@pavolloffay
Last active March 9, 2020 13:26
Jaeger ECL search guard

This gist contains what I know about the SearchGuard configuration in the image https://github.com/openshift/origin-aggregated-logging/tree/master/elasticsearch/sgconfig, which is then used in https://github.com/openshift/elasticsearch-operator.

SearchGuard is configured in these files:

  • sg_action_groups.yml - ES privileges (https://www.elastic.co/guide/en/shield/2.2/privileges-list.html) mapped into SG action groups. Note that there are cluster and index privileges. These groups are then used in sg_roles.yml.
  • sg_roles.yml - maps users to action groups - e.g. jaeger can READ.
  • sg_roles_mapping.yml - maps users/roles to authentication types. Curator will be authenticated via certificates:

sg_role_curator:
  users:
    - 'CN=system.logging.curator,OU=OpenShift,O=Logging'

Jaeger will use backendroles: jaeger. The backend role comes from OpenShiftTokenAuthentication.

sg_role_jaeger:
  backendroles:
    - 'jaeger'

  • sg_config.yml - overall SG configuration. It says which auth types SG should use - e.g. OpenShiftTokenAuthentication for service accounts, or authentication_domain_basic_internal.

In this project we are using two auth types: client certs for curator, and OpenShiftTokenAuthentication for the Jaeger collector and query to talk to ES.

OpenShiftTokenAuthentication

This functionality is provided as an ES plugin: https://github.com/fabric8io/openshift-elasticsearch-plugin

sg_config.yml fragment - the subject access review rule for Jaeger, nested under the OpenShiftTokenAuthentication backend configuration:

jaeger:
  verb: get
  resource: jaeger
  namespace: set-in-run-script
  resourceAPIGroup: elasticsearch.jaegertracing.io

This config uses the bearer token from the service account to authorize the request. The service account has to be mapped to a Role with the same verb, resource, API group and namespace.

The following command can be used to verify whether Jaeger is authorized. openshift-elasticsearch-plugin makes basically the same request. simple-prod is the name of the service account mapped to the Jaeger services. Note that the namespace is overridden in the ES run script. We could drop the namespace and create a ClusterRole instead of a Role, but then we could deploy only one ES instance in the cluster.

TOKEN=$(oc serviceaccounts get-token simple-prod)
curl -k -v -XPOST  -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" https://127.0.0.1:8443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews -d '{"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","spec":{"resourceAttributes":{"group":"elasticsearch.jaegertracing.io","verb":"get","resource":"jaeger", "namespace":"myproject"}}}'
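The check above, scripted as an added example (not part of the original gist or of openshift-elasticsearch-plugin): `ssar_body` builds the same SelfSubjectAccessReview body the curl command posts, `ssar_allowed` decides from the API server's answer whether the request should be accepted, failing closed on anything that is not an explicit `"allowed":true`, and `check_sa_access` runs the live round trip with `oc` and `curl`. The function names, the `API_SERVER` variable and the sample responses are assumptions of this example; the verb, resource and API group are the ones from the sg_config.yml fragment.

```shell
#!/bin/sh
# Added example, not the gist's own code: reproduce the SelfSubjectAccessReview
# (SSAR) that openshift-elasticsearch-plugin performs with the caller's bearer
# token, and decide from the response whether ES should accept the request.
# Assumptions: API_SERVER (default https://127.0.0.1:8443 as in the gist) and
# the token come from the environment; verb/resource/group/namespace mirror
# the sg_config.yml entry (get / jaeger / elasticsearch.jaegertracing.io / <ns>).

# Emit the SSAR body for the given group, verb, resource and namespace.
ssar_body() {
  printf '{"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","spec":{"resourceAttributes":{"group":"%s","verb":"%s","resource":"%s","namespace":"%s"}}}' \
    "$1" "$2" "$3" "$4"
}

# Return 0 only when the API server answered status.allowed == true.
# A denied status, a missing status or a non-JSON error page (e.g. a bare
# "Unauthorized") all count as denied: the caller must fail closed.
ssar_allowed() {
  printf '%s' "$1" | tr -d ' \n' | grep -q '"status":{[^}]*"allowed":true'
}

# Live check against the API server. Usage: check_sa_access <service-account> <namespace>
# Exit status: 0 allowed, 1 denied, 2 could not ask (no token / no API server).
check_sa_access() {
  sa="$1"; ns="$2"
  api="${API_SERVER:-https://127.0.0.1:8443}"
  token=$(oc serviceaccounts get-token "$sa") || return 2
  resp=$(curl -sS -k -XPOST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $token" \
    "$api/apis/authorization.k8s.io/v1/selfsubjectaccessreviews" \
    -d "$(ssar_body elasticsearch.jaegertracing.io get jaeger "$ns")") || return 2
  if ssar_allowed "$resp"; then
    echo "allowed: $sa may get jaeger.elasticsearch.jaegertracing.io in $ns"
  else
    echo "denied: $sa -> $resp" >&2
    return 1
  fi
}
```

Run it as `check_sa_access simple-prod myproject` while logged in to the cluster; the namespace argument must be the one the ES run script substitutes for `set-in-run-script`, otherwise the SSAR asks about a different Role than the one the operator created.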

Role:

oc get roles simple-prod-elasticsearch -o yaml
apiVersion: authorization.openshift.io/v1
kind: Role
metadata:
  annotations:
    openshift.io/reconcile-protect: "false"
  creationTimestamp: 2019-02-15T14:29:31Z
  name: simple-prod-elasticsearch
  namespace: myproject
  ownerReferences:
  - apiVersion: io.jaegertracing/v1alpha1
    controller: true
    kind: Jaeger
    name: simple-prod
    uid: 1b925fb1-312e-11e9-91df-8c16456c84e7
  resourceVersion: "24534"
  selfLink: /apis/authorization.openshift.io/v1/namespaces/myproject/roles/simple-prod-elasticsearch
  uid: 1bb109f3-312e-11e9-91df-8c16456c84e7
rules:
- apiGroups:
  - elasticsearch.jaegertracing.io
  attributeRestrictions: null
  resources:
  - jaeger
  verbs:
  - get

SA and RoleBinding:

oc create serviceaccount simple-prod
# namespaced RoleBinding referencing the Role above (kind: Role in myproject) and the simple-prod service account
oc create rolebinding jaeger --role=simple-prod-elasticsearch --serviceaccount=myproject:simple-prod
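The RBAC side of the setup, as an added example (not the gist's or the jaeger-operator's code): `rbac_manifests` renders the Role and RoleBinding that satisfy the plugin's SSAR for one namespace, or, with the `cluster` scope, the ClusterRole and ClusterRoleBinding variant that the text mentions as the alternative when the namespace is dropped from sg_config.yml; `apply_and_verify` applies the namespaced form and asks the API server the same question the plugin asks, via `oc auth can-i` impersonating the service account. The function names and the `scope` argument are assumptions of this example; the object names, service account and namespace are the gist's, and the manifests use the standard rbac.authorization.k8s.io/v1 API rather than the authorization.openshift.io/v1 form shown in the `oc get roles` output above.

```shell
#!/bin/sh
# Added example, not from the gist: render the RBAC objects a service account
# needs to pass the plugin's SubjectAccessReview (verb get, resource jaeger,
# group elasticsearch.jaegertracing.io), either namespaced (one ES per
# namespace, as the gist does) or cluster-scoped (what a namespace-less
# sg_config.yml entry would require).

# rbac_manifests <scope> <namespace> <service-account> <role-name>
#   scope: "namespaced" -> Role + RoleBinding in <namespace>
#          "cluster"    -> ClusterRole + ClusterRoleBinding (no metadata.namespace)
rbac_manifests() {
  scope="$1"; ns="$2"; sa="$3"; role="$4"
  case "$scope" in
    namespaced) kind=Role;        bkind=RoleBinding;        nsline="  namespace: $ns" ;;
    cluster)    kind=ClusterRole; bkind=ClusterRoleBinding; nsline="" ;;
    *) echo "unknown scope: $scope (expected namespaced|cluster)" >&2; return 2 ;;
  esac
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: $kind
metadata:
  name: $role
$nsline
rules:
- apiGroups: ["elasticsearch.jaegertracing.io"]
  resources: ["jaeger"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: $bkind
metadata:
  name: $role
$nsline
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: $kind
  name: $role
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: $ns
EOF
}

# Top-level kinds rendered for the given arguments, e.g. "Role RoleBinding".
# Lets a caller sanity-check the chosen scope without a cluster.
rbac_kinds() {
  rbac_manifests "$@" | sed -n 's/^kind: //p' | tr '\n' ' ' | sed 's/ $//'
}

# Apply the namespaced variant and verify it with the API server's own
# authorizer. Usage: apply_and_verify <namespace> <service-account> <role-name>
apply_and_verify() {
  ns="$1"; sa="$2"; role="$3"
  oc create serviceaccount "$sa" -n "$ns" 2>/dev/null || true
  rbac_manifests namespaced "$ns" "$sa" "$role" | oc apply -f - || return 2
  # Same question the plugin's SelfSubjectAccessReview asks, impersonating the SA.
  oc auth can-i get jaeger.elasticsearch.jaegertracing.io \
    --as="system:serviceaccount:$ns:$sa" -n "$ns"
}
```

`apply_and_verify myproject simple-prod simple-prod-elasticsearch` prints `yes` once the binding is in place; the cluster-scoped variant is rendered only for comparison, since with it every Jaeger instance in the cluster would share one authorization rule, which is the limitation the gist points out.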