fnproject/fn

Basic Authentication

Daniel15 opened this issue · 8 comments

Description
I'm trying to work out how to secure Fn when hosting it 'standalone' (without Kubernetes), given the ext-auth middleware is broken.

Even if I stick Fn behind an Nginx reverse proxy that performs authentication for all the administrative actions (deploying functions, etc), someone on the server itself could still directly hit the IP address for the Fn Docker container, bypassing the Nginx reverse proxy. It would be nice to support basic auth or a Bearer auth token out-of-the-box, similar to what OpenFaaS does: https://docs.openfaas.com/reference/authentication/. Then I could at least use this auth token in the Nginx configuration.

Hey @Daniel15 - I am going to try to get the auth and dns middleware examples working again this/next week, I suspect this is just a few minor compile bugs but may use the opportunity to clean up extensions stuff in general.

We do have support for an auth token in the CLI, I think by happenstance. As far as supporting it out of the box in fn, I suppose we could support it by allowing a token to be configured on server startup, but I think our hope in general is that if this is desired it's easy enough to build and use fn with auth extensions - have not thought out specifically supporting auth out of the box and intersection with any additional middleware authentication, specifically schemes that are not basic auth (and how to configure this to override basic, abstraction, etc).

Thanks @rdallman! I did have a very brief look at trying to work out how to fix it, but didn't get too far, and you'll likely be able to do a better job. These are the compilation errors I hit when building ext-auth (fnproject/ext-auth#4):

../../fnproject/ext-auth/app_listener.go:27:23: l.simple.ds.GetDatabase undefined (type models.Datastore has no field or method GetDatabase)
../../fnproject/ext-auth/app_listener.go:56:23: l.simple.ds.GetDatabase undefined (type models.Datastore has no field or method GetDatabase)
../../fnproject/ext-auth/app_listener.go:78:20: l.simple.ds.GetDatabase undefined (type models.Datastore has no field or method GetDatabase)
../../fnproject/ext-auth/app_listener.go:89:8: filter.NameIn undefined (type *models.AppFilter has no field or method NameIn)
../../fnproject/ext-auth/middleware.go:80:27: m.simple.ds.GetApp undefined (type models.Datastore has no field or method GetApp)
../../fnproject/ext-auth/simple.go:91:12: s.ds.GetDatabase undefined (type models.Datastore has no field or method GetDatabase)
../../fnproject/ext-auth/simple.go:107:12: s.ds.GetDatabase undefined (type models.Datastore has no field or method GetDatabase)
../../fnproject/ext-auth/simple.go:126:12: s.ds.GetDatabase undefined (type models.Datastore has no field or method GetDatabase)
../../fnproject/ext-auth/simple.go:146:13: s.ds.GetDatabase undefined (type models.Datastore has no field or method GetDatabase)

#1060 removed the GetDatabase method from models.Datastore, and I wasn't quite sure what to replace it with. Perhaps the solution is for ext-auth to have its own database object (instead of reusing fn's one), but given I don't actually know Golang and don't have time to properly learn it, I stopped looking into it 😅

I suspect when Fn hits 1.0, the API/ABI will be less susceptible to breaking changes like this.

The other functionality that'd be useful is the ability to disable creating new users (fnproject/ext-auth#3) and allow multiple users for one app (fnproject/ext-auth#2).

@rdallman - Any luck with the middleware?

Hey @Daniel15 - first step of updating #1481 (pending review) - I think I'm going to rework the example's main to set up the datastore itself, grab the db out of there, and use it, rather than all the additional plumbing to get the datastore out. Sorry for the delay here, wedged getting reviews for a bit now.

Any way to help here?

@dgutson #1476 (comment) is the plan, it's going to take some time to add some methods to fn and then make the changes in the ext-auth repo to use them. If you have an existing auth solution you need to integrate with, ext-auth is a decent template as is and the changes I'm making won't help much - just remove all the db usage and change it to client calls to your auth service (/ caching).

I am going with the standalone fn option. @Daniel15, have you made any progress on authenticating fn? I am thinking of going with iptables access, where only a few apps are given access to hit the fn server.

K0IN commented

I put nginx in front of the fn API, but the fn API client can't handle basic auth.