Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oidc impersonation #11449

Merged
merged 7 commits into from
Dec 2, 2024
Merged

oidc impersonation #11449

merged 7 commits into from
Dec 2, 2024

Conversation

StekPerepolnen
Copy link
Collaborator

@StekPerepolnen StekPerepolnen commented Nov 11, 2024
edited
Loading

Changelog entry

https://nebius.atlassian.net/browse/NBYDB-594

oidc impersonation adds impersonated cookie that could be used instead session cookie
to get impersonated cookie session cookie and service-account-id could be used

2 oidc impersonate handler were added
/impersonate/start to add impersonated cookie
/impersonate/stop to remove impersonated cookie

If request to oidc happens, it checks new impersonated cookie. if exists, oidc uses it for next authentification
If the authentication domain returns a status code of 400 or 401, OIDC performs a redirect with a 307 status code to the same address and clears the impersonated cookie.

Changelog category

  • New feature

Additional information

Examples:

  1. /impersonate/start
    curl -i 'https://oidc.net/impersonate/start?service_account_id=serviceaccount-e0tydb-dev'
    -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7'
    -H 'cookie: __Host_session_cookie_6D76702D6F6964632D74657374696E67=****'
    --insecure

expected result:
set-cookie: __Host_impersonated_cookie_6D76702D6F6964632D74657374696E67=****; Path=/; Secure; HttpOnly; SameSite=None; Partitioned

  1. /impersonate/stop
    curl -i 'https://oidc.net/impersonate/start?service_account_id=service-account-name'
    -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7'
    -H 'cookie: __Host_session_cookie_6D76702D6F6964632D74657374696E67=****'
    --insecure

expected result:
set-cookie: __Host_impersonated_cookie_6D76702D6F6964632D74657374696E67=; Path=/; Secure; HttpOnly; SameSite=None; Partitioned; Max-Age=0

  1. impersonate access (just new impersonated cookie here)
    curl 'https://oidc.net/storage-status.ydb-global.ik8s-beta.ik8s.man.nbhost.net:8765/viewer/json/describe?database=%2Ftesting%2Fcharlotte&path=%2Ftesting%2Fcharlotte&enums=true&backup=false&private=true&partition_config=false&partition_stats=false&partitioning_info=false&subs=1'
    -H 'accept: application/json, text/plain, /'
    -H 'cookie: __Host_session_cookie_6D76702D6F6964632D74657374696E67=; __Host_impersonated_cookie_6D76702D6F6964632D74657374696E67=; _ga_N2V9EEXZGE=GS1.1.1731507944.10.1.1731507976.0.0.0'
    --insecure

If the authentication domain returns a status code of 400 or 401, OIDC performs a redirect with a 307 status code to the same address and clears the impersonated cookie.
...

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 11, 2024
edited
Loading

2024-11-11 06:25:04 UTC Pre-commit check linux-x86_64-release-asan for ecfceac has started.
2024-11-11 06:25:53 UTC Artifacts will be uploaded here
2024-11-11 06:26:21 UTC Check cancelled

@StekPerepolnen StekPerepolnen force-pushed the oidc-impersonation branch 2 times, most recently from 6964f88 to 67b9241 Compare November 11, 2024 06:27
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 11, 2024
edited
Loading

2024-11-11 06:27:56 UTC Pre-commit check linux-x86_64-relwithdebinfo for 78ffa85 has started.
2024-11-11 06:28:09 UTC Check cancelled

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 11, 2024
edited
Loading

2024-11-11 06:31:58 UTC Pre-commit check linux-x86_64-relwithdebinfo for 29a6483 has started.
2024-11-11 06:32:09 UTC Artifacts will be uploaded here
2024-11-11 06:34:39 UTC ya make is running...
🟢 2024-11-11 06:35:31 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
22 22 0 0 0 0

🟢 2024-11-11 06:35:37 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 11, 2024
edited
Loading

2024-11-11 06:32:05 UTC Pre-commit check linux-x86_64-release-asan for 29a6483 has started.
2024-11-11 06:32:15 UTC Artifacts will be uploaded here
2024-11-11 06:34:45 UTC ya make is running...
🟢 2024-11-11 06:35:55 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
22 22 0 0 0 0

🟢 2024-11-11 06:36:01 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 13, 2024
edited
Loading

2024-11-13 14:14:37 UTC Pre-commit check linux-x86_64-relwithdebinfo for bb4fad7 has started.
2024-11-13 14:14:49 UTC Artifacts will be uploaded here
2024-11-13 14:17:19 UTC ya make is running...
🟢 2024-11-13 14:18:14 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
25 25 0 0 0 0

🟢 2024-11-13 14:18:24 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 13, 2024
edited
Loading

2024-11-13 14:17:39 UTC Pre-commit check linux-x86_64-release-asan for bb4fad7 has started.
2024-11-13 14:17:50 UTC Artifacts will be uploaded here
2024-11-13 14:20:30 UTC ya make is running...
🟢 2024-11-13 14:21:51 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
25 25 0 0 0 0

🟢 2024-11-13 14:22:05 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 13, 2024
edited
Loading

2024-11-13 21:12:51 UTC Pre-commit check linux-x86_64-release-asan for 72da77d has started.
2024-11-13 21:13:02 UTC Artifacts will be uploaded here
2024-11-13 21:15:28 UTC ya make is running...
🟢 2024-11-13 21:16:35 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
26 26 0 0 0 0

🟢 2024-11-13 21:16:41 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 13, 2024
edited
Loading

2024-11-13 21:15:34 UTC Pre-commit check linux-x86_64-relwithdebinfo for 72da77d has started.
2024-11-13 21:15:45 UTC Artifacts will be uploaded here
2024-11-13 21:18:12 UTC ya make is running...
🟢 2024-11-13 21:19:02 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
26 26 0 0 0 0

🟢 2024-11-13 21:19:08 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 14, 2024
edited
Loading

2024-11-14 11:07:02 UTC Pre-commit check linux-x86_64-release-asan for bc32601 has started.
2024-11-14 11:07:07 UTC Artifacts will be uploaded here
2024-11-14 11:09:40 UTC ya make is running...
🟢 2024-11-14 11:10:39 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
26 26 0 0 0 0

🟢 2024-11-14 11:10:45 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 14, 2024
edited
Loading

2024-11-14 11:07:39 UTC Pre-commit check linux-x86_64-relwithdebinfo for bc32601 has started.
2024-11-14 11:07:46 UTC Artifacts will be uploaded here
2024-11-14 11:10:11 UTC ya make is running...
🟢 2024-11-14 11:10:52 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
26 26 0 0 0 0

🟢 2024-11-14 11:10:58 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 14, 2024
edited
Loading

2024-11-14 11:25:27 UTC Pre-commit check linux-x86_64-release-asan for 8ec7c90 has started.
2024-11-14 11:26:04 UTC Artifacts will be uploaded here
2024-11-14 11:29:00 UTC ya make is running...
🟢 2024-11-14 11:29:43 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
26 26 0 0 0 0

🟢 2024-11-14 11:29:49 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 14, 2024
edited
Loading

2024-11-14 11:26:02 UTC Pre-commit check linux-x86_64-relwithdebinfo for 8ec7c90 has started.
2024-11-14 11:26:12 UTC Artifacts will be uploaded here
2024-11-14 11:28:40 UTC ya make is running...
🟢 2024-11-14 11:29:11 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
26 26 0 0 0 0

🟢 2024-11-14 11:29:17 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 14, 2024
edited
Loading

2024-11-14 13:40:05 UTC Pre-commit check linux-x86_64-relwithdebinfo for d3f352b has started.
2024-11-14 13:40:16 UTC Artifacts will be uploaded here
2024-11-14 13:42:55 UTC ya make is running...
🟢 2024-11-14 13:43:53 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
27 27 0 0 0 0

🟢 2024-11-14 13:44:00 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 14, 2024
edited
Loading

2024-11-14 13:40:08 UTC Pre-commit check linux-x86_64-release-asan for d3f352b has started.
2024-11-14 13:40:20 UTC Artifacts will be uploaded here
2024-11-14 13:42:46 UTC ya make is running...
🟢 2024-11-14 13:43:55 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
27 27 0 0 0 0

🟢 2024-11-14 13:44:01 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 15, 2024
edited
Loading

2024-11-15 09:33:44 UTC Pre-commit check linux-x86_64-relwithdebinfo for c795117 has started.
2024-11-15 09:33:55 UTC Artifacts will be uploaded here
2024-11-15 09:36:25 UTC ya make is running...
🟢 2024-11-15 09:37:20 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
27 27 0 0 0 0

🟢 2024-11-15 09:37:26 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 15, 2024
edited
Loading

2024-11-15 09:35:41 UTC Pre-commit check linux-x86_64-release-asan for c795117 has started.
2024-11-15 09:35:53 UTC Artifacts will be uploaded here
2024-11-15 09:38:33 UTC ya make is running...
🟢 2024-11-15 09:39:44 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
27 27 0 0 0 0

🟢 2024-11-15 09:39:50 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 15, 2024
edited
Loading

2024-11-15 14:45:13 UTC Pre-commit check linux-x86_64-relwithdebinfo for d562ec6 has started.
2024-11-15 14:45:25 UTC Artifacts will be uploaded here
2024-11-15 14:48:09 UTC ya make is running...
🟢 2024-11-15 14:49:10 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
27 27 0 0 0 0

🟢 2024-11-15 14:49:18 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 26, 2024
edited
Loading

2024-11-26 13:03:37 UTC Pre-commit check linux-x86_64-relwithdebinfo for e8324b7 has started.
2024-11-26 13:03:50 UTC Artifacts will be uploaded here
2024-11-26 13:06:31 UTC ya make is running...
🟢 2024-11-26 13:07:27 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
27 27 0 0 0 0

🟢 2024-11-26 13:07:34 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 26, 2024
edited
Loading

2024-11-26 13:25:07 UTC Pre-commit check linux-x86_64-release-asan for 46fe47d has started.
2024-11-26 13:25:18 UTC Artifacts will be uploaded here
2024-11-26 13:27:56 UTC ya make is running...
🟢 2024-11-26 13:28:49 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
27 27 0 0 0 0

🟢 2024-11-26 13:28:56 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 26, 2024
edited
Loading

2024-11-26 13:25:26 UTC Pre-commit check linux-x86_64-relwithdebinfo for 46fe47d has started.
2024-11-26 13:25:37 UTC Artifacts will be uploaded here
2024-11-26 13:28:03 UTC ya make is running...
🟢 2024-11-26 13:28:46 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
27 27 0 0 0 0

🟢 2024-11-26 13:28:52 UTC Build successful.

UgnineSirdis
UgnineSirdis requested changes Nov 26, 2024
View reviewed changes
ydb/mvp/oidc_proxy/oidc_protected_page_handler.h Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_session_create_handler.h Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/openid_connect.cpp Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/openid_connect.cpp Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_session_create_yandex.h Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_protected_page.cpp Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_protected_page.cpp Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.h Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.cpp Outdated Show resolved Hide resolved
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 27, 2024
edited
Loading

2024-11-27 01:17:32 UTC Pre-commit check linux-x86_64-relwithdebinfo for 5dfa7e6 has started.
2024-11-27 01:17:44 UTC Artifacts will be uploaded here
2024-11-27 01:20:10 UTC ya make is running...
🟢 2024-11-27 01:21:04 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
28 28 0 0 0 0

🟢 2024-11-27 01:21:11 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 27, 2024
edited
Loading

2024-11-27 01:17:39 UTC Pre-commit check linux-x86_64-release-asan for 5dfa7e6 has started.
2024-11-27 01:17:50 UTC Artifacts will be uploaded here
2024-11-27 01:20:19 UTC ya make is running...
🟢 2024-11-27 01:21:21 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
28 28 0 0 0 0

🟢 2024-11-27 01:21:28 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 27, 2024
edited
Loading

2024-11-27 06:19:24 UTC Pre-commit check linux-x86_64-release-asan for 0492864 has started.
2024-11-27 06:19:35 UTC Artifacts will be uploaded here
2024-11-27 06:22:05 UTC ya make is running...
🟢 2024-11-27 06:23:06 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
28 28 0 0 0 0

🟢 2024-11-27 06:23:13 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 27, 2024
edited
Loading

2024-11-27 06:19:32 UTC Pre-commit check linux-x86_64-relwithdebinfo for 0492864 has started.
2024-11-27 06:19:44 UTC Artifacts will be uploaded here
2024-11-27 06:22:10 UTC ya make is running...
🟢 2024-11-27 06:23:01 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
28 28 0 0 0 0

🟢 2024-11-27 06:23:07 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 27, 2024
edited
Loading

2024-11-27 07:36:31 UTC Pre-commit check linux-x86_64-relwithdebinfo for 3cc117e has started.
2024-11-27 07:36:43 UTC Artifacts will be uploaded here
2024-11-27 07:39:09 UTC ya make is running...
🟢 2024-11-27 07:40:04 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
28 28 0 0 0 0

🟢 2024-11-27 07:40:10 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 27, 2024
edited
Loading

2024-11-27 07:37:24 UTC Pre-commit check linux-x86_64-release-asan for 3cc117e has started.
2024-11-27 07:37:37 UTC Artifacts will be uploaded here
2024-11-27 07:40:18 UTC ya make is running...
🟢 2024-11-27 07:41:30 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
28 28 0 0 0 0

🟢 2024-11-27 07:41:36 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 27, 2024
edited
Loading

2024-11-27 15:31:24 UTC Pre-commit check linux-x86_64-release-asan for d22f709 has started.
2024-11-27 15:32:00 UTC Artifacts will be uploaded here
2024-11-27 15:35:02 UTC ya make is running...
🟢 2024-11-27 15:36:17 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
28 28 0 0 0 0

🟢 2024-11-27 15:36:24 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 27, 2024
edited
Loading

2024-11-27 15:32:19 UTC Pre-commit check linux-x86_64-relwithdebinfo for d22f709 has started.
2024-11-27 15:32:52 UTC Artifacts will be uploaded here
2024-11-27 15:35:53 UTC ya make is running...
🟢 2024-11-27 15:36:53 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
28 28 0 0 0 0

🟢 2024-11-27 15:37:02 UTC Build successful.

UgnineSirdis
UgnineSirdis requested changes Nov 28, 2024
View reviewed changes
ydb/mvp/oidc_proxy/oidc_session_create_yandex.h Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_session_create_yandex.cpp Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_session_create.h Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.cpp Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp Outdated Show resolved Hide resolved
ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp Outdated Show resolved Hide resolved
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 28, 2024
edited
Loading

2024-11-28 17:01:29 UTC Pre-commit check linux-x86_64-release-asan for 1aee218 has started.
2024-11-28 17:02:03 UTC Artifacts will be uploaded here
2024-11-28 17:05:02 UTC ya make is running...
🟢 2024-11-28 17:06:02 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
28 28 0 0 0 0

🟢 2024-11-28 17:06:09 UTC Build successful.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 28, 2024
edited
Loading

2024-11-28 17:04:42 UTC Pre-commit check linux-x86_64-relwithdebinfo for 1aee218 has started.
2024-11-28 17:04:55 UTC Artifacts will be uploaded here
2024-11-28 17:07:23 UTC ya make is running...
🟢 2024-11-28 17:08:20 UTC Tests successful.

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
28 28 0 0 0 0

🟢 2024-11-28 17:08:29 UTC Build successful.

@StekPerepolnen StekPerepolnen merged commit 45733eb into ydb-platform:main Dec 2, 2024
10 checks passed
@StekPerepolnen StekPerepolnen deleted the oidc-impersonation branch December 2, 2024 13:07
@GrigoriyPA GrigoriyPA mentioned this pull request Dec 11, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@UgnineSirdis UgnineSirdis UgnineSirdis approved these changes

@molotkov-and molotkov-and Awaiting requested review from molotkov-and

Assignees
No one assigned
Labels
new-feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@StekPerepolnen @molotkov-and @UgnineSirdis