[app] Implement Authentication (#406)

Instead of relying on a third party service like OAtuh2 Proxy for
authenticating users, we are now supporting authentication of users
directly within kobs.

Users can be authenticated using a static list of email and password
combinations or via OIDC.

Author: ricoberger

CHANGELOG.md

@@ -20,6 +20,7 @@ NOTE: As semantic versioning states all 0.y.z releases can contain breaking chan
 - [#399](https://github.com/kobsio/kobs/pull/399): [github] Add new `usernotifications` panel and allow users to use the plugin within the Notifications.
 - [#401](https://github.com/kobsio/kobs/pull/401): [app] Add integrations for Kubernetes Resource, which allows administrators to define a set of default dashboards, which are added to each resource.
 - [#402](https://github.com/kobsio/kobs/pull/402): [app] Add `mongodb` driver as alternative to the existing `bolt` driver.
+- [#406](https://github.com/kobsio/kobs/pull/406): [app] :warning: _Breaking change:_ :warning: Implement authentication, so that no third party service like [OAuth2-Proxy](https://oauth2-proxy.github.io/oauth2-proxy/) is required to grant users access to kobs.
 - [#407](https://github.com/kobsio/kobs/pull/407): [sql] Add `singlestats` chart to render single values returned by a query.
 - [#411](https://github.com/kobsio/kobs/pull/411): [sql] Add `yAxisGroup` property for charts.
 

README.md

@@ -21,7 +21,7 @@ kobs brings your metrics, logs, traces and Kubernetes into one place, to provide
 - **Prometheus:** Access your Prometheus directly in kobs next to your Kubernetes resources.
 - **Elasticsearch and Jaeger:** View the logs from Elasticsearch and traces from Jaeger, where it matters.
 - **Istio:** Get the topology graph from Kiali for your Istio service mesh directly in kobs.
-- **Authentication and Authorization:** Manage the access to kobs via [OAuth2-Proxy](https://oauth2-proxy.github.io/oauth2-proxy/) and provide your developers the permissions they need via Teams and Users CRs.
+- **Authentication and Authorization:** Manage the access to kobs via OIDC and provide your developers the permissions they need via Teams and Users CRs.
 
 ## Contributing
 

cmd/kobs/hub/config/config.go

@@ -5,6 +5,7 @@ import (
 	"os"
 
 	"github.com/kobsio/kobs/pkg/hub/api"
+	"github.com/kobsio/kobs/pkg/hub/auth"
 	"github.com/kobsio/kobs/pkg/hub/satellites"
 
 	"sigs.k8s.io/yaml"
@@ -13,6 +14,7 @@ import (
 // Config is the complete configuration for kobs.
 type Config struct {
 	Satellites satellites.Config `json:"satellites"`
+	Auth       auth.Config       `json:"auth"`
 	API        api.Config        `json:"api"`
 }
 
@@ -25,11 +27,21 @@ func Load(file string) (*Config, error) {
 		return nil, err
 	}
 
+	// For the hub we have to unmarshal the configuration file twice. The first time we do not replace the file content
+	// with environment variables and the seconde time we replace the environment variables. This is required, because
+	// the hashed user passwords will not be usabe after replacing.
+	cfgNotReplaced := &Config{}
+	if err := yaml.Unmarshal(configContent, cfgNotReplaced); err != nil {
+		return nil, err
+	}
+
 	configContent = []byte(os.ExpandEnv(string(configContent)))
 	cfg := &Config{}
 	if err := yaml.Unmarshal(configContent, cfg); err != nil {
 		return nil, err
 	}
 
+	cfg.Auth.Users = cfgNotReplaced.Auth.Users
+
 	return cfg, nil
 }

cmd/kobs/hub/hub.go

@@ -10,6 +10,7 @@ import (
 	"github.com/kobsio/kobs/cmd/kobs/hub/config"
 	"github.com/kobsio/kobs/pkg/app"
 	"github.com/kobsio/kobs/pkg/hub"
+	"github.com/kobsio/kobs/pkg/hub/auth"
 	"github.com/kobsio/kobs/pkg/hub/satellites"
 	"github.com/kobsio/kobs/pkg/hub/store"
 	"github.com/kobsio/kobs/pkg/hub/watcher"
@@ -34,12 +35,6 @@ func Command() *cobra.Command {
 	var hubWatcherInterval time.Duration
 	var hubWatcherWorker int64
 	var metricsAddress string
-	var authEnabled bool
-	var authHeaderUser string
-	var authHeaderTeams string
-	var authLogoutRedirect string
-	var authSessionToken string
-	var authSessionInterval time.Duration
 
 	defaultAppAddress := ":15219"
 	if os.Getenv("KOBS_APP_ADDRESS") != "" {
@@ -97,34 +92,6 @@ func Command() *cobra.Command {
 		defaultMetricsAddress = os.Getenv("KOBS_METRICS_ADDRESS")
 	}
 
-	defaultAuthHeaderUser := "X-Auth-Request-Email"
-	if os.Getenv("KOBS_AUTH_HEADER_USER") != "" {
-		defaultAuthHeaderUser = os.Getenv("KOBS_AUTH_HEADER_USER")
-	}
-
-	defaultAuthHeaderTeams := "X-Auth-Request-Groups"
-	if os.Getenv("KOBS_AUTH_HEADER_TEAMS") != "" {
-		defaultAuthHeaderTeams = os.Getenv("KOBS_AUTH_HEADER_TEAMS")
-	}
-
-	defaultAuthLogoutRedirect := "/oauth2/sign_out"
-	if os.Getenv("KOBS_AUTH_LOGOUT_REDIRECT") != "" {
-		defaultAuthLogoutRedirect = os.Getenv("KOBS_AUTH_LOGOUT_REDIRECT")
-	}
-
-	defaultAuthSessionToken := ""
-	if os.Getenv("KOBS_AUTH_SESSION_TOKEN") != "" {
-		defaultAuthSessionToken = os.Getenv("KOBS_AUTH_SESSION_TOKEN")
-	}
-
-	defaultAuthSessionInterval := time.Duration(48 * time.Hour)
-	if os.Getenv("KOBS_AUTH_SESSION_INTERVAL") != "" {
-		parsedDefaultAuthSessionInterval, err := time.ParseDuration(os.Getenv("KOBS_AUTH_SESSION_INTERVAL"))
-		if err == nil && parsedDefaultAuthSessionInterval > 60*time.Second {
-			defaultAuthSessionInterval = parsedDefaultAuthSessionInterval
-		}
-	}
-
 	hubCmd := &cobra.Command{
 		Use:   "hub",
 		Short: "Hub component of kobs.",
@@ -174,6 +141,11 @@ func Command() *cobra.Command {
 				log.Fatal(nil, "Could not create store", zap.Error(err))
 			}
 
+			authClient, err := auth.NewClient(cfg.Auth, storeClient)
+			if err != nil {
+				log.Fatal(nil, "Could not create auth client", zap.Error(err))
+			}
+
 			var watcherClient watcher.Client
 			if hubMode == "default" || hubMode == "watcher" {
 				watcherClient, err = watcher.NewClient(hubWatcherInterval, hubWatcherWorker, satellitesClient, storeClient)
@@ -191,7 +163,7 @@ func Command() *cobra.Command {
 			var appServer app.Server
 
 			if hubMode == "default" || hubMode == "server" {
-				hubSever, err = hub.New(cfg.API, debugUsername, debugPassword, hubAddress, authEnabled, authHeaderUser, authHeaderTeams, authLogoutRedirect, authSessionToken, authSessionInterval, satellitesClient, storeClient)
+				hubSever, err = hub.New(cfg.API, debugUsername, debugPassword, hubAddress, authClient, satellitesClient, storeClient)
 				if err != nil {
 					log.Fatal(nil, "Could not create hub server", zap.Error(err))
 				}
@@ -249,12 +221,6 @@ func Command() *cobra.Command {
 	hubCmd.PersistentFlags().DurationVar(&hubWatcherInterval, "hub.watcher.interval", defaultHubWatcherInterval, "The interval for the watcher to sync the satellite configuration.")
 	hubCmd.PersistentFlags().Int64Var(&hubWatcherWorker, "hub.watcher.worker", defaultHubWatcherWorker, "The number of parallel sync processes for the watcher.")
 	hubCmd.PersistentFlags().StringVar(&metricsAddress, "metrics.address", defaultMetricsAddress, "The address, where the metrics server is listen on.")
-	hubCmd.PersistentFlags().BoolVar(&authEnabled, "auth.enabled", false, "Enable the authentication and authorization middleware.")
-	hubCmd.PersistentFlags().StringVar(&authHeaderUser, "auth.header.user", defaultAuthHeaderUser, "The header, which contains the user id.")
-	hubCmd.PersistentFlags().StringVar(&authHeaderTeams, "auth.header.teams", defaultAuthHeaderTeams, "The header, which contains the team ids.")
-	hubCmd.PersistentFlags().StringVar(&authLogoutRedirect, "auth.logout.redirect", defaultAuthLogoutRedirect, "The redirect url which should be used, when the user clicks on the logout button.")
-	hubCmd.PersistentFlags().StringVar(&authSessionToken, "auth.session.token", defaultAuthSessionToken, "The token to encrypt the session cookie.")
-	hubCmd.PersistentFlags().DurationVar(&authSessionInterval, "auth.session.interval", defaultAuthSessionInterval, "The interval for how long a session is valid.")
 
 	return hubCmd
 }

deploy/helm/hub/Chart.yaml

@@ -4,5 +4,5 @@ description: Kubernetes Observability Platform
 type: application
 home: https://kobs.io
 icon: https://kobs.io/assets/images/logo.svg
-version: 0.17.0
+version: 0.18.0
 appVersion: v0.9.1

deploy/helm/hub/templates/deployment.yaml

@@ -43,11 +43,6 @@ spec:
             - --hub.store.uri={{ .Values.hub.settings.store.uri }}
             - --hub.watcher.interval={{ .Values.hub.settings.watcher.interval }}
             - --hub.watcher.worker={{ .Values.hub.settings.watcher.worker }}
-            - --auth.enabled={{ .Values.hub.settings.auth.enabled }}
-            - --auth.header.user={{ .Values.hub.settings.auth.headerUser }}
-            - --auth.header.teams={{ .Values.hub.settings.auth.headerTeams }}
-            - --auth.logout.redirect={{ .Values.hub.settings.auth.logoutRedirect }}
-            - --auth.session.interval={{ .Values.hub.settings.auth.sessiontInterval }}
           {{- with .Values.env }}
           env:
             {{- toYaml . | nindent 12 }}

deploy/helm/hub/values.yaml

@@ -132,12 +132,6 @@ hub:
     watcher:
       interval: 300s
       worker: 10
-    auth:
-      enabled: false
-      headerUser: X-Auth-Request-Email
-      headerTeams: X-Auth-Request-Groups
-      logoutRedirect: /oauth2/sign_out
-      sessiontInterval: 48h0m0s
 
   ## Set the content of the config.yaml file, which is used by kobs. The configuration file is used to specify the
   ## cluster providers and the configuration for the plugins.
@@ -165,8 +159,7 @@ istio:
 
     timeout: 300s
 
-    ## You can also add your own routes to the VirtualService. This can be used to add an oauth2-proxy to handle the
-    ## authentication for the dashboard.
+    ## You can also add your own routes to the VirtualService.
     ##
     additionalRoutes: []
 

deploy/helm/satellite/Chart.yaml

@@ -4,5 +4,5 @@ description: Kubernetes Observability Platform
 type: application
 home: https://kobs.io
 icon: https://kobs.io/assets/images/logo.svg
-version: 0.17.0
+version: 0.18.0
 appVersion: v0.9.1

deploy/helm/satellite/values.yaml

@@ -154,8 +154,7 @@ istio:
 
     timeout: 300s
 
-    ## You can also add your own routes to the VirtualService. This can be used to add an oauth2-proxy to handle the
-    ## authentication for the dashboard.
+    ## You can also add your own routes to the VirtualService.
     ##
     additionalRoutes: []
 

deploy/kustomize/hub/deployment.yaml

@@ -32,11 +32,6 @@ spec:
             - --hub.store.uri=/tmp/kobs.db
             - --hub.watcher.interval=300s
             - --hub.watcher.worker=10
-            - --auth.enabled=false
-            - --auth.header.user=X-Auth-Request-Email
-            - --auth.header.teams=X-Auth-Request-Groups
-            - --auth.logout.redirect=/oauth2/sign_out
-            - --auth.session.interval=48h0m0s
           ports:
             - name: http-web
               containerPort: 15219

docs/getting-started/configuration/auth.md

@@ -0,0 +1,43 @@
+# Authentication and Authorization
+
+kobs supports the authentication and authorization of users. Users can be authenticated using a static list of configured email and password combinations or using OIDC. Authorization is handled via the permissions set in a [User CR](../../resources/users.md) or a [Team CR](../../resources/teams.md). An authenticated user is connected a corresponding User CR and Team CR via the email and groups claim from the OIDC flow.
+
+```yaml
+auth:
+  # Enable authentication and authorization of of users.
+  enabled: true
+  # OIDC configuration for kobs. OIDC can be used next to the static user list to authenticate and authorize users. The OIDC provider must be enabled explizit. If the configuration is wrong kobs will crash during the startup process.
+  oidc:
+    enabled: true
+    # The issuer (e.g. "https://accounts.google.com"), client id and client secret for your OIDC provider.
+    issuer:
+    clientID:
+    clientSecret:
+    # The url where the OIDC provider redirects a user after login. Must be the URL where your kobs instance is running at.
+    redirectURL:
+    # A random string to mitigate CSRF attacks.
+    state:
+    # The scopes for the OIDC provider. By default we need the "openid", "profile", "email", "groups" scope. If your OIDC provider (e.g. Google) does not support the "groups" scope you can also omit it.
+    # The "groups" scope is needed to connect a user with a team, so that you can set the permissions of users in a team and not for each single user.
+    # If you are using Google and want to use Google Groups to connect your users with teams, you can use a tool like Dex (https://dexidp.io) to get the groups of a user.
+    scopes: ["openid", "profile", "email", "groups"]
+  # Session configuration for kobs.
+  session:
+    # The token must be a random string which is used to sign the JWT token, which is generated when a user is authenticated.
+    token:
+    # The interval defines the lifetime of the generated token. When the token is expired the user must authenticate again.
+    interval: 48m
+  # A static list of users which can be access kobs. Each user must have a email address and password.
+  # ATTENTION: Substitution of environment variables is not supported for the user configuration. Instead you can directly use the hashed password within the configuration.
+  users:
+    - email:
+      # The hashed password of the user. The password can be generated using htpasswd (https://httpd.apache.org/docs/2.4/programs/htpasswd.html).
+      #     htpasswd -nBC 10 "" | tr -d ':\n'
+      # That command will prompt you for a password and output the hashed password, which will look something like:
+      #     $2y$10$dqqr3NIClzy4.jDQ3bHpveqVVxSqmpeP8oRI.eTZd91KxL8EyZx0e
+      password:
+      # An optional list of groups to authorize a user to access resources based on the permissions of the corresponding Team CRs.
+      #     groups: ["dia@kobs.io"]
+      # See https://kobs.io/main/resources/teams/#example for an example Team CR.
+      groups:
+```