rename

Signed-off-by: byhsu <[email protected]>

auth/identity_context.go

@@ -32,11 +32,11 @@ type IdentityContext struct {
 	scopes *sets.String
 	// Raw JWT token from the IDP. Set to a pointer to support the equal operator for this struct.
 	claims *claimsType
-	// userIdentifier stores a unique string that can be used to identify the user associated with a given task.
+	// executionUserIdentifier stores a unique string that can be used to identify the user associated with a given task.
 	// This identifier is passed down to the ExecutionSpec and can be used for various purposes, such as setting the user identifier on a pod label.
-	// By default, the user identifier is filled with the value of IdentityContext.userID. However, you can customize your middleware to assign other values if needed.
+	// By default, the execution user identifier is filled with the value of IdentityContext.userID. However, you can customize your middleware to assign other values if needed.
 	// Providing a user identifier can be useful for tracking tasks and associating them with specific users, especially in multi-user environments.
-	userIdentifier string
+	executionUserIdentifier string
 }
 
 func (c IdentityContext) Audience() string {
@@ -86,13 +86,14 @@ func (c IdentityContext) AuthenticatedAt() time.Time {
 	return c.authenticatedAt
 }
 
-func (c IdentityContext) UserIdentifier() string {
-	return c.userIdentifier
+func (c IdentityContext) ExecutionUserIdentifier() string {
+	return c.executionUserIdentifier
 }
 
-// SetUserIdentifier allows you to explicitly set user identifier
-func (c *IdentityContext) SetUserIdentifier(id string) {
-	c.userIdentifier = id
+// WithExecutionUserIdentifier creates a copy of the original identity context and attach ExecutionUserIdentifier
+func (c IdentityContext) WithExecutionUserIdentifier(euid string) IdentityContext {
+	c.executionUserIdentifier = euid
+	return c
 }
 
 // NewIdentityContext creates a new IdentityContext.

auth/identity_context_test.go

@@ -5,6 +5,7 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/util/sets"
 )
 
 func TestGetClaims(t *testing.T) {
@@ -23,3 +24,12 @@ func TestGetClaims(t *testing.T) {
 
 	assert.NotEmpty(t, withClaimsCtx.UserInfo().AdditionalClaims)
 }
+
+func TestWithExecutionUserIdentifier(t *testing.T) {
+	idctx, err := NewIdentityContext("", "", "", time.Now(), sets.String{}, nil, nil)
+	assert.NoError(t, err)
+	newIdCtx := idctx.WithExecutionUserIdentifier("byhsu")
+	// make sure the original one is intact
+	assert.Equal(t, "", idctx.ExecutionUserIdentifier())
+	assert.Equal(t, "byhsu", newIdCtx.ExecutionUserIdentifier())
+}

auth/interceptor.go

@@ -27,7 +27,7 @@ func BlanketAuthorization(ctx context.Context, req interface{}, _ *grpc.UnarySer
 func UserIdentifierInterceptor(ctx context.Context, req interface{}, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (
 	resp interface{}, err error) {
 	identityContext := IdentityContextFromContext(ctx)
-	identityContext.SetUserIdentifier(identityContext.UserID())
+	identityContext = identityContext.WithExecutionUserIdentifier(identityContext.UserID())
 	ctx = identityContext.WithContext(ctx)
 	return handler(ctx, req)
 }

auth/interceptor_test.go

@@ -69,7 +69,7 @@ func TestGetUserIdentityFromContext(t *testing.T) {
 
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		identityContext := IdentityContextFromContext(ctx)
-		userIdentifier := identityContext.UserIdentifier()
+		userIdentifier := identityContext.ExecutionUserIdentifier()
 		assert.Equal(t, userIdentifier, "yeee")
 		return nil, nil
 	}

pkg/manager/impl/execution_manager.go

@@ -411,8 +411,8 @@ func (m *ExecutionManager) getExecutionConfig(ctx context.Context, request *admi
 	// In the case of reference_launch_plan subworkflow, the context comes from flytepropeller instead of the user side, so user auth is missing.
 	// We skip getUserIdentityFromContext but can still get ExecUserId because flytepropeller passes it in the execution request.
 	// https://github.com/flyteorg/flytepropeller/blob/03a6672960ed04e7687ba4f790fee9a02a4057fb/pkg/controller/nodes/subworkflow/launchplan/admin.go#L114
-	if workflowExecConfig.GetSecurityContext().GetRunAs().GetUserIdentifier() == "" {
-		workflowExecConfig.SecurityContext.RunAs.UserIdentifier = auth.IdentityContextFromContext(ctx).UserIdentifier()
+	if workflowExecConfig.GetSecurityContext().GetRunAs().GetExecutionIdentity() == "" {
+		workflowExecConfig.SecurityContext.RunAs.UserIdentifier = auth.IdentityContextFromContext(ctx).ExecutionUserIdentifier()
 	}
 
 	logger.Infof(ctx, "getting the workflow execution config from application configuration")

pkg/manager/impl/execution_manager_test.go

@@ -4320,7 +4320,7 @@ func TestGetExecutionConfigOverrides(t *testing.T) {
 		assert.Equal(t, requestOutputLocationPrefix, execConfig.RawOutputDataConfig.OutputLocationPrefix)
 		assert.Equal(t, requestLabels, execConfig.GetLabels().Values)
 		assert.Equal(t, requestAnnotations, execConfig.GetAnnotations().Values)
-		assert.Equal(t, "yeee", execConfig.GetSecurityContext().GetRunAs().GetUserIdentifier())
+		assert.Equal(t, "yeee", execConfig.GetSecurityContext().GetRunAs().GetExecutionIdentity())
 	})
 	t.Run("request with partial config", func(t *testing.T) {
 		request := &admin.ExecutionCreateRequest{

pkg/manager/impl/util/shared.go

@@ -298,7 +298,7 @@ func MergeIntoExecConfig(workflowExecConfig admin.WorkflowExecutionConfig, spec
 		if spec.GetSecurityContext().GetRunAs() != nil &&
 			(len(spec.GetSecurityContext().GetRunAs().GetK8SServiceAccount()) > 0 ||
 				len(spec.GetSecurityContext().GetRunAs().GetIamRole()) > 0 ||
-				len(spec.GetSecurityContext().GetRunAs().GetUserIdentifier()) > 0) {
+				len(spec.GetSecurityContext().GetRunAs().GetExecutionIdentity()) > 0) {
 			workflowExecConfig.SecurityContext = spec.GetSecurityContext()
 		}
 	}