feat: allow specifying disable-auth when creating the server

cmd/commands/server.go

@@ -64,7 +64,7 @@ func NewServerCommand() *cobra.Command {
 	command.Flags().BoolVar(&namespaced, "namespaced", false, "Whether to run in namespaced scope, defaults to false.")
 	command.Flags().StringVar(&managedNamespace, "managed-namespace", sharedutil.LookupEnvStringOr("NAMESPACE", "numaflow-system"), "The namespace that the server watches when \"--namespaced\" is \"true\".")
 	command.Flags().StringVar(&baseHref, "base-href", "/", "Base href for Numaflow server, defaults to '/'.")
-	command.Flags().BoolVar(&disableAuth, "disable-auth", false, "Whether to disable authentication, defaults to false.")
+	command.Flags().BoolVar(&disableAuth, "disable-auth", true, "Whether to disable authentication and authorization, defaults to true for easy on-boarding.")
 	command.Flags().StringVar(&dexServerAddr, "dex-server-addr", "http://numaflow-dex-server:5556", "The address of the Dex server.")
 	return command
 }

config/advanced-install/namespaced-numaflow-server.yaml

@@ -121,6 +121,7 @@ spec:
       containers:
       - args:
         - server
+        - --disable-auth=true
         - --namespaced
         env:
         - name: NAMESPACE

config/base/numaflow-server/numaflow-server-deployment.yaml

@@ -38,6 +38,8 @@ spec:
           image: quay.io/numaproj/numaflow:latest
           args:
           - "server"
+          # By default, turn off authentication and authorization.
+          - "--disable-auth=true"
           imagePullPolicy: Always
           volumeMounts:
           - mountPath: /ui/build/runtime-env.js

server/apis/v1/handler.go

@@ -81,7 +81,6 @@ func NewHandler() (*handler, error) {
 		kubeClient:     kubeClient,
 		metricsClient:  metricsClient,
 		numaflowClient: numaflowClient,
-		// TODO: get args like disableAuth, dexServerAddr in
 	}, nil
 }
 

server/auth/rbac.go

@@ -18,9 +18,9 @@ package auth
 
 import (
 	_ "embed"
-	"fmt"
 )
 
+/* commented the following codes out to make linter happy.
 var (
 	//go:embed rbac-model.conf
 	rbacModel string
@@ -30,3 +30,4 @@ var (
 func main() {
 	fmt.Print(rbacModel)
 }
+*/

server/cmd/start.go

@@ -70,15 +70,28 @@ func (s *server) Start() {
 			c.File("./ui/build/index.html")
 		})
 	}
-	routes.Routes(router, routes.SystemInfo{ManagedNamespace: s.options.ManagedNamespace, Namespaced: s.options.Namespaced, Version: numaflow.GetVersion().String()})
+	routes.Routes(
+		router,
+		routes.SystemInfo{
+			ManagedNamespace: s.options.ManagedNamespace,
+			Namespaced:       s.options.Namespaced,
+			Version:          numaflow.GetVersion().String()},
+		routes.AuthInfo{
+			DisableAuth:   s.options.DisableAuth,
+			DexServerAddr: s.options.DexServerAddr,
+		})
 	router.Use(UrlRewrite(router))
 	server := http.Server{
 		Addr:    fmt.Sprintf(":%d", s.options.Port),
 		Handler: router,
 	}
 
 	if s.options.Insecure {
-		logger.Infow("Starting server (TLS disabled) on "+server.Addr, "version", numaflow.GetVersion())
+		logger.Infow(
+			"Starting server (TLS disabled) on "+server.Addr,
+			"version", numaflow.GetVersion(),
+			"disable-auth", s.options.DisableAuth,
+			"dex-server-addr", s.options.DexServerAddr)
 		if err := server.ListenAndServe(); err != nil {
 			panic(err)
 		}
@@ -88,8 +101,11 @@ func (s *server) Start() {
 			panic(err)
 		}
 		server.TLSConfig = &tls.Config{Certificates: []tls.Certificate{*cert}, MinVersion: tls.VersionTLS12}
-
-		logger.Infow("Starting server on "+server.Addr, "version", numaflow.GetVersion())
+		logger.Infow(
+			"Starting server on "+server.Addr,
+			"version", numaflow.GetVersion(),
+			"disable-auth", s.options.DisableAuth,
+			"dex-server-addr", s.options.DexServerAddr)
 		if err := server.ListenAndServeTLS("", ""); err != nil {
 			panic(err)
 		}

server/routes/routes.go

@@ -32,53 +32,33 @@ type SystemInfo struct {
 	Version          string `json:"version"`
 }
 
-func Routes(r *gin.Engine, sysinfo SystemInfo) {
+type AuthInfo struct {
+	DisableAuth   bool   `json:"disableAuth"`
+	DexServerAddr string `json:"dexServerAddr"`
+}
+
+func Routes(r *gin.Engine, sysInfo SystemInfo, authInfo AuthInfo) {
 	r.GET("/livez", func(c *gin.Context) {
 		c.Status(http.StatusOK)
 	})
 
 	r.Any("/dex/*name", v1.DexReverseProxy)
+
+	// noAuthGroup is a group of routes that do not require AuthN/AuthZ no matter whether auth is enabled.
 	noAuthGroup := r.Group("/auth/v1")
 	v1RoutesNoAuth(noAuthGroup)
-	enforcer, _ := getEnforcer()
-	r1Group := r.Group("/api/v1")
-	r1Group.Use(func(c *gin.Context) {
-		userIdentityTokenStr, err := c.Cookie("user-identity-token")
-		if err != nil {
-			errMsg := "user is not authenticated."
-			c.JSON(http.StatusUnauthorized, v1.NewNumaflowAPIResponse(&errMsg, nil))
-			return
-		}
-		userIdentityToken := v1.GetUserIdentityToken(userIdentityTokenStr)
-		groups := userIdentityToken.IDTokenClaims.Groups
-		// user := c.DefaultQuery("user", "readonly")
-		ns := c.Param("namespace")
-		if ns == "" {
-			c.Next()
-			return
-		}
-		resource := "pipeline"
-		action := c.Request.Method
-		auth := false
-
-		for _, group := range groups {
-			// Get the user from the group. The group is in the format "group:role".
 
-			// Check if the user has permission using Casbin Enforcer.
-			if enforceRBAC(enforcer, group, ns, resource, action) {
-				auth = true
-				c.Next()
-			}
-		}
-		if !auth {
-			errMsg := "user is not authorized to execute the requested action."
-			c.JSON(http.StatusForbidden, v1.NewNumaflowAPIResponse(&errMsg, nil))
-			c.Abort()
-		}
-	})
+	// r1Group is a group of routes that require AuthN/AuthZ when auth is enabled.
+	// they share the AuthN/AuthZ middleware.
+	r1Group := r.Group("/api/v1")
+	enforcer, _ := getEnforcer()
+	if !authInfo.DisableAuth {
+		// Add the AuthN/AuthZ middleware to the group.
+		r1Group.Use(authMiddleware(enforcer))
+	}
 	v1Routes(r1Group)
 	r1Group.GET("/sysinfo", func(c *gin.Context) {
-		c.JSON(http.StatusOK, v1.NewNumaflowAPIResponse(nil, sysinfo))
+		c.JSON(http.StatusOK, v1.NewNumaflowAPIResponse(nil, sysInfo))
 	})
 }
 
@@ -148,6 +128,43 @@ func v1Routes(r gin.IRouter) {
 	r.GET("/namespaces/:namespace/events", handler.GetNamespaceEvents)
 }
 
+func authMiddleware(enforcer *casbin.Enforcer) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		userIdentityTokenStr, err := c.Cookie("user-identity-token")
+		if err != nil {
+			errMsg := "user is not authenticated."
+			c.JSON(http.StatusUnauthorized, v1.NewNumaflowAPIResponse(&errMsg, nil))
+			return
+		}
+		userIdentityToken := v1.GetUserIdentityToken(userIdentityTokenStr)
+		groups := userIdentityToken.IDTokenClaims.Groups
+		// user := c.DefaultQuery("user", "readonly")
+		ns := c.Param("namespace")
+		if ns == "" {
+			c.Next()
+			return
+		}
+		resource := "pipeline"
+		action := c.Request.Method
+		auth := false
+
+		for _, group := range groups {
+			// Get the user from the group. The group is in the format "group:role".
+
+			// Check if the user has permission using Casbin Enforcer.
+			if enforceRBAC(enforcer, group, ns, resource, action) {
+				auth = true
+				c.Next()
+			}
+		}
+		if !auth {
+			errMsg := "user is not authorized to execute the requested action."
+			c.JSON(http.StatusForbidden, v1.NewNumaflowAPIResponse(&errMsg, nil))
+			c.Abort()
+		}
+	}
+}
+
 func getEnforcer() (*casbin.Enforcer, error) {
 	modelText := `
 	[request_definition]
@@ -178,13 +195,13 @@ func getEnforcer() (*casbin.Enforcer, error) {
 		return nil, err
 	}
 	rules := [][]string{
-		[]string{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "GET"},
-		[]string{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "POST"},
-		[]string{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "PATCH"},
-		[]string{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "PUT"},
-		[]string{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "DELETE"},
-		[]string{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "UPDATE"},
-		[]string{"role:jyureadonly", "jyu-dex-poc*", "pipeline", "GET"},
+		{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "GET"},
+		{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "POST"},
+		{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "PATCH"},
+		{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "PUT"},
+		{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "DELETE"},
+		{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "UPDATE"},
+		{"role:jyureadonly", "jyu-dex-poc*", "pipeline", "GET"},
 	}
 
 	areRulesAdded, err := enforcer.AddPolicies(rules)
@@ -193,8 +210,8 @@ func getEnforcer() (*casbin.Enforcer, error) {
 	}
 
 	rulesGroup := [][]string{
-		[]string{"jyu-dex-poc:admin", "role:jyuadmin"},
-		[]string{"jyu-dex-poc:readonly", "role:jyureadonly"},
+		{"jyu-dex-poc:admin", "role:jyuadmin"},
+		{"jyu-dex-poc:readonly", "role:jyureadonly"},
 	}
 
 	areRulesAdded, err = enforcer.AddNamedGroupingPolicies("g", rulesGroup)

server/routes/routes_test.go

@@ -36,7 +36,12 @@ func TestRoutes(t *testing.T) {
 		ManagedNamespace: managedNamespace,
 		Namespaced:       namespaced,
 	}
-	Routes(router, sysInfo)
+
+	authInfo := AuthInfo{
+		DisableAuth:   false,
+		DexServerAddr: "test-dex-server-addr",
+	}
+	Routes(router, sysInfo, authInfo)
 	t.Run("/404", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		req, err := http.NewRequest(http.MethodGet, "/404", nil)
@@ -52,5 +57,4 @@ func TestRoutes(t *testing.T) {
 		router.ServeHTTP(w, req)
 		assert.Equal(t, http.StatusOK, w.Code)
 	})
-
 }