Fix mermaid diagrams (#3033)
* Update auth_appendix.rst

Signed-off-by: Utsav Paul <[email protected]>

* fix mermaid diagrams

Signed-off-by: Samhita Alla <[email protected]>

* fix mermaid diagrams

Signed-off-by: Samhita Alla <[email protected]>

Signed-off-by: Utsav Paul <[email protected]>
Signed-off-by: Samhita Alla <[email protected]>
Co-authored-by: Utsav Paul <[email protected]>
samhita-alla and Smartmind12 authored Oct 28, 2022
1 parent 0b6ddec commit 8faf8b2
Showing 1 changed file with 77 additions and 68 deletions.
145 changes: 77 additions & 68 deletions rsts/deployment/cluster_config/auth_appendix.rst
@@ -1,13 +1,14 @@
.. _deployment-cluster-config-auth-appendix:

######################################
Understanding Authentication in Detail
---------------------------------------
######################################

.. _auth-openid-appendix:

##############
**************
OpenID Connect
##############
**************

Flyte supports OpenID Connect. A defacto standard for user authentication. After configuring OpenID Connect, users
accessing flyte console or flytectl (or other 3rd party apps) will be prompted to authenticate using the configured
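Review bot: the document title is now well-formed. reStructuredText requires a section overline and underline to use the same character, so the old `######` over `------` pair would have been rejected as a title overline/underline mismatch; swapping the `------` for `######` is the right fix, and demoting `OpenID Connect` from `#` to `*` correctly places it one level below the document title instead of beside it (the `**************` adornment also exactly covers the 14-character heading). Two nits in the unchanged context lines: `OpenID Connect. A defacto standard for user authentication.` is a sentence fragment (suggest `OpenID Connect, a de facto standard for user authentication.`), and `flyte console` should be capitalised consistently with `FlyteAdmin` elsewhere in this file.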
@@ -39,9 +40,9 @@ provider.

.. _auth-oauth2-appendix:

########
******
OAuth2
########
******

Flyte supports OAuth2 to control access to 3rd party and native apps. FlyteAdmin comes with a built in Authorization
Server that can perform 3-legged and 2-legged OAuth2 flows. It also supports delegating these responsibilities to an
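Review bot: `******` is exactly the six characters of `OAuth2`, which is the minimum reStructuredText accepts; padding the adornment a few characters wider (as the previous `########` did) keeps a later edit of the heading from tripping a `Title underline too short` warning. The level change itself is consistent with the `OpenID Connect` section above. Nit in the context line: `built in Authorization Server` should be `built-in`.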
@@ -50,79 +51,87 @@ external Authorization Server.
Service Authentication using OAuth2
===================================

Propeller (and potentially other non-user facing services) can also authenticate using client_credentials to the Idp and
be granted an access_token valid to be used with admin and other backend services.
Propeller (and potentially other non-user facing services) can also authenticate using ``client_credentials`` to the IdP and
be granted an ``access_token`` to be used with admin and other backend services.

.. tabbed:: FlyteAdmin's builtin Authorization Server
FlyteAdmin's builtin Authorization Server
-----------------------------------------

.. mermaid::
:alt: Service Authentication Swimlane
.. mermaid::
:alt: Service Authentication Swimlane

sequenceDiagram
Propeller->>+Admin: /token?client_creds&scope=https://admin/
Admin->>-Propeller: access_token
Propeller->>+Admin: /list_projects?token=access_token
sequenceDiagram
%%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%%
autonumber
Propeller->>+Admin: /token?client_creds&scope=https://admin/
Admin->>-Propeller: access_token
Propeller->>+Admin: /list_projects?token=access_token

.. tabbed:: External Authorization Server
External Authorization Server
-----------------------------

.. mermaid::
:alt: Service Authentication Swimlane
.. mermaid::
:alt: Service Authentication Swimlane

sequenceDiagram
Propeller->>+External Authorization Server: /token?client_creds&scope=https://admin/
External Authorization Server->>-Propeller: access_token
Propeller->>+Admin: /list_projects?token=access_token
sequenceDiagram
%%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%%
autonumber
Propeller->>+External Authorization Server: /token?client_creds&scope=https://admin/
External Authorization Server->>-Propeller: access_token
Propeller->>+Admin: /list_projects?token=access_token

User Authentication in other clients (e.g. Cli) using OAuth2-Pkce
==================================================================

Users accessing backend services through Cli should be able to use OAuth2-Pkce flow to authenticate (in a browser) to the Idp and be issued
an access_token valid to communicate with the intended backend service on behalf of the user.

.. tabbed:: FlyteAdmin's builtin Authorization Server

.. mermaid::
:alt: CLI Authentication with Admin's own Authorization Server

sequenceDiagram
%%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%%
autonumber
User->>+Cli: flytectl list-projects
Cli->>+Admin: admin/client-config
Admin->>-Cli: Client_id=<abc>, ...
Cli->>+Browser: /oauth2/authorize?pkce&code_challenge,client_id,scope
Browser->>+Admin: /oauth2/authorize?pkce...
Admin->>-Browser: 302 idp.com/login
Note over Browser,Admin: The prior OpenID Connect flow
Browser->>+Admin: admin/logged_in
Note over Browser,Admin: Potentially show custom consent screen
Admin->>-Browser: localhost/?authCode=<abc>
Browser->>+Cli: localhost/authCode=<abc>
Cli->>+Admin: /token?code,code_verifier
Admin->>-Cli: access_token
Cli->>+Admin: /projects/ + access_token
Admin->>-Cli: project1, project2

.. tabbed:: External Authorization Server

.. mermaid::
:alt: CLI Authentication with an external Authorization Server

sequenceDiagram
%%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%%
autonumber
User->>+Cli: flytectl list-projects
Cli->>+Admin: admin/client-config
Admin->>-Cli: Client_id=<abc>, ...
Cli->>+Browser: /oauth2/authorize?pkce&code_challenge,client_id,scope
Browser->>+ExternalIdp: /oauth2/authorize?pkce...
ExternalIdp->>-Browser: 302 idp.com/login
Note over Browser,ExternalIdp: The prior OpenID Connect flow
Browser->>+ExternalIdp: /logged_in
Note over Browser,ExternalIdp: Potentially show custom consent screen
ExternalIdp->>-Browser: localhost/?authCode=<abc>
Browser->>+Cli: localhost/authCode=<abc>
Cli->>+ExternalIdp: /token?code,code_verifier
ExternalIdp->>-Cli: access_token
Cli->>+Admin: /projects/ + access_token
Admin->>-Cli: project1, project2
FlyteAdmin's builtin Authorization Server
-----------------------------------------

.. mermaid::
:alt: CLI Authentication with Admin's own Authorization Server

sequenceDiagram
%%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%%
autonumber
User->>+Cli: flytectl list-projects
Cli->>+Admin: admin/client-config
Admin->>-Cli: Client_id=<abc>, ...
Cli->>+Browser: /oauth2/authorize?pkce&code_challenge,client_id,scope
Browser->>+Admin: /oauth2/authorize?pkce...
Admin->>-Browser: 302 idp.com/login
Note over Browser,Admin: The prior OpenID Connect flow
Browser->>+Admin: admin/logged_in
Note over Browser,Admin: Potentially show custom consent screen
Admin->>-Browser: localhost/?authCode=<abc>
Browser->>+Cli: localhost/authCode=<abc>
Cli->>+Admin: /token?code,code_verifier
Admin->>-Cli: access_token
Cli->>+Admin: /projects/ + access_token
Admin->>-Cli: project1, project2

External Authorization Server
-----------------------------

.. mermaid::
:alt: CLI Authentication with an external Authorization Server

sequenceDiagram
%%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%%
autonumber
User->>+Cli: flytectl list-projects
Cli->>+Admin: admin/client-config
Admin->>-Cli: Client_id=<abc>, ...
Cli->>+Browser: /oauth2/authorize?pkce&code_challenge,client_id,scope
Browser->>+ExternalIdp: /oauth2/authorize?pkce...
ExternalIdp->>-Browser: 302 idp.com/login
Note over Browser,ExternalIdp: The prior OpenID Connect flow
Browser->>+ExternalIdp: /logged_in
Note over Browser,ExternalIdp: Potentially show custom consent screen
ExternalIdp->>-Browser: localhost/?authCode=<abc>
Browser->>+Cli: localhost/authCode=<abc>
Cli->>+ExternalIdp: /token?code,code_verifier
ExternalIdp->>-Cli: access_token
Cli->>+Admin: /projects/ + access_token
Admin->>-Cli: project1, project2

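Review bot: the `%%{config: { 'fontFamily': 'Menlo', ... } }%%` line added to all four diagrams uses a keyword Mermaid does not document; the directive keyword is `init` (`%%{init: { 'fontFamily': 'Menlo', 'fontSize': 10 } }%%`), and an unrecognised directive is dropped with a console warning, so the font settings would silently never apply. Mermaid's examples also place the directive on the first line, before `sequenceDiagram`, rather than between the diagram type and `autonumber`; please verify the rendered output in the docs build rather than trusting the source. Replacing the `.. tabbed::` directives with `-----` subsections is a reasonable fix for diagrams that would not render inside hidden tab panels, and the new headings sit correctly under the `===` sections. Two content points worth a follow-up since these lines are all new: the service swimlanes show the token as a URL query parameter (`/list_projects?token=access_token`, `/projects/ + access_token`); if FlyteAdmin actually expects an `Authorization: Bearer` header, the diagram should say so, because query-string tokens end up in proxy and server access logs. And in both PKCE diagrams the redirect is drawn as `localhost/?authCode=<abc>` on one step and `localhost/authCode=<abc>` on the next; the two should match, and the standard OAuth2 parameter name is `code`, so `localhost/?code=<abc>` would be clearer for readers comparing against RFC 6749.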