This repository has been archived by the owner on May 31, 2024. It is now read-only.

Oauth support in flytectl #49

Merged
merged 7 commits into from
May 3, 2021

Conversation

pmahindrakar-oss
Contributor

@pmahindrakar-oss pmahindrakar-oss commented Apr 3, 2021

Signed-off-by: Prafulla Mahindrakar [email protected]

TL;DR

Config for querying admin

admin:
  # For GRPC endpoints you might want to use dns:///flyte.myexample.com
  clientId: flytectl
  endpoint: dns:///demo.nuclyde.io
  authType: Pkce
logger:
  show-source: true
  level: 6

flytectl get project
Warn: No metricsProvider set for the workqueue
INFO[0000] Using config file: [config.yaml]             
INFO[0000] Config section [root] updated. No update handler registered.  src="viper.go:318"
INFO[0000] Config section [logger] updated. Firing updated event.  src="viper.go:320"
{"json":{"src":"viper.go:320"},"level":"info","msg":"Config section [admin] updated. Firing updated event.","ts":"2021-04-28T21:10:49+05:30"}
{"json":{"src":"viper.go:318"},"level":"info","msg":"Config section [storage] updated. No update handler registered.","ts":"2021-04-28T21:10:49+05:30"}
{"json":{"src":"viper.go:318"},"level":"info","msg":"Config section [adminutils] updated. No update handler registered.","ts":"2021-04-28T21:10:49+05:30"}
{"json":{"src":"client.go:182"},"level":"info","msg":"Instantiating a token source to authenticate against Admin, ID: flytectl","ts":"2021-04-28T21:10:49+05:30"}
{"json":{"src":"token_cache_with_keyring.go:59"},"level":"debug","msg":"fetched token from cache with expiry at 2021-04-29 03:03:19.535504 +0530 IST","ts":"2021-04-28T21:10:51+05:30"}
{"json":{"src":"auth_flow_orchestrator.go:35"},"level":"debug","msg":"got a response from the refresh grant for old expiry 2021-04-29 03:03:19.535504 +0530 IST with new expiry 2021-04-29 03:03:19.535504 +0530 IST","ts":"2021-04-28T21:10:51+05:30"}
{"json":{"src":"client.go:65"},"level":"info","msg":"Initialized Admin client","ts":"2021-04-28T21:10:51+05:30"}
{"json":{"src":"project.go:87"},"level":"debug","msg":"Retrieved 4 projects","ts":"2021-04-28T21:10:51+05:30"}
 --------------- --------------- ---------------------------------- 
| ID (4)        | NAME          | DESCRIPTION                      |
 --------------- --------------- ---------------------------------- 
| flytectldemo  | flytectldemo  | Some description for the project |
 --------------- --------------- ---------------------------------- 
| flyteexamples | flyteexamples | flyteexamples description        |
 --------------- --------------- ---------------------------------- 
| flytesnacks   | flytesnacks   | flytesnacks description          |
 --------------- --------------- ---------------------------------- 
| flytetester   | flytetester   | flytetester description          |
 --------------- --------------- ---------------------------------- 
4 rows

Type

  • Bug Fix
  • Feature
  • Plugin

Are all requirements met?

  • Code completed
  • Smoke tested
  • Unit tests added
  • Code documentation added
  • Any pending items have an associated Issue

Complete description

How did you fix the bug, make the feature etc. Link to any design docs etc

Tracking Issue

flyteorg/flyte#945

Follow-up issue

NA
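The `authType: Pkce` setting above selects the authorization-code flow with PKCE, the OAuth 2.0 profile meant for public clients such as a CLI that cannot hold a client secret. As an added illustration (this is not flytectl's code and not part of this PR), the following stdlib-only Go shows the client-side pieces such a flow needs: a high-entropy `code_verifier`, its S256 `code_challenge`, an authorization URL bound to a per-attempt `state`, and the loopback callback handler that refuses any redirect whose `state` does not match. The authorization endpoint, the `flytectl` client id, the loopback port and the scope string are assumptions for illustration; `verifyChallenge` shows the check the server performs at the token endpoint, which is why a stolen authorization code is useless without the verifier.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
)

// randomURLSafe returns n random bytes as unpadded base64url, the encoding
// RFC 7636 section 4.1 prescribes for code_verifier (32 bytes -> 43 chars).
func randomURLSafe(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// challengeS256 computes code_challenge = BASE64URL(SHA256(code_verifier)).
func challengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// verifyChallenge is the check the authorization server performs at the token
// endpoint: recompute the challenge from the verifier presented with the code
// and compare in constant time. The verifier never left the client, so an
// intercepted authorization code cannot be redeemed without it.
func verifyChallenge(verifier, challenge string) bool {
	return subtle.ConstantTimeCompare([]byte(challengeS256(verifier)), []byte(challenge)) == 1
}

// authorizeURL builds the authorization request for a public client: no
// secret, an S256 challenge, and a per-attempt state the callback must echo.
// Endpoint, client id, redirect URI and scopes are illustrative assumptions.
func authorizeURL(authEndpoint, clientID, redirectURI, state, challenge string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "all offline")
	q.Set("state", state)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	return authEndpoint + "?" + q.Encode()
}

// callbackHandler serves the loopback redirect URI. It drops any callback whose
// state does not match the one generated for this login attempt (CSRF and
// mix-up protection), surfaces errors from the authorization server, and
// delivers the code on a buffered channel for the exchange step.
func callbackHandler(expectedState string, codes chan<- string) http.HandlerFunc {
	return func(rw http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
			http.Error(rw, "state mismatch: callback ignored", http.StatusBadRequest)
			return
		}
		if e := q.Get("error"); e != "" {
			http.Error(rw, "authorization failed: "+e, http.StatusBadRequest)
			return
		}
		code := q.Get("code")
		if code == "" {
			http.Error(rw, "missing authorization code", http.StatusBadRequest)
			return
		}
		select {
		case codes <- code:
		default: // a second callback with a valid state is dropped, not queued
		}
		fmt.Fprint(rw, "<p>Authentication successful; you can close this window.</p>")
	}
}

func main() {
	verifier, _ := randomURLSafe(32)
	state, _ := randomURLSafe(16)
	// hypothetical authorization endpoint and loopback redirect; not flytectl's
	fmt.Println(authorizeURL("https://auth.example.com/oauth2/authorize", "flytectl",
		"http://localhost:53593/callback", state, challengeS256(verifier)))
	fmt.Println("verifier check:", verifyChallenge(verifier, challengeS256(verifier)))
}
```

The verifier and state are generated fresh per login and kept only in process memory until the code is exchanged; the handler responds with plain text via `http.Error`, so the reflected `error` parameter is never rendered as HTML.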

pkg/auth/oauth2_client.go (6 outdated review threads, resolved)
@pmahindrakar-oss pmahindrakar-oss requested a review from EngHabu April 5, 2021 12:33
@codecov

codecov bot commented Apr 10, 2021

Codecov Report

Merging #49 (ae896c1) into master (510e46b) will increase coverage by 0.32%.
The diff coverage is 55.55%.


@@            Coverage Diff             @@
##           master      #49      +/-   ##
==========================================
+ Coverage   50.69%   51.02%   +0.32%     
==========================================
  Files          40       42       +2     
  Lines        1150     1170      +20     
==========================================
+ Hits          583      597      +14     
- Misses        500      502       +2     
- Partials       67       71       +4     
Flag Coverage Δ
unittests 51.02% <55.55%> (+0.32%) ⬆️


Impacted Files Coverage Δ
cmd/get/project.go 0.00% <ø> (ø)
pkg/pkce/token_cache_keyring.go 55.55% <55.55%> (ø)
pkg/filesystemutils/file_system_utils.go 100.00% <0.00%> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 510e46b...ae896c1.

@pmahindrakar-oss pmahindrakar-oss changed the title from "Draft changes for Oauth support in flytectl" to "wip: Draft changes for Oauth support in flytectl" Apr 12, 2021
cmd/root.go (outdated review thread, resolved)
pkg/auth/oauth2_client.go (outdated review thread, resolved)
@pmahindrakar-oss pmahindrakar-oss force-pushed the pmahindrakar/oauth branch 2 times, most recently from dc283a1 to 6644f0f April 27, 2021 11:18
@pmahindrakar-oss pmahindrakar-oss changed the title from "wip: Draft changes for Oauth support in flytectl" to "Oauth support in flytectl" Apr 27, 2021
@pmahindrakar-oss pmahindrakar-oss marked this pull request as ready for review April 27, 2021 13:17
@@ -0,0 +1,145 @@
package auth

import (
Contributor Author

More unit tests remain for this package and will be added soon.

Contributor

@EngHabu EngHabu left a comment

Awesome! I have some questions about the token exchange stuff and potentially simplifying the code (that surrounds each API call)... otherwise looks ready (minus those unit tests you are already adding)... thank you!

exec, err = cmdCtx.AdminClient().CreateExecution(_ctx, executionRequest, _callOptions...)
return err
}
err = auth.Do(ctx, cmdCtx.AuthClient(), grpcAPICall, callOptions)
Contributor

Is there a way to simplify this?
Like here
You can build the authmetadataclient without initializing that singleton connection, then call FlyteClient() and, if that returns, you can set up a PerCallRPCCredentials and set it as a dial option (instead of a call option)... and therefore you do not need to surround every single call to admin with this...

Contributor Author

Done. Created a new MR for this: flyteorg/flyteidl#156

Contributor Author

Will be updating this MR with just the changes to flyteidl and a couple of modules to be used. Otherwise there are no changes on the flytectl side with this new movement.

func Do(ctx context.Context, authMetadataClient service.AuthMetadataServiceClient, grpcAPICallContext AdminGrpcAPICallContext, callOptions []grpc.CallOption) error {
// Fetch from the cache only when useAuth is enabled.
useAuth := admin.GetConfig(ctx).UseAuth
if useAuth {
Contributor

I'm getting rid of this... if we can attempt to set up auth before we Dial(), I think that will simplify the experience a ton....

Contributor Author

Done

type TokenOrchestrator struct {
}

// This is a copy of oauth2.internal.tokenJSON as its not accesible outside.
Contributor

nit:

Suggested change
// This is a copy of oauth2.internal.tokenJSON as its not accesible outside.
// This is a copy of oauth2.internal.tokenJSON as it's not accesible outside.

Contributor Author

Done


func (f TokenOrchestrator) RefreshTheToken(ctx context.Context, clientConf *oauth2.Config, token *oauth2.Token) *oauth2.Token {
// ClientSecret is empty here. Basic auth is only needed to refresh the token.
client := newBasicClient(clientConf.ClientID, clientConf.ClientSecret)
Contributor

This is concerning.... public clients should not need or attempt to keep secrets.... if that means we can't refresh tokens, then so be it... we can make the default access token expire in 2 hours (or so) to give people a slightly improved experience...

Contributor

Or is the idea that this flow will be used in CI/CD system instead?

Contributor Author

Actually, internally OAuth libraries do the same when they refresh the token, by sending an empty client secret. I have removed this logic and am instead using

// Token returns the current token if it's still valid, else will
// refresh the current token (using r.Context for HTTP client
// information) and return the new one.
func (s *reuseTokenSource) Token() (*Token, error) {

This automatically refreshes the token if the access token is expired.
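Two design points from this thread fit together: the reviewer's suggestion to attach credentials as a dial option (PerRPCCredentials) instead of wrapping every admin call, and the author's move to a reuse-style token source that only refreshes when the access token has expired. The following stdlib-only Go is an added illustration of both (it is not flytectl's, flyteidl's or golang.org/x/oauth2's code): `reusingTokenSource` re-implements the reuse-and-refresh behaviour under a lock so concurrent RPCs trigger one refresh, and `perRPCCredentials` has the two methods of grpc's `credentials.PerRPCCredentials`, mirrored here rather than imported, so the type could be passed to `grpc.WithPerRPCCredentials` at Dial time. The refresh HTTP call is injected as a function so the logic runs offline; the token values, clock and method name in `main` are constructed sample data.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Token carries the fields of an OAuth 2.0 token this example needs.
type Token struct {
	AccessToken  string
	RefreshToken string
	Expiry       time.Time
}

// needsRefresh reports whether the token must be renewed before use. The
// leeway stops us presenting a token that expires while the RPC is in flight;
// a zero Expiry means the server gave no lifetime and the token is used as-is.
func (t *Token) needsRefresh(now time.Time, leeway time.Duration) bool {
	if t == nil || t.AccessToken == "" {
		return true
	}
	if t.Expiry.IsZero() {
		return false
	}
	return !now.Add(leeway).Before(t.Expiry)
}

// RefreshFunc performs the refresh_token grant. For a public client the
// request carries client_id and refresh_token and no client secret; the HTTP
// call is injected so the caching logic can be exercised offline.
type RefreshFunc func(ctx context.Context, refreshToken string) (*Token, error)

// reusingTokenSource returns the cached token while it is valid and otherwise
// refreshes it under a lock, so a burst of concurrent RPCs causes one refresh.
// This is a re-implementation for illustration of the reuseTokenSource
// behaviour quoted in the thread, not the library's code.
type reusingTokenSource struct {
	mu      sync.Mutex
	tok     *Token
	refresh RefreshFunc
	now     func() time.Time
	leeway  time.Duration
}

func newReusingTokenSource(initial *Token, refresh RefreshFunc, now func() time.Time) *reusingTokenSource {
	return &reusingTokenSource{tok: initial, refresh: refresh, now: now, leeway: 10 * time.Second}
}

func (s *reusingTokenSource) Token(ctx context.Context) (*Token, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.tok.needsRefresh(s.now(), s.leeway) {
		return s.tok, nil
	}
	if s.tok == nil || s.tok.RefreshToken == "" {
		return nil, errors.New("access token expired and no refresh token cached: run the login flow again")
	}
	fresh, err := s.refresh(ctx, s.tok.RefreshToken)
	if err != nil {
		return nil, fmt.Errorf("refresh grant failed: %w", err)
	}
	if fresh.RefreshToken == "" {
		// servers that do not rotate refresh tokens omit it; keep the old one
		fresh.RefreshToken = s.tok.RefreshToken
	}
	s.tok = fresh
	return s.tok, nil
}

// perRPCCredentials has the two methods of grpc's credentials.PerRPCCredentials
// (mirrored here, not imported). Passed via grpc.WithPerRPCCredentials at Dial
// time it attaches the bearer token to every call, so no per-call wrapper is
// needed around each admin API call.
type perRPCCredentials struct {
	src *reusingTokenSource
}

func (c perRPCCredentials) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
	tok, err := c.src.Token(ctx)
	if err != nil {
		return nil, err
	}
	return map[string]string{"authorization": "Bearer " + tok.AccessToken}, nil
}

// RequireTransportSecurity returning true makes grpc refuse to send these
// credentials over an insecure connection: a bearer token on plaintext gRPC
// is a credential leak.
func (c perRPCCredentials) RequireTransportSecurity() bool { return true }

func main() {
	clock := time.Date(2021, 4, 28, 21, 10, 0, 0, time.UTC)
	// constructed sample: an expired access token with a usable refresh token
	initial := &Token{AccessToken: "old", RefreshToken: "r1", Expiry: clock.Add(-time.Minute)}
	refresh := func(ctx context.Context, rt string) (*Token, error) {
		return &Token{AccessToken: "new", Expiry: clock.Add(time.Hour)}, nil
	}
	creds := perRPCCredentials{src: newReusingTokenSource(initial, refresh, func() time.Time { return clock })}
	md, err := creds.GetRequestMetadata(context.Background(), "/flyteidl.service.AdminService/ListProjects")
	fmt.Println(md, err)
}
```

When the cache holds an access token with no refresh token, `Token` fails instead of sending the stale token, which is the case where the user has to run the PKCE login again; with a refresh token present the refresh grant runs once and later calls reuse the new token until it nears expiry.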

"refresh_token": {token.RefreshToken},
"scope": {"all", "offline"},
}
_, body, err := client.Post(clientConf.Endpoint.TokenURL, payload)
Contributor

can't we use oauth2.Config to Exchange and refresh tokens?

Contributor Author

Removed this logic now; it uses

_, _ = rw.Write([]byte(fmt.Sprintf(`<p>Couldn't get access token due to error: %s</p>`, err.Error())))
return
}
_, _ = rw.Write([]byte(`<p>Cool! Your authentication was successful and you can close the window.<p>`))
Contributor

If we want to go fancy, I would say we should do something like this: https://blakewilliams.me/posts/handling-macos-url-schemes-with-go
(which seems to be supported on OSX and Windows... not sure about general Linux support) to silently go back to the app once the user is authenticated/authorized...

but maybe that's too fancy?

Contributor Author

Looks cool. Let me try this in a follow-up.

Signed-off-by: Prafulla Mahindrakar <[email protected]>
Signed-off-by: Prafulla Mahindrakar <[email protected]>
Signed-off-by: Prafulla Mahindrakar <[email protected]>
@EngHabu EngHabu force-pushed the pmahindrakar/oauth branch from 3bbbd29 to 0f5043c April 30, 2021 01:54
EngHabu
EngHabu previously approved these changes Apr 30, 2021
@kumare3 kumare3 self-requested a review May 2, 2021 21:30
kumare3
kumare3 previously approved these changes May 2, 2021
EngHabu added 2 commits May 3, 2021 08:51
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Prafulla Mahindrakar <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Prafulla Mahindrakar <[email protected]>
@pmahindrakar-oss pmahindrakar-oss dismissed stale reviews from kumare3 and EngHabu via ae896c1 May 3, 2021 03:21
@kumare3 kumare3 self-requested a review May 3, 2021 04:44
@pmahindrakar-oss pmahindrakar-oss merged commit cf63c5c into master May 3, 2021
@pmahindrakar-oss pmahindrakar-oss deleted the pmahindrakar/oauth branch May 3, 2021 04:59
3 participants