implement plugin authentication, finer-grained restrictions/validation. #183
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
klihub
force-pushed
the
devel/plugin-authentication
branch
4 times, most recently
from
d47b6d6 to
34a751d
Compare
klihub
changed the title
klihub
force-pushed
the
devel/plugin-authentication
branch
from
34a751d to
1e28cf6
Compare
klihub
force-pushed
the
devel/plugin-authentication
branch
from
1e28cf6 to
3997cb8
Compare
klihub
force-pushed
the
devel/plugin-authentication
branch
2 times, most recently
from
c7f97fc to
99fec92
Compare
klihub
force-pushed
the
devel/plugin-authentication
branch
from
99fec92 to
63d8c5d
Compare
klihub
changed the title
chrishenzie
reviewed
Sep 15, 2025
pkg/adaptation/plugin.go
Outdated
| } | ||
|
|
||
| p.role.algo = algo | ||
| chal, key, err := p.role.algo.Challenge([]byte("XXtmpXXX"), req.PublicKey) |
There was a problem hiding this comment.
Judging by the name, I'm assuming this will be replaced? Should this be a random seed?
There was a problem hiding this comment.
Argh... that was already supposed to be replaced by a random seed. Thanks for spotting it !
klihub
force-pushed
the
devel/plugin-authentication
branch
from
63d8c5d to
cceb324
Compare
klihub
force-pushed
the
devel/plugin-authentication
branch
from
cceb324 to
8fe3f62
Compare
Neither assume that we have a single proto definition nor hardcode proto file locations for post-processing actions based on such an assumption. Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Add a service and protocol for challenge-response authentication. Define an interface for authentication implementations. Implement a default authentication, mostly based on the ideas described in containerd#152, the proposal for plugin authentication. Add examples/keygen.go for generating key pairs for this default implementation. Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Add optional authentication-related information to the list of plugin instances for validation. This should allow finer- grained validation including loser or stricter restrictions for authenticated vs. unauthenticated plugins. Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Add a new option for acquiring a public/private key pair from an external source for authenticating with the runtime. Using this option implicitly enables plugin authentication prior to registration. Also add a new environment variable to read keys from files. Together with bind-mounted secrets, this should provide enough plumbing to enable transparent authentication of containerized plugins. Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Add support for plugin authentication. Authenticating a plugin associates it with a role. A role has a unique name and it can have an optional set of associated tags. These tags are opaque, carrying no semantic meaning for authentication or NRI itself. However, tags can have associated semantics during validation and authorize plugins to perform otherwise restricted actions. This is the primary intended usage for tags: allow validators to associate rights with tags instead of role names. Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Implement role based overrides for authenticated plugins. This allows setting a restrictive default configuration and override it with more liberal configuration for some plugins/roles. Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Update documentation for plugin authentication and validation. Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
klihub
force-pushed
the
devel/plugin-authentication
branch
from
8fe3f62 to
7739284
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements plugin authentication. The sole purpose of authenticated plugins is to allow finer-grained restrictions of selected NRI features than just a global on/off. This PR also updates the builtin default validator to allow finer-grained restrictions using overrides for authenticated plugins.
In particular the patch series
Here are working trees of updated runtimes with support for authenticated NRI plugins and finer-grained validation using an NRI tree with this PR: