
Comments (7)

karlschriek commented on July 30, 2024

Some additional info:

Basing my distribution on https://github.com/arrikto/oidc-authservice/tree/master/e2e/manifests/authservice/base passes me through to the Kubeflow Dashboard without any authentication happening. The EnvoyFilter is still using the deprecated v2 though, so this might be the reason.

from oidc-authservice.

karlschriek commented on July 30, 2024

After updating the EnvoyFilter to v3 as follows:


apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        # listener selector belongs under match:, not beside it
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        # For some reason, INSERT_FIRST doesn't work
        operation: INSERT_BEFORE
        value:
          name: "envoy.filters.http.ext_authz"
          config:
            http_service:
              server_uri:
                uri: http://authservice.$(NAMESPACE).svc.cluster.local
                cluster: outbound|8080||authservice.$(NAMESPACE).svc.cluster.local
                timeout: 10s
              authorization_request:
                allowed_headers:
                  patterns:
                    # XXX: MUST be lowercase!
                    - exact: "authorization"
                    - exact: "cookie"
              authorization_response:
                allowed_upstream_headers:
                  patterns:
                    - exact: "kubeflow-userid"

I now get the following error.

[2021-05-11T14:17:50.549Z] "GET / HTTP/2" 403 UAEX ext_authz_error - "-" 0 0 0 - "95.114.180.246" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36" "a747bab4-920c-4810-a1b0-22e5b361f453" "kubeflow.my-other-domain.com" "-" - - 10.10.0.215:443 95.114.180.246:57885 kubeflow.my-other-domain.com -
2021-05-11T14:17:50.564166Z error envoy envoy_bug envoy bug failure: !state_.local_complete_ || status == FilterHeadersStatus::StopIteration. Details: Filters should return FilterHeadersStatus::StopIteration after sending a local reply.


karlschriek commented on July 30, 2024

After some more debugging I noticed that $(NAMESPACE) wasn't being replaced by Kustomize correctly (since the path to those vars was changed in the EnvoyFilter above). As a result, the FilterHeadersStatus::StopIteration no longer occurs, but I am now back to:

[2021-05-12T08:58:44.942Z] "GET / HTTP/2" 302 - ext_authz_denied - "-" 0 365 3 2 "95.117.25.93" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36" "8c801b72-e886-4582-994e-5c29e3a36878" "kubeflow.my-other-domain.com" "-" - - 10.10.1.203:443 95.117.25.93:60032 kubeflow.my-other-domain.com -
[2021-05-12T08:58:45.323Z] "GET /robots.txt?1620809925246 HTTP/2" 302 - ext_authz_denied - "-" 0 365 3 2 "95.117.25.93" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36" "d67677b2-7d9d-447c-a33d-604b4a106d4b" "kubeflow.my-other-domain.com" "-" - - 10.10.1.203:443 95.117.25.93:60034 kubeflow.my-other-domain.com -


yanniszark commented on July 30, 2024

Hi Karl! Thanks for updating on your progress. Could you please provide more info on what your browser sees?
OIDC performs a specific set of actions to authenticate you, which we have documented in a diagram in the README: https://github.com/arrikto/oidc-authservice#readme
Can you provide more information about each step and clarify which step fails?


psheorangithub commented on July 30, 2024

I am also seeing the same issue recently. We are running KF 1.3.1 with Dev OIDC. This is occurring intermittently. Has anyone found a solution?

[2021-12-06T21:52:08.367Z] "GET /jupyter/api/namespaces/NS/notebooks HTTP/1.1" 403 UAEX ext_authz_error - "-" 0 0 9773 - "100.64.128.33,10.42.139.195" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36" "eb3375d8-12ce-9765-8d53-73eed360187d" "<CLUSTER_URL>t" "-" - - 10.42.139.220:8080 10.42.139.195:34142 - -


celiawa commented on July 30, 2024

We're also seeing this same issue several times. We are using KF1.3.1.

# kubectl logs istio-ingressgateway-56447fcfb4-v7cgc -n istio-system
[2022-02-08T02:40:04.254Z] "GET / HTTP/1.1" 403 UAEX ext_authz_error - "-" 0 0 9998 - "10.210.152.75,10.42.245.128"
"python-requests/2.24.0" "e3dc78b8-10fd-995d-a9ad-4a6cb31067d4" "<cluster_url>" "-" - -
10.42.30.137:8080 10.42.245.128:40742 - -

Found that when the 403 error occurs, the authservice ip:8080 does not respond, while ip:8081 is responding.

#  k get po -n istio-system -o wide
NAME                                     READY   STATUS    RESTARTS   AGE   IP              NODE                 NOMINATED NODE   READINESS GATES
authservice-0                            1/1     Running   0          64d   10.42.245.145   node-10-101-101-10   <none>           <none>
#
# ping 10.42.245.145
PING 10.42.245.145 (10.42.245.145) 56(84) bytes of data.
64 bytes from 10.42.245.145: icmp_seq=1 ttl=63 time=0.446 ms
64 bytes from 10.42.245.145: icmp_seq=2 ttl=63 time=0.434 ms
64 bytes from 10.42.245.145: icmp_seq=3 ttl=63 time=0.454 ms
^C
--- 10.42.245.145 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2048ms
rtt min/avg/max/mdev = 0.434/0.444/0.454/0.025 ms
#
# curl 10.42.245.145:8080 -v  --max-time 5
* Rebuilt URL to: 10.42.245.145:8080/
*   Trying 10.42.245.145...
* TCP_NODELAY set
* Connected to 10.42.245.145 (10.42.245.145) port 8080 (#0)
> GET / HTTP/1.1
> Host: 10.42.245.145:8080
> User-Agent: curl/7.58.0
> Accept: */*
>
* Operation timed out after 5000 milliseconds with 0 bytes received
* stopped the pause stream!
* Closing connection 0
curl: (28) Operation timed out after 5000 milliseconds with 0 bytes received
#
# curl 10.42.245.145:8081 -v  --max-time 5
* Rebuilt URL to: 10.42.245.145:8081/
*   Trying 10.42.245.145...
* TCP_NODELAY set
* Connected to 10.42.245.145 (10.42.245.145) port 8081 (#0)
> GET / HTTP/1.1
> Host: 10.42.245.145:8081
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 08 Feb 2022 07:41:43 GMT
< Content-Length: 0

The authservice pod manifest is as below:

    image: gcr.io/arrikto/kubeflow/oidc-authservice:28c59ef
    imagePullPolicy: Always
    name: authservice
    ports:
    - containerPort: 8080
      name: http-api
      protocol: TCP
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /
        port: 8081
        scheme: HTTP
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 1

@ryandawsonuk @yanniszark, could you please help look into this?

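Added example, not code from oidc-authservice or from anyone in this thread: a small classifier for the Istio ingress access-log lines quoted above, which separates ext_authz_error with a near-zero duration (Envoy has no route to the authservice cluster, as when $(NAMESPACE) was not substituted), ext_authz_error after roughly the EnvoyFilter's 10s timeout (the authservice accepted the connection but never answered, matching the 9998 and 9773 ms durations above), and ext_authz_denied with a 302 (the normal redirect of a session-less browser to the OIDC login). The sample lines are constructed from the posted ones with user agents shortened.

```python
"""Classify Istio ingress access-log lines on the ext_authz path.
Added example for this thread, not oidc-authservice or Istio code."""
import re
from collections import Counter

EXT_AUTHZ_TIMEOUT_MS = 10_000  # 'timeout: 10s' in the EnvoyFilter above
# Istio's default access-log format: 22 fields, some double-quoted.
_TOKEN = re.compile(r'"[^"]*"|\S+')
_FIELDS = ("start_time", "request", "code", "flags", "details", "conn_term",
           "upstream_fail", "bytes_rx", "bytes_tx", "duration_ms", "upstream_ms",
           "xff", "user_agent", "request_id", "authority", "upstream_host",
           "upstream_cluster", "upstream_local", "downstream_local",
           "downstream_remote", "sni", "route")

def parse_access_log(line):
    """Return the line as a dict, or None if it is not in the 22-field format."""
    tokens = [t.strip('"') for t in _TOKEN.findall(line.strip())]
    if len(tokens) != len(_FIELDS):
        return None
    rec = dict(zip(_FIELDS, tokens))
    rec["start_time"] = rec["start_time"].strip("[]")
    rec["code"] = int(rec["code"])
    rec["duration_ms"] = 0 if rec["duration_ms"] == "-" else int(rec["duration_ms"])
    return rec

def classify(rec, timeout_ms=EXT_AUTHZ_TIMEOUT_MS):
    """Diagnose one record from response_code_details, flags and duration."""
    if rec["details"] == "ext_authz_error" and "UAEX" in rec["flags"]:
        if rec["duration_ms"] >= 0.9 * timeout_ms:
            return "authz_timeout"        # TCP accepted, no answer: hung authservice
        return "authz_unreachable"        # no such cluster / connection refused
    if rec["details"] == "ext_authz_denied":
        # 302 here is the normal redirect of a session-less browser to the OIDC login
        return "authz_redirect_to_login" if rec["code"] in (302, 303, 307) else "authz_denied"
    return "other"

def summarize(lines):
    """Count diagnoses over many lines; unparsable lines are counted too."""
    counts = Counter()
    for line in lines:
        rec = parse_access_log(line)
        counts[classify(rec) if rec else "unparsable"] += 1
    return dict(counts)

SAMPLE_LINES = [  # constructed from the lines posted in this thread
    '[2021-05-11T14:17:50.549Z] "GET / HTTP/2" 403 UAEX ext_authz_error - "-" 0 0 0 - "95.114.180.246" "Mozilla/5.0" "a747bab4-920c-4810-a1b0-22e5b361f453" "kubeflow.my-other-domain.com" "-" - - 10.10.0.215:443 95.114.180.246:57885 kubeflow.my-other-domain.com -',
    '[2021-05-12T08:58:44.942Z] "GET / HTTP/2" 302 - ext_authz_denied - "-" 0 365 3 2 "95.117.25.93" "Mozilla/5.0" "8c801b72-e886-4582-994e-5c29e3a36878" "kubeflow.my-other-domain.com" "-" - - 10.10.1.203:443 95.117.25.93:60032 kubeflow.my-other-domain.com -',
    '[2022-02-08T02:40:04.254Z] "GET / HTTP/1.1" 403 UAEX ext_authz_error - "-" 0 0 9998 - "10.210.152.75,10.42.245.128" "python-requests/2.24.0" "e3dc78b8-10fd-995d-a9ad-4a6cb31067d4" "<cluster_url>" "-" - - 10.42.30.137:8080 10.42.245.128:40742 - -',
]
```

Because the readiness probe above checks only port 8081, a hung port 8080 leaves the pod Ready; counting authz_timeout lines at the gateway is one signal that catches that state.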

romanzdk commented on July 30, 2024

Hi all, I am facing the same issue, any progress?

