way. I think I didn't want to special-case the existing auth path, which needed to find some credentials or something??!?

Anyway if it works then we're well rid of it >:-)

[Isan-Rivkin]

removed!

[arielshaqed]

Thanks!

Minor points, mostly about logging...

[arielshaqed]

I don't remember why we did it this way. I think I didn't want to special-case the existing auth path, which needed to find some credentials or something??!?

Anyway if it works then we're well rid of it >:-)

[nopcoder]

RemoteAuthenticator have Enabled property - suggest to remove the pointer from here. It will make handling the configuration less issue in case it is nil.
We only need to check cfg.RemoteAuthenticator.Enabled
Note - I'll also embed the type here as the complete configuration is easy to understand without jumping over the types.

[Isan-Rivkin]

👍 as discussed

[nopcoder]

Just note that in the release notes of this release we should guide ppl to update the configuration as lakeFS will not run with known configuration properties - and we are removing LDAP.
So starting lakeFS with the old configuration will break.

[Isan-Rivkin]

👍

[nopcoder]

• Return the concrete type and not the interface
• Remove dependency in config as possible - create a structure with the same layout as your configuration and just pass it while calling NewRemoteAuthenticator from your main. Alternative: pass the relevant parameters to configuration struct that you define as part of this package. This is to decouple of use of config package from this one.

[Isan-Rivkin]

• Return the concrete type and not the interface, updated but for clarification, WHY?
• Done

[nopcoder]

Why do we need this one?

[Isan-Rivkin]

I'm pretty sure I answered this and somehow my comment disappeared 😮
Anyway, it's used by chain auth when auth errors occurs.

[nopcoder]

yes, I missed your answer.

[nopcoder]

Use log and not ra as you like to add the extra information and not re-write

[Isan-Rivkin]

Good catch thanks!

[nopcoder]

Suggested change

	// if the external authentication service provided an external user identifier, use it as the username
	if res.ExternalUserIdentifier != nil && *res.ExternalUserIdentifier != "" {
	log = ra.Logger.WithField("external_user_identifier", *res.ExternalUserIdentifier)
	dbUsername = *res.ExternalUserIdentifier
	}
	// if the external authentication service provided an external user identifier, use it as the username
	externalUserIdentifier := swag.String(res.ExternalUserIdentifier)
	if externalUserIdentifier != "" {
	log = log.WithField("external_user_identifier", externalUserIdentifier)
	dbUsername = externalUserIdentifier
	}

[Isan-Rivkin]

👍 added (with swag.StringValue)

[nopcoder]

1. use scope const
2. suggest to use https://github.com/mvdan/gofumpt

[Isan-Rivkin]

not sure I see the benefit of adding gofumpt, but changed scope

[nopcoder]

Its alternative to gofmt (command line) that will format your code just in strict way

[nopcoder]

Endpoint is empty / missing

[Isan-Rivkin]

done

[nopcoder]

No need to set default to the flag's default

[Isan-Rivkin]

💯

[nopcoder]

I prefer the to have a default to be 10 sec or 30 sec - something smaller than 'no timeout' but something that will work for many use-cases and in case the user will want to restrict the time for authenticate, it can be done by configuration.

[Isan-Rivkin]

Previously (In LDAP) was 7, changed to 10 👍

[nopcoder]

LGTM!

[ortz]

Great job!
I do have some comments, some small fixes and questions

[ortz]

note that lakefs' default group is Developers, I think that we should be aligned with the non-remote authenticator configuration.