Cleanup k8s-keystone-auth

- Move files around
- fix logging levels
- fail unauthenticated users in sample policy.json

Author: dims

cmd/k8s-keystone-auth/main.go

@@ -15,14 +15,17 @@ limitations under the License.
 package main
 
 import (
-	flag "github.com/spf13/pflag"
-	"log"
+	"flag"
+	"github.com/golang/glog"
+	"github.com/spf13/pflag"
 	"net/http"
 
-	"git.openstack.org/openstack/openstack-cloud-controller-manager/pkg/authenticator/token/keystone"
+	"git.openstack.org/openstack/openstack-cloud-controller-manager/pkg/identity/keystone"
 	"git.openstack.org/openstack/openstack-cloud-controller-manager/pkg/identity/webhook"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
+	kflag "k8s.io/apiserver/pkg/util/flag"
+	"k8s.io/apiserver/pkg/util/logs"
 )
 
 func webhookServer(authenticator authenticator.Token, authorizer authorizer.Authorizer) http.Handler {
@@ -42,35 +45,39 @@ var (
 )
 
 func main() {
-	flag.StringVar(&listenAddr, "listen", "localhost:8443", "<address>:<port> to listen on")
-	flag.StringVar(&tlsCertFile, "tls-cert-file", "", "File containing the default x509 Certificate for HTTPS.")
-	flag.StringVar(&tlsPrivateKey, "tls-private-key-file", "", "File containing the default x509 private key matching --tls-cert-file.")
-	flag.StringVar(&keystoneURL, "keystone-url", "http://localhost/identity/v3/", "URL for the OpenStack Keystone API")
-	flag.StringVar(&keystoneCaFile, "keystone-ca-file", "", "File containing the certificate authority for Keystone Service.")
-	flag.StringVar(&policyFile, "keystone-policy-file", "", "File containing the policy.")
-	flag.Parse()
+	flag.CommandLine.Parse([]string{})
+	pflag.StringVar(&listenAddr, "listen", "0.0.0.0:8443", "<address>:<port> to listen on")
+	pflag.StringVar(&tlsCertFile, "tls-cert-file", "", "File containing the default x509 Certificate for HTTPS.")
+	pflag.StringVar(&tlsPrivateKey, "tls-private-key-file", "", "File containing the default x509 private key matching --tls-cert-file.")
+	pflag.StringVar(&keystoneURL, "keystone-url", "http://localhost/identity/v3/", "URL for the OpenStack Keystone API")
+	pflag.StringVar(&keystoneCaFile, "keystone-ca-file", "", "File containing the certificate authority for Keystone Service.")
+	pflag.StringVar(&policyFile, "keystone-policy-file", "", "File containing the policy.")
+
+	kflag.InitFlags()
+	logs.InitLogs()
+	defer logs.FlushLogs()
 
 	if tlsCertFile == "" || tlsPrivateKey == "" {
-		log.Fatal("Please specify --tls-cert-file and --tls-private-key-file arguments.")
+		glog.Fatal("Please specify --tls-cert-file and --tls-private-key-file arguments.")
 	}
 	if policyFile == "" {
-		log.Printf("Argument --keystone-policy-file missing. Only keystone authentication will work. Use RBAC for authorization.")
+		glog.Infof("Argument --keystone-policy-file missing. Only keystone authentication will work. Use RBAC for authorization.")
 	}
 
 	authentication_handler, err := keystone.NewKeystoneAuthenticator(keystoneURL, keystoneCaFile)
 	if err != nil {
-		log.Fatal(err.Error())
+		glog.Fatal(err.Error())
 	}
 
 	authorization_handler, err := keystone.NewKeystoneAuthorizer(keystoneURL, keystoneCaFile, policyFile)
 	if err != nil {
-		log.Fatal(err.Error())
+		glog.Fatal(err.Error())
 	}
 
 	http.Handle("/webhook", webhookServer(authentication_handler, authorization_handler))
-	log.Println("Starting webhook..")
-	log.Fatal(
-		http.ListenAndServeTLS(":8443",
+	glog.Infof("Starting webhook..")
+	glog.Fatal(
+		http.ListenAndServeTLS(listenAddr,
 			tlsCertFile,
 			tlsPrivateKey,
 			nil))

examples/webhook/policy.json

@@ -20,7 +20,7 @@
     },
     "match": {
       "type": "group",
-      "value": "*"
+      "value": "system:authenticated"
     }
   },
   {
@@ -40,7 +40,7 @@
     },
     "match": {
       "type": "group",
-      "value": "*"
+      "value": "system:authenticated"
     }
   }
 ]

…nticator/token/keystone/authenticator.go pkg/identity/keystone/authenticator.gopkg/authenticator/token/keystone/authenticator.go renamed to pkg/identity/keystone/authenticator.go pkg/authenticator/token/keystone/authenticator.go renamed to pkg/identity/keystone/authenticator.go

@@ -50,14 +50,14 @@ func (keystoneAuthenticator *KeystoneAuthenticator) AuthenticateToken(token stri
 	url := keystoneAuthenticator.client.ServiceURL("auth", "tokens")
 	response, err := keystoneAuthenticator.client.Request("GET", url, &request_opts)
 	if err != nil {
-		glog.V(4).Info("Failed: bad response from API call: %v", err)
+		glog.Warningf("Failed: bad response from API call: %v", err)
 		return nil, false, errors.New("Failed to authenticate")
 	}
 
 	defer response.Body.Close()
 	bodyBytes, err := ioutil.ReadAll(response.Body)
 	if err != nil {
-		glog.V(4).Infof("Cannot get HTTP response body from keystone token validate: %v", err)
+		glog.Warningf("Cannot get HTTP response body from keystone token validate: %v", err)
 		return nil, false, errors.New("Failed to authenticate")
 	}
 
@@ -79,7 +79,7 @@ func (keystoneAuthenticator *KeystoneAuthenticator) AuthenticateToken(token stri
 
 	err = json.Unmarshal(bodyBytes, &obj)
 	if err != nil {
-		glog.V(4).Infof("Cannot unmarshal response: %v", err)
+		glog.Warningf("Cannot unmarshal response: %v", err)
 		return nil, false, errors.New("Failed to authenticate")
 	}
 

…thenticator/token/keystone/authorizer.go pkg/identity/keystone/authorizer.gopkg/authenticator/token/keystone/authorizer.go renamed to pkg/identity/keystone/authorizer.go pkg/authenticator/token/keystone/authorizer.go renamed to pkg/identity/keystone/authorizer.go

@@ -17,32 +17,33 @@ limitations under the License.
 package keystone
 
 import (
+	"encoding/json"
+
+	"github.com/golang/glog"
 	"github.com/gophercloud/gophercloud"
-	"log"
 
-	"encoding/json"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 )
 
 type KeystoneAuthorizer struct {
 	authURL string
 	client  *gophercloud.ServiceClient
-	pl      policyList
+	pl      PolicyList
 }
 
 func resourceMatches(p Policy, a authorizer.Attributes) bool {
 	if p.NonResourceSpec != nil && p.ResourceSpec != nil {
-		log.Printf("Policy has both resource and nonresource sections. skipping : %#v", p)
+		glog.Infof("Policy has both resource and nonresource sections. skipping : %#v", p)
 		return false
 	}
 
 	if p.ResourceSpec.Verb == "" {
-		log.Printf("verb is empty. skipping : %#v", p)
+		glog.Infof("verb is empty. skipping : %#v", p)
 		return false
 	}
 
 	if p.ResourceSpec.APIGroup == nil || p.ResourceSpec.Namespace == nil || p.ResourceSpec.Resource == nil {
-		log.Printf("version/namespace/resource should be all set. skipping : %#v", p)
+		glog.Infof("version/namespace/resource should be all set. skipping : %#v", p)
 		return false
 	}
 
@@ -54,7 +55,7 @@ func resourceMatches(p Policy, a authorizer.Attributes) bool {
 					if allowed {
 						output, err := json.MarshalIndent(p, "", "  ")
 						if err == nil {
-							log.Printf(">>>> matched rule : %s", string(output))
+							glog.V(6).Infof("matched rule : %s", string(output))
 						}
 						return true
 					}
@@ -67,12 +68,12 @@ func resourceMatches(p Policy, a authorizer.Attributes) bool {
 
 func nonResourceMatches(p Policy, a authorizer.Attributes) bool {
 	if p.NonResourceSpec.Verb == "" {
-		log.Printf("verb is empty. skipping : %#v", p)
+		glog.Infof("verb is empty. skipping : %#v", p)
 		return false
 	}
 
 	if p.NonResourceSpec.NonResourcePath == nil {
-		log.Printf("path should be set. skipping : %#v", p)
+		glog.Infof("path should be set. skipping : %#v", p)
 		return false
 	}
 
@@ -83,7 +84,7 @@ func nonResourceMatches(p Policy, a authorizer.Attributes) bool {
 				if allowed {
 					output, err := json.MarshalIndent(p, "", "  ")
 					if err == nil {
-						log.Printf(">>>> matched rule : %s", string(output))
+						glog.V(6).Infof("matched rule : %s", string(output))
 					}
 					return true
 				}
@@ -138,16 +139,16 @@ func match(match Match, attributes authorizer.Attributes) bool {
 			}
 		}
 	} else {
-		log.Printf("unknown type %s. skipping.", match.Type)
+		glog.Infof("unknown type %s. skipping.", match.Type)
 	}
 	return false
 }
 
 func (KeystoneAuthorizer *KeystoneAuthorizer) Authorize(a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
-	log.Printf("Authorizing user : %#v\n", a.GetUser())
+	glog.Infof("Authorizing user : %#v\n", a.GetUser())
 	for _, p := range KeystoneAuthorizer.pl {
 		if p.NonResourceSpec != nil && p.ResourceSpec != nil {
-			log.Printf("Policy has both resource and nonresource sections. skipping : %#v", p)
+			glog.Infof("Policy has both resource and nonresource sections. skipping : %#v", p)
 			continue
 		}
 		if p.ResourceSpec != nil {

…authenticator/token/keystone/keystone.go pkg/identity/keystone/keystone.gopkg/authenticator/token/keystone/keystone.go renamed to pkg/identity/keystone/keystone.go pkg/authenticator/token/keystone/keystone.go renamed to pkg/identity/keystone/keystone.go

@@ -21,9 +21,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"log"
 	"net/http"
-	//"strings"
 
 	"github.com/golang/glog"
 	"github.com/gophercloud/gophercloud"
@@ -89,11 +87,11 @@ func createKeystoneClient(authURL string, caFile string) (*gophercloud.ServiceCl
 	// We should use the V3 API
 	client, err := openstack.NewIdentityV3(provider, gophercloud.EndpointOpts{})
 	if err != nil {
-		glog.V(4).Info("Failed: Unable to use keystone v3 identity service: %v", err)
+		glog.Warningf("Failed: Unable to use keystone v3 identity service: %v", err)
 		return nil, errors.New("Failed to authenticate")
 	}
 	if err != nil {
-		glog.V(4).Info("Failed: Starting openstack authenticate client: %v", err)
+		glog.Warningf("Failed: Starting openstack authenticate client: %v", err)
 		return nil, errors.New("Failed to authenticate")
 	}
 
@@ -122,9 +120,9 @@ func NewKeystoneAuthorizer(authURL string, caFile string, policyFile string) (*K
 	policyList, err := NewFromFile(policyFile)
 	output, err := json.MarshalIndent(policyList, "", "  ")
 	if err == nil {
-		log.Printf(">>> Policy %s", string(output))
+		glog.V(6).Infof("Policy %s", string(output))
 	} else {
-		log.Fatalf(">>> Error %#v", err)
+		glog.V(6).Infof("Error %#v", err)
 	}
 
 	return &KeystoneAuthorizer{authURL: authURL, client: client, pl: policyList}, nil

…g/authenticator/token/keystone/policy.go pkg/identity/keystone/policy.gopkg/authenticator/token/keystone/policy.go renamed to pkg/identity/keystone/policy.go pkg/authenticator/token/keystone/policy.go renamed to pkg/identity/keystone/policy.go

@@ -66,16 +66,16 @@ type NonResourcePolicySpec struct {
 	NonResourcePath *string `json:"path"`
 }
 
-type policyList []*Policy
+type PolicyList []*Policy
 
-func NewFromFile(path string) (policyList, error) {
+func NewFromFile(path string) (PolicyList, error) {
 	file, err := os.Open(path)
 	if err != nil {
 		return nil, err
 	}
 	defer file.Close()
 
-	var data policyList
+	var data PolicyList
 
 	reader := bufio.NewReader(file)
 	decoder := json.NewDecoder(reader)

pkg/identity/webhook/handlers.go pkg/identity/webhook/webhook.gopkg/identity/webhook/handlers.go renamed to pkg/identity/webhook/webhook.go

@@ -19,10 +19,11 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/golang/glog"
+
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
-	"log"
 )
 
 type userInfo struct {
@@ -71,9 +72,8 @@ func (h *WebhookHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *WebhookHandler) authenticateToken(w http.ResponseWriter, r *http.Request, token string, data map[string]interface{}) {
-	//log.Printf(">>>> authenticateToken data : %#v\n", data)
 	user, authenticated, err := h.Authenticator.AuthenticateToken(token)
-	log.Printf("<<<< authenticateToken : %v, %v, %v\n", token, user, err)
+	glog.V(6).Infof("authenticateToken : %v, %v, %v\n", token, user, err)
 
 	if !authenticated {
 		var response status
@@ -122,7 +122,7 @@ func getField(data map[string]interface{}, name string) string {
 
 func (h *WebhookHandler) authorizeToken(w http.ResponseWriter, r *http.Request, data map[string]interface{}) {
 	output, err := json.MarshalIndent(data, "", "  ")
-	log.Printf(">>>> authorizeToken data : %s\n", string(output))
+	glog.V(6).Infof("authorizeToken data : %s\n", string(output))
 
 	spec := data["spec"].(map[string]interface{})
 
@@ -172,7 +172,7 @@ func (h *WebhookHandler) authorizeToken(w http.ResponseWriter, r *http.Request,
 	}
 
 	allowed, reason, err := h.Authorizer.Authorize(attrs)
-	log.Printf("<<<< authorizeToken : %v, %v, %v\n", allowed, reason, err)
+	glog.Infof("<<<< authorizeToken : %v, %v, %v\n", allowed, reason, err)
 	if err != nil {
 		http.Error(w, reason, http.StatusInternalServerError)
 		return

pkg/volume/cinder/provisioner/provisioner.go

@@ -43,7 +43,7 @@ type cinderProvisioner struct {
 	// Openstack cinder client
 	VolumeService *gophercloud.ServiceClient
 
-	// Kubernetes Client. Use to create secret
+	// Kubernetes client. Use to create secret
 	Client kubernetes.Interface
 	// Identity of this cinderProvisioner, generated. Used to identify "this"
 	// provisioner's PVs.