Hi both,
RE: Slack - thanks, I'll join once it's merged/available.

To the auth problem. We're using Spring Boot's OAuth server impl. so if
there was a generic OAuth impl. it should work for us too. We're looking at
CAS <https://apereo.github.io/cas/6.2.x/index.html> but it's 12 months away
at best.
It'd be interesting to hear the approach the IBM team took.

What we started playing with was to put our service in front of the nginx
that proxies to the various wsk components (we're using the k8s helm chart).
The idea is we get all requests to wsk svcs, perform authentication and
authorisation then reconstruct the request with an actual wsk user and
forward.
So our developers would do something like this:
 wsk property set --apihost 'http://api.hypi.app/fn' --auth 'hypi:<our-API-token>'

From that point they use wsk CLI as usual.

/fn hits a k8s ingress which routes to our service, which handles authz,
takes our user token and maps it to a wsk user that is then replaced in the
request that is forwarded to wsk.

A few things came from this:

   1. The helm chart assumes wsk will be publicly accessible directly.
   Our test configured it with a domain that doesn't resolve to anything (is
   it used by any components?)
   2. The bigger issue is there doesn't seem to be an API to create
   subjects and their entitlements - we would want to generate a wsk subject
   and give them access to a namespace but the only way seems to be via
   wskadmin CLI
   3. Then there is the double authz being done - adding a way to make wsk
   trust the incoming request could help. We've thought of just using the
   system user after our authz is complete but it's unclear what the full
   scope of the security implications this carries would be.

Regarding contributions, we're open to exploring that.
We also looked at providing an implementation of some of the Spi impls in
core but a couple of things came out of that:

   1. The core isn't published in Maven so it's not possible to develop
   against the API trait out of tree as far as we could find.
   2. Many sub-types of Spi are package private

I'd be interested in the PoC that was done around this and any comments or
feedback on the above. Right now the approach of intercepting and proxying
wsk seems like the one we think will work for us.
Regards,
Courtney Robinson
Founder and CEO, Hypi
Tel: ++44 208 123 2413 (GMT+0) <https://hypi.io>



On Mon, Apr 12, 2021 at 4:12 AM Rodric Rabbah <rod...@gmail.com> wrote:

> I created a PR https://github.com/apache/openwhisk-website/pull/478 that
> should fix the Slack inviter, based on Carlos' original implementation [1].
>
> The PR contributes the file slack-invite.js which implements an OpenWhisk
> web action and uses the Slack invite API
> <https://api.slack.com/methods/admin.users.invite> to send an email
> invitation to join the OpenWhisk Slack team. The action requires a Slack
> token <https://api.slack.com/authentication/token-types#user> to work
> correctly.
>
> The API call is made in _layouts/slack.html using Nimbella's anonymous
> action invocation <https://nimbella.com>: no accounts needed, and the API
> can be maintained by any of the project committers without requiring
> extrinsic accounts or resources. The token for the API call is uniquely
> encrypted for this action. Should this token change, the encrypted value
> can be regenerated with the following Nimbella encryption API, replacing
> the placeholder <token> with the actual Slack App token.
>
> curl 'https://encrypt.nimbella.io/github.com/apache/openwhisk-website/blob/slack/apis/slack-invite.js?slacktoken=<token>'
>
> [1] https://github.com/csantanapr/openwhisk-slackinvite
>
> -r
>
> > On Apr 11, 2021, at 10:28 AM, Rodric Rabbah <rod...@gmail.com> wrote:
> > >
> > > Hi Courtney - I'm sorry you're having trouble with the slack auto signup. I
> > > opened a defect to investigate [1].
> > >
> > > It is possible to implement external authentication. My understanding is
> > > that IBM Cloud Functions for example implemented an integration with their
> > > IAM (someone from IBM would be better placed to speak to this).
> > >
> > > There are two parts to this: authentication and user management, and
> > > entitlement. Can you share more details about which identity provider you
> > > are interested in using?
> > >
> > > This would certainly be an area we'd also welcome contributions if that's
> > > something you're interested in.
> > >
> > > [1] https://github.com/apache/openwhisk-website/issues/477
> > >
> > >> On Sat, Apr 10, 2021 at 7:03 AM Courtney Robinson <courtney.robin...@hypi.io>
> > >> wrote:
> > >>
> > >> I've been trying to join slack now for over a week but was unable to.
> > >> Finally thought I'd investigate and found the issue is the inviter fn is
> > >> using an old version of node
> > >> https://openwhisk.apache.org/slack.html
> > >> [image: Screenshot 2021-04-10 at 10.59.00.png]
> > >> [image: Screenshot 2021-04-10 at 10.58.34.png]
> > >>
> > >> What I've been wanting to ask about is how to integrate an external
> > >> authentication and authorisation provider?
> > >> I can see from the codebase that there are a number of Spi impls but also
> > >> found
> > >> https://github.com/apache/openwhisk/pull/1914
> > >> https://github.com/apache/openwhisk/issues/1152
> > >> which suggests this isn't supported.
> > >>
> > >> Regards,
> > >> Courtney Robinson
> > >> Founder and CEO, Hypi
> > >> Tel: ++44 208 123 2413 (GMT+0) <https://hypi.io>
> > >>
> > >>
> >
>

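The interception approach sketched in the message above (ingress on /fn, authenticate the caller's own API token, swap in a real wsk subject's credentials, forward to the nginx in front of the OpenWhisk components), as an added example that is not Hypi's service nor anything from the OpenWhisk project. It is written in Go rather than the Spring Boot service the message mentions, because Go's standard library carries a reverse proxy and the whole thing fits on one screen. Everything concrete in it is assumed: the token-to-subject map and its values are constructed, the upstream hostname is a guess at what the helm chart's nginx service might be called, and it assumes the ingress delivers the request with the /fn prefix still on the path so the proxy has to strip it.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Constructed mapping from a Hypi API token to the OpenWhisk subject credentials
// (the "uuid:key" pair wsk would normally send as --auth). The values are made up
// for this example; a real service would look them up in a store and keep only a
// hash of the token, never the token itself.
var tokenToSubject = map[string]string{
	"hypi-token-alice": "11111111-2222-3333-4444-555555555555:example-wsk-key-not-a-real-one",
}

var errUnauthorized = errors.New("unauthorized")

// extractToken reads the Basic credentials the wsk CLI sends after
// `wsk property set --auth 'hypi:<token>'`: the username must be "hypi", the
// password is the Hypi API token.
func extractToken(r *http.Request) (string, bool) {
	user, pass, ok := r.BasicAuth()
	if !ok || user != "hypi" || pass == "" {
		return "", false
	}
	return pass, true
}

// lookupSubject maps the token to a wsk subject credential. Every key is compared
// in constant time so response timing does not reveal how much of a guessed token
// matched (a plain map lookup would short-circuit on the first differing byte).
func lookupSubject(token string) (string, bool) {
	cred, found := "", false
	for k, v := range tokenToSubject {
		if subtle.ConstantTimeCompare([]byte(k), []byte(token)) == 1 {
			cred, found = v, true
		}
	}
	return cred, found
}

// rewriteAuth is the authentication step: it replaces the caller's Authorization
// header with the mapped wsk subject's credentials, so what reaches wsk is an
// ordinary authenticated wsk request. wsk still does its own authz on the mapped
// subject (the "double authz" from the message), which also means a compromise of
// this proxy exposes every subject key it holds.
func rewriteAuth(r *http.Request) error {
	token, ok := extractToken(r)
	if !ok {
		return errUnauthorized
	}
	cred, ok := lookupSubject(token)
	if !ok {
		return errUnauthorized
	}
	parts := strings.SplitN(cred, ":", 2)
	if len(parts) != 2 {
		return errUnauthorized
	}
	r.Header.Del("Authorization")
	r.SetBasicAuth(parts[0], parts[1])
	return nil
}

// newProxy returns the handler the /fn ingress routes to. It authenticates,
// rewrites the Authorization header, strips the assumed /fn prefix and forwards
// to the upstream nginx, presenting the upstream's own Host header.
func newProxy(upstream *url.URL, prefix string) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	director := rp.Director
	rp.Director = func(req *http.Request) {
		req.URL.Path = strings.TrimPrefix(req.URL.Path, prefix)
		req.URL.RawPath = ""
		director(req)
		req.Host = upstream.Host
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := rewriteAuth(r); err != nil {
			w.Header().Set("WWW-Authenticate", `Basic realm="hypi"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed in-cluster address of the nginx deployed by the OpenWhisk helm chart.
	// This only adds security if that nginx is NOT also reachable directly (point 1
	// in the message): otherwise callers simply bypass the proxy.
	upstream, err := url.Parse("http://openwhisk-nginx.openwhisk.svc.cluster.local")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", newProxy(upstream, "/fn")))
}
```

Two design points follow from the message's own concerns. The proxy never lets the caller choose the wsk subject: the mapping is fixed server-side, so a developer can only ever act as the one subject their token maps to. And because the upstream still receives a full wsk credential, the proxy is exactly as sensitive as a wskadmin host; the "trust the incoming request" option the message floats would remove the second check but would make network isolation of the nginx the only thing keeping the system user out of reach.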