Compare commits

...

37 Commits

Author SHA1 Message Date
Andrey Melnikov
6c5b6c877e Merge pull request #660 from Vafilor/feat/revert.jwt
feat: revert jwt changes as it creates issues with workflow authentication logic
2020-10-14 12:15:27 -07:00
Andrey Melnikov
67e684a715 revert: remove util/tokens/jwt as it is no longer used. 2020-10-14 11:54:23 -07:00
Andrey Melnikov
20c4950b69 feat: revert jwt token from auth 2020-10-14 11:53:05 -07:00
Andrey Melnikov
5e5c3cca67 Merge pull request #657 from rushtehrani/fix/workspace-resource
fix: Update label function to return group and resource
2020-10-13 16:15:28 -07:00
Andrey Melnikov
575a33c272 Merge pull request #658 from Vafilor/feat/onepanel.io.653-additional-fixes
fix: issue with concurrent map access
2020-10-13 16:09:22 -07:00
rushtehrani
8e9b95aa12 update label function to return group and resource 2020-10-13 16:06:08 -07:00
Andrey Melnikov
38f1aafaec fix: issue with concurrent map access 2020-10-13 16:02:40 -07:00
rushtehrani
30ebda4918 use workspaces instead of statefulset for resource 2020-10-13 15:47:20 -07:00
Andrey Melnikov
ce972f2988 Merge pull request #656 from Vafilor/feat/onepanel.io.653-additional-fixes
fix: bad token issue
2020-10-13 15:27:45 -07:00
Andrey Melnikov
ede4c67c8f fix: bad token issue 2020-10-13 15:17:56 -07:00
Rush Tehrani
68ddec78c8 Merge pull request #655 from Vafilor/feat/onepanelio.core.653-auth.changes
feat: update incoming token to be a JWT token that takes in username
2020-10-13 12:45:14 -07:00
Andrey Melnikov
c42997a643 fix: error to be API friendly 2020-10-13 12:21:32 -07:00
Andrey Melnikov
5bd2feaa86 update: added username to returned auth token 2020-10-12 17:01:26 -07:00
Andrey Melnikov
de4302d226 chore: formatting updates for error strings 2020-10-12 16:17:16 -07:00
Andrey Melnikov
7150f24631 feat: update incoming token to be a JWT token that takes in username 2020-10-12 16:07:12 -07:00
Rush Tehrani
0e1e48dfc8 Merge pull request #647 from rushtehrani/master
fix: Use correct group for workspaces resource
2020-10-08 20:03:51 -07:00
rushtehrani
dd0f1f7705 use correct group for workspaces resource 2020-10-08 19:52:48 -07:00
Aleksandr Melnikov
03f8f47664 Merge pull request #642 from Vafilor/fix/jupyterlab.migrations
feat: added convenience method to update workspace template manifest
2020-10-06 10:47:18 -07:00
Andrey Melnikov
c85496d216 update: added method specifically to update the manifest of a workspace template and modified recent migration to use it.
This fixes an issue where the jupyterlab migration wiped out the old description.
2020-10-06 10:28:03 -07:00
Rush Tehrani
5f6415548d Merge pull request #640 from aleksandrmelnikov/fix/core.637-dedicated.nodes.via.hostport
fix: Fixing issues with using hostPort. Removed prior logic that still relied on running nodes.
2020-10-05 15:40:26 -07:00
Aleksandr Melnikov
c641c17a8c Updating code that generates an extra container for a workspace.
- Renamed function to make it clearer what it's doing with the extra container
- Added documentation for the function
- Removed listing nodes code, since we only care if the workspace has
a nodeSelector set.
2020-10-05 14:17:00 -07:00
Aleksandr Melnikov
83a2543b13 Updating function name to reflect what it's doing. 2020-10-05 14:04:32 -07:00
Aleksandr Melnikov
e8dae0f2e9 Since we're no longer relying on running nodes, we don't need logic
relating to them.
- We can just check if a nodeSelector is set on the template.
2020-10-05 13:59:14 -07:00
Rush Tehrani
b85bf4d688 Merge pull request #638 from aleksandrmelnikov/fix/core.637-dedicated.nodes.via.hostport
fix: Replace resource requests and limits with hostPort, as a means of grabbing dedicated nodes.
2020-10-05 12:17:45 -07:00
Aleksandr Melnikov
7fe0ab2654 Tweaking names so it's more clear why they are there. 2020-10-05 11:51:04 -07:00
Aleksandr Melnikov
dfa6eb2fe6 Removing function that's no longer used. 2020-10-05 11:46:19 -07:00
Aleksandr Melnikov
cc2c51ace5 Removing resource requests and limits.
- Using hostPort on the node as a way to require dedicated nodes
for workspaces and workflows.
2020-10-05 11:46:01 -07:00
Andrey Melnikov
897462ede7 Merge pull request #636 from aleksandrmelnikov/fix/if.no.running.node.don't.try.to.set.resources
fix: Do not try to calculate resource requests and limits if the node is not running.
2020-10-02 16:25:04 -07:00
Aleksandr Melnikov
4e3c24fd89 Merge pull request #630 from Vafilor/fix/workspace.start.resource.requirements
fix: added resource requirements to start workspace
2020-10-02 16:17:15 -07:00
Aleksandr Melnikov
276e105f20 Adding documentation for function call.
- Refactoring the parameter names so they are actually usefully named.
2020-10-02 15:53:29 -07:00
Aleksandr Melnikov
656026ac84 Refactored workflow_execution resource calculation to use the new
function, to put the logic into the same place.
2020-10-02 13:08:48 -07:00
Aleksandr Melnikov
95bea11e43 Refactored the resource calculation piece into it's own function.
Added code logic to check the cpu and memory generated by the node.
- If they are empty, then skip trying to add an extra container
for workspace.
2020-10-02 13:08:29 -07:00
Andrey Melnikov
c6f65510d8 Merge pull request #635 from Vafilor/fix/remove.dependabot.from.release.notes
fix: remove dependabot[bot] from release notes
2020-10-01 22:55:31 -07:00
Andrey Melnikov
d6e279dde5 fix: remove dependabot[bot] from release notes 2020-10-01 22:52:08 -07:00
Andrey Melnikov
e99b0e943d Merge pull request #632 from onepanelio/fix/tags
fix: build docker image on tag push
2020-10-01 22:44:58 -07:00
Andrey Melnikov
22a7c31f1d fix: testing tag push 2020-10-01 22:31:26 -07:00
Andrey Melnikov
b6c0f24170 fix: added resource requirements to start workspace 2020-10-01 21:21:57 -07:00
17 changed files with 314 additions and 338 deletions

29
.github/workflows/push_tag.yaml vendored Normal file
View File

@@ -0,0 +1,29 @@
name: Publish docker image on tag push
on:
push:
tags:
- '*'
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: olegtarasov/get-tag@v2
id: tagName
- name: Publish to Registry
uses: elgohr/Publish-Docker-Github-Action@master
with:
name: onepanel/core
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
tags: "${{ env.GIT_TAG_NAME }}"
- name: Set Slack Message
run: echo "::set-env name=SLACK_MESSAGE::Tag $GIT_TAG_NAME. Docker Tag onepanel/core:$GIT_TAG_NAME"
- name: Notify Slack Channels
uses: rtCamp/action-slack-notify@v2.0.0
env:
SLACK_CHANNEL: dev
SLACK_ICON: https://avatars1.githubusercontent.com/u/30390575?s=48&v=4
SLACK_TITLE: New Core Version
SLACK_USERNAME: opBot
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

View File

@@ -3,7 +3,7 @@
"info": {
"title": "Onepanel",
"description": "Onepanel API",
"version": "0.13.0",
"version": "0.14.0",
"contact": {
"name": "Onepanel project",
"url": "https://github.com/onepanelio/core"
@@ -77,7 +77,7 @@
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/TokenWrapper"
"$ref": "#/definitions/IsValidTokenRequest"
}
}
],
@@ -2967,11 +2967,28 @@
}
}
},
"IsValidTokenRequest": {
"type": "object",
"properties": {
"username": {
"type": "string"
},
"token": {
"type": "string"
}
}
},
"IsValidTokenResponse": {
"type": "object",
"properties": {
"domain": {
"type": "string"
},
"token": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
@@ -3394,14 +3411,6 @@
}
}
},
"TokenWrapper": {
"type": "object",
"properties": {
"token": {
"type": "string"
}
}
},
"UpdateSecretKeyValueResponse": {
"type": "object",
"properties": {

View File

@@ -204,65 +204,19 @@ func (x *IsAuthorizedResponse) GetAuthorized() bool {
return false
}
type TokenWrapper struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
}
func (x *TokenWrapper) Reset() {
*x = TokenWrapper{}
if protoimpl.UnsafeEnabled {
mi := &file_auth_proto_msgTypes[3]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *TokenWrapper) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*TokenWrapper) ProtoMessage() {}
func (x *TokenWrapper) ProtoReflect() protoreflect.Message {
mi := &file_auth_proto_msgTypes[3]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use TokenWrapper.ProtoReflect.Descriptor instead.
func (*TokenWrapper) Descriptor() ([]byte, []int) {
return file_auth_proto_rawDescGZIP(), []int{3}
}
func (x *TokenWrapper) GetToken() string {
if x != nil {
return x.Token
}
return ""
}
type IsValidTokenRequest struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Token *TokenWrapper `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
Username string `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"`
Token string `protobuf:"bytes,2,opt,name=token,proto3" json:"token,omitempty"`
}
func (x *IsValidTokenRequest) Reset() {
*x = IsValidTokenRequest{}
if protoimpl.UnsafeEnabled {
mi := &file_auth_proto_msgTypes[4]
mi := &file_auth_proto_msgTypes[3]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -275,7 +229,7 @@ func (x *IsValidTokenRequest) String() string {
func (*IsValidTokenRequest) ProtoMessage() {}
func (x *IsValidTokenRequest) ProtoReflect() protoreflect.Message {
mi := &file_auth_proto_msgTypes[4]
mi := &file_auth_proto_msgTypes[3]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -288,14 +242,21 @@ func (x *IsValidTokenRequest) ProtoReflect() protoreflect.Message {
// Deprecated: Use IsValidTokenRequest.ProtoReflect.Descriptor instead.
func (*IsValidTokenRequest) Descriptor() ([]byte, []int) {
return file_auth_proto_rawDescGZIP(), []int{4}
return file_auth_proto_rawDescGZIP(), []int{3}
}
func (x *IsValidTokenRequest) GetToken() *TokenWrapper {
func (x *IsValidTokenRequest) GetUsername() string {
if x != nil {
return x.Username
}
return ""
}
func (x *IsValidTokenRequest) GetToken() string {
if x != nil {
return x.Token
}
return nil
return ""
}
type IsValidTokenResponse struct {
@@ -303,13 +264,15 @@ type IsValidTokenResponse struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Domain string `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
Domain string `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
Token string `protobuf:"bytes,2,opt,name=token,proto3" json:"token,omitempty"`
Username string `protobuf:"bytes,3,opt,name=username,proto3" json:"username,omitempty"`
}
func (x *IsValidTokenResponse) Reset() {
*x = IsValidTokenResponse{}
if protoimpl.UnsafeEnabled {
mi := &file_auth_proto_msgTypes[5]
mi := &file_auth_proto_msgTypes[4]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -322,7 +285,7 @@ func (x *IsValidTokenResponse) String() string {
func (*IsValidTokenResponse) ProtoMessage() {}
func (x *IsValidTokenResponse) ProtoReflect() protoreflect.Message {
mi := &file_auth_proto_msgTypes[5]
mi := &file_auth_proto_msgTypes[4]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -335,7 +298,7 @@ func (x *IsValidTokenResponse) ProtoReflect() protoreflect.Message {
// Deprecated: Use IsValidTokenResponse.ProtoReflect.Descriptor instead.
func (*IsValidTokenResponse) Descriptor() ([]byte, []int) {
return file_auth_proto_rawDescGZIP(), []int{5}
return file_auth_proto_rawDescGZIP(), []int{4}
}
func (x *IsValidTokenResponse) GetDomain() string {
@@ -345,6 +308,20 @@ func (x *IsValidTokenResponse) GetDomain() string {
return ""
}
func (x *IsValidTokenResponse) GetToken() string {
if x != nil {
return x.Token
}
return ""
}
func (x *IsValidTokenResponse) GetUsername() string {
if x != nil {
return x.Username
}
return ""
}
var File_auth_proto protoreflect.FileDescriptor
var file_auth_proto_rawDesc = []byte{
@@ -370,32 +347,33 @@ var file_auth_proto_rawDesc = []byte{
0x7a, 0x65, 0x64, 0x22, 0x36, 0x0a, 0x14, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
0x7a, 0x65, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x61,
0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52,
0x0a, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x22, 0x24, 0x0a, 0x0c, 0x54,
0x6f, 0x6b, 0x65, 0x6e, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x74,
0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65,
0x6e, 0x22, 0x3e, 0x0a, 0x13, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65,
0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x27, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65,
0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x54, 0x6f,
0x6b, 0x65, 0x6e, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65,
0x6e, 0x22, 0x2e, 0x0a, 0x14, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65,
0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d,
0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69,
0x6e, 0x32, 0xea, 0x01, 0x0a, 0x0b, 0x41, 0x75, 0x74, 0x68, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63,
0x65, 0x12, 0x6c, 0x0a, 0x0c, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65,
0x6e, 0x12, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54,
0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x61, 0x70,
0x69, 0x2e, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65,
0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x27, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x21, 0x22, 0x18,
0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x61, 0x75,
0x74, 0x68, 0x2f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x3a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x12,
0x6d, 0x0a, 0x0c, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x12,
0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a,
0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e,
0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x73, 0x70,
0x6f, 0x6e, 0x73, 0x65, 0x22, 0x28, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x22, 0x22, 0x12, 0x2f, 0x61,
0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68,
0x3a, 0x0c, 0x69, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x62, 0x06,
0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x0a, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x22, 0x47, 0x0a, 0x13, 0x49,
0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65,
0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x14,
0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74,
0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x60, 0x0a, 0x14, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54,
0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06,
0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f,
0x6d, 0x61, 0x69, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20,
0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73,
0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73,
0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x32, 0xe6, 0x01, 0x0a, 0x0b, 0x41, 0x75, 0x74, 0x68, 0x53,
0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x68, 0x0a, 0x0c, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69,
0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x56,
0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
0x1a, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f,
0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4,
0x93, 0x02, 0x1d, 0x22, 0x18, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74,
0x61, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x3a, 0x01, 0x2a,
0x12, 0x6d, 0x0a, 0x0c, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64,
0x12, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
0x7a, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x61, 0x70, 0x69,
0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x73,
0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x28, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x22, 0x22, 0x12, 0x2f,
0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x61, 0x75, 0x74,
0x68, 0x3a, 0x0c, 0x69, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x62,
0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
@@ -410,27 +388,25 @@ func file_auth_proto_rawDescGZIP() []byte {
return file_auth_proto_rawDescData
}
var file_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
var file_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
var file_auth_proto_goTypes = []interface{}{
(*IsAuthorized)(nil), // 0: api.IsAuthorized
(*IsAuthorizedRequest)(nil), // 1: api.IsAuthorizedRequest
(*IsAuthorizedResponse)(nil), // 2: api.IsAuthorizedResponse
(*TokenWrapper)(nil), // 3: api.TokenWrapper
(*IsValidTokenRequest)(nil), // 4: api.IsValidTokenRequest
(*IsValidTokenResponse)(nil), // 5: api.IsValidTokenResponse
(*IsValidTokenRequest)(nil), // 3: api.IsValidTokenRequest
(*IsValidTokenResponse)(nil), // 4: api.IsValidTokenResponse
}
var file_auth_proto_depIdxs = []int32{
0, // 0: api.IsAuthorizedRequest.isAuthorized:type_name -> api.IsAuthorized
3, // 1: api.IsValidTokenRequest.token:type_name -> api.TokenWrapper
4, // 2: api.AuthService.IsValidToken:input_type -> api.IsValidTokenRequest
1, // 3: api.AuthService.IsAuthorized:input_type -> api.IsAuthorizedRequest
5, // 4: api.AuthService.IsValidToken:output_type -> api.IsValidTokenResponse
2, // 5: api.AuthService.IsAuthorized:output_type -> api.IsAuthorizedResponse
4, // [4:6] is the sub-list for method output_type
2, // [2:4] is the sub-list for method input_type
2, // [2:2] is the sub-list for extension type_name
2, // [2:2] is the sub-list for extension extendee
0, // [0:2] is the sub-list for field type_name
3, // 1: api.AuthService.IsValidToken:input_type -> api.IsValidTokenRequest
1, // 2: api.AuthService.IsAuthorized:input_type -> api.IsAuthorizedRequest
4, // 3: api.AuthService.IsValidToken:output_type -> api.IsValidTokenResponse
2, // 4: api.AuthService.IsAuthorized:output_type -> api.IsAuthorizedResponse
3, // [3:5] is the sub-list for method output_type
1, // [1:3] is the sub-list for method input_type
1, // [1:1] is the sub-list for extension type_name
1, // [1:1] is the sub-list for extension extendee
0, // [0:1] is the sub-list for field type_name
}
func init() { file_auth_proto_init() }
@@ -476,18 +452,6 @@ func file_auth_proto_init() {
}
}
file_auth_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*TokenWrapper); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_auth_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*IsValidTokenRequest); i {
case 0:
return &v.state
@@ -499,7 +463,7 @@ func file_auth_proto_init() {
return nil
}
}
file_auth_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
file_auth_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*IsValidTokenResponse); i {
case 0:
return &v.state
@@ -518,7 +482,7 @@ func file_auth_proto_init() {
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_auth_proto_rawDesc,
NumEnums: 0,
NumMessages: 6,
NumMessages: 5,
NumExtensions: 0,
NumServices: 1,
},

View File

@@ -39,7 +39,7 @@ func request_AuthService_IsValidToken_0(ctx context.Context, marshaler runtime.M
if berr != nil {
return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
}
if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Token); err != nil && err != io.EOF {
if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
}
@@ -56,7 +56,7 @@ func local_request_AuthService_IsValidToken_0(ctx context.Context, marshaler run
if berr != nil {
return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
}
if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Token); err != nil && err != io.EOF {
if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
}

View File

@@ -9,7 +9,7 @@ service AuthService {
rpc IsValidToken(IsValidTokenRequest) returns (IsValidTokenResponse) {
option (google.api.http) = {
post: "/apis/v1beta1/auth/token"
body: "token"
body: "*"
};
}
@@ -37,14 +37,13 @@ message IsAuthorizedResponse {
bool authorized = 1;
}
message TokenWrapper {
string token = 1;
}
message IsValidTokenRequest {
TokenWrapper token = 1;
string username = 1;
string token = 2;
}
message IsValidTokenResponse {
string domain = 1;
string token = 2;
string username = 3;
}

View File

@@ -155,6 +155,10 @@ func printMarkDown(issues []*issue, version *string) {
fmt.Println("# Contributors")
contributors := make([]user, 0)
for _, contributor := range contributorsMap {
// Sorry, no bots.
if contributor.Login == "dependabot[bot]" {
continue
}
contributors = append(contributors, contributor)
}
sort.Slice(contributors, func(i, j int) bool { return contributors[i].ContributionsCount > contributors[j].ContributionsCount })

View File

@@ -2,7 +2,6 @@ package migration
import (
"database/sql"
v1 "github.com/onepanelio/core/pkg"
uid2 "github.com/onepanelio/core/pkg/util/uid"
"github.com/pressly/goose"
)
@@ -103,13 +102,7 @@ func Up20200929153931(tx *sql.Tx) error {
return err
}
for _, namespace := range namespaces {
workspaceTemplate := &v1.WorkspaceTemplate{
UID: uid,
Name: jupyterLabTemplateName,
Manifest: jupyterWorkspaceTemplate3,
}
if _, err := client.UpdateWorkspaceTemplate(namespace.Name, workspaceTemplate); err != nil {
if _, err := client.UpdateWorkspaceTemplateManifest(namespace.Name, uid, jupyterWorkspaceTemplate3); err != nil {
return err
}
}
@@ -144,14 +137,9 @@ func Down20200929153931(tx *sql.Tx) error {
if err != nil {
return err
}
workspaceTemplate := &v1.WorkspaceTemplate{
UID: uid,
Name: jupyterLabTemplateName,
Manifest: jupyterWorkspaceTemplate2,
}
for _, namespace := range namespaces {
if _, err := client.UpdateWorkspaceTemplate(namespace.Name, workspaceTemplate); err != nil {
if _, err := client.UpdateWorkspaceTemplateManifest(namespace.Name, uid, jupyterWorkspaceTemplate2); err != nil {
return err
}
}

3
go.mod
View File

@@ -43,4 +43,5 @@ require (
k8s.io/apimachinery v0.16.7-beta.0
k8s.io/client-go v0.16.4
sigs.k8s.io/yaml v1.2.0
)
github.com/dgrijalva/jwt-go v3.2.0+incompatible
)

View File

@@ -4,6 +4,7 @@ import (
"fmt"
sq "github.com/Masterminds/squirrel"
argoprojv1alpha1 "github.com/argoproj/argo/pkg/client/clientset/versioned/typed/workflow/v1alpha1"
"github.com/jmoiron/sqlx"
"github.com/onepanelio/core/pkg/util/gcs"
"github.com/onepanelio/core/pkg/util/router"
"github.com/onepanelio/core/pkg/util/s3"
@@ -38,6 +39,24 @@ func NewConfig() (config *Config) {
return
}
// GetDefaultClient loads a default k8s client
func GetDefaultClient() (*Client, error) {
kubeConfig := NewConfig()
client, err := NewClient(kubeConfig, nil, nil)
if err != nil {
return nil, err
}
config, err := client.GetSystemConfig()
if err != nil {
return nil, err
}
dbDriverName, dbDataSourceName := config.DatabaseConnection()
client.DB = NewDB(sqlx.MustConnect(dbDriverName, dbDataSourceName))
return client, nil
}
// NewClient creates a client to interact with the Onepanel system.
// It includes access to the database, kubernetes, argo, and configuration.
func NewClient(config *Config, db *DB, systemConfig SystemConfig) (client *Client, err error) {

View File

@@ -38,6 +38,12 @@ func NewSystemConfig(configMap *ConfigMap, secret *Secret) (config SystemConfig,
}
config["databasePassword"] = string(databasePassword)
hmac, err := base64.StdEncoding.DecodeString(secret.Data["hmac"])
if err != nil {
return
}
config["hmac"] = string(hmac)
return
}
@@ -183,6 +189,16 @@ func (s SystemConfig) UpdateNodePoolOptions(parameters []Parameter) ([]Parameter
return result, nil
}
// HMACKey gets the HMAC value, or nil.
func (s SystemConfig) HMACKey() []byte {
hmac := s.GetValue("hmac")
if hmac == nil {
return []byte{}
}
return []byte(*hmac)
}
// ArtifactRepositoryS3Provider is meant to be used
// by the CLI. CLI will marshal this struct into the correct
// YAML structure for k8s configmap / secret.

View File

@@ -18,7 +18,6 @@ import (
"gopkg.in/yaml.v2"
"io"
"io/ioutil"
"k8s.io/apimachinery/pkg/api/resource"
"k8s.io/apimachinery/pkg/watch"
"net/http"
"strconv"
@@ -197,93 +196,21 @@ func injectArtifactRepositoryConfig(artifact *wfv1.Artifact, namespaceConfig *Na
}
}
// injectContainerResourceQuotas adds resource requests and limits if they exist
// Code grabs the resource request information from the nodeSelector, compared against running nodes.
// If the running node is not present, no resource information is retrieved.
func (c *Client) injectContainerResourceQuotas(wf *wfv1.Workflow, template *wfv1.Template, systemConfig SystemConfig) error {
// injectHostPortToContainer adds a hostPort to the template container, if a nodeSelector is present.
// Kubernetes will ensure that multiple containers with the same hostPort do not share the same node.
func (c *Client) injectHostPortToContainer(template *wfv1.Template) error {
if template.NodeSelector == nil {
return nil
}
supportedNodePoolLabels := []string{"beta.kubernetes.io/instance-type", "node.kubernetes.io/instance-type"}
nodePoolLabel := ""
var value string
for k, v := range template.NodeSelector {
for _, supportedNodePoolLabel := range supportedNodePoolLabels {
if k == supportedNodePoolLabel {
nodePoolLabel = k
value = v
break
}
}
ports := []corev1.ContainerPort{
{Name: "node-capturer", HostPort: 80, ContainerPort: 80},
}
if value == "" {
return nil
if template.Container != nil {
template.Container.Ports = ports
}
if strings.Contains(value, "{{workflow.") {
parts := strings.Split(strings.Replace(value, "}}", "", -1), ".")
paramName := parts[len(parts)-1]
for _, param := range wf.Spec.Arguments.Parameters {
if param.Name == paramName && param.Value != nil {
value = *param.Value
break
}
}
}
runningNodes, err := c.Interface.CoreV1().Nodes().List(ListOptions{})
if err != nil {
return err
}
var cpu string
var memory string
var gpu int64
gpuManufacturer := ""
for _, node := range runningNodes.Items {
if node.Labels[nodePoolLabel] == value {
cpuInt := node.Status.Allocatable.Cpu().MilliValue()
cpu = strconv.FormatFloat(float64(cpuInt)*.9, 'f', 0, 64) + "m"
memoryInt := node.Status.Allocatable.Memory().MilliValue()
kiBase := 1024.0
ninetyPerc := float64(memoryInt) * .9
toKi := ninetyPerc / kiBase / kiBase
memory = strconv.FormatFloat(toKi, 'f', 0, 64) + "Ki"
//Check for Nvidia
gpuQuantity := node.Status.Allocatable["nvidia.com/gpu"]
if gpuQuantity.IsZero() == false {
gpu = gpuQuantity.Value()
gpuManufacturer = "nvidia.com/gpu"
}
//Check for AMD
//Source: https://github.com/RadeonOpenCompute/k8s-device-plugin/blob/master/example/pod/alexnet-gpu.yaml
gpuQuantity = node.Status.Allocatable["amd.com/gpu"]
if gpuQuantity.IsZero() == false {
gpu = gpuQuantity.Value()
gpuManufacturer = "amd.com/gpu"
}
}
}
if cpu != "" && memory != "" {
resourceList := corev1.ResourceRequirements{
Limits: nil,
Requests: map[corev1.ResourceName]resource.Quantity{
corev1.ResourceCPU: resource.MustParse(cpu),
corev1.ResourceMemory: resource.MustParse(memory),
},
}
if gpu > 0 {
stringGpu := strconv.FormatInt(gpu, 10)
resourceList.Limits = make(map[corev1.ResourceName]resource.Quantity)
resourceList.Limits[corev1.ResourceName(gpuManufacturer)] = resource.MustParse(stringGpu)
}
if template.Container != nil {
template.Container.Resources = resourceList
}
if template.Script != nil {
template.Script.Container.Resources = resourceList
}
if template.Script != nil {
template.Script.Container.Ports = ports
}
return nil
}
@@ -355,7 +282,7 @@ func (c *Client) injectAutomatedFields(namespace string, wf *wfv1.Workflow, opts
Name: "sys-dshm",
MountPath: "/dev/shm",
})
err = c.injectContainerResourceQuotas(wf, template, systemConfig)
err = c.injectHostPortToContainer(template)
if err != nil {
return err
}
@@ -363,7 +290,7 @@ func (c *Client) injectAutomatedFields(namespace string, wf *wfv1.Workflow, opts
}
if template.Script != nil {
err = c.injectContainerResourceQuotas(wf, template, systemConfig)
err = c.injectHostPortToContainer(template)
if err != nil {
return err
}
@@ -1924,14 +1851,14 @@ func workflowExecutionsSelectBuilderNoColumns(namespace, workflowTemplateUID, wo
func workflowExecutionsSelectBuilder(namespace, workflowTemplateUID, workflowTemplateVersion string, includeSystem bool) sq.SelectBuilder {
sb := workflowExecutionsSelectBuilderNoColumns(namespace, workflowTemplateUID, workflowTemplateVersion, includeSystem)
sb = sb.Columns(getWorkflowExecutionColumns("we", "")...).
sb = sb.Columns(getWorkflowExecutionColumns("we")...).
Columns(`wtv.version "workflow_template.version"`, `wtv.created_at "workflow_template.created_at"`, `wt.name "workflow_template.name"`, `wt.uid "workflow_template.uid"`)
return sb
}
func (c *Client) getWorkflowExecutionAndTemplate(namespace string, uid string) (workflow *WorkflowExecution, err error) {
sb := sb.Select(getWorkflowExecutionColumns("we", "")...).
sb := sb.Select(getWorkflowExecutionColumns("we")...).
Columns(getWorkflowTemplateColumns("wt", "workflow_template")...).
Columns(`wtv.manifest "workflow_template.manifest"`, `wtv.version "workflow_template.version"`).
From("workflow_executions we").

View File

@@ -15,7 +15,6 @@ import (
"github.com/onepanelio/core/pkg/util/request"
log "github.com/sirupsen/logrus"
"google.golang.org/grpc/codes"
"strconv"
"strings"
"time"
)
@@ -286,32 +285,15 @@ func (c *Client) addResourceRequestsAndLimitsToWorkspaceTemplate(t wfv1.Template
if !ok {
return nil, errors.New("unable to type check statefulset manifest")
}
//Get node selected
labelKey := "sys-node-pool-label"
labelKeyVal := ""
for _, parameter := range argoTemplate.Spec.Arguments.Parameters {
if parameter.Name == labelKey {
labelKeyVal = *parameter.Value
extraContainer := generateExtraContainerWithHostPortToSequesterNode()
if extraContainer != nil {
containers, ok := templateSpec["containers"].([]interface{})
if !ok {
return nil, errors.New("unable to type check statefulset manifest")
}
}
nodePoolKey := "sys-node-pool"
nodePoolVal := ""
for _, parameter := range workspace.Parameters {
if parameter.Name == nodePoolKey {
nodePoolVal = *parameter.Value
}
templateSpec["containers"] = append([]interface{}{extraContainer}, containers...)
}
extraContainer, err := generateExtraContainerWithResources(c, labelKeyVal, nodePoolVal)
if err != nil {
return nil, err
}
containers, ok := templateSpec["containers"].([]interface{})
if !ok {
return nil, errors.New("unable to type check statefulset manifest")
}
templateSpec["containers"] = append([]interface{}{extraContainer}, containers...)
resultManifest, err := yaml.Marshal(statefulSet)
if err != nil {
return nil, err
@@ -319,78 +301,25 @@ func (c *Client) addResourceRequestsAndLimitsToWorkspaceTemplate(t wfv1.Template
return resultManifest, nil
}
// generateExtraContainerWithResources will add an extra container to a workspace.
// The extra container will have the calculated resource request for the node selected by the workspace.
// generateExtraContainerWithHostPortToSequesterNode will add an extra container to a workspace.
// The extra container have a hostPort set. Kubernetes will ensure the hostPort does not get conflict
// between containers, scheduling a new node as needed.
// The container will sleep once started, and generally consume negligible resources.
//
// The node that was selected has to be already running, in order to get the resource request correct.
func generateExtraContainerWithResources(c *Client, labelKeyVal string, nodePoolVal string) (map[string]interface{}, error) {
runningNodes, err := c.Interface.CoreV1().Nodes().List(ListOptions{})
if err != nil {
return nil, err
}
var cpu string
var memory string
var gpu int64
gpuManufacturer := ""
for _, node := range runningNodes.Items {
if node.Labels[labelKeyVal] == nodePoolVal {
cpuInt := node.Status.Allocatable.Cpu().MilliValue()
cpu = strconv.FormatFloat(float64(cpuInt)*.9, 'f', 0, 64) + "m"
memoryInt := node.Status.Allocatable.Memory().MilliValue()
kiBase := 1024.0
ninetyPerc := float64(memoryInt) * .9
toKi := ninetyPerc / kiBase / kiBase
memory = strconv.FormatFloat(toKi, 'f', 0, 64) + "Ki"
//Check for Nvidia
gpuQuantity := node.Status.Allocatable["nvidia.com/gpu"]
if gpuQuantity.IsZero() == false {
gpu = gpuQuantity.Value()
gpuManufacturer = "nvidia.com/gpu"
}
//Check for AMD
//Source: https://github.com/RadeonOpenCompute/k8s-device-plugin/blob/master/example/pod/alexnet-gpu.yaml
gpuQuantity = node.Status.Allocatable["amd.com/gpu"]
if gpuQuantity.IsZero() == false {
gpu = gpuQuantity.Value()
gpuManufacturer = "amd.com/gpu"
}
}
}
func generateExtraContainerWithHostPortToSequesterNode() map[string]interface{} {
extraContainer := map[string]interface{}{
"image": "alpine:latest",
"name": "resource-requester",
"name": "node-capturer",
"command": []interface{}{"/bin/sh"},
"args": []interface{}{"-c", "while :; do sleep 2073600; done"},
"resources": map[string]interface{}{
"requests": map[string]interface{}{
"cpu": cpu,
"memory": memory,
"ports": []interface{}{
map[string]interface{}{
"name": "node-capturer",
"hostPort": 80,
"containerPort": 80,
},
"limits": map[string]interface{}{},
},
}
if gpu > 0 {
res, ok := extraContainer["resources"].(map[string]interface{})
if !ok {
return nil, errors.New("unable to type check extraContainer")
}
reqs, ok := res["requests"].(map[string]interface{})
if !ok {
return nil, errors.New("unable to type check extraContainer")
}
reqs[gpuManufacturer] = gpu
limits, ok := res["limits"].(map[string]interface{})
if !ok {
return nil, errors.New("unable to type check extraContainer")
}
limits[gpuManufacturer] = gpu
}
return extraContainer, err
return extraContainer
}
// startWorkspace starts a workspace and related resources. It assumes a DB record already exists
@@ -441,6 +370,17 @@ func (c *Client) startWorkspace(namespace string, parameters []byte, workspace *
}
}
templates := argoTemplate.Spec.Templates
for i, t := range templates {
if t.Name == WorkspaceStatefulSetResource {
resultManifest, err := c.addResourceRequestsAndLimitsToWorkspaceTemplate(t, argoTemplate, workspace)
if err != nil {
return nil, err
}
templates[i].Resource.Manifest = string(resultManifest)
}
}
_, err = c.CreateWorkflowExecution(namespace, &WorkflowExecution{
Parameters: workspace.Parameters,
}, workflowTemplate)

View File

@@ -1158,6 +1158,19 @@ func (c *Client) UpdateWorkspaceTemplate(namespace string, workspaceTemplate *Wo
return workspaceTemplate, nil
}
// UpdateWorkspaceTemplateManifest updates a workspace template by creating a new version where the only difference is the manifest
func (c *Client) UpdateWorkspaceTemplateManifest(namespace, uid string, manifest string) (*WorkspaceTemplate, error) {
existingTemplate, err := c.GetWorkspaceTemplate(namespace, uid, 0)
if err != nil {
return nil, err
}
existingTemplate.UID = uid
existingTemplate.Manifest = manifest
return c.UpdateWorkspaceTemplate(namespace, existingTemplate)
}
// ListWorkspaceTemplates returns a list of workspace templates that are not archived, sorted by most recent created first
func (c *Client) ListWorkspaceTemplates(namespace string, request *request.Request) (workspaceTemplates []*WorkspaceTemplate, err error) {
sb := c.workspaceTemplatesSelectBuilder(namespace).

View File

@@ -2,9 +2,13 @@ package auth
import (
"context"
"crypto/md5"
"encoding/hex"
"errors"
"fmt"
"github.com/onepanelio/core/api"
"github.com/onepanelio/core/pkg/util"
v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
"net/http"
"strings"
@@ -36,6 +40,9 @@ func getBearerToken(ctx context.Context) (*string, bool) {
return nil, false
}
t = strings.ReplaceAll(t, prefix, "")
if t == "null" {
return nil, false
}
return &t, true
}
@@ -64,7 +71,12 @@ func getClient(ctx context.Context, kubeConfig *v1.Config, db *v1.DB, sysConfig
return nil, status.Error(codes.Unauthenticated, `Missing or invalid "authorization" header.`)
}
if sysConfig["token"] != *bearerToken {
sysConfig["token"] = *bearerToken
}
kubeConfig.BearerToken = *bearerToken
client, err := v1.NewClient(kubeConfig, db, sysConfig)
if err != nil {
return nil, err
@@ -98,6 +110,43 @@ func IsAuthorized(c *v1.Client, namespace, verb, group, resource, name string) (
return
}
func verifyLogin(client *v1.Client, tokenRequest *api.IsValidTokenRequest) (rawToken string, err error) {
accountsList, err := client.CoreV1().ServiceAccounts("onepanel").List(v1.ListOptions{})
if err != nil {
return "", err
}
authTokenSecretName := ""
for _, serviceAccount := range accountsList.Items {
if serviceAccount.Name != tokenRequest.Username {
continue
}
for _, secret := range serviceAccount.Secrets {
if strings.Contains(secret.Name, "-token-") {
authTokenSecretName = secret.Name
break
}
}
}
if authTokenSecretName == "" {
return "", util.NewUserError(codes.InvalidArgument, fmt.Sprintf("unknown service account '%v'", tokenRequest.Username))
}
secret, err := client.CoreV1().Secrets("onepanel").Get(authTokenSecretName, v12.GetOptions{})
if err != nil {
return "", err
}
currentTokenBytes := md5.Sum(secret.Data["token"])
currentTokenString := hex.EncodeToString(currentTokenBytes[:])
if tokenRequest.Token != fmt.Sprintf("%s", currentTokenString) {
return "", util.NewUserError(codes.InvalidArgument, "token doesn't match what's on record")
}
return string(secret.Data["token"]), nil
}
// UnaryInterceptor performs authentication checks.
// The two main cases are:
// 1. Is the token valid? This is used for logging in.
@@ -113,10 +162,25 @@ func UnaryInterceptor(kubeConfig *v1.Config, db *v1.DB, sysConfig v1.SystemConfi
tokenRequest, ok := req.(*api.IsValidTokenRequest)
if !ok {
return resp, errors.New("IsValidToken does not have correct request type")
return resp, errors.New("LogInRequest does not have correct request type")
}
md.Set("authorization", tokenRequest.Token.Token)
defaultClient, err := v1.GetDefaultClient()
if err != nil {
return nil, err
}
rawToken, err := verifyLogin(defaultClient, tokenRequest)
if err != nil {
return nil, err
}
sysConfig, err := defaultClient.GetSystemConfig()
if err != nil {
return nil, err
}
md.Set("onepanel-auth-token", rawToken)
ctx, err = getClient(ctx, kubeConfig, db, sysConfig)
if err != nil {

View File

@@ -66,8 +66,10 @@ func (a *AuthServer) IsValidToken(ctx context.Context, req *api.IsValidTokenRequ
if err != nil {
return
}
res = &api.IsValidTokenResponse{}
res.Domain = config["ONEPANEL_DOMAIN"]
res = &api.IsValidTokenResponse{
Domain: config["ONEPANEL_DOMAIN"],
Token: config["token"],
}
return res, nil
}

View File

@@ -7,21 +7,22 @@ import (
"github.com/onepanelio/core/server/auth"
)
func resourceIdentifierToArgoResource(identifier string) string {
func getGroupAndResourceByIdentifier(identifier string) (group, resource string) {
group = "argoproj.io"
switch identifier {
case v1.TypeWorkflowTemplate:
return "workflowtemplates"
return group, "workflowtemplates"
case v1.TypeWorkflowTemplateVersion:
return "workflowtemplates"
return group, "workflowtemplates"
case v1.TypeWorkflowExecution:
return "workflows"
return group, "workflows"
case v1.TypeCronWorkflow:
return "cronworkflows"
return group, "cronworkflows"
case v1.TypeWorkspace:
return "statefulset"
return "onepanel.io", "workspaces"
}
return ""
return "", ""
}
func mapLabelsToKeyValue(labels []*v1.Label) []*api.KeyValue {
@@ -54,10 +55,10 @@ func NewLabelServer() *LabelServer {
}
func (s *LabelServer) GetLabels(ctx context.Context, req *api.GetLabelsRequest) (*api.GetLabelsResponse, error) {
argoResource := resourceIdentifierToArgoResource(req.Resource)
group, resource := getGroupAndResourceByIdentifier(req.Resource)
client := getClient(ctx)
allowed, err := auth.IsAuthorized(client, req.Namespace, "get", "argoproj.io", argoResource, "")
allowed, err := auth.IsAuthorized(client, req.Namespace, "get", group, resource, "")
if err != nil || !allowed {
return nil, err
}
@@ -73,10 +74,10 @@ func (s *LabelServer) GetLabels(ctx context.Context, req *api.GetLabelsRequest)
}
func (s *LabelServer) AddLabels(ctx context.Context, req *api.AddLabelsRequest) (*api.GetLabelsResponse, error) {
argoResource := resourceIdentifierToArgoResource(req.Resource)
group, resource := getGroupAndResourceByIdentifier(req.Resource)
client := getClient(ctx)
allowed, err := auth.IsAuthorized(client, req.Namespace, "create", "argoproj.io", argoResource, "")
allowed, err := auth.IsAuthorized(client, req.Namespace, "create", group, resource, "")
if err != nil || !allowed {
return nil, err
}
@@ -97,10 +98,10 @@ func (s *LabelServer) AddLabels(ctx context.Context, req *api.AddLabelsRequest)
}
func (s *LabelServer) ReplaceLabels(ctx context.Context, req *api.ReplaceLabelsRequest) (*api.GetLabelsResponse, error) {
argoResource := resourceIdentifierToArgoResource(req.Resource)
group, resource := getGroupAndResourceByIdentifier(req.Resource)
client := getClient(ctx)
allowed, err := auth.IsAuthorized(client, req.Namespace, "update", "argoproj.io", argoResource, "")
allowed, err := auth.IsAuthorized(client, req.Namespace, "update", group, resource, "")
if err != nil || !allowed {
return nil, err
}
@@ -121,11 +122,11 @@ func (s *LabelServer) ReplaceLabels(ctx context.Context, req *api.ReplaceLabelsR
}
func (s *LabelServer) DeleteLabel(ctx context.Context, req *api.DeleteLabelRequest) (*api.GetLabelsResponse, error) {
argoResource := resourceIdentifierToArgoResource(req.Resource)
group, resource := getGroupAndResourceByIdentifier(req.Resource)
client := getClient(ctx)
// update verb here since we are not deleting the resource, but labels
allowed, err := auth.IsAuthorized(client, req.Namespace, "update", "argoproj.io", argoResource, "")
allowed, err := auth.IsAuthorized(client, req.Namespace, "update", group, resource, "")
if err != nil || !allowed {
return nil, err
}

View File

@@ -363,7 +363,7 @@ func (s *WorkspaceServer) RetryLastWorkspaceAction(ctx context.Context, req *api
func (s *WorkspaceServer) GetWorkspaceStatisticsForNamespace(ctx context.Context, req *api.GetWorkspaceStatisticsForNamespaceRequest) (*api.GetWorkspaceStatisticsForNamespaceResponse, error) {
client := getClient(ctx)
allowed, err := auth.IsAuthorized(client, req.Namespace, "list", "argoproj.io", "workspaces", "")
allowed, err := auth.IsAuthorized(client, req.Namespace, "list", "onepanel.io", "workspaces", "")
if err != nil || !allowed {
return nil, err
}