Support function authentication with OpenFaaS IAM #996
Conversation
|
In this example, I see the
|
This is a mistake, I updated the example and I can confirm the |
Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
Don't exit the program when looking up the auth config fails but print a warning instead. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
| @@ -23,14 +23,14 @@ func Test_invoke(t *testing.T) { | |||
| s := test.MockHttpServer(t, []test.Request{ | |||
| { | |||
| Method: http.MethodPost, | |||
| Uri: "/function/" + funcName, | |||
| Uri: "/function/" + funcName + ".openfaas-fn", | |||
There was a problem hiding this comment.
Why is the namespace needed now?
It should still be possible to invoke without a namespace suffix, so I'm unsure why this change was made.
There was a problem hiding this comment.
The go-sdk which, is now used to invoke functions, always needs a namespace to be specified. This is required for getting access tokens for functions if the function is authenticated (the full reference to a function, including the namespace, is required to request an access token)
This is why a function will always be invoked in the default namespace openfaas-fn if no namespace is provided explicitly.
Ensure the default sdk client reads the provider url from the stack file if the '--yaml/-f' flag is used. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
Try to lookup the function namespace in the stack file before falling back to the default namespace. This is the default behaviour for all other commands and should be implemeted for invoke as well. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
Set env variables that are normally injects by the provider like, 'OPENFAAS_NAME' and 'OPENFAAS_NAMESPACE' when running function with local-run. This change makes it possible to use built-in function authentication with local-run. The 'jwt_auth_local' env variable is to true by default to help with this. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
Description
Support invoking functions that have the OpenFaaS IAM based built in function authentication enabled.
The CLI now uses the
client.InvokeFunctionmethod from the OpenFaaS go-sdk to invoke functions. Support for IAM authentication is part of the go-sdk. The SDK will handle exchanging the OpenFaaS API access token for a function access token that is only valid for the requested function.The invoke command automatically tries to detect if a function requires authentication. This is done by invoking the function without an
Authorizationheader. If the function responds with a 401 (Unauthorized) response status the CLI looks at the realm directive in theWWW-Authenticateheader to check if the function requires authentication. The request is retried this time with authentication.This change also adds a new optional flag,
--authto the invoke command. If the flag is set the CLI will skip the check to detect if authentication is required and immediately invoke the function with a function access token.When running function with the
local-runcommand, theOPENFAAS_NAMEandOPENFAAS_NAMESPACEenvvariables are set together with
jwt_local_authto support built-in function authentication.Motivation and Context
Support IAM authentication for functions.
How Has This Been Tested?
Unit test were added to cover changes.
Verified header, query parameters, and the content type set through flags are correctly used in the request.
Verified it is possible to sign the request.
Verified functions without authentication can be invoked.
Verified functions that require authentication can be invoked.
Verified the bearer is included in the first call when the
--authflag is set.Verified functions that require authentication can be invoked asynchronously.
Types of changes
Checklist:
git commit -s