Hi,
I am working on a Secretless Broker POC for our JupyterHub application. Backend is Conjur Enterprise. JupyterHub spawns a new pod for a Jupyter Notebook to run whenever a new request for a Notebook is created by a user. That also means a number of Notebooks are running in the same namespace in the OpenShift environment, and they have the same service account.
I am using authn-k8s for authentication and secret entitlement in Conjur. But I find it is impossible to create groups as those Notebooks are lacking a unique identity: they only have a single identity: same-namespace+same-serviceaccount.
Do you have any suggestion in this situation if we do want to form the groups/roles so that different groups/roles can have different credentials?
I see there is a Host Factory authentication method. Do you think it can help in the above situation? Do you think I should use it instead of authn-k8s, or can they work together?
<Editing my earlier response which wasn’t quite accurate.>
If I understand correctly, in your platform, whenever a Notebook is being created, JupyterHub is spawning new Pods that:
Use a common Namespace
Use a common ServiceAccount
But, require access to user/group specific credentials in Conjur
I believe that you can use authn-k8s authentication to grant access to secrets with the granularity that you’re looking for in this scenario. What you would need to do is define a Conjur host for each user or group of users that require their own credentials. Then when you deploy a Pod when a Notebook is created, include that host ID in the CONJUR_AUTHN_LOGIN environment variable that gets set for the authn-k8s client init container.
Your Conjur policy could be loaded using files that look something like the following. Here, I’m assuming a simple example of 3 users that need credentials that are set up for 2 separate user groups:
File app-identities.yml:
# This policy defines a layer of whitelisted identities permitted to authenticate to the authn-k8s endpoint.
- !policy
  id: conjur/authn-k8s/my-authenticator-id/notebook-users
  owner: !group devops
  annotations:
    description: Identities permitted to authenticate
  body:
    # Layer with no explicit id: its id is the enclosing policy id,
    # i.e. conjur/authn-k8s/my-authenticator-id/notebook-users
    - !layer
      annotations:
        description: Layer of authenticator identities permitted to call authn svc

    - &hosts
      # Annotation-based authentication (host ID is a user name, and
      # permitted application identities are listed as annotations)
      - !host
        id: user-1
        annotations:
          authn-k8s/namespace: notebook-namespace
          authn-k8s/service-account: notebook-sa
          authn-k8s/deployment: notebook-deployment
          authn-k8s/authentication-container-name: authenticator
      - !host
        id: user-2
        annotations:
          authn-k8s/namespace: notebook-namespace
          authn-k8s/service-account: notebook-sa
          authn-k8s/deployment: notebook-deployment
          authn-k8s/authentication-container-name: authenticator
      - !host
        id: user-3
        annotations:
          authn-k8s/namespace: notebook-namespace
          authn-k8s/service-account: notebook-sa
          authn-k8s/deployment: notebook-deployment
          authn-k8s/authentication-container-name: authenticator

    # Make every host above a member of the layer
    - !grant
      role: !layer
      members: *hosts
File app-grants.yml:
# Grant permission for hosts in the notebook-users layer to authenticate via the kubernetes authenticator.
# app-identities.yml defines notebook-users as a layer (not a group), so it is referenced as !layer here.
- !grant
  role: !group conjur/authn-k8s/my-authenticator-id/consumers
  members:
    - !layer conjur/authn-k8s/my-authenticator-id/notebook-users

# Grant permission for the appropriate hosts to read and execute app variables
# (the user-group-a / user-group-b groups are defined in app-policy.yml, which must be loaded first)
- !grant
  role: !group user-group-a
  members:
    - !host conjur/authn-k8s/my-authenticator-id/notebook-users/user-1
    - !host conjur/authn-k8s/my-authenticator-id/notebook-users/user-2

- !grant
  role: !group user-group-b
  members:
    - !host conjur/authn-k8s/my-authenticator-id/notebook-users/user-3
File app-policy.yml:
- !policy
  id: user-group-a
  annotations:
    description: This policy contains the credentials for users group A
  body:
    # Group with no explicit id takes the policy id: user-group-a
    - !group

    - &credential-variables
      - !variable username
      - !variable password

    - !permit
      role: !group
      privileges: [ read, execute ]
      resources: *credential-variables

- !policy
  id: user-group-b
  annotations:
    description: This policy contains the credentials for users group B
  body:
    # Group with no explicit id takes the policy id: user-group-b
    - !group

    - &credential-variables
      - !variable username
      - !variable password

    - !permit
      role: !group
      privileges: [ read, execute ]
      resources: *credential-variables
With the policy above, when you deploy a Notebook Pod, you would set the CONJUR_AUTHN_LOGIN environment variable for the authn-k8s init container to e.g. one of the following:
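Added example, not part of the reply above and not Conjur's own code: a small Python model of how the two decisions in that reply combine, (1) the authn-k8s annotation check that decides whether a Pod may log in as a given host, and (2) the Conjur role graph (host -> layer -> consumers group; host -> user group -> variables) that decides which credentials that host can then read. Host IDs, annotations, groups and variables are taken from the policy files in the reply; the Pod attributes are constructed sample values. The matching rules are a simplification I am assuming from the authn-k8s annotation semantics (optional annotations are only checked when present; the authentication container name defaults to `authenticator`; the `deployment` annotation is modelled as a single attribute of the Pod rather than resolved through owner references).

```python
"""Model of authn-k8s identity matching plus Conjur role resolution for the
notebook-users policy. Added example; not code from the forum thread."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

AUTHN_ID = "conjur/authn-k8s/my-authenticator-id"
APPS = f"{AUTHN_ID}/notebook-users"           # policy id == layer id
CONSUMERS = f"group:{AUTHN_ID}/consumers"

# Host annotations from app-identities.yml. Note that all three hosts carry
# exactly the same annotations: pod attributes alone cannot tell them apart.
COMMON_ANNOTATIONS = {
    "authn-k8s/namespace": "notebook-namespace",
    "authn-k8s/service-account": "notebook-sa",
    "authn-k8s/deployment": "notebook-deployment",
    "authn-k8s/authentication-container-name": "authenticator",
}
HOSTS: Dict[str, Dict[str, str]] = {
    f"{APPS}/user-{n}": dict(COMMON_ANNOTATIONS) for n in (1, 2, 3)
}

# Role memberships from app-identities.yml (hosts -> layer) and
# app-grants.yml (layer -> consumers, hosts -> user groups).
MEMBERSHIPS: Dict[str, Set[str]] = {
    f"{APPS}/user-1": {f"layer:{APPS}", "group:user-group-a"},
    f"{APPS}/user-2": {f"layer:{APPS}", "group:user-group-a"},
    f"{APPS}/user-3": {f"layer:{APPS}", "group:user-group-b"},
    f"layer:{APPS}": {CONSUMERS},
}

# Permits from app-policy.yml: group -> variables it may read/execute.
PERMITS: Dict[str, Set[str]] = {
    "group:user-group-a": {"user-group-a/username", "user-group-a/password"},
    "group:user-group-b": {"user-group-b/username", "user-group-b/password"},
}


@dataclass(frozen=True)
class Pod:
    """Constructed view of the Pod attributes authn-k8s compares against."""
    namespace: str
    service_account: str
    deployment: Optional[str]
    containers: frozenset


def effective_roles(member: str) -> Set[str]:
    """Transitive closure of role memberships (Conjur roles form a graph)."""
    seen: Set[str] = set()
    stack = [member]
    while stack:
        role = stack.pop()
        for parent in MEMBERSHIPS.get(role, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def authn_allowed(host_id: str, pod: Pod) -> bool:
    """Login as host_id from this Pod succeeds only if the host exists, every
    annotation the host carries matches the Pod, and the host (via the layer)
    is a member of the authenticator's consumers group."""
    ann = HOSTS.get(host_id)
    if ann is None:
        return False
    actual = {
        "authn-k8s/namespace": pod.namespace,
        "authn-k8s/service-account": pod.service_account,
        "authn-k8s/deployment": pod.deployment,
    }
    for key, value in actual.items():
        if key in ann and ann[key] != value:   # optional keys checked only if set
            return False
    container = ann.get("authn-k8s/authentication-container-name", "authenticator")
    if container not in pod.containers:
        return False
    return CONSUMERS in effective_roles(host_id)


def readable_variables(host_id: str) -> Set[str]:
    """Variables a logged-in host can read: union of permits over its roles."""
    result: Set[str] = set()
    for role in effective_roles(host_id):
        result |= PERMITS.get(role, set())
    return result


def claimable_hosts(pod: Pod) -> list:
    """Every host identity a Pod with these attributes could authenticate as."""
    return sorted(h for h in HOSTS if authn_allowed(h, pod))


# Constructed sample Pods: one spawned Notebook, one from elsewhere.
NOTEBOOK_POD = Pod("notebook-namespace", "notebook-sa", "notebook-deployment",
                   frozenset({"notebook", "authenticator"}))
OTHER_POD = Pod("other-namespace", "notebook-sa", "notebook-deployment",
                frozenset({"notebook", "authenticator"}))

if __name__ == "__main__":
    for host in HOSTS:
        print(host, "->", sorted(readable_variables(host)))
    print("hosts a notebook pod could claim:", claimable_hosts(NOTEBOOK_POD))
    print("hosts the other pod could claim:", claimable_hosts(OTHER_POD))
```

Running it shows the property a reviewer should keep in mind with this design: because every host carries identical annotations, any Pod in `notebook-namespace` with `notebook-sa` and an `authenticator` container satisfies the check for all three hosts, so which user group a Notebook ends up in is decided solely by the `CONJUR_AUTHN_LOGIN` value the spawner sets. The per-group credential separation therefore rests on controlling who can set that value (the JupyterHub spawner configuration, not the notebook user), which is worth recording as a threat-model assumption and monitoring in Conjur's audit log (logins as a user host from an unexpected Pod name).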