Skip to content
This repository has been archived by the owner on Oct 23, 2023. It is now read-only.

Feat: Enable proxy-authorization in admin client #437

Closed
wants to merge 16 commits into from

Conversation

fg91
Copy link
Member

@fg91 fg91 commented Sep 10, 2023

TL;DR

Part of an effort to integrate Flyte with GCP Identity Aware Proxy, see flyteorg/flyte#3965.

Allows the flyteidl admin client to sent a "proxy-authorization" header with every request to flyteadmin. Tokens for this header are created using an external command which is configured via the new proxyCommand config entry.

Same logic as was introduced in flytekit in flyteorg/flytekit#1787.

I replicated the existing logic in MaterializeCredentials and NewAuthInterceptor for the second token. The external command is called a single time per flytectl call.

Type

  • Bug Fix
  • Feature
  • Plugin

Are all requirements met?

  • Code completed
  • Smoke tested
  • Unit tests added
  • Code documentation added
  • Any pending items have an associated Issue

Complete description

See flyteorg/flyte#3965

Tracking Issue

Closes flyteorg/flyte#3965

Follow-up issue

NA

@fg91 fg91 self-assigned this Sep 10, 2023
@codecov
Copy link

codecov bot commented Sep 10, 2023

Codecov Report

Patch coverage: 73.01% and project coverage change: +2.46% 🎉

Comparison is base (7f62a15) 75.92% compared to head (4141f5e) 78.39%.
Report is 2 commits behind head on master.

❗ Current head 4141f5e differs from pull request most recent head 89ab23c. Consider uploading reports for the commit 89ab23c to get more accurate results

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #437      +/-   ##
==========================================
+ Coverage   75.92%   78.39%   +2.46%     
==========================================
  Files          18       18              
  Lines        1458     1296     -162     
==========================================
- Hits         1107     1016      -91     
+ Misses        294      217      -77     
- Partials       57       63       +6     
Flag Coverage Δ
unittests ?

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed Coverage Δ
clients/go/admin/config.go 50.00% <ø> (ø)
clients/go/admin/client.go 84.68% <70.00%> (-2.54%) ⬇️
clients/go/admin/auth_interceptor.go 73.75% <71.73%> (+8.93%) ⬆️
clients/go/admin/pkce/auth_flow_orchestrator.go 51.02% <75.00%> (-13.98%) ⬇️
clients/go/admin/pkce/handle_app_call_back.go 94.11% <100.00%> (-0.76%) ⬇️

... and 13 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@fg91 fg91 force-pushed the fg91/feat/proxy-authorization branch from 4a9735b to 132dbb9 Compare September 22, 2023 16:33
return proxyTokenSource, nil
}

func MaterializeProxyAuthCredentials(ctx context.Context, cfg *Config, proxyCredentialsFuture *PerRPCCredentialsFuture) error {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adapted from MaterializeAuthCredentials.

@@ -102,3 +156,18 @@ func NewAuthInterceptor(cfg *Config, tokenCache cache.TokenCache, credentialsFut
return err
}
}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adapted from NewAuthInterceptor.

@@ -43,7 +43,8 @@ func getAuthServerCallbackHandler(c *oauth.Config, codeVerifier string, tokenCha
var opts []oauth2.AuthCodeOption
opts = append(opts, oauth2.SetAuthURLParam("code_verifier", codeVerifier))

token, err := c.Exchange(context.Background(), req.URL.Query().Get("code"), opts...)
ctx := context.WithValue(context.Background(), oauth2.HTTPClient, client)
token, err := c.Exchange(ctx, req.URL.Query().Get("code"), opts...)
if err != nil {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If using a proxy, we need to use the http client created in auth_interceptor.go to retrieve the token. So far, this client wasn't used.


err := invoker(ctx, method, req, reply, cc, opts...)
if err != nil {
newErr := MaterializeProxyAuthCredentials(ctx, cfg, proxyCredentialsFuture)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The external command is called a single time per call of flytectl. After the call of the external command, the credentials future is initialized and can be reused for further grpc calls.

Signed-off-by: Fabio Grätz <[email protected]>
@fg91 fg91 marked this pull request as ready for review September 22, 2023 17:17
Signed-off-by: Fabio Grätz <[email protected]>
@fg91 fg91 added the enhancement New feature or request label Sep 22, 2023
Copy link
Contributor

@wild-endeavor wild-endeavor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks okay by me. tested with existing aws clusters as well - client credentials, pkce, device flow all continue to work

@eapolinario
Copy link
Contributor

I moved this PR to the monorepo: flyteorg/flyte#4189.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Core feature] Make Flyte work with GCP Identity Aware Proxy (IAP)
3 participants