diff --git a/doc-requirements.txt b/doc-requirements.txt index dd07b5639a..dae57cf76f 100644 --- a/doc-requirements.txt +++ b/doc-requirements.txt @@ -6,11 +6,11 @@ # alabaster==0.7.13 # via sphinx -astroid==2.14.1 +astroid==2.15.4 # via sphinx-autoapi -babel==2.11.0 +babel==2.12.1 # via sphinx -beautifulsoup4==4.11.2 +beautifulsoup4==4.12.2 # via # furo # sphinx-code-include @@ -18,7 +18,7 @@ certifi==2022.12.7 # via requests cfgv==3.3.1 # via pre-commit -charset-normalizer==3.0.1 +charset-normalizer==3.1.0 # via requests distlib==0.3.6 # via virtualenv @@ -27,11 +27,11 @@ docutils==0.17.1 # sphinx # sphinx-panels # sphinx-tabs -filelock==3.9.0 +filelock==3.12.0 # via virtualenv furo @ git+https://github.com/flyteorg/furo@main # via -r doc-requirements.in -googleapis-common-protos==1.58.0 +googleapis-common-protos==1.59.0 # via grpcio-status grpcio==1.48.2 # via @@ -39,13 +39,13 @@ grpcio==1.48.2 # grpcio-status grpcio-status==1.48.2 # via -r doc-requirements.in -identify==2.5.17 +identify==2.5.23 # via pre-commit idna==3.4 # via requests imagesize==1.4.1 # via sphinx -importlib-metadata==6.0.0 +importlib-metadata==6.6.0 # via sphinx jinja2==3.0.3 # via @@ -58,26 +58,22 @@ markupsafe==2.1.2 # via jinja2 nodeenv==1.7.0 # via pre-commit -packaging==23.0 +packaging==23.1 # via sphinx -pbr==5.11.1 - # via sphinxcontrib-video -platformdirs==2.6.2 +platformdirs==3.3.0 # via virtualenv -pre-commit==3.0.4 +pre-commit==3.2.2 # via sphinx-tags -protobuf==4.21.12 +protobuf==4.22.3 # via # googleapis-common-protos # grpcio-status -pygments==2.14.0 +pygments==2.15.1 # via # furo # sphinx # sphinx-prompt # sphinx-tabs -pytz==2022.7.1 - # via babel pyyaml==6.0 # via # pre-commit @@ -93,7 +89,7 @@ six==1.16.0 # sphinxext-remoteliteralinclude snowballstemmer==2.2.0 # via sphinx -soupsieve==2.3.2.post1 +soupsieve==2.4.1 # via beautifulsoup4 sphinx==4.5.0 # via @@ -109,14 +105,15 @@ sphinx==4.5.0 # sphinx-prompt # sphinx-tabs # sphinx-tags - # sphinxcontrib-youtube + # sphinxcontrib-video + # sphinxcontrib-yt sphinx-autoapi==2.0.1 # via -r doc-requirements.in sphinx-basic-ng==1.0.0b1 # via furo sphinx-code-include==1.1.1 # via -r doc-requirements.in -sphinx-copybutton==0.5.1 +sphinx-copybutton==0.5.2 # via -r doc-requirements.in sphinx-fontawesome==0.0.6 # via -r doc-requirements.in @@ -138,29 +135,29 @@ sphinxcontrib-htmlhelp==2.0.1 # via sphinx sphinxcontrib-jsmath==1.0.1 # via sphinx -sphinxcontrib-mermaid==0.7.1 +sphinxcontrib-mermaid==0.8.1 # via -r doc-requirements.in sphinxcontrib-qthelp==1.0.3 # via sphinx sphinxcontrib-serializinghtml==1.1.5 # via sphinx -sphinxcontrib-video==0.0.1.dev3 +sphinxcontrib-video==0.1.1 # via -r doc-requirements.in sphinxcontrib-youtube==1.2.0 # via -r doc-requirements.in sphinxext-remoteliteralinclude==0.4.0 # via -r doc-requirements.in -typing-extensions==4.4.0 +typing-extensions==4.5.0 # via astroid unidecode==1.3.6 # via sphinx-autoapi -urllib3==1.26.14 +urllib3==1.26.15 # via requests -virtualenv==20.17.1 +virtualenv==20.22.0 # via pre-commit -wrapt==1.14.1 +wrapt==1.15.0 # via astroid -zipp==3.12.0 +zipp==3.15.0 # via importlib-metadata # The following packages are considered to be unsafe in a requirements file: diff --git a/rsts/deployment/configuration/auth_setup.rst b/rsts/deployment/configuration/auth_setup.rst index 33d80975bc..5089510998 100644 --- a/rsts/deployment/configuration/auth_setup.rst +++ b/rsts/deployment/configuration/auth_setup.rst @@ -271,45 +271,134 @@ To set up an external OAuth2 Authorization Server, follow the instructions below 5. Flytectl should be created with `Access Type Public` and standard flow enabled. 6. FlytePropeller should be created as an `Access Type Confidential`, standard flow enabled, and note the client ID and client Secrets provided. + .. group-tab:: Azure AD + + 1. Navigate to tab **Overview**, obtain ```` and ```` + 2. Navigate to tab **Authentication**, click ``+Add a platform`` + 3. Add **Web** for flyteconsole and flytepropeller, **Mobile and desktop applications** for flytectl. + 4. Add URL ``https:///callback`` as the callback for Web + 5. Add URL ``http://localhost:53593/callback`` as the callback for flytectl + 6. In **Advanced settings**, set ``Enable the following mobile and desktop flows`` to **Yes** to enable deviceflow + 7. Navigate to tab **Certificates & secrets**, click ``+New client secret`` to create ```` + 8. Navigate to tab **Token configuration**, click ``+Add optional claim`` and create email claims for both ID and Access Token + 9. Navigate to tab **API permissions**, add ``email``, ``offline_access``, ``openid``, ``profile``, ``User.Read`` + 10. Navigate to tab **Expose an API**, Click ``+Add a scope`` and ``+Add a client application`` to create ```` + + Apply Configuration ^^^^^^^^^^^^^^^^^^^ It is possible to direct FlyteAdmin to use an external authorization server. To do so, edit the same config map once more and follow these changes: -.. code-block:: yaml +.. tabs:: + .. group-tab:: Okta + .. code-block:: yaml - auth: - appAuth: - # 1. Choose External if you will use an external Authorization Server (e.g. a Custom Authorization server in Okta) - # Choose Self (or omit the value) to use FlyteAdmin's internal (albeit limited) Authorization Server. - authServerType: External - - # 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl. - externalAuthServer: - baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 - #baseUrl: https:///auth/realms/ # Uncomment for keycloak - #metadataUrl: .well-known/openid-configuration #Uncomment for keycloak - - thirdPartyConfig: - flyteClient: - # 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server. - clientId: flytectl - # This should not change + auth: + appAuth: + # 1. Choose External if you will use an external Authorization Server (e.g. a Custom Authorization server in Okta) + # Choose Self (or omit the value) to use FlyteAdmin's internal (albeit limited) Authorization Server. + authServerType: External + + # 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl. + externalAuthServer: + baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 + + thirdPartyConfig: + flyteClient: + # 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server. + clientId: flytectl + # This should not change + redirectUri: http://localhost:53593/callback + # 4. "all" is a required scope and must be configured in the custom authorization server. + scopes: + - offline + - all + + userAuth: + openId: + baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 # Okta with a custom Authorization Server + scopes: + - profile + - openid + # - offline_access # Uncomment if OIdC supports issuing refresh tokens. + clientId: + .. group-tab:: Keycloak + .. code-block:: yaml + + auth: + appAuth: + # 1. Choose External if you will use an external Authorization Server (e.g. a Custom Authorization server in Okta) + # Choose Self (or omit the value) to use FlyteAdmin's internal (albeit limited) Authorization Server. + authServerType: External + + # 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl. + externalAuthServer: + baseUrl: https:///auth/realms/ + metadataUrl: .well-known/openid-configuration + + thirdPartyConfig: + flyteClient: + # 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server. + clientId: flytectl + # This should not change + redirectUri: http://localhost:53593/callback + # 4. "all" is a required scope and must be configured in the custom authorization server. + scopes: + - offline + - all + + userAuth: + openId: + baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 # Okta with a custom Authorization Server + scopes: + - profile + - openid + # - offline_access # Uncomment if OIdC supports issuing refresh tokens. + clientId: + .. group-tab:: Azure AD + .. code-block:: yaml + + secrets: + adminOauthClientCredentials: + enabled: true + clientSecret: + clientId: + --- + configmap: + admin: + admin: + endpoint: + insecure: true + clientId: + clientSecretLocation: /etc/secrets/client_secret + scopes: + - api:///.default + useAudienceFromAdmin: true + --- + auth: + appAuth: + authServerType: External + externalAuthServer: + baseUrl: https://login.microsoftonline.com//v2.0/ + metadataUrl: .well-known/openid-configuration + AllowedAudience: + - api:// + thirdPartyConfig: + flyteClient: + clientId: redirectUri: http://localhost:53593/callback - # 4. "all" is a required scope and must be configured in the custom authorization server. scopes: - - offline - - all - - userAuth: - openId: - baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 # Okta with a custom Authorization Server - scopes: - - profile - - openid - # - offline_access # Uncomment if OIdC supports issuing refresh tokens. - clientId: 0oakkheteNjCMERst5d6 + - api:/// + + userAuth: + openId: + baseUrl: https://login.microsoftonline.com//v2.0 + scopes: + - openid + - profile + clientId: .. tabs::