Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[feature] Make Persistence Agent use SA Token when calling KF APIServer endpoints #9937

Closed
difince opened this issue Aug 28, 2023 · 1 comment · Fixed by #9957
Closed

[feature] Make Persistence Agent use SA Token when calling KF APIServer endpoints #9937

difince opened this issue Aug 28, 2023 · 1 comment · Fixed by #9957
Assignees
@difince
Labels
kind/feature

Comments

@difince
Copy link
Member

difince commented Aug 28, 2023

Feature Area

</area backend>

What feature would you like to see?

Currently, when the Persistence Agent (PA) calls KFPipeline APIs - readArtifacts and ReportMetrics - It authenticates as a user.
See:

pipelines/backend/src/agent/persistence/client/pipeline_client.go

Lines 196 to 204 in 110e082

pctx := context.Background()
if user != "" {
pctx = metadata.AppendToOutgoingContext(pctx, getKubeflowUserIDHeader(),
getKubeflowUserIDPrefix()+user)
}
ctx, cancel := context.WithTimeout(pctx, time.Minute)
defer cancel()
response, err := p.runServiceClient.ReportRunMetricsV1(ctx, request)

The proper way for service-to-service authentication/authorization is the use of a Service Account Token. PA SA token has been already introduced by this PR .
My suggestion is to use the PA SA token for readArtifacts and ReportMetrics as well.
Thus the communication between PA and KFPipeline Api service will be done in the correct way. The code will become clearer/shorter and the unnecessary requests to the kubeapi will be removed.

What is the use case or pain point?

Is there a workaround currently?

Love this idea? Give it a 👍.
@difince difince changed the title [feature] Persistence Agent to use its SA Token when calling KFAPIServer [feature] Persistence Agent to use its SA Token when calling KF APIServer endpoints Aug 28, 2023
@difince
Copy link
Member Author

difince commented Aug 28, 2023

/assign @difince

@difince difince changed the title [feature] Persistence Agent to use its SA Token when calling KF APIServer endpoints [feature] Make Persistence Agent use SA Token when calling KF APIServer endpoints Aug 28, 2023
@difince difince mentioned this issue Sep 4, 2023
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@difince difince

Labels
kind/feature
Projects
KFP Runtime Triage
Status: Closed
Milestone
No milestone
1 participant
@difince