Authentication Support for Java & Go SDKs #971

mrzzy · 2020-09-01T04:27:51Z

What this PR does / why we need it:

Implements support for authentication to Go and Java SDKs, which is required for interacting with a authentication enabled Feast Serving:

Update Feast clients to attach OIDC token used for authentication into metadata when enabled.
Allows users to provide credentials via Google, OAuth Client Credentials request, or a Static token.
- Google: Uses user provided Service Account Credentials (ie JSON) to obtain token.
- OAuth Client Credentials: Makes a client credentials request to obtain token.
- Static: Uses a user provided static token.

Continuation of #504

Which issue(s) this PR fixes:

Fixes #950

Does this PR introduce a user-facing change?:

Adds authentication support to Go and Java SDKs via Google, OAuth Client Credentials request, or a Static token.

mrzzy · 2020-09-02T10:49:03Z

/retest

.prow/config.yaml

woop · 2020-09-03T06:22:28Z

common/src/main/java/feast/common/auth/credentials/GoogleAuthCredentials.java

 */
 public class GoogleAuthCredentials extends CallCredentials {
  private final IdTokenCredentials credentials;
  private static final String BEARER_TYPE = "Bearer";
  private static final Metadata.Key<String> AUTHORIZATION_METADATA_KEY =
      Metadata.Key.of("Authorization", ASCII_STRING_MARSHALLER);

+  /**
+   * Constructa new GoogleAuthCredentials with given options.


infra/scripts/setup-common-functions.sh

woop · 2020-09-03T06:40:29Z

infra/scripts/test-end-to-end.sh

@@ -5,11 +5,13 @@ set -o pipefail
 [[ $1 == "True" ]] && ENABLE_AUTH="true" || ENABLE_AUTH="false"
 echo "Authenication enabled : ${ENABLE_AUTH}"

-test -z ${GOOGLE_APPLICATION_CREDENTIALS} && GOOGLE_APPLICATION_CREDENTIALS="/etc/gcloud/service-account.json"
+test -z ${GOOGLE_APPLICATION_CREDENTIALS} && GOOGLE_APPLICATION_CREDENTIALS=""


Why are we clearing that configuration? Isn't that a default?

install_gcloud_sdk() tries to activate service account credential if this variable is set. Under the current .prow/config.yaml test-end-to-end does not expose the service account key.json and the end to end test fails because it cant find key.json. I added a if conditional to install_gcloud_sdk() to check this variable is set before trying to activate service account credentials.

infra/scripts/test-end-to-end.sh

tests/e2e/java/pom.xml

tests/e2e/go/e2e_test.go

mrzzy · 2020-09-04T01:00:57Z

Reverted the E2E test changes for another PR.

…d for feast authentication

…entials as they are to become user facing apis.

…s implementation.

…entations.

…horization instead of authentication options.

…pcMessageInterceptor

feast-ci-bot · 2020-09-04T08:27:20Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mrzzy, pyalex

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [pyalex]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

pyalex · 2020-09-04T08:27:26Z

/lgtm

mrzzy requested review from davidheryanto, khorshuheng, pyalex, woop and zhilingc as code owners September 1, 2020 04:27

feast-ci-bot added do-not-merge/work-in-progress needs-kind size/XL size/XXL and removed size/XL labels Sep 1, 2020

mrzzy changed the title ~~WIP: Authentication Support for Java & Go SDKs.~~ Authentication Support for Java & Go SDKs. Sep 3, 2020

feast-ci-bot removed the do-not-merge/work-in-progress label Sep 3, 2020

mrzzy added area/sdks kind/feature New feature or request labels Sep 3, 2020

feast-ci-bot removed the needs-kind label Sep 3, 2020

mrzzy changed the title ~~Authentication Support for Java & Go SDKs.~~ Authentication Support for Java & Go SDKs Sep 3, 2020