e0fddee386
Upcoming work to instrument the rate of RPC requests by consumer (and eventually rate limit) require that we authenticate a RPC request before forwarding. Add a new top-level `Authenticate` method to the server and have it return an `AuthenticatedIdentity` struct. RPC handlers will use the relevant fields of this identity for performing authorization. This changeset includes: * The main implementation of `Authenticate` * Provide a new RPC `ACL.WhoAmI` for debugging authentication. This endpoint returns the same `AuthenticatedIdentity` that will be used by RPC handlers. At some point we might want to give this an equivalent HTTP endpoint but I didn't want to add that to our public API until some of the other Workload Identity work is solidified, especially if we don't need it yet. * A full coverage test of the `Authenticate` method. This sets up two server nodes with mTLS and ACLs, some tokens, and some allocations with workload identities. * Wire up an example of using `Authenticate` in the `Namespace.Upsert` RPC and see how authorization happens after forwarding. * A new semgrep rule for `Authenticate`, which we'll need to update once we're ready to wire up more RPC endpoints with authorization steps. |
||
|---|---|---|
| .. | ||
| ca-bad-csr.json | ||
| ca-bad-key.pem | ||
| ca-bad.csr | ||
| ca-bad.pem | ||
| ca-config.json | ||
| ca-csr.json | ||
| ca-key.pem | ||
| ca-whitespace.pem | ||
| ca.csr | ||
| ca.pem | ||
| global-ca.pem | ||
| global-client-key.pem | ||
| global-client.pem | ||
| global-server-key.pem | ||
| global-server.pem | ||
| nomad-bad-csr.json | ||
| nomad-bad-key.pem | ||
| nomad-bad.csr | ||
| nomad-bad.pem | ||
| nomad-foo-client-key.pem | ||
| nomad-foo-client.pem | ||
| nomad-foo-csr.json | ||
| nomad-foo-key.pem | ||
| nomad-foo.csr | ||
| nomad-foo.pem | ||
| README.md | ||
Nomad Test Certificate
Using cfssl 1.6.0
| File | Description |
|---|---|
ca.pem |
CA certificate |
ca-key.pem |
CA Key |
nomad-foo.pem |
Nomad cert for foo region |
nomad-foo-key.pem |
Nomad key for foo region |
ca-bad.pem |
CA cert for bad region |
ca-key-bad.pem |
CA key for bad region |
nomad-bad.pem |
Nomad cert for bad region |
nomad-bad-key.pem |
Nomad key for bad region |
global-*.pem |
For global region |
Generating self-signed certs
# Write defaults and update.
# NOTE: this doesn't need to be run if regenerating old certificates and
# shouldn't as it overrides non-default values.
cfssl print-defaults csr > ca-csr.json
cfssl print-defaults csr > ca-bad-csr.json
cfssl print-defaults config > ca-config.json
# Generate CA certificates and keys.
#
# 1. Generates ca.csr, ca.pem, and ca-key.pem.
# 2. Generates ca-bad.csr, ca-bad.pem, and ca-bad-key.pem.
cfssl gencert -loglevel=5 -config ca-config.json -initca ca-csr.json | cfssljson -bare ca -
cfssl gencert -loglevel=5 -config ca-config.json -initca ca-bad-csr.json | cfssljson -bare ca-bad -
# Generate certificates and keys.
#
# 1. Generates nomad-foo.csr, nomad-foo.pem, and nomad-foo-key.pem.
# 1. Generates nomad-bad.csr, nomad-bad.pem, and nomad-bad-key.pem.
cfssl gencert -loglevel=5 -ca ca.pem -ca-key ca-key.pem -config ca-config.json nomad-foo-csr.json | cfssljson -bare nomad-foo
cfssl gencert -loglevel=5 -ca ca-bad.pem -ca-key ca-bad-key.pem -config ca-config.json nomad-bad-csr.json | cfssljson -bare nomad-bad