ability to add an auth module as part of the receiver component #1424
Comments
|
I'm currently working on an authentication processor, but it'll be executed as a regular processor, not before the receivers. What kind of auth backend did you have in mind? Right now, the processor I'm writing supports verifying a bearer token against a OIDC provider, which should be flexible enough. It requires an OIDC server, which seems fair to me, as most people are (or should) using an auth server anyway. @open-telemetry/collector-approvers, is this something that would be considered for this repository? Or would it be more suitable for the contrib repository? |
|
My use case is to validate the JSON web token which is present in the header in a custom key. Are the headers available in the regular processor? |
|
By custom key, do you mean that you are using a header other than HTTP's regular |
|
Triagged. Needs further discussions. |
|
@bogdandrutu @tigrannajaryan can we have the discussions here, in this issue? The minutes for the last SIG meeting says:
I also asked this on Gitter, but still couldn't get any concrete questions... |
Yes.. My service is fronted by a proxy layer which does the actual authentication using the |
|
@tigrannajaryan: would you please share what aspects needs discussion? I have a working branch which can serve as a concrete base for the discussion, but at this moment, I have no idea what needs to be discussed... |
|
@jpkrohling @tannaga is the requirement I am hearing for you: Today I heard also about some custom auth needed by AWS for the exporters as well. Self brainstorming:
Because we need this for the exporter as well (no way to have a processor to do this) I think we should go with the model where we define an interface for "Auth" that components can support to configure. There is a question about how this gets configured to the component because yaml static file cannot be used, so there needs to be a custom build of the collector. Another idea that I have is that we can have the |
Not quite sure. The gRPC receivers do propagate the HTTP headers down to the context already, which is what I'm using in the prototype: I'd still need to check other gRPC receivers, as well as other plain HTTP receivers, though.
What kind of custom auth do they need? Nowadays, the world has converged to OIDC as a standard for auth, and I'm sure AWS does support this type of authentication. The only other auth mechanism that I would consider supporting from day 1 is basic HTTP auth. Authorization might be a totally different thing, though.
I don't think we need any auth custom code to be executed by receivers/exporters. We might need it for auth/z, but this can be discussed separately.
I might be misunderstanding you, and you might be talking about authorization instead of authentication, but the gRPC exporters are able to send auth tokens on a per-RPC basis: opentelemetry-collector/config/configgrpc/configgrpc.go Lines 200 to 208 in 1e65674 Given that we have a common HTTP client as well, it would be trivial to add a similar support to it. In fact, a workaround that works already is to add a In a future iteration, we might need the capacity to propagate headers from the receiver to the exporter without an authentication processor in the middle, for the use case of chained collectors: That all said, here's my proposal based on the prototype I have: Add a new
Sample YAML files following the proposal: receivers:
examplereceiver:
processors:
authentication:
sourceheader:
grpc: authentication
http: "X-Auth-Token"
oidc:
issuer_url: http://localhost:1234
client_id: ec013524-d001-11ea-a711-482ae389cd6a
issuer_ca_path: /etc/pki/ca-trust/source/anchors/cacert.crt
username_claim: username
groups_claim: membership
authentication/basic:
basic:
htpasswd: /etc/auth/htpasswd
exporters:
exampleexporter:
service:
pipelines:
traces:
receivers: [examplereceiver]
processors: [authentication]
exporters: [exampleexporter] |
|
@alolita can you tell us about AWS requirements for auth? |
|
@alolita ping ? |
|
@bogdandrutu how can we move forward with this? |
|
As discussed during yesterday's call, @alolita's use case isn't about authenticating incoming requests, but rather, about adding authentication data to outgoing requests, at the exporters level. As such, I'm opening a PR with the proposal I have, which I believe supports the cases discussed. |
Includes an initial support for OIDC authenticator. Closes open-telemetry#1424 Signed-off-by: Juraci Paixão Kröhling <[email protected]>
Includes an initial support for OIDC authenticator. Closes open-telemetry#1424 Signed-off-by: Juraci Paixão Kröhling <[email protected]>
Includes an initial support for OIDC authenticator. Closes open-telemetry#1424 Signed-off-by: Juraci Paixão Kröhling <[email protected]>
Includes an initial support for OIDC authenticator. Closes open-telemetry#1424 Signed-off-by: Juraci Paixão Kröhling <[email protected]>
Includes an initial support for OIDC authenticator. Closes open-telemetry#1424 Signed-off-by: Juraci Paixão Kröhling <[email protected]>
|
@pavolloffay has suggested an alternative approach to this and I would like to discuss it here: instead of having a processor, we could have a new set of options for gRPC and HTTP servers, like this: type GRPCServerSettings struct {
Auth *Authentication `mapstructure:"auth,omitempty"`
}
type HTTPServerSettings struct {
Auth *Authentication `mapstructure:"auth,omitempty"`
}
type Authentication struct {
OIDC *OIDC `mapstructure:"oidc,omitempty"`
}
type OIDC struct {
IssuerURL string `mapstructure:"issuer_url"`
Audience string `mapstructure:"audience"`
IssuerCAPath string `mapstructure:"issuer_ca_path"`
UsernameClaim string `mapstructure:"username_claim"`
GroupsClaim string `mapstructure:"groups_claim"`
}The |
|
I thought about this as well. Cannot find enough pros/cons for either of the solutions, so I don't have a strong opinion, but would like to understand why you think that is better? |
|
Mostly this:
Meaning: if a big trace is coming over the wire for an unauthenticated call, it won't be unmarshalled, saving some CPU cycles. |
Includes an initial support for OIDC authenticator. Closes open-telemetry#1424 Signed-off-by: Juraci Paixão Kröhling <[email protected]>
Includes an initial support for OIDC authenticator. Closes open-telemetry#1424 Signed-off-by: Juraci Paixão Kröhling <[email protected]>
|
I updated the PR with this new approach and it's ready for review. |
|
Excuse me, I wonder if there will be any follow-up feature progress in this issue. Such as:
|
This PR may have answered my questions, and I'm looking forward to seeing how it goes |
|
@jpkrohling is there a plan to add the |
|
Yes, eventually. Right now, there's some work going on the client-side auth (exporters) and on propagating the auth data from receivers down the pipeline. If you have the bandwidth, a PR for confighttp based on what we have for configgrpc would be appreciated! |
…open-telemetry#1424) Bumps [github.com/itchyny/gojq](https://github.com/itchyny/gojq) from 0.11.2 to 0.12.0. - [Release notes](https://github.com/itchyny/gojq/releases) - [Changelog](https://github.com/itchyny/gojq/blob/master/CHANGELOG.md) - [Commits](itchyny/gojq@v0.11.2...v0.12.0) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
I believe this is now completed. |
Is your feature request related to a problem? Please describe.
We are using the http endpoint as one of the receiver endpoints. Our company mandates to add an authentication layer which seems to be missing today.
Describe the solution you'd like
Couple of thoughts
Config Snippet example
Describe alternatives you've considered
At present thinking of using nginix proxy, to do the auth.
The text was updated successfully, but these errors were encountered: