Re: [Dev] Integrating WSO2 IS with Kubernetes

2016-02-16 Thread Isuru Haththotuwa
Hi,

Had an offline chat with Nishadi on this.

On Tue, Feb 16, 2016 at 1:55 PM, Imesh Gunaratne  wrote:

> Hi Nishadi,
>
> On Tue, Feb 16, 2016 at 12:10 PM, Nishadi Kirielle 
> wrote:
>
>> Hi,
>>
>> As of now, it seems LDAP integration of Kubernetes with IS has two basic
>> approaches.
>>
>> The first approach is to directly integrate LDAP with Kubernetes. It requires
>> the authentication and authorization process to go through an LDAP
>> connector. Although Kismatic has an LDAP/AD integration, it does not seem to
>> be a complete implementation. [1]
>>
> IMO this is the best approach. Why do you say Kismatic K8S LDAP
> integration is not complete?
>
As pointed out by Nishadi, [1] seems to be the relevant GitHub repository,
but it has not been updated since mid-2015. However, Kismatic has announced
that they actually support AD/LDAP integration with K8s [3].

>
>> Alternatively, we can do user provisioning through a client. The client
>> can retrieve users from the LDAP server and create contexts per user in K8s. A
>> context includes a namespace that is specific to a user group, a user and
>> the cluster that the user needs to access. Users can be given access to the
>> context with tokens / username-password credentials or through authorizing
>> certificates. This configuration can be done via the kube config file. [2] But
>> this approach replicates user data in K8s.
>>
>
> It would be difficult to manage if we replicate user data in two different
> systems.
>
Agree that the first approach is the best way, but inbound user provisioning is
also a standard way of managing users AFAIK. We can discuss this more with
Identity & Security experts.

>
> Thanks
>

[3]. https://kismatic.com/product/production-plugins/

>
>> Suggestions are highly appreciated.
>>
>> [1]. https://github.com/kismatic/kubernetes-ldap
>> [2]. http://kubernetes.io/v1.1/docs/user-guide/kubeconfig-file.html


-- 
Thanks and Regards,

Isuru H.
+94 716 358 048
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Integrating WSO2 IS with Kubernetes

2016-02-16 Thread Imesh Gunaratne
Hi Nishadi,

On Tue, Feb 16, 2016 at 12:10 PM, Nishadi Kirielle  wrote:

> Hi,
>
> As of now, it seems LDAP integration of Kubernetes with IS has two basic
> approaches.
>
> The first approach is to directly integrate LDAP with Kubernetes. It requires
> the authentication and authorization process to go through an LDAP
> connector. Although Kismatic has an LDAP/AD integration, it does not seem to
> be a complete implementation. [1]
>
IMO this is the best approach. Why do you say Kismatic K8S LDAP
integration is not complete?

> Alternatively, we can do user provisioning through a client. The client can
> retrieve users from the LDAP server and create contexts per user in K8s. A
> context includes a namespace that is specific to a user group, a user and
> the cluster that the user needs to access. Users can be given access to the
> context with tokens / username-password credentials or through authorizing
> certificates. This configuration can be done via the kube config file. [2] But
> this approach replicates user data in K8s.
>

It would be difficult to manage if we replicate user data in two different
systems.

Thanks

>
> Suggestions are highly appreciated.
>
> [1]. https://github.com/kismatic/kubernetes-ldap
> [2]. http://kubernetes.io/v1.1/docs/user-guide/kubeconfig-file.html



-- 
*Imesh Gunaratne*
Senior Technical Lead
WSO2 Inc: http://wso2.com
T: +94 11 214 5345 M: +94 77 374 2057
W: http://imesh.gunaratne.org
Lean . Enterprise . Middleware


Re: [Dev] Integrating WSO2 IS with Kubernetes

2016-02-15 Thread Nishadi Kirielle
Hi,

As of now, it seems LDAP integration of Kubernetes with IS has two basic
approaches.

The first approach is to directly integrate LDAP with Kubernetes. It requires
the authentication and authorization process to go through an LDAP
connector. Although Kismatic has an LDAP/AD integration, it does not seem to
be a complete implementation. [1]

Alternatively, we can do user provisioning through a client. The client can
retrieve users from the LDAP server and create contexts per user in K8s. A
context includes a namespace that is specific to a user group, a user and
the cluster that the user needs to access. Users can be given access to the
context with tokens / username-password credentials or through authorizing
certificates. This configuration can be done via the kube config file. [2] But
this approach replicates user data in K8s.

Suggestions are highly appreciated.

[1]. https://github.com/kismatic/kubernetes-ldap
[2]. http://kubernetes.io/v1.1/docs/user-guide/kubeconfig-file.html




-- 
*Nishadi Kirielle*
*Software Engineering Intern*
Mobile : +94 (0) 714722148
Blog : http://nishadikirielle.blogspot.com/
nish...@wso2.com
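As an added illustration of the second approach in the message above (not code from the thread or from WSO2), a small provisioning client in Python that turns directory entries into per-user kubeconfig contexts: the LDAP entries, cluster details, group-to-namespace mapping and tokens are all constructed placeholders, and `diff_users` shows the replication cost that approach carries, namely that a user removed from LDAP must also be revoked from the generated config.

```python
from typing import Dict, List

# Constructed sample of what a provisioning client would pull from the directory:
# one entry per user with the groups it belongs to. Not real LDAP output.
LDAP_USERS = [
    {"uid": "alice", "groups": ["platform"]},
    {"uid": "bob",   "groups": ["projectCaribou"]},
    {"uid": "carol", "groups": ["projectCaribou", "platform"]},
]

# Assumed cluster definition; server URL and CA path are placeholders.
CLUSTER = {"name": "dev-cluster", "server": "https://k8s.example.invalid:6443",
           "certificate-authority": "/etc/kubernetes/ca.crt"}

# Assumed mapping from directory group to the namespace that group may use.
GROUP_NAMESPACES = {"platform": "platform", "projectCaribou": "project-caribou"}


def build_kubeconfig(users: List[Dict], tokens: Dict[str, str]) -> Dict:
    """Emit a kubeconfig structure with one context per (user, namespace) pair.

    `tokens` maps uid -> bearer token issued for that user (assumed to come from
    the identity provider); only the identity is copied out of LDAP, never the
    password hash or certificate.
    """
    cfg = {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": CLUSTER["name"],
                      "cluster": {k: v for k, v in CLUSTER.items() if k != "name"}}],
        "users": [], "contexts": [],
    }
    for entry in users:
        uid = entry["uid"]
        if uid not in tokens:
            continue  # no credential issued: no access, rather than an empty user stanza
        cfg["users"].append({"name": uid, "user": {"token": tokens[uid]}})
        for group in entry["groups"]:
            ns = GROUP_NAMESPACES.get(group)
            if ns is None:
                continue  # groups without a namespace mapping grant nothing
            cfg["contexts"].append({"name": f"{uid}@{ns}",
                                    "context": {"cluster": CLUSTER["name"],
                                                "user": uid, "namespace": ns}})
    return cfg


def diff_users(previous: Dict, users: List[Dict]) -> List[str]:
    """Users present in the previously generated config but gone from LDAP.

    Each name returned is a replicated identity that must be revoked, which is
    the maintenance cost of keeping user data in two systems."""
    current = {u["uid"] for u in users}
    return sorted(u["name"] for u in previous["users"] if u["name"] not in current)
```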


Re: [Dev] Integrating WSO2 IS with Kubernetes

2016-02-08 Thread Nishadi Kirielle
@Imesh : This configuration has to be done in the kube-apiserver. It provides
options to set the authorization mode in 'always allow', 'always deny' or
'ABAC' modes. In using ABAC mode, it provides an option
--authorization-policy-file to set the user-configured authorization policy. [1]

kube-apiserver --authorization-mode=ABAC
kube-apiserver --authorization-policy-file=<path-to-policy.jsonl>

@Chamila:
+1 for OpenLDAP.

[1].
https://github.com/kubernetes/kubernetes/blob/master/pkg/auth/authorizer/abac/example_policy_file.jsonl




-- 
*Nishadi Kirielle*
*Software Engineering Intern*
Mobile : +94 (0) 714722148
Blog : http://nishadikirielle.blogspot.com/
nish...@wso2.com
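An added example, not from the thread or from kube-apiserver itself: a minimal Python re-implementation of how a JSON-lines ABAC policy such as the one linked in [1] is evaluated, using the legacy one-object-per-line fields (user, group, readonly, resource, namespace; an absent field is treated as a wildcard, which is my reading of the legacy format) and denying by default. The policy lines and the requests in the comments are constructed samples.

```python
import json
from typing import Dict, List

# Constructed sample policy in the JSON-lines ABAC format: one JSON object per
# line. This is an illustrative re-implementation of the documented matching
# rules, not kube-apiserver's own authorizer code.
POLICY_JSONL = """\
# cluster admin: no restriction at all
{"user": "admin"}
# bob may only read, and only inside one namespace
{"user": "bob", "readonly": true, "namespace": "projectCaribou"}
# a directory group scoped to one resource type in one namespace
{"group": "developers", "namespace": "dev", "resource": "pods"}
# auditors get cluster-wide read access
{"group": "auditors", "readonly": true}
"""

# Verbs that a "readonly": true policy line is allowed to satisfy.
READ_VERBS = {"get", "list", "watch"}


def load_policy(text: str) -> List[Dict]:
    """Parse the JSONL policy, skipping blank lines and '#' comment lines."""
    policy = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            policy.append(json.loads(line))
    return policy


def _line_matches(line: Dict, user: str, groups: List[str],
                  verb: str, namespace: str, resource: str) -> bool:
    # Every attribute present in the policy line must match the request;
    # an attribute that is absent from the line matches anything.
    if line.get("user") and line["user"] != user:
        return False
    if line.get("group") and line["group"] not in groups:
        return False
    if line.get("readonly") and verb not in READ_VERBS:
        return False
    if line.get("namespace") and line["namespace"] != namespace:
        return False
    if line.get("resource") and line["resource"] != resource:
        return False
    return True


def authorize(policy: List[Dict], user: str, groups: List[str],
              verb: str, namespace: str = "", resource: str = "") -> bool:
    """Default deny: the request is allowed only if at least one line matches."""
    return any(_line_matches(line, user, groups, verb, namespace, resource)
               for line in policy)
```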


Re: [Dev] Integrating WSO2 IS with Kubernetes

2016-02-08 Thread Chamila De Alwis
Hi Nishadi,


On Mon, Feb 8, 2016 at 11:11 PM, Nishadi Kirielle  wrote:

> My initial plan is to connect an LDAP implementation like OpenDS or
> ApacheDS with Kubernetes.
>

Is OpenLDAP[1] not an option? It has a long track record and is the case
when most user scenarios are considered.


[1] - http://www.openldap.org/

Regards,
Chamila de Alwis
Committer and PMC Member - Apache Stratos
Software Engineer | WSO2 | +94772207163
Blog: code.chamiladealwis.com


Re: [Dev] Integrating WSO2 IS with Kubernetes

2016-02-08 Thread Imesh Gunaratne
Hi Nishadi,

On Mon, Feb 8, 2016 at 11:11 PM, Nishadi Kirielle  wrote:

> Hi All,
>
> As an initial step to be familiar with Kubernetes, I have set up a
> Kubernetes cluster and deployed some sample applications. [1] [2]
>
> In K8s, authorization and authentication happen as two separate steps.
> Available authorization implementations are as follows:
>
>- --authorization-mode=AlwaysDeny
>- --authorization-mode=AlwaysAllow
>- --authorization-mode=ABAC (user configured authorization policy)
>
> Where do we make this configuration?

Thanks

> Authentication policy basically uses client certificates, tokens or http
> basic auth to authenticate users for API calls.
>
> In accessing K8s API, although the provided command line interface is
> *kubectl*, in programmatic approach there are several client libraries
> for accessing K8s API from several languages. [3]
>
> My initial plan is to connect an LDAP implementation like OpenDS or
> ApacheDS with Kubernetes.
> Any suggestions are highly appreciated.
>
> Thanks
>
> [1].
> http://nishadikirielle.blogspot.com/2016/02/getting-started-with-kubernetes.html
> [2].
> http://nishadikirielle.blogspot.com/2016/02/kubernetes-at-first-glance.html
> [3]. http://kubernetes.io/v1.1/docs/devel/client-libraries.html
>



-- 
*Imesh Gunaratne*
Senior Technical Lead
WSO2 Inc: http://wso2.com
T: +94 11 214 5345 M: +94 77 374 2057
W: http://imesh.gunaratne.org
Lean . Enterprise . Middleware