RUBY-3303 Add OIDC machine workflow auth (WIP) #2873

Draft: wants to merge 1 commit into base: master
Conversation

@durran durran (Member) commented Jun 3, 2024

Adds support for MONGODB-OIDC as an authentication mechanism for MongoDB server versions 7.0+. The currently supported facets to authenticate with are custom callback authentication, Azure machine authentication, and GCP machine authentication.

Azure Machine Authentication

The Mongo::Client must be instantiated with authMechanism=MONGODB-OIDC in the URI or in the client options. The auth mechanism properties TOKEN_RESOURCE and ENVIRONMENT are required, and an optional username can be provided. Example:

client = Mongo::Client.new('mongodb+srv://<username>@<host>:<port>/?authMechanism=MONGODB-OIDC&authMechanismProperties=TOKEN_RESOURCE:<azure_token>,ENVIRONMENT:azure')

GCP Machine Authentication

The Mongo::Client must be instantiated with authMechanism=MONGODB-OIDC in the URI or in the client options. The auth mechanism properties TOKEN_RESOURCE and ENVIRONMENT are required. Example:

client = Mongo::Client.new('mongodb+srv://<host>:<port>/?authMechanism=MONGODB-OIDC&authMechanismProperties=TOKEN_RESOURCE:<gcp_token>,ENVIRONMENT:gcp')

Custom Machine Callbacks

Users can provide a custom callback that returns a token from the environment without requiring user interaction. The callback must be passed as an instantiated class that defines one method execute that takes 3 named arguments :timeout, :version, and :username and returns a hash of { access_token: <value> }. The callback is then provided as an auth mechanism property to the mongo client as :oidc_callback.

require 'mongo'

# Custom machine callback: reads an access token from a file under TOKEN_DIR.
class OidcCallback
  attr_reader :token_file

  def initialize(token_file:)
    @token_file = token_file
  end

  # Called by the driver with the callback timeout, the callback API version,
  # and the (optional) username; must return { access_token: <value> }.
  def execute(timeout:, version:, username: nil)
    location = File.join(ENV.fetch('TOKEN_DIR'), token_file)
    token = File.read(location)
    { access_token: token }
  end
end

# The constructor takes a keyword argument, so it must be called with token_file:.
client = Mongo::Client.new(ENV.fetch('MONGODB_URI'),
  auth_mech_properties: {
    oidc_callback: OidcCallback.new(token_file: 'my_token_file')
  }
)

Notes

This is a WIP, starting as a Skunkworks project, and will continue to be expanded during the quarter.

Updates:

  • 03.06.2024: Initial PR, fleshing out design and unit tests.
  • 09.07.2024: Starting on the Evergreen task groups, setup working in EVG for Azure, GCP and AWS/Test
  • 12.07.2024: Azure prose tests passing.
  • 13.07.2024: GCP prose tests passing.
  • 16.07.2024: Starting on custom machine callback tests.
  • 17.07.2024: More tests, refactoring callback params to keyword params.
  • 18.07.2024: Passing all prose tests 1.x and 2.x
  • 19.07.2024: Starting on the refactoring of the auth providers to sit at cluster/client level.

https://spruce.mongodb.com/version/669aa98654b1ac0007081655/tasks?page=0&sorts=STATUS%3AASC%3BBASE_STATUS%3ADESC&variant=%5Etest-oidc-variant__mongodb-version~latest_topology~standalone_ruby~ruby-3.2_os~ubuntu2204_fle~helper%24
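A more defensive version of the custom machine callback described above, as an added example that is not part of the PR or the driver: it follows the same contract (one `execute` method with `timeout:`, `version:` and `username:` keyword arguments returning `{ access_token: ... }`), but rejects callback versions it does not understand, confines the token path to the token directory, refuses empty tokens, and honours the timeout it is given. `FileOidcCallback`, `CALLBACK_VERSION` and the `token_dir:` argument are names assumed here.

```ruby
require 'timeout'
require 'tmpdir'

# Added example, not the driver's code. Implements the machine-workflow OIDC
# callback contract from the PR description with a few defensive checks.
class FileOidcCallback
  # Assumption: the highest callback API version this class understands.
  CALLBACK_VERSION = 1

  attr_reader :token_dir, :token_file

  # token_dir defaults to TOKEN_DIR, as in the PR's example callback.
  def initialize(token_file:, token_dir: ENV.fetch('TOKEN_DIR'))
    @token_dir = token_dir
    @token_file = token_file
  end

  # timeout:  seconds the driver allows the callback to run
  # version:  callback API version the driver is speaking
  # username: optional principal name supplied by the driver
  def execute(timeout:, version:, username: nil)
    if version > CALLBACK_VERSION
      raise ArgumentError, "unsupported OIDC callback version #{version}"
    end
    deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout

    # File.basename keeps the lookup inside token_dir even if token_file
    # contains path separators or '..' components.
    path = File.join(token_dir, File.basename(token_file))
    token = File.read(path).strip
    raise "empty OIDC token in #{path}" if token.empty?

    if Process.clock_gettime(Process::CLOCK_MONOTONIC) > deadline
      raise Timeout::Error, 'OIDC token read exceeded callback timeout'
    end
    # Never log or include the token value in error messages.
    { access_token: token }
  end
end

# Wiring it into the client looks the same as in the PR (requires the mongo gem):
#   Mongo::Client.new(ENV.fetch('MONGODB_URI'),
#     auth_mech_properties: { oidc_callback: FileOidcCallback.new(token_file: 'my_token_file') })
```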

@durran durran changed the title RUBY-3303 Add OIDC machine workflow auth [WIP] RUBY-3303 Add OIDC machine workflow auth (WIP) Jun 3, 2024
@durran durran force-pushed the RUBY-3303 branch 3 times, most recently from f004c62 to 0805e63 on June 5, 2024 22:18
@durran durran force-pushed the RUBY-3303 branch 3 times, most recently from a4f29f8 to 224167b on June 5, 2024 22:43
@durran durran force-pushed the RUBY-3303 branch 21 times, most recently from e498b7e to a6b8ce3 on July 11, 2024 20:30