Add machine token support for GWT-IDE #13137

Merged
merged 2 commits into from
Apr 26, 2019

@monaka
Member

monaka commented Apr 13, 2019

What does this PR do?

Enables access to the API server via JWT-proxy from GWT-IDE.

This is a first step.
Some more patches are required to run GWT-IDE with JWT-proxy.

The overview of fixes.

Traefik-related fixes are interim. Traefik as a whole will be replaced with a more lightweight one in the future.

  • Fixes routing.
    • dockerfiles/gwt-ide/traefik.toml
  • Adding Authorization: Bearer ${CHE_MACHINE_TOKEN} header to /api calls.
    • dockerfiles/gwt-ide/traefik.toml
    • dockerfiles/gwt-ide/traefik_conf.sh
  • Enables getting /api/project-template and /api/installer with valid machine tokens.
    • multiuser/machine-auth/che-multiuser-machine-authentication/src/main/java/org/eclipse/che/multiuser/machine/authentication/server/MachineAuthModule.java

The /api/project-template related fixes will resolve a part of #12273.

What issues does this PR fix or reference?

refs: #12243 #12273 #12956 #13099

@che-bot
Contributor

che-bot commented Apr 13, 2019

Can one of the admins verify this patch?

@monaka added the kind/enhancement label Apr 13, 2019

@skabashnyuk
Contributor

@monaka can you describe what this pr is doing and how?

@monaka
Member Author

monaka commented Apr 14, 2019

@skabashnyuk I added The overview of fixes above.

We've not decided how the IDE calls APIs that require Keycloak tokens for now.
But in #13099, we agreed it should call the API with machine tokens as much as possible.

So I added machine tokens related patches only in this PR.

@skabashnyuk
Contributor

> Adding Authorization: Bearer ${CHE_MACHINE_TOKEN} header to /api calls

I'm confused with this change. Is there any authorization made before this token would be added?

@monaka
Member Author

monaka commented Apr 15, 2019

@skabashnyuk That code runs in the IDE sidecar container. AFAIK, all sidecar containers have their machine token added as an environment variable.
The patch is inspired by the code in Che-Theia.

https://github.com/eclipse/che-theia/blob/38ffd96d92d2ae859811de13f1dc02b3a726faa2/extensions/eclipse-che-theia-terminal/src/node/workspace-service-impl.ts#L109-L125

@monaka
Member Author

monaka commented Apr 15, 2019

@skabashnyuk
In addition to the above.

Before the workspace starts, the web browser is authorized by the API endpoint and gets the access_token as a cookie.
Next, after jwt-proxy is launched, it checks the access_token cookie from the web browser.
So only authorized connections can reach Traefik in the GWT-IDE container.

This is the reason why we can add the bearer token at Traefik with no authentication.
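
One way a config script such as the traefik_conf.sh named in this PR could inject the header while failing closed, as an added example that is not the PR's own code: the function names, the frontend name `api` and the Traefik 1.x `customRequestHeaders` table are assumptions. It refuses to render when the token is empty or falls outside the RFC 6750 bearer-token syntax, so a malformed value cannot break out of the TOML string.

```shell
#!/bin/sh
# Added example, not the PR's traefik_conf.sh. Function names, the frontend
# name "api" and the Traefik 1.x file-provider layout are assumptions.

# RFC 6750 b64token: 1*(ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/") *"="
valid_bearer_token() {
  t=$1
  # Strip trailing "=" padding; "=" anywhere else is rejected below.
  while [ "${t%=}" != "$t" ]; do t=${t%=}; done
  case $t in
    ''|*[!A-Za-z0-9._~+/-]*) return 1 ;;   # empty, quote, newline, space, ...
  esac
  return 0
}

# $1 = machine token. Prints the header fragment, or fails without output.
render_api_headers() {
  if ! valid_bearer_token "$1"; then
    # Never echo the rejected value: it may be a partially valid secret.
    echo "refusing to render: machine token is empty or malformed" >&2
    return 1
  fi
  cat <<EOF
[frontends.api.headers.customRequestHeaders]
Authorization = "Bearer $1"
EOF
}

# $1 = machine token, $2 = output path. The file holds a credential, so it is
# created owner-only and moved into place only after a successful render.
write_api_headers() {
  (
    umask 077
    tmp="$2.tmp.$$"
    render_api_headers "$1" > "$tmp" && mv "$tmp" "$2" || { rm -f "$tmp"; exit 1; }
  )
}

# Constructed sample values (not real credentials) showing both outcomes.
render_api_headers "abc.def-123_ghi=" >/dev/null && echo "accepted well-formed token"
render_api_headers 'x"
[evil]' 2>/dev/null || echo "rejected token containing quote and newline"
```

In a sidecar the call would be `write_api_headers "$CHE_MACHINE_TOKEN" <path>`, so an unset variable stops the proxy configuration from being written instead of forwarding `/api` calls with an empty bearer value.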

@skabashnyuk
Contributor

ci-test

@che-bot
Contributor

che-bot commented Apr 17, 2019

Results of automated E2E tests of Eclipse Che Multiuser on OCP:
Build details
Test report
docker image: eclipseche/che-server:13137
https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

Signed-off-by: Masaki Muranaka <monaka@monami-ya.com>
…urces.

They are used by GWT-IDE. They have no sensitive data.

Signed-off-by: Masaki Muranaka <monaka@monami-ya.com>
@musienko-maxim
Contributor

Can one of the admins verify this PR?

@skabashnyuk
Contributor

@eclipse/eclipse-che-qa can you take a look too?

@SkorikSergey
Contributor

Selenium tests execution on Eclipse Che Multiuser on OCP (https://ci.codenvycorp.com/job/che-pullrequests-test-ocp/1718//Selenium_20tests_20report/) doesn't show any regression against this Pull Request.

@SkorikSergey
Contributor

ci-build

@monaka
Member Author

monaka commented Apr 23, 2019

@SkorikSergey
Referring to https://ci.codenvycorp.com/job/che-pullrequests-build/6462/org.eclipse.che$terminal-agent/console, the build failure was caused by the CI server side issue ...?
The part of logs is:

[INFO] ------ (linux_arm6) org.codehaus.mojo:exec-maven-plugin:1.6.0:exec
# github.com/eclipse/che/agents/go-agents/bootstrapper
/home/codenvy/tools/org.jenkinsci.plugins.golang.GolangInstallation/go1.11.2/pkg/tool/linux_amd64/link: cannot open file $WORK/b095/_pkg_.a: open $WORK/b095/_pkg_.a: no such file or directory
# math
asm: open $WORK/b021/erf_stub.o: no such file or directory
# github.com/eclipse/che/agents/go-agents/terminal-agent
/home/codenvy/tools/org.jenkinsci.plugins.golang.GolangInstallation/go1.11.2/pkg/tool/linux_amd64/link: cannot open file $WORK/b026/_pkg_.a: open $WORK/b026/_pkg_.a: no such file or directory
# runtime
asm: open $WORK/b009/memmove_arm.o: no such file or directory
# github.com/eclipse/che/agents/go-agents/exec-agent
/home/codenvy/tools/org.jenkinsci.plugins.golang.GolangInstallation/go1.11.2/pkg/tool/linux_amd64/link: cannot open file $WORK/b094/_pkg_.a: open $WORK/b094/_pkg_.a: no such file or directory

@SkorikSergey
Contributor

ci-build

@monaka
Member Author

monaka commented Apr 26, 2019

@SkorikSergey Hmm...? This branch was built with success on my CI server. https://dev.azure.com/pizzafactory/camino/_build/results?buildId=506

@SkorikSergey
Contributor

ci-build

@SkorikSergey
Contributor

> @SkorikSergey Hmm...? This branch was built with success on my CI server. https://dev.azure.com/pizzafactory/camino/_build/results?buildId=506

ci-build-check successful.

@monaka monaka merged commit ac56987 into eclipse-che:master Apr 26, 2019
@monaka monaka deleted the pr-add-machine-token-support branch April 26, 2019 08:45
@monaka
Member Author

monaka commented Apr 26, 2019

@SkorikSergey Thanks!
