Skip to content
This repository has been archived by the owner on Oct 23, 2023. It is now read-only.

Feat: Enable proxy-authorization in admin client #437

Closed
wants to merge 16 commits into from
Closed

Feat: Enable proxy-authorization in admin client #437

wants to merge 16 commits into from

Conversation

fg91
Copy link
Member

@fg91 fg91 commented Sep 10, 2023
edited
Loading

TL;DR

Part of an effort to integrate Flyte with GCP Identity Aware Proxy, see flyteorg/flyte#3965.

Allows the flyteidl admin client to sent a "proxy-authorization" header with every request to flyteadmin. Tokens for this header are created using an external command which is configured via the new proxyCommand config entry.

Same logic as was introduced in flytekit in flyteorg/flytekit#1787.

I replicated the existing logic in MaterializeCredentials and NewAuthInterceptor for the second token. The external command is called a single time per flytectl call.

Type

  • Bug Fix
  • Feature
  • Plugin

Are all requirements met?

  • Code completed
  • Smoke tested
  • Unit tests added
  • Code documentation added
  • Any pending items have an associated Issue

Complete description

See flyteorg/flyte#3965

Tracking Issue

Closes flyteorg/flyte#3965

Follow-up issue

NA

@fg91 fg91 self-assigned this Sep 10, 2023
@codecov
Copy link

codecov bot commented Sep 10, 2023
edited
Loading

Codecov Report

Patch coverage: 73.01% and project coverage change: +2.46% 🎉

Comparison is base (7f62a15) 75.92% compared to head (4141f5e) 78.39%.
Report is 2 commits behind head on master.

❗ Current head 4141f5e differs from pull request most recent head 89ab23c. Consider uploading reports for the commit 89ab23c to get more accurate results

Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #437      +/-   ##
==========================================
+ Coverage   75.92%   78.39%   +2.46%     
==========================================
  Files          18       18              
  Lines        1458     1296     -162     
==========================================
- Hits         1107     1016      -91     
+ Misses        294      217      -77     
- Partials       57       63       +6
Flag Coverage Δ
unittests ?

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed Coverage Δ
clients/go/admin/config.go 50.00% <ø> (ø)
clients/go/admin/client.go 84.68% <70.00%> (-2.54%) ⬇️
clients/go/admin/auth_interceptor.go 73.75% <71.73%> (+8.93%) ⬆️
clients/go/admin/pkce/auth_flow_orchestrator.go 51.02% <75.00%> (-13.98%) ⬇️
clients/go/admin/pkce/handle_app_call_back.go 94.11% <100.00%> (-0.76%) ⬇️

... and 13 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Fabio Grätz added 9 commits September 22, 2023 18:33
Add proxyCommand to client config
9b80f4d 
Signed-off-by: Fabio Grätz <[email protected]>
Add proxy auth unary interceptor
d6a2ac8 
Signed-off-by: Fabio Grätz <[email protected]>
Use proxy auth in http client for oauth
410e3bd 
Signed-off-by: Fabio Grätz <[email protected]>
Cache tokens obtained from external commands
e435a3a 
Signed-off-by: Fabio Grätz <[email protected]>
Make tests pass
cd5cc57 
Signed-off-by: Fabio Grätz <[email protected]>
Add tests for proxy auth interceptor
27b8e75 
Signed-off-by: Fabio Grätz <[email protected]>
Make work without 2nd token cache but instead with 2nd credentials fu…
ea9090e 
…ture

Signed-off-by: Fabio Grätz <[email protected]>
Adapt existing tests to not using a 2nd token cache but a 2nd credent…
7bce3d9 
…ials future

Signed-off-by: Fabio Grätz <[email protected]>
Adapt new tests to not using a 2nd token cache but a 2nd credentials …
132dbb9 
…future

Signed-off-by: Fabio Grätz <[email protected]>
@fg91 fg91 force-pushed the fg91/feat/proxy-authorization branch from 4a9735b to 132dbb9 Compare September 22, 2023 16:33
fg91
fg91 commented Sep 22, 2023
View reviewed changes
clients/go/admin/auth_interceptor.go
return proxyTokenSource, nil
}

func MaterializeProxyAuthCredentials(ctx context.Context, cfg *Config, proxyCredentialsFuture *PerRPCCredentialsFuture) error {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adapted from MaterializeAuthCredentials.

fg91
fg91 commented Sep 22, 2023
View reviewed changes
clients/go/admin/auth_interceptor.go
@@ -102,3 +156,18 @@ func NewAuthInterceptor(cfg *Config, tokenCache cache.TokenCache, credentialsFut
return err
}
}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adapted from NewAuthInterceptor.

fg91
fg91 commented Sep 22, 2023
View reviewed changes
clients/go/admin/pkce/handle_app_call_back.go
@@ -43,7 +43,8 @@ func getAuthServerCallbackHandler(c *oauth.Config, codeVerifier string, tokenCha
var opts []oauth2.AuthCodeOption
opts = append(opts, oauth2.SetAuthURLParam("code_verifier", codeVerifier))

token, err := c.Exchange(context.Background(), req.URL.Query().Get("code"), opts...)
ctx := context.WithValue(context.Background(), oauth2.HTTPClient, client)
token, err := c.Exchange(ctx, req.URL.Query().Get("code"), opts...)
if err != nil {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If using a proxy, we need to use the http client created in auth_interceptor.go to retrieve the token. So far, this client wasn't used.

fg91
fg91 commented Sep 22, 2023
View reviewed changes
clients/go/admin/auth_interceptor.go

err := invoker(ctx, method, req, reply, cc, opts...)
if err != nil {
newErr := MaterializeProxyAuthCredentials(ctx, cfg, proxyCredentialsFuture)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The external command is called a single time per call of flytectl. After the call of the external command, the credentials future is initialized and can be reused for further grpc calls.

Make tests pass again
fd10310 
Signed-off-by: Fabio Grätz <[email protected]>
@fg91 fg91 mentioned this pull request Sep 22, 2023
Closed
2 tasks
@fg91 fg91 marked this pull request as ready for review September 22, 2023 17:17
Lint
89ab23c 
Signed-off-by: Fabio Grätz <[email protected]>
@fg91 fg91 added the enhancement New feature or request label Sep 22, 2023
wild-endeavor
wild-endeavor approved these changes Oct 4, 2023
View reviewed changes
Copy link
Contributor

@wild-endeavor wild-endeavor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks okay by me. tested with existing aws clusters as well - client credentials, pkce, device flow all continue to work

@eapolinario eapolinario mentioned this pull request Oct 9, 2023
Merged
3 tasks
@eapolinario
Copy link
Contributor

I moved this PR to the monorepo: flyteorg/flyte#4189.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@wild-endeavor wild-endeavor wild-endeavor approved these changes

@EngHabu EngHabu Awaiting requested review from EngHabu

Assignees

@fg91 fg91

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Core feature] Make Flyte work with GCP Identity Aware Proxy (IAP)
3 participants
@fg91 @eapolinario @wild-endeavor