Added support for authentication processor #1728
Conversation
jpkrohling
requested review from
bogdandrutu,
dmitryax,
james-bebbington,
nilebox,
owais,
pjanotti and
tigrannajaryan
as code owners
jpkrohling
force-pushed
the
jpkrohling/authentication-processor
branch
from
975159a to
d2ab657
Compare
Codecov Report
@@ Coverage Diff @@
## master #1728 +/- ##
==========================================
+ Coverage 91.90% 91.92% +0.02%
==========================================
Files 262 265 +3
Lines 18744 18894 +150
==========================================
+ Hits 17226 17369 +143
- Misses 1085 1090 +5
- Partials 433 435 +2
Continue to review full report at Codecov.
|
This comment has been minimized.
This comment has been minimized.
jpkrohling
force-pushed
the
jpkrohling/authentication-processor
branch
from
1330125 to
dddab34
Compare
|
@bogdandrutu could you please review this one, or assign someone to do it? |
There was a problem hiding this comment.
Please try to follow the rules from contributing guidelines:
https://github.com/open-telemetry/opentelemetry-collector/blob/master/CONTRIBUTING.md#when-adding-a-new-component
| * Supported pipeline types: traces | ||
| * Status: in development | ||
|
|
||
| This processor authenticates the incoming traces by extracting the authentication data from the context |
| oCfg := cfg.(*Config) | ||
| if oCfg.OIDC == nil { | ||
| return nil, errNoOIDCProvided | ||
| } | ||
| if oCfg.OIDC.Audience == "" { | ||
| return nil, errNoClientIDProvided | ||
| } | ||
| if oCfg.OIDC.IssuerURL == "" { | ||
| return nil, errNoIssuerURL | ||
| } |
There was a problem hiding this comment.
extract this in a separate func "validateConfig". We should be able to reuse everything for metrics/logs as well.
| and verifying the bearer token with the specified provider. | ||
|
|
||
| Currently, only bearer token authentication is supported, added as part of `PerRPC` gRPC authentication. | ||
| It requires the gRPC client to send a header named `authorization` in line with the equivalent HTTP/2 header. |
There was a problem hiding this comment.
Can we have the header name as a config option with a default value "authorization"?
| } | ||
|
|
||
| // OIDC defines the OpenID Connect properties for this processor | ||
| type OIDC struct { |
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package authenticationprocessor |
There was a problem hiding this comment.
No need to have an empty doc.go
| @@ -0,0 +1,23 @@ | |||
| # Authentication Processor | |||
|
|
|||
| * Supported pipeline types: traces | |||
There was a problem hiding this comment.
Any reason only traces can be supported?
|
I'm converting this PR to draft, as @pavolloffay had very good suggestions on how to make this better. Once discussion has been concluded as part of #1424, I'll update this PR with the new proposal. |
jpkrohling
force-pushed
the
jpkrohling/authentication-processor
branch
from
dddab34 to
e6adf0a
Compare
|
This PR is ready for review again, moving the auth logic from a processor to interceptors. In this first iteration, it's only for gRPC receivers, but I'll work on HTTP receivers in a follow-up PR, as this PR is already big enough. |
|
This has been tested manually with Auth0 as the OIDC provider. The following configuration was used during the manual tests: receivers:
otlp/noauth:
protocols:
grpc:
endpoint: localhost:55680
otlp/auth:
protocols:
grpc:
endpoint: localhost:56680
tls_settings:
cert_file: ./local/self-signed.pem
key_file: ./local/self-signed-key.pem
auth:
oidc:
issuer_url: https://dev-zkkhf874.eu.auth0.com/
audience: http://auth.example.com
processors:
batch:
exporters:
logging:
otlp/auth:
endpoint: localhost:56680
ca_file: ./local/ca.pem
per_rpc_auth:
type: bearer
bearer_token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImxiWmJrd2JHUXlrWGdub09mRXNRNCJ9.eyJpc3MiOiJodHRwczovL2Rldi16a2toZjg3NC5ldS5hdXRoMC5jb20vIiwic3ViIjoiMUpEUmZJMm43c0JhNnhvMkQ2VEJSVnpjbGs5M25uVUZAY2xpZW50cyIsImF1ZCI6Imh0dHA6Ly9hdXRoLmV4YW1wbGUuY29tIiwiaWF0IjoxNjAwMzM4MTU4LCJleHAiOjE2MDA0MjQ1NTgsImF6cCI6IjFKRFJmSTJuN3NCYTZ4bzJENlRCUlZ6Y2xrOTNublVGIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.qU8CSyIgD6KML5Z1hvjKITLlysX6GNPAECsUSp7FxyGW4ryygICcuwqJ85nAv8Xvgrg9EMITG0GY3MlvzokzfWgrAT_CncQ9_Aaxj3-BRvcOvHUur2fUNLE53Pqj1kroVt21333Ly5SqwLQb-DEiEKDXnw1u70clFaxQs4eT9xmvjqY9FX3jW-fh2lbUkURv3opuA0F1nerUbGvX9wD-pToMZUGHwNScf1VrN-Um8i36WBwgWmeGmVIcgzZHMEVxs8AbvLOnyOlCojnshJod3VFqOriH47F4NvhfK0YABSOt_4Q1AVHHFDQ2J_9oI0gRvj-FvU5TxLBsQ-Fqd6AhxA
jaeger:
endpoint: localhost:14250
insecure: true
service:
pipelines:
traces:
receivers:
- otlp/noauth
processors:
- batch
exporters:
- otlp/auth
traces/2:
receivers:
- otlp/auth
processors:
- batch
exporters:
- jaeger |
Includes an initial support for OIDC authenticator. Closes open-telemetry#1424 Signed-off-by: Juraci Paixão Kröhling <[email protected]>
jpkrohling
force-pushed
the
jpkrohling/authentication-processor
branch
from
e6adf0a to
8c61692
Compare
Signed-off-by: Juraci Paixão Kröhling <[email protected]>
Signed-off-by: Juraci Paixão Kröhling <[email protected]>
| @@ -0,0 +1,17 @@ | |||
| # Authentication mechanism for servers | |||
There was a problem hiding this comment.
This probably can go to the configauth. That is the main package, here is just the implementation.
Done: |
|
Closing this in favor of the 4 PRs listed above. |
Use the newly added SpanContext.IsRemote method instead.
Description: Added a new processor, to take care of authentication for incoming requests
Link to tracking Issue: #1424
Testing: unit tests + manual tests
Documentation: readme included
Includes an initial support for OIDC authenticator.
Closes #1424
Signed-off-by: Juraci Paixão Kröhling [email protected]