Step 2: Generate multitenant tokens in OpenShift vSphere
Summary and Key concepts
Summary
This article outlines the steps to generate and manage authentication tokens for Portworx using the pxctl
command-line tool. It explains how to retrieve the shared secret stored in a Kubernetes secret, create tokens for storage administrators and tenants, and store those tokens securely in Kubernetes. These tokens are crucial for securing communication between Kubernetes and Portworx, ensuring that only authorized users can access storage resources. The article also covers how to manage tenant accounts by namespaces and how to prevent specific Kubernetes resources, like secrets, from being backed up by tools like Stork and PX-Backup.
Kubernetes Concepts
- Secret: Used to store sensitive data, such as authentication tokens, securely.
- Namespace: Used to isolate tenant resources and store tenant-specific tokens.
- kubectl: Command-line tool used to interact with Kubernetes clusters, including managing secrets and tokens.
- Annotation: Used to store metadata on Kubernetes objects, such as preventing certain resources from being backed up.
Portworx Concepts
- pxctl: The Portworx command-line tool used for managing clusters and generating authentication tokens.
- PX-Security: The security framework that secures communication between Kubernetes and Portworx.
- Administrator Role: A role that provides full access to manage Portworx resources, similar to the root user in Linux.
Now that the system is up and running, you can create tokens.
If you want to create your own application to generate tokens, you can base it on our open source golang example application openstorage-sdk-auth
SSH to one of your nodes and follow the steps below to use pxctl
to generate tokens:
Fetching the shared secret
Fetch the shared secret, which is stored in a
Kubernetes secret. Below, the secret is saved in the
environment variable $PORTWORX_AUTH_SHARED_SECRET
.
Get the shared secret:
PORTWORX_AUTH_SHARED_SECRET=$(oc -n kube-system get \
secret px-shared-secret -o json \
| jq -r '.data."shared-secret"' \
| base64 -d)
Generate a storage admin token
pxctl
uses YAML configuration files to create tokens.
You must create a token for the storage admin used for pxctl
to manage Portworx(like root in Linux)
-
Create a file called
admin.yaml
with the the following:name: Storage Administrator
email: the email of the storage admin
sub: ${uuid} or email of the storage admin
roles: ["system.admin"]
groups: ["*"] -
Create a token for the storage administrator using
admin.yaml
. In the example below:-
The issuer matches the setting in the Portworx manifest of
portworx.com
as the set value for-jwt-issuer
. -
The example sets the duration of the token to one year -- You may want to adjust it to a much shorter duration if you plan on refreshing the token often.
ADMIN_TOKEN=$(/opt/pwx/bin/pxctl auth token generate \
--auth-config=admin.yaml \
--issuer=portworx.com \
--shared-secret=$PORTWORX_AUTH_SHARED_SECRET \
--token-duration=1y)
-
-
Save the storage admin token in the
pxctl
context:/opt/pwx/bin/pxctl context create admin --token=$ADMIN_TOKEN
Generate tenant tokens
This model is based on isolating tenant accounts by namespaces. You will need to create an account for the tenant in Kubernetes and restrict it to one or more namespaces. You will then store the tenant's token in each namespace they own.
The following steps provide instructions for creating and storing the token in a namespace for the tenant:
-
Create a file called
tenant-name.yaml
with the following:name: <Tenant name>
email: <Tenant email>
sub: ${uuid} or email of the tenant
roles: ["system.user"]
groups: ["<groups the tenant participate if any"]noteThe
sub
is the unique identifier for this user and most not be shared amongst other tokens according to the JWT standard. This is the value used by Portworx to track ownership of resources. Ifemail
is also used as thesub
unique identifier, please make sure it is not used by any other tokens. You can find more information on the rules of each of the value on the openstorage-sdk-auth repo. -
Create a token for the Kubernetes using
tenant-name.yaml
:TENANT_TOKEN=$(/opt/pwx/bin/pxctl auth token generate \
--auth-config=tenant-name.yaml \
--issuer=portworx.com \
--shared-secret=$PORTWORX_AUTH_SHARED_SECRET \
--token-duration=1y)
-
Save the tenant Kubernetes token in a secret called
<tenant namespace>/px-user-token
:oc -n <tenant namespace> create secret \
generic px-user-token --from-literal=auth-token=$TENANT_TOKEN -
Annotate the Kubernetes secret so that other components like Stork and PX-Backup do not backup this resource.
oc -n <tenant namespace> annotate secret px-user-token \
stork.libopenstorage.org/skipresource=true
Kubernetes storage classes can now be set up to use this secret to get access to the token to communicate with Portworx.
Once you have completed the steps in this section, continue to the next section.