Add AuthN support using Nested Cred #30
Conversation
gouthamMN
requested review from
niontive,
weinong,
bennerv,
cadenmarchese,
carvalhe,
hlipsig and
kimorris27
as code owners
pkg/dataplane/identity.go
Outdated
|
|
||
| // Constructor for Nested Credentials Object UserAssignedIdentities | ||
| func NewNestedCredentialsObjectUAIdentities(c swagger.NestedCredentialsObject, cloud string) (*NestedCredentialsObject, error) { | ||
| return &NestedCredentialsObject{NestedCredentialsObject: c, cloud: cloud}, nil |
There was a problem hiding this comment.
I'm surprised to see an exported member field set by a constructor - either omit the constructor and export all the members or hide them and close over object initialization with the constructor.
There was a problem hiding this comment.
Updated to omit the constructor and export all the members.
| // Clients can use the credential to get a token for the user-assigned identity | ||
| func (u UserAssignedIdentities) GetCredential(requestedResourceID string) (*azidentity.ClientCertificateCredential, error) { | ||
| func (c CredentialsObject) GetCredential(requestedResourceID string) (*azidentity.ClientCertificateCredential, error) { |
There was a problem hiding this comment.
Let's go ahead and implement this interface instead:
// TokenCredential represents a credential capable of providing an OAuth token.
// Exported as azcore.TokenCredential.
type TokenCredential interface {
// GetToken requests an access token for the specified set of scopes.
GetToken(ctx context.Context, options TokenRequestOptions) (AccessToken, error)
}
We know that reloading the value from disk is critically important and every client will need to do it. A method off of a credentials object that returns a static *azidentity.ClientCertificateCredential is insufficient.
There was a problem hiding this comment.
(The higher-level construct should take a path as input and can use the code you have here as the implementation for loading the credential. Look at the azidentity.WorkloadIdentityCredential as prior art here. )
There was a problem hiding this comment.
I already see an implementation of GetToken() func for Object azidentity.ClientCertificateCredential under azidentity.client_certificate_credential. Client could directly use that to get token? The implementation logic is exactly similar to azidentity.WorkloadIdentityCredential. Doesn't this suffice the ask?
There was a problem hiding this comment.
We chatted about this out-of-band but just for posterity - no, it doesn't, since the code here is loading the credential once, and what clients will need is to refresh it from disk when it changes.
…Nested Cred Obj Type
JIRA link:
https://issues.redhat.com/browse/ARO-11172
What does this PR do?
This PR adds following interfaces to support AuthN operations on nested credentials as outlined in the DDR.
By moving the authentication logic here, we can ensure consistency for authenticating (i.e. setting regional endpoint, disabling instance metadata discovery, etc.)
GetNestedCredentialsObjectUserAssignedIdentitiesGetCredentialsObjectUserAssignedIdentities(c CredentialsObject) GetCredential()(n NestedCredentialsObject) GetCredential()Testing:
Update the existing unit tests.