2021-04-13 02:02:22 UTC - zcourts: I started this discussion on the dev mailing list because the Slack invitation wasn't working, but I'll repost here now that I'm in. We're investigating how best to do external authentication and authorisation. We found a few PRs which led us to believe it wasn't supported: https://github.com/apache/openwhisk/pull/1914 https://github.com/apache/openwhisk/issues/1152 In the dev mailing list response it was suggested that someone had prototyped an OAuth impl and that the IBM team has done it with their IAM. This says that it is doable, but other than these hints of others having done it, we couldn't find anything else.
What we've attempted is basically (using a k8s deployment): we created an ingress which sends the wsk CLI requests to our own service, which then performs our authz before mapping to a wsk subject's credentials that are sent to the real wsk nginx proxy. Our customer flow ends up being along the lines of `wsk property set --apihost 'http://api.hypi.app/fn' --auth 'hypi:<our-API-token>'`. /fn hits a k8s ingress which routes to our service, which handles authz, takes our user token and maps it to a wsk user that is then replaced in the request that is forwarded to wsk.
A few things came from this:
1. The helm chart assumes wsk will be publicly accessible directly. Our test configured it with a domain that doesn't resolve to anything (is it used by any components?)
2. The bigger issue is that there doesn't seem to be an API to create subjects and their entitlements. We would want to generate a wsk subject and give them access to a namespace, but the only way seems to be via the wskadmin CLI.
3. Then there is the double authz being done; adding a way to make wsk trust the incoming request could help. We've thought of just using the system user after our authz is complete, but it's unclear what the full scope of security implications this carries.
We also looked at providing an implementation of some of the Spi impls in core, but a couple of things off that:
1. The core isn't published in Maven, so it's not possible to develop against the API trait out of tree, as far as we could find. I guess we'd have to publish to our internal repo.
2. Many sub-types of Spi are package private.
https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1618279342128600?thread_ts=1618279342.128600&cid=C3TPCAQG1 ----
2021-04-13 20:06:46 UTC - Alexander Verkest: Hi everyone, I have a small question about invoking actions. Currently, OpenWhisk is deployed on a bare metal Kubernetes cluster and I have been able to successfully create my action and invoke it from inside the cluster.
My question is how can I invoke this action from outside the cluster (for instance via the kubectl proxy)? https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1618344406132200?thread_ts=1618344406.132200&cid=C3TPCAQG1 ---- 2021-04-13 22:38:10 UTC - Rodric Rabbah: Welcome to the community @Alexander Verkest :tada: https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1618353490133300 ----