[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-36760

Yes, I think it is worth having; I will go on to finish it soon.

This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-344109024

@rabbah, actually I am working on `doing some benchmark test on openwhisk`; after doing that, I will go on with this PR.
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-323979330

@rabbah I added a temp commit on this PR to `turn on the client certificate auth` to run all test cases; the travis-ci run failed, I will check it.

PS: currently I turn on the `client certificate auth` using the configuration below:

```
nginx.ssl.verify_client: "{{ nginx_ssl_verify_client | default('optional') }}"
```

Why do I use `optional` instead of `on` temporarily? Because currently `ansible version:2.3.0.0`'s `get_url` module doesn't support passing a client cert/key file, so if `on` is used, the `download CLI ansible task will be failed`: https://github.com/apache/incubator-openwhisk/blob/master/ansible/roles/cli/tasks/download_cli.yml#L5

If `optional` is used, the client cert/key file verification is ignored when the cert/key file doesn't exist. But there is good news: `ansible version:2.4.0.0` will support it, please refer to: https://github.com/ansible/ansible/pull/18141

Once `ansible version:2.4.0.0` is released, we can use `on` instead of `optional`.
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-323979330

@rabbah I added a temp commit on this PR to `turn on the client certificate auth` to run all test cases; the travis-ci run failed, I will check it.

PS: currently I turn on the `client certificate auth` using the configuration below:

```
nginx.ssl.verify_client: "{{ nginx_ssl_verify_client | default('optional') }}"
```

Why do I use `optional` instead of `on` temporarily? Because currently `ansible version:2.3.0.0`'s `get_url` module doesn't support passing a client cert/key file, so if `on` is used, the `download CLI ansible task will be failed`: https://github.com/apache/incubator-openwhisk/blob/master/ansible/roles/cli/tasks/download_cli.yml#L5

If `optional` is used, the client cert/key file verification is ignored when the cert/key file doesn't exist. But there is good news: `ansible version:2.4.0.0` will support it, please refer to: https://github.com/ansible/ansible/pull/18141

If `ansible version:2.4.0.0`, we can use `on` instead of `optional`.
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-323900349

@rabbah

1. Catalog installation will fail when the client certificate is turned on. How to deal with it?
`answer`: currently, the `incubator-openwhisk-catalog` project doesn't support client certificate auth, so it fails when executing `ansible-playbook -i environments/ postdeploy.yml`. Then how to deal with it? I think we can add the client certificate auth logic to the `incubator-openwhisk-catalog` project. After this PR is merged: https://github.com/apache/incubator-openwhisk-catalog/pull/238, I will add it and you can review. (You can review a temp commit for it: https://github.com/ningyougang/incubator-openwhisk-catalog/commit/4f465e9a4681ca76113f59bb89c720bfd32da23f)

2. You are adding the subject to the whisk.system namespace?
`answer`: I just tested whether it succeeds when the client certificate is turned on. Why does it succeed? Because `wskadmin` sends the request to couchdb directly when executing `wskadmin user create -ns `.

3. Why would this be acceptable?
`answer`: `client certificate certification` is a very common auth mode like `username/password`; client certificate auth is also used in `aws lambda`, `openstack` and so on. So it is necessary to support this feature in our openwhisk also. (Client certificate auth is more secure than an auth key.) You can see that when I execute `wskadmin user create jack -ns whisk.namespace`, it will insert this user `jack` into couchdb regardless of whether client authentication is turned on or off; then the user `jack` can use auth key auth when the client certificate is turned off. In some conditions, if the company has stronger security certification needs, the company can turn on the client certificate and just generate the corresponding user's client certificate whose `CN` equals `subject:jack`.

Here there is an extra benefit: the client certificate can be shared under different namespaces, which means if `jack` wants to access another namespace `namespaceB`, there is no need to generate `namespaceB`'s `jack` client certificate; only doing `wskadmin user create jack -ns namespaceB` is enough.
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-323900349

@rabbah

1. Catalog installation will fail when the client certificate is turned on. How to deal with it?
`answer`: currently, the `incubator-openwhisk-catalog` project doesn't support client certificate auth, so it fails when executing `ansible-playbook -i environments/ postdeploy.yml`. Then how to deal with it? I think we can add the client certificate auth logic to the `incubator-openwhisk-catalog` project. After this PR is merged: https://github.com/apache/incubator-openwhisk-catalog/pull/238, I will add it and you can review.

2. You are adding the subject to the whisk.system namespace?
`answer`: I just tested whether it succeeds when the client certificate is turned on. Why does it succeed? Because `wskadmin` sends the request to couchdb directly when executing `wskadmin user create -ns `.

3. Why would this be acceptable?
`answer`: `client certificate certification` is a very common auth mode like `username/password`; client certificate auth is also used in `aws lambda`, `openstack` and so on. So it is necessary to support this feature in our openwhisk also. (Client certificate auth is more secure than an auth key.) You can see that when I execute `wskadmin user create jack -ns whisk.namespace`, it will insert this user `jack` into couchdb regardless of whether client authentication is turned on or off; then the user `jack` can use auth key auth when the client certificate is turned off. In some conditions, if the company has stronger security certification needs, the company can turn on the client certificate and just generate the corresponding user's client certificate whose `CN` equals `subject:jack`.

Here there is an extra benefit: the client certificate can be shared under different namespaces, which means if `jack` wants to access another namespace `namespaceB`, there is no need to generate `namespaceB`'s `jack` client certificate; only doing `wskadmin user create jack -ns namespaceB` is enough.
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-323900349

@rabbah

1. Catalog installation will fail when the client certificate is turned on. How to deal with it?
`answer`: currently, the `incubator-openwhisk-catalog` project doesn't support client certificate auth, so it fails when executing `ansible-playbook -i environments/ postdeploy.yml`. Then how to deal with it? I think we can add the client certificate auth logic to the `incubator-openwhisk-catalog` project. After this PR is merged: https://github.com/apache/incubator-openwhisk-catalog/pull/238, I will add it and you can review.

2. You are adding the subject to the whisk.system namespace?
`answer`: I just tested whether it succeeds when the client certificate is turned on. Why does it succeed? Because `wskadmin` sends the request to couchdb directly when executing `wskadmin user create -ns `.

3. Why would this be acceptable?
`answer`: `client certificate certification` is a very common auth mode like `username/password`; client certificate auth is also used in `aws lambda`, `openstack` and so on. So it is necessary to support this feature in our openwhisk also. (Client certificate auth is more secure than an auth key.) You can see that when I execute `wskadmin user create jack -ns whisk.namespace`, it will insert this user `jack` into couchdb regardless of whether client authentication is turned on or off; then the user `jack` can use auth key auth when the client certificate is turned off. In some conditions, if the company has stronger security certification needs, the company can turn on the client certificate and just generate the corresponding user's client certificate whose `CN` equals `subject:jack`.

Here there is an extra benefit: the client certificate can be shared under different namespaces, which means if `jack` wants to access another namespace `namespaceB`, there is no need to generate `namespaceB`'s `jack` client certificate; only doing `wskadmin user create jack -ns namespaceB` is enough.
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-323900349

@rabbah

1. Catalog installation will fail when the client certificate is turned on. How to deal with it?
`answer`: currently, the `incubator-openwhisk-catalog` project doesn't support client certificate auth, so it fails when executing `ansible-playbook -i environments/ postdeploy.yml`. Then how to deal with it? I think we can add the client certificate auth logic to the `incubator-openwhisk-catalog` project. After this PR is merged: https://github.com/apache/incubator-openwhisk-catalog/pull/238, I will add it and you can review.

2. You are adding the subject to the whisk.system namespace?
`answer`: I just tested whether it succeeds when the client certificate is turned on. Why does it succeed? Because `wskadmin` sends the request to couchdb directly when executing `wskadmin user create -ns `.

3. Why would this be acceptable?
`answer`: `client certificate certification` is a very common auth mode like `username/password`; client certificate auth is also used in `aws lambda`, `openstack` and so on. So it is necessary to support this feature in our openwhisk also. (Client certificate auth is more secure than an auth key.) You can see that when I execute `wskadmin user create jack -ns whisk.namespace`, it will insert this user `jack` into couchdb regardless of whether client authentication is turned on or off; then the user `jack` can use auth key auth when the client certificate is turned off. In some conditions, if the company has stronger security certification needs, the company can turn on the client certificate and just generate the corresponding user's client certificate whose `CN` equals `subject`. Here there is an extra benefit: the client certificate can be shared under different namespaces.
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-323900349

@rabbah

1. Catalog installation will fail when the client certificate is turned on. How to deal with it?
`answer`: currently, the `incubator-openwhisk-catalog` project doesn't support client certificate auth, so it fails when executing `ansible-playbook -i environments/ postdeploy.yml`. Then how to deal with it? I think we can add the client certificate auth logic to the `incubator-openwhisk-catalog` project. After this PR is merged: https://github.com/apache/incubator-openwhisk-catalog/pull/238, I will add it and you can review.

2. You are adding the subject to the whisk.system namespace?
`answer`: I just tested whether it succeeds when the client certificate is turned on. Why does it succeed? Because `wskadmin` sends the request to couchdb directly when executing `wskadmin user create -ns `.

3. Why would this be acceptable?
`answer`: `client certificate certification` is a very common auth mode like `username/password`; client certificate auth is also used in `aws lambda`, `openstack` and so on. So it is necessary to support this feature in our openwhisk also. (Client certificate auth is more secure than an auth key.) You can see that when I execute `wskadmin user create jack -ns whisk.namespace`, it will insert this user `jack` into couchdb regardless of whether client authentication is turned on or off; then the user `jack` can use auth key auth when the client certificate is turned off. In some conditions, if the company has stronger security certification needs, the company can turn on the client certificate and just generate the corresponding user's client certificate whose `CN` equals `subject`. Here there is an extra benefit: the client certificate can be shared under different namespaces.
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-323900349

@rabbah

1. Catalog installation will fail when the client certificate is turned on. How to deal with it?
`answer`: currently, the `incubator-openwhisk-catalog` project doesn't support client certificate auth, so it fails when executing `ansible-playbook -i environments/ postdeploy.yml`. Then how to deal with it? I think we can add the client certificate auth logic to the `incubator-openwhisk-catalog` project. After the above `apache/incubator-openwhisk-catalog/pull/238` is merged, I will add it and you can review.

2. You are adding the subject to the whisk.system namespace?
`answer`: I just tested whether it succeeds when the client certificate is turned on. Why does it succeed? Because `wskadmin` sends the request to couchdb directly when executing `wskadmin user create -ns `.

3. Why would this be acceptable?
`answer`: `client certificate certification` is a very common auth mode like `username/password`; client certificate auth is also used in `aws lambda`, `openstack` and so on. So it is necessary to support this feature in our openwhisk also. (Client certificate auth is more secure than an auth key.) You can see that when I execute `wskadmin user create jack -ns whisk.namespace`, it will insert this user `jack` into couchdb regardless of whether client authentication is turned on or off; then the user `jack` can use auth key auth when the client certificate is turned off. In some conditions, if the company has stronger security certification needs, the company can turn on the client certificate and just generate the corresponding user's client certificate whose `CN` equals `subject`. Here there is an extra benefit: the client certificate can be shared under different namespaces.
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-323900349

@rabbah After testing again locally:

1. Catalog installation will fail when the client certificate is turned on. This question is easy to solve, but the client certificate logic should be added to `https://github.com/apache/incubator-openwhisk-catalog.git` too.

2. wskadmin has no influence on `wskadmin`; executing the command below succeeds when the client certificate is turned on:

```
[irteam@lambda-nyg bin]$ ./wskadmin user create ningyougang -ns whisk.system
eecfa0a4-b95e-4cb0-9fa3-854ae8a1432f:7zSfpkXnqQRgNqKZZ9ZYED7S8Xtw5NcTXX3viPSSPVQbUYBEcv9vd0jxqn5hYl2H
```
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-318229831

@mdeuser What is the expected behavior when both the authkey and cert property values are set?

answer: Only set --auth or (--cert and --key); if both are set, it will report an error. If `ssl_verify_client=on` is set, only client certificate verification is supported. If `ssl_verify_client=off` is set, only auth key verification is supported.
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-320134074

@rabbah What does `do you have an Apache SLA already on file` mean? I used `google` to search it; it seems to mean `Service-Level Agreement`. Does the `Apache SLA` have a relation with this PR?
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-318315743

@rabbah @mdeuser, I have modified the code, please review. The changed logic is to pass the namespace by HTTP header from wsk to the controller, because namespace + `CN` (it is the subject) can determine a unique Identity, so it works well.
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-318229831

What is the expected behavior when both the authkey and cert property values are set?

answer: if both are set, and it is set to `optional` or `off`, it will only use the `--auth key`; if both are set, and it is set to `on`, it will only use the `--cert/key`.
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-318229831

What is the expected behavior when both the authkey and cert property values are set?

answer: if both are set, and it is set to `optional` and `off`, it will only use the `--auth key`; if both are set, and it is set to `on`, it will only use the `--cert/key`.
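As an added illustration (not code from this PR or from OpenWhisk), the Go sketch below models the server-side decision the comments above describe: the `ssl_verify_client` mode decides which credential is honoured, the CLI may carry either `--auth` or `--cert`/`--key` but not both, and with certificates the identity is the pair (namespace from the HTTP header, `CN` from the certificate), so one certificate for `jack` can serve several namespaces. Type and field names, the in-memory subjects table and the sample subjects are assumptions made for the example; the check that the CN is only trusted when the proxy actually verified the certificate is the point a reviewer would want under `optional`.

```go
package main

import (
	"errors"
	"fmt"
)

// VerifyMode mirrors nginx's ssl_verify_client values discussed in the thread.
type VerifyMode string

const (
	VerifyOn       VerifyMode = "on"
	VerifyOptional VerifyMode = "optional"
	VerifyOff      VerifyMode = "off"
)

// Request holds what the controller sees after nginx terminates TLS.
// Field names are assumptions for this example, not OpenWhisk's real headers.
type Request struct {
	Namespace    string // namespace passed by the CLI in an HTTP header
	AuthKey      string // --auth value, empty if absent
	ClientCN     string // CN of the presented client certificate, empty if none
	CertVerified bool   // true only when the proxy reported a successful chain check
}

// Identity is the (namespace, subject) pair the controller resolves a request to.
type Identity struct {
	Namespace string
	Subject   string
}

// Constructed subjects table: the same subject "jack" exists in two namespaces,
// as in the thread, so a single certificate with CN=jack covers both.
var subjects = map[Identity]string{
	{"whisk.namespace", "jack"}: "uuid-jack:key-jack",
	{"namespaceB", "jack"}:      "uuid-jackB:key-jackB",
}

var ErrUnauthorized = errors.New("unauthorized")

// ValidateProps enforces the CLI rule from the thread: --auth, or --cert with
// --key, never a mix of the two.
func ValidateProps(authKey, cert, key string) error {
	haveCert := cert != "" || key != ""
	switch {
	case authKey != "" && haveCert:
		return errors.New("set either --auth or --cert/--key, not both")
	case haveCert && (cert == "" || key == ""):
		return errors.New("--cert and --key must be set together")
	case authKey == "" && !haveCert:
		return errors.New("no credential provided")
	}
	return nil
}

// Authenticate applies the precedence rule: with verify_client=on only the
// certificate counts; with optional or off only the auth key counts.
func Authenticate(mode VerifyMode, r Request) (Identity, error) {
	switch mode {
	case VerifyOn:
		// A CN is only meaningful if the proxy validated the chain; an
		// unverified or missing certificate must not grant access.
		if !r.CertVerified || r.ClientCN == "" || r.Namespace == "" {
			return Identity{}, ErrUnauthorized
		}
		id := Identity{Namespace: r.Namespace, Subject: r.ClientCN}
		if _, ok := subjects[id]; !ok {
			return Identity{}, ErrUnauthorized
		}
		return id, nil
	case VerifyOptional, VerifyOff:
		for id, key := range subjects {
			if r.AuthKey != "" && key == r.AuthKey {
				return id, nil
			}
		}
		return Identity{}, ErrUnauthorized
	default:
		return Identity{}, fmt.Errorf("unknown ssl_verify_client mode %q", mode)
	}
}
```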
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-318229190

When authenticating with just the cert, can the namespace property value still be "_"? Possibly related to a discussion thread above..

Answer: can the namespace property value still be "_"? What does this mean? I have replied above; maybe your answer exists there.
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-318229190

When authenticating with just the cert, can the namespace property value still be "_"? Possibly related to a discussion thread above..

Answer: @mdeuser, can the namespace property value still be "_"? What does this mean? I have replied above; maybe your answer exists there.
[GitHub] ningyougang commented on issue #2517: Support client certificate verify on server side
ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-317945045

@rabbah, can this PR be merged?