update oauth-proxy openshift-delegate-urls #2789

Merged

christianvogt
Contributor

https://issues.redhat.com/browse/RHOAIENG-6479

Description

The oauth-proxy openshift-delegate-urls option grants access to the underlying service via the Authorization: Bearer header. The current access check is restricted to users with access to the namespace in which the dashboard is deployed. This limits access to privileged users and restricts other users, such as self-provisioners.

When running a local frontend dev server, developers want to target external clusters and test with users of varying access. Currently this method of development only works for cluster admin users. The change in this PR will loosen the access check so that any user with the ability to list projects can get through.

How Has This Been Tested?

Apply the deployment changes for the oauth-proxy configuration.

  • Create a self-provisioner user on the cluster
  • In a terminal, oc login ... to your cluster with the unprivileged user
  • Now start the dev server: npm run start:dev:ext

Visit http://localhost:4010 to check the UI is running as expected.

Test Impact

None.

Request review criteria:

Self checklist (all need to be checked):

  • The developer has manually tested the changes and verified that the changes work
  • Commits have been squashed into descriptive, self-contained units of work (e.g. 'WIP' and 'Implements feedback' style messages have been removed)
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has added tests or explained why testing cannot be added (unit or cypress tests for related changes)

If you have UI changes:

  • Included any necessary screenshots or gifs if it was a UI change.
  • Included tags to the UX team if it was a UI/UX change (find relevant UX in the SMEs section).

After the PR is posted & before it merges:

  • The developer has tested their solution on a cluster by using the image produced by the PR to main

cc @andrewballantyne

openshift-ci bot requested review from dpanshug and ppadti May 8, 2024 18:53
christianvogt added the do-not-merge/hold label May 8, 2024
christianvogt force-pushed the oauth-delegate branch 2 times, most recently from 958d4f2 to 623d2ac May 8, 2024 20:15
christianvogt removed the do-not-merge/hold label May 8, 2024
@christianvogt
Contributor Author

fyi @andrewballantyne @lucferbux

christianvogt force-pushed the oauth-delegate branch 2 times, most recently from 444b17d to 20238c8 May 10, 2024 16:58
@christianvogt
Contributor Author

/retest

@christianvogt
Contributor Author

@andrewballantyne referred me to #1046 for testing because it made changes to the oauth-proxy openshift-delegate-urls and added the NAMESPACE arg so that service accounts without cluster access could be used to authenticate with a bearer token. I tested its use case and the same service account with view access can list projects and authenticate with this change.

The change in this PR should allow any authenticated user access.
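
The effect of the change discussed in this thread, modeled as an added example that is not code from the PR or from oauth-proxy: it evaluates an openshift-delegate-urls map against toy RBAC grants and lists which users pass before and after. The namespace, user names, grants and the "before" rule are constructed stand-ins; the "after" rule encodes the thread's "ability to list projects", and path handling is simplified to prefix matching.

```python
import json

# Constructed values, not from the PR: namespace, user names, the BEFORE rule.
DASHBOARD_NS = "dashboard-ns"
BEFORE = json.dumps({"/": {"namespace": DASHBOARD_NS, "resource": "services", "verb": "get"}})
AFTER = json.dumps({"/": {"resource": "projects", "verb": "list"}})

# Toy RBAC state: (namespace, resource, verb); namespace "*" = cluster-wide binding.
GRANTS = {
    "cluster-admin-user": {("*", "*", "*")},
    "self-provisioner-user": {("*", "projects", "list"), ("*", "projectrequests", "create")},
    "view-serviceaccount": {("*", "projects", "list"), (DASHBOARD_NS, "services", "get")},
}


def subject_access_review(user, attrs):
    """SubjectAccessReview body asking whether `user` holds `attrs`."""
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
            "spec": {"user": user, "resourceAttributes": attrs}}


def review_allowed(sar, grants=GRANTS):
    """Evaluate a SubjectAccessReview against the toy grants above."""
    spec = sar["spec"]
    attrs = spec["resourceAttributes"]
    ns = attrs.get("namespace", "")  # empty = cluster-scoped request
    for g_ns, g_res, g_verb in grants.get(spec["user"], ()):
        ns_ok = g_ns == "*" or (ns != "" and g_ns == ns)
        if ns_ok and g_res in ("*", attrs["resource"]) and g_verb in ("*", attrs["verb"]):
            return True
    return False


def passes_proxy(delegate_urls, user, path="/"):
    """True if `user` holds every rule whose path prefix covers `path`."""
    rules = json.loads(delegate_urls)
    matching = [a for prefix, a in rules.items() if path.startswith(prefix)]
    # Modeling choice: a path with no matching rule is treated as denied.
    return bool(matching) and all(
        review_allowed(subject_access_review(user, a)) for a in matching)


def who_passes(delegate_urls):
    return sorted(u for u in GRANTS if passes_proxy(delegate_urls, u))


if __name__ == "__main__":
    print("before:", who_passes(BEFORE))
    print("after: ", who_passes(AFTER))
```
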

Contributor

openshift-ci bot commented May 10, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andrewballantyne

openshift-merge-bot bot merged commit 5990684 into opendatahub-io:main May 10, 2024
6 checks passed