Comments (2)
I think we cannot simply fail to start Observatorium API, since the OIDC config is per tenant and we do not want one misconfigured tenant to bring the whole API down at start-up. But there is a loop which tries to initiate the OIDC authenticator (with backoff), so if this keeps failing it should be logged + there's also a metric for that.
On second thought, this sounds like the OIDC provider initiation actually succeeded, which should not have been the case without client ID / secret.
It would also be helpful if Observatorium-API failed to start without clientID or clientSecret.
I don't fully agree with this. This will mean one tenant's borked configuration breaks the API for everyone else. Ideally, if one tenant rolls out invalid configuration, other tenants can continue to use their API and even make changes of their own.
In fact, we've had issues with this in the past and implemented something that tries to isolate the auth configurations of various tenants so that one tenant's misconfigured OIDC issuer (or correctly configured issuer but maybe not responding for any reason) doesn't block startup of the API for other tenants:
https://github.com/observatorium/api/blob/main/main.go#L514-L525
Maybe it would be useful instead to have a utility to statically validate a tenant's configuration and be able to assert if they are valid before being applied to the server? This could be a nice feature of the CLI.
Observatorium-API refuses to start if IssuerURL is empty
I'm having a hard time imagining how the Observatorium fails to start up entirely if one tenant's OIDC config is missing an issuerURL. AFAICT:
- the empty issuer check only happens here: https://github.com/observatorium/api/blob/main/authentication/oidc.go#L84
- the bounding function, newOIDCAuthenticator, is only called here: api/authentication/authentication.go, line 84 in 078b7ce
- and this bounding function, InitializeProvider, is called asynchronously for every tenant to avoid one tenant breaking the API for other tenants: https://github.com/observatorium/api/blob/main/main.go#L515
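The two ideas the thread converges on, a static validator that a CLI could run before a tenant config is applied and per-tenant initialization that retries with backoff in its own goroutine so one tenant's missing or unreachable issuer never blocks the others, sketched as an added example. This is not code from observatorium/api: the TenantOIDCConfig struct, its field names, the ProviderInit hook and the sample tenants are assumptions made for the example, and the real project's types and startup loop differ.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"sync"
	"time"
)

// TenantOIDCConfig is an assumed, simplified per-tenant shape (not observatorium/api's types).
type TenantOIDCConfig struct {
	Tenant, IssuerURL, ClientID, ClientSecret string
}

// ValidateTenantOIDC is the static, offline check a CLI could run before a
// tenant config is applied. All problems are reported in one error.
func ValidateTenantOIDC(c TenantOIDCConfig) error {
	var problems []string
	if strings.TrimSpace(c.IssuerURL) == "" {
		problems = append(problems, "issuerURL is empty")
	} else if u, err := url.Parse(c.IssuerURL); err != nil {
		problems = append(problems, "issuerURL does not parse: "+err.Error())
	} else if u.Scheme != "https" || u.Host == "" {
		// Discovery metadata and JWKS fetched over plain http could be swapped by an on-path attacker.
		problems = append(problems, "issuerURL must be an absolute https URL")
	}
	if c.ClientID == "" {
		problems = append(problems, "clientID is empty")
	}
	if c.ClientSecret == "" {
		problems = append(problems, "clientSecret is empty")
	}
	if len(problems) == 0 {
		return nil
	}
	return errors.New(strings.Join(problems, "; "))
}

// ProviderInit stands in for the network step (discovery, JWKS fetch) that can fail or hang
// for one tenant; it is injected so the example runs offline.
type ProviderInit func(ctx context.Context, c TenantOIDCConfig) error

// TenantStatus is what an operator would log or export as a per-tenant metric.
type TenantStatus struct{ Tenant string; Attempts int; Err error }

// InitTenantsIsolated validates every tenant statically, then initializes each valid one in its
// own goroutine with exponential backoff capped at maxAttempts. A broken or unreachable tenant
// only shows up in its own status; it never blocks the others and never makes the process exit.
func InitTenantsIsolated(ctx context.Context, cfgs []TenantOIDCConfig, init ProviderInit, maxAttempts int, base time.Duration) map[string]TenantStatus {
	results := make(map[string]TenantStatus, len(cfgs))
	var mu sync.Mutex
	var wg sync.WaitGroup
	record := func(st TenantStatus) { mu.Lock(); results[st.Tenant] = st; mu.Unlock() }
	for _, cfg := range cfgs {
		cfg := cfg
		if err := ValidateTenantOIDC(cfg); err != nil {
			// Rejected before any network call: no goroutine, no retries.
			record(TenantStatus{Tenant: cfg.Tenant, Err: fmt.Errorf("static validation: %w", err)})
			continue
		}
		wg.Add(1)
		go func() {
			defer wg.Done()
			st := TenantStatus{Tenant: cfg.Tenant}
		retry:
			for {
				st.Attempts++
				if st.Err = init(ctx, cfg); st.Err == nil || st.Attempts >= maxAttempts {
					break
				}
				select {
				case <-time.After(base << uint(st.Attempts-1)): // base, 2*base, 4*base, ...
				case <-ctx.Done():
					st.Err = fmt.Errorf("%w (last error: %v)", ctx.Err(), st.Err)
					break retry
				}
			}
			record(st)
		}()
	}
	wg.Wait()
	return results
}

func main() {
	// Constructed sample: a healthy tenant, one missing its secret, one whose issuer never answers.
	cfgs := []TenantOIDCConfig{
		{"team-a", "https://issuer.example/realms/a", "api", "s3cr3t"},
		{"team-b", "https://issuer.example/realms/b", "api", ""},
		{"team-c", "https://down.example", "api", "x"},
	}
	fake := func(_ context.Context, c TenantOIDCConfig) error {
		if c.Tenant == "team-c" {
			return errors.New("dial tcp: connection refused")
		}
		return nil
	}
	for name, st := range InitTenantsIsolated(context.Background(), cfgs, fake, 3, time.Millisecond) {
		fmt.Printf("%-7s attempts=%d err=%v\n", name, st.Attempts, st.Err)
	}
}
```

Running it shows team-a initialized on the first attempt, team-b rejected by the static check without a single network call, and team-c giving up after three attempts, all while the process keeps going. The status map is the natural thing to feed the per-tenant log line and metric the thread mentions, and the static check is what a CLI would run so a missing clientSecret is caught before the config is ever applied.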