如何使用 kubernetes Ingress 执行自定义身份验证 [英] How to perform custom authentication with kubernetes Ingress
问题描述
I have deployed few services in kubernetes and using NGINX ingress to access outside.(Using EC2 instance for all cluster setup). Able to access service through host tied with ingress. Now instead of accessing the svc directly I am trying to add authentication and before accessing the service. And redirecting to login page , user enters credentials and should redirect to the asked page. The following code snipet I I tried so far. Please guide to find solution.
my-ingress.yml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: my-ingress
namespace: mynamespace
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/session-cookie-name: JSESSIONID
nginx.ingress.kubernetes.io/ssl-passthrough: "false"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
kubernetes.io/ingress.class: "nginx"
kubernetes.io/ingress.allow-http: "false"
nginx.ingress.kubernetes.io/auth-signin: "https://auth.mysite.domain/api/auth/login" #will show login page
nginx.ingress.kubernetes.io/auth-url: "https://auth.mysite.domain/api/auth/token/validate"
nginx.ingress.kubernetes.io/auth-response-headers: "authorization"
spec:
tls:
- hosts:
- mysite.domain
#secretName: ${TLS_TOKEN_NAME}
rules:
- host: a.mysite.domain
http:
paths:
- path: /
backend:
serviceName: myservice1
servicePort: 9090
so first it will call "/token/validate" and will get unauthorized then got to "auth/login" and login page will show after entering credentials going to "/token/validate" and again login page. Actually should redirect to the called page.
How to achieve this?[If after successful auth if we can add header in called ling I think can solve but not sure how]
backend: Java Spring
@RequestMapping("login")
public String login() {
return "login.html";
}
login.html
<form action="validate-user" method="post" enctype="application/x-www-form-urlencoded">
<label for="username">Username</label>
<input type="text" id="username" value="admin" name="username" autofocus="autofocus" /> <br>
<label for="password">Password</label>
<input type="password" id="password" value="password" name="password" /> <br>
<input id="submit" type="submit" value="Log in" />
</form>
backend: Java Spring
@PostMapping("validate-user")
@ResponseBody
public ResponseEntity<?> validateUser(HttpServletRequest request, HttpServletResponse response) throws Exception {
...
HttpStatus httpStatus=HttpStatus.FOUND;
//calling authentication api and validating
//else
httpStatus=HttpStatus.UNAUTHORIZED;
HttpHeaders responseHeaders= new HttpHeaders();
responseHeaders.set("Authoriztion", token);
//responseHeaders.setLocation(new URI("https://a.mysite.domain")); ALSO TRIED BUT NOT WORKED
return new ResponseEntity<>(responseHeaders,httpStatus);
}
UPDATE1: I am using my own custom auth api, if I am hitting the url with custom header "Authorization":"bearer token" from postman then response is ok, but from from browser not possible, So from upstream svc only(after successfull login) the header should include in redirect page that how can we do?
ANY ANNOTATION AM I MISSING?
UPDATE2: While redirecting after successful auth I am passing token as query string like responseHeaders.setLocation(new URI("https://a.mysite.domain/?access_token="+token) and after redirecting its going to validate. After successful validation going to downstream svc[expected]. But when that svc is routing say a.mysite.domain/route1 then query string is gone and auth svc not able to get token hence 401 again. It should be like a.mysite.domain/route1/?access_token=token. Any way is there to do that? If every route will have same query string then will work.[This is my PLAN-B...but still passwing token is header is my priority]
UPDATE3: I tried with annotations like:
nginx.ingress.kubernetes.io/auth-signin: 'https://auth.example.com/api/auth-service-ui/login'
nginx.ingress.kubernetes.io/auth-response-headers: 'UserID, Authorization, authorization'
nginx.ingress.kubernetes.io/auth-snippet: |
auth_request_set $token $upstream_http_authorization;
proxy_set_header Foo-Header1 $token; //not showing as request header AND this value only need LOOKS $token val is missed
proxy_set_header Foo-Header headerfoo1; //showing as request header OK
more_set_input_headers 'Authorization: $token';//not showing as request header AND this value only need LOOKS $token val is missed
nginx.ingress.kubernetes.io/configuration-snippet: |
auth_request_set $token1 $upstream_http_authorization;
add_header authorization2 QQQAAQ1; //showing as response header OK no use
add_header authorization $token; //showing as response header OK how to send as request header on next call
more_set_input_headers 'Authorization11: uuu1';//showing as request header in next call
more_set_input_headers 'Authorization: $token1';//not showing as request header and need this val ONLY
**What annotation I missed?
UPDATE4 PLAN-C: Now trying to store jwt token in cookies.
nginx.ingress.kubernetes.io/configuration-snippet: |
auth_request_set $token5 $upstream_http_authorization;
add_header Set-Cookie "JWT_TOKEN=$token5";
In every request the same cookie is set but in browser its storing everytime. ie multiple cookies of same. How to set only once?
the following worked for me
put in your values yaml:
nginx.ingress.kubernetes.io/auth-url: "url service here"
then for this url you must implement a GET service that returs 200 if authorization was success or 401 in other case.
I implemented in flask, with Basic Authorization, but you can use whatever you want
def auth():
request_path = request.headers.get("X-Auth-Request-Redirect")
authorization_header = request.headers.get('Authorization')
if ServiceImp.auth(authorization_header,request_path):
return Response(
response="authorized",
status=200,
mimetype="application/json"
)
else:
resp = Response()
resp.headers['WWW-Authenticate'] = 'Basic'
return resp, 401
这篇关于如何使用 kubernetes Ingress 执行自定义身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
