[che-dev] Devworkspaces and authentication & authorization

Hello
I would like to uncover some details [1] about the current state of the work
and share some insights about our plans.


First of all, why are we doing that? There are multiple reasons. The most noticeable are:
- Use standard protocols and techniques as much as possible.
- Get rid of Keycloak as a mandatory dependency.
- Have the same identity in all tools: in kubectl, oc, browser.

Where are we?
  We are at the stage when we are ready [2] to enable it for OpenShift with devworkspaces by default.
  OpenShift was our first choice because it has OAuth and identities out of the box.
  I have to admit that workspace endpoints are not protected yet from outside [3] and inside [4].

What about Kubernetes?
  There would be some prerequisites for k8s. OIDC has to be enabled [5].
  That might bring additional complexity on the chectl side.

What are we doing now?
 - Protection from outside [3] is our first priority.
   It has some dependencies [6] [7] which we hope would be resolved soon.

What is the plan with Che Workspace and Devworkspaces on the same instance?

  At this point, we don't expect them to work together at the same time.
  Our plan is to provide guidance on how to migrate the configuration from the stopped Che workspace to Devworkspaces. Additionally, we are going to forcibly stop all
  Che workspaces if the Devworkspaces engine is turned on.



[1] Epic Simplify authentication and authorization with a more flexible and lightweight approach https://github.com/eclipse/che/issues/19182
[2] [che-auth] - enable nativeUserMode by default on openshift with devworkspaces https://github.com/eclipse/che/issues/20203
[3] [che-auth] - secure workspace subpath endpoints in new auth gateway https://github.com/eclipse/che/issues/19707
[4] [che-auth] secure workspace services https://github.com/eclipse/che/issues/20190
[5] https://kubernetes.io/docs/reference/access-authn-authz/authentication
[6] Enable subpath mode for Che Theia editor in devworkspaces https://github.com/eclipse/che/issues/20180
[7] Merge DWCO and CO in a single codebase https://github.com/eclipse/che/issues/19408 

--

Sergii Kabashniuk

Principal Software Engineer, DevTools 

Red Hat

skabashniuk@xxxxxxxxxx    

