Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1748368

Summary: OAuth GitHub: Create custom resource fails unless optional fields organizations or team are present
Product: OpenShift Container Platform Reporter: Gilles Dubreuil <gdubreui>
Component: DocumentationAssignee: Andrea Hoffer <ahoffer>
Status: CLOSED CURRENTRELEASE QA Contact: pmali
Severity: low Docs Contact: Vikram Goyal <vigoyal>
Priority: low    
Version: 4.2.0CC: aos-bugs, jmatthew, jokerman, mfojtik, pmali, slaznick
Target Milestone: ---Keywords: Reopened
Target Release: 4.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-30 03:23:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gilles Dubreuil 2019-09-03 12:43:15 UTC
Description of problem:
Creating an Oauth provider for Github fails unless either the organizations or teams field is present with a value. Those fields are normally optional.

Version-Release number of selected component (if applicable):
$ oc version
oc v3.11.0+8de5c34
kubernetes v1.10.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://api.testxx1.lab.rdu2.cee.redhat.com:6443
kubernetes v1.13.4+a8c5f5b


To Reproduce:
1. Create a OAuth custom resource with empty organizations and teams fields 

--------oauth-github.yaml----------
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  creationTimestamp: null
  name: cluster
  namespace: openshift-config
spec:
  identityProviders:
  - github:
      ca:
        name: ""
      clientID: 3c76ea3f45d6777bffd7
      clientSecret:
        name: github-secret
      hostname: ""
      organizations: []
      teams: []
    mappingMethod: claim
    name: github123456789
    type: GitHub
status: {}
-----------------------------------

2. Apply the custom resource
$ oc apply -f oauth-github.yaml 


Actual results:
The OAuth "cluster" is invalid: spec.identityProviders[0].github: Invalid value: "null": one of organizations or teams must be specified unless hostname is set or lookup is used

Expected results:
oauth.config.openshift.io/cluster configured


Additional info:
If either organizations or teams field is filled up the resource is accepted and created.

Comment 1 Standa Laznicka 2019-09-03 12:57:48 UTC
Those fields are not optional in 4.x clusters as that would mean any user from the whole github would be allowed to access your cluster. To get your Github IdP working, you need to follow the steps in the validation error "The OAuth "cluster" is invalid: spec.identityProviders[0].github: Invalid value: "null": one of organizations or teams must be specified unless hostname is set or lookup is used".

Is there any reason you would like to have all github users be allowed to access your cluster?

Comment 2 Standa Laznicka 2019-09-04 08:57:09 UTC
I can see that this was opened solely because a migration tool was not able to migrate an insecure config, closing as NOTABUG.

Comment 3 Gilles Dubreuil 2019-09-04 11:03:31 UTC
I'm re-opening this BZ because the documentation [1] references organizations and teams fields as optional.

So either the documentation or the API service is wrong but this needs to be addressed.

[1] https://docs.openshift.com/container-platform/4.1/authentication/identity_providers/configuring-github-identity-provider.html#identity-provider-github-CR_configuring-github-identity-provider.


Also because this issue initially came from a migration tool is completely irrelevant and even discriminatory towards IMS teams.
But beyond that we have customers currently have started migration programs and engaged with our professional services.

And beyond please explain why this looks insecure as the description test set is a simple example to reproduce the issue.

Comment 4 Michal Fojtik 2019-09-04 12:09:55 UTC
Agree, we should update the documentation. This is not 4.2 blocking bugs. Standa can you open a pull against docs?

Comment 5 Standa Laznicka 2019-09-05 07:31:11 UTC
Gilles,

the explanation of this being insecure is contained in the first sentence of Comment 1, namely "any user from the whole github would be allowed to access your cluster".

I did not mean to diminish the importance of the migration effort, my point was that trying to have a migration path of such an insecure config which would require no user interaction is by itself not a good enough reason to have a bug about this behavior - I want a clear reason about why anyone would want this, until then it's not a bug for me.

I do agree that the documentation should probably be made clearer on when the organizations/teams fields are optional, the mention that these are actually required in some cases at a description of a different field might be confusing for people who don't read the documentation fully.

Andrea, could you please see to it?

Comment 6 Gilles Dubreuil 2019-09-05 12:38:45 UTC
Standa,

For the insecure part, I can't see why "any user form the whole github would be allowed to access your cluster".
Because each OAuth GitHub provider entry is bound to an uniquely defined github user name through its unique ID, see gidhubidp number (1) in [1],
and it goes along with a client ID which requires to register with GitHub OAuth application.
That allows a given GitHub user to authenticate independently of any restriction added (or not) by using organizations and teams as those fields only allow more filtering for a given user.

Regarding the organizations and teams fields, the documentation definitely needs to be revisited.
But there are currently issues as the behaviour is not as expected, independently of what the documentation means.

If those 2 fields are mandatory for non GitHub Enterprise then yes the documentation needs to be revisited.
Because description (7) and (8) says they're optionals no matter the mode (Enterprise or not). The only clearly stated restriction is that they are exclusive of each others.

What is, I think, wrong is the fact that behaviour from OCP 3.x [2] to OCP 4 is not supported, which doesn't make sense as I've explained above, it doesn't make anything more secure, as both fields are just allowing to filter out a given GitHub user to make them authenticated only if they belong to some organization(s) or team(s).

So in short, besides the documentation clarification, I believe the API server should make those fields optional in a non GitHub Enterprise case.


[1] https://docs.openshift.com/container-platform/4.1/authentication/identity_providers/configuring-github-identity-provider.html#identity-provider-github-CR_configuring-github-identity-provider
[2] https://docs.openshift.com/container-platform/3.11/install_config/configuring_authentication.html#config-github-auth-on-master

Comment 7 Standa Laznicka 2019-09-05 13:53:21 UTC
Gilles,

I believe you're looking at it from the perspective of a user, not the administrator of the cluster.

It's not very typical that you would like your organization's cluster be accessed by a random person from the internet who could then start creating namespaces and run workloads on it. Quite contrary - you usually want to limit the users of your cluster so that it's only people from your organizations using it. This is achieved by specifying teams/organizations or by having a GitHub Enterprise, which allows you to have your very own GitHub instance.

Believe me that we were aware of the changes that we were doing, and you will see that we've done some more security tightening in other identity provider configurations as well, beside some convenience improvements for the OIDC IdP. These are features from security perspective, not bugs.

Comment 8 Gilles Dubreuil 2019-09-06 09:47:47 UTC
Standa,

I perfectly understand changes are needed whether security driven or not.

Tests I did with OCP 3.x showed that the OAuth binding between OCP GitHub provider and GitHub app of a given user didn't let *a random* github user to authenticate bu I'm no security expert and maybe there was loopholes.
Just that this specific change still doesn't make sense and you have not convinced me.

But if that's the way it's from now on with OCP 4.2 then that's fine, we just need the documentation to be aligned and clearer.

Thanks

Comment 15 Andrea Hoffer 2020-09-08 20:38:06 UTC
PRs have been merged.