From 8faf8b20e15773f524262a6cf58d4d9062b4e960 Mon Sep 17 00:00:00 2001 From: Samhita Alla Date: Fri, 28 Oct 2022 11:56:48 +0530 Subject: [PATCH] Fix mermaid diagrams (#3033) * Update auth_appendix.rst Signed-off-by: Utsav Paul <91927689+Smartmind12@users.noreply.github.com> * fix mermaid diagrams Signed-off-by: Samhita Alla * fix mermaid diagrams Signed-off-by: Samhita Alla Signed-off-by: Utsav Paul <91927689+Smartmind12@users.noreply.github.com> Signed-off-by: Samhita Alla Co-authored-by: Utsav Paul <91927689+Smartmind12@users.noreply.github.com> --- .../cluster_config/auth_appendix.rst | 145 ++++++++++-------- 1 file changed, 77 insertions(+), 68 deletions(-) diff --git a/rsts/deployment/cluster_config/auth_appendix.rst b/rsts/deployment/cluster_config/auth_appendix.rst index 99eeb8887d..bdc6a79256 100644 --- a/rsts/deployment/cluster_config/auth_appendix.rst +++ b/rsts/deployment/cluster_config/auth_appendix.rst @@ -1,13 +1,14 @@ .. _deployment-cluster-config-auth-appendix: +###################################### Understanding Authentication in Detail ---------------------------------------- +###################################### .. _auth-openid-appendix: -############## +************** OpenID Connect -############## +************** Flyte supports OpenID Connect. A defacto standard for user authentication. After configuring OpenID Connect, users accessing flyte console or flytectl (or other 3rd party apps) will be prompted to authenticate using the configured @@ -39,9 +40,9 @@ provider. .. _auth-oauth2-appendix: -######## +****** OAuth2 -######## +****** Flyte supports OAuth2 to control access to 3rd party and native apps. FlyteAdmin comes with a built in Authorization Server that can perform 3-legged and 2-legged OAuth2 flows. It also supports delegating these responsibilities to an 
@@ -50,28 +51,34 @@ external Authorization Server. Service Authentication using OAuth2 =================================== -Propeller (and potentially other non-user facing services) can also authenticate using client_credentials to the Idp and -be granted an access_token valid to be used with admin and other backend services. +Propeller (and potentially other non-user facing services) can also authenticate using ``client_credentials`` to the IdP and +be granted an ``access_token`` to be used with admin and other backend services. -.. tabbed:: FlyteAdmin's builtin Authorization Server +FlyteAdmin's builtin Authorization Server +----------------------------------------- - .. mermaid:: - :alt: Service Authentication Swimlane +.. mermaid:: + :alt: Service Authentication Swimlane - sequenceDiagram - Propeller->>+Admin: /token?client_creds&scope=https://admin/ - Admin->>-Propeller: access_token - Propeller->>+Admin: /list_projects?token=access_token + sequenceDiagram + %%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%% + autonumber + Propeller->>+Admin: /token?client_creds&scope=https://admin/ + Admin->>-Propeller: access_token + Propeller->>+Admin: /list_projects?token=access_token -.. tabbed:: External Authorization Server +External Authorization Server +----------------------------- - .. mermaid:: - :alt: Service Authentication Swimlane +.. 
mermaid:: + :alt: Service Authentication Swimlane - sequenceDiagram - Propeller->>+External Authorization Server: /token?client_creds&scope=https://admin/ - External Authorization Server->>-Propeller: access_token - Propeller->>+Admin: /list_projects?token=access_token + sequenceDiagram + %%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%% + autonumber + Propeller->>+External Authorization Server: /token?client_creds&scope=https://admin/ + External Authorization Server->>-Propeller: access_token + Propeller->>+Admin: /list_projects?token=access_token User Authentication in other clients (e.g. Cli) using OAuth2-Pkce ================================================================== 
@@ -79,50 +86,52 @@ User Authentication in other clients (e.g. Cli) using OAuth2-Pkce Users accessing backend services through Cli should be able to use OAuth2-Pkce flow to authenticate (in a browser) to the Idp and be issued an access_token valid to communicate with the intended backend service on behalf of the user. -.. tabbed:: FlyteAdmin's builtin Authorization Server - - .. mermaid:: - :alt: CLI Authentication with Admin's own Authorization Server - - sequenceDiagram - %%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%% - autonumber - User->>+Cli: flytectl list-projects - Cli->>+Admin: admin/client-config - Admin->>-Cli: Client_id=, ... - Cli->>+Browser: /oauth2/authorize?pkce&code_challenge,client_id,scope - Browser->>+Admin: /oauth2/authorize?pkce... - Admin->>-Browser: 302 idp.com/login - Note over Browser,Admin: The prior OpenID Connect flow - Browser->>+Admin: admin/logged_in - Note over Browser,Admin: Potentially show custom consent screen - Admin->>-Browser: localhost/?authCode= - Browser->>+Cli: localhost/authCode= - Cli->>+Admin: /token?code,code_verifier - Admin->>-Cli: access_token - Cli->>+Admin: /projects/ + access_token - Admin->>-Cli: project1, project2 - -.. tabbed:: External Authorization Server - - .. mermaid:: - :alt: CLI Authentication with an external Authorization Server - - sequenceDiagram - %%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%% - autonumber - User->>+Cli: flytectl list-projects - Cli->>+Admin: admin/client-config - Admin->>-Cli: Client_id=, ... - Cli->>+Browser: /oauth2/authorize?pkce&code_challenge,client_id,scope - Browser->>+ExternalIdp: /oauth2/authorize?pkce... 
- ExternalIdp->>-Browser: 302 idp.com/login - Note over Browser,ExternalIdp: The prior OpenID Connect flow - Browser->>+ExternalIdp: /logged_in - Note over Browser,ExternalIdp: Potentially show custom consent screen - ExternalIdp->>-Browser: localhost/?authCode= - Browser->>+Cli: localhost/authCode= - Cli->>+ExternalIdp: /token?code,code_verifier - ExternalIdp->>-Cli: access_token - Cli->>+Admin: /projects/ + access_token - Admin->>-Cli: project1, project2 +FlyteAdmin's builtin Authorization Server +----------------------------------------- + +.. mermaid:: + :alt: CLI Authentication with Admin's own Authorization Server + + sequenceDiagram + %%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%% + autonumber + User->>+Cli: flytectl list-projects + Cli->>+Admin: admin/client-config + Admin->>-Cli: Client_id=, ... + Cli->>+Browser: /oauth2/authorize?pkce&code_challenge,client_id,scope + Browser->>+Admin: /oauth2/authorize?pkce... + Admin->>-Browser: 302 idp.com/login + Note over Browser,Admin: The prior OpenID Connect flow + Browser->>+Admin: admin/logged_in + Note over Browser,Admin: Potentially show custom consent screen + Admin->>-Browser: localhost/?authCode= + Browser->>+Cli: localhost/authCode= + Cli->>+Admin: /token?code,code_verifier + Admin->>-Cli: access_token + Cli->>+Admin: /projects/ + access_token + Admin->>-Cli: project1, project2 + +External Authorization Server +----------------------------- + +.. mermaid:: + :alt: CLI Authentication with an external Authorization Server + + sequenceDiagram + %%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%% + autonumber + User->>+Cli: flytectl list-projects + Cli->>+Admin: admin/client-config + Admin->>-Cli: Client_id=, ... + Cli->>+Browser: /oauth2/authorize?pkce&code_challenge,client_id,scope + Browser->>+ExternalIdp: /oauth2/authorize?pkce... 
+ ExternalIdp->>-Browser: 302 idp.com/login + Note over Browser,ExternalIdp: The prior OpenID Connect flow + Browser->>+ExternalIdp: /logged_in + Note over Browser,ExternalIdp: Potentially show custom consent screen + ExternalIdp->>-Browser: localhost/?authCode= + Browser->>+Cli: localhost/authCode= + Cli->>+ExternalIdp: /token?code,code_verifier + ExternalIdp->>-Cli: access_token + Cli->>+Admin: /projects/ + access_token + Admin->>-Cli: project1, project2
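Review bot: On hunk `@@ -1,13 +1,14 @@`, the page title now uses `#` over/underline and the OpenID Connect heading `*`, which lines up with the `=` and `-` levels used further down the file, so the nesting reads title, part, section, subsection; please check that the neighbouring pages under `rsts/deployment/cluster_config/` follow the same adornment order so this appendix does not become the odd one out. While this region is being touched, the context line `Flyte supports OpenID Connect. A defacto standard for user authentication.` is a sentence fragment; `Flyte supports OpenID Connect, a de facto standard for user authentication.` reads better, and `flyte console` in the next line should be capitalised consistently with the product name.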
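Review bot: On hunk `@@ -50,28 +51,34 @@`, the request lines `Propeller->>+Admin: /token?client_creds&scope=https://admin/` and `Propeller->>+Admin: /list_projects?token=access_token` draw the client credentials and the bearer token as URL query parameters. In the client_credentials grant (RFC 6749 section 4.4) the client authenticates to the token endpoint and sends `grant_type` and `scope` in the POST body, and RFC 6750 expects the access token in the `Authorization: Bearer` header rather than a query parameter, which otherwise ends up in proxy and access logs. Since this is the diagram operators will read when wiring Propeller to an external IdP, consider labelling the arrows as `POST /token (grant_type=client_credentials, scope=...)` and `/list_projects` with `Authorization: Bearer access_token`, in both the builtin and the external variant. Secondary: the added `%%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%%` line copies the directive already present in the CLI diagrams, but the Mermaid directive key documented for configuration is `init`; please confirm `config` is actually honoured in the rendered docs and drop the line if it is silently ignored.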
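Review bot: On hunk `@@ -79,50 +86,52 @@`, the context paragraph still reads `to the Idp and be issued an access_token valid to communicate`, while the previous hunk changed the same wording to `IdP` and ``access_token`` with the literal markup; apply the same fix here so the two sections match. In the diagrams themselves, the PKCE flow carries `code_challenge` on the authorize request and `code_verifier` on the token request but no `state` parameter, and the callback is drawn as `Admin->>-Browser: localhost/?authCode=` followed by `Browser->>+Cli: localhost/authCode=`, two different paths and a non-standard parameter name. Because readers will treat this appendix as the reference for how the CLI login works, suggest showing `state` on both the authorize request and the callback (it is the CSRF binding for the authorization code flow, RFC 6749 section 10.12, and PKCE does not replace it), naming the callback parameter `code`, and using one consistent redirect path in both the Admin and the ExternalIdp variant.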