feat(backend): Support authentication with ServiceAccountTokens. Part of #5138 #5286
You also need to update (being able to update it in the same PR thanks to @yanniszark's work for moving them here)
Thank you for the super useful contribution that many users are hoping for!
I'm leaving some early comments before I finish reading all the code. I'll try to finish review tomorrow.
Note, most of them are nitpicks, so feel free to discuss them. I don't think they are blockers.
@Bobgy thank you for your comments. They are to the point.
I've answered each one of them and I'll push a few extra commits on top.
0f55e91 to 2a8ca8a
Thank you! I've gone through the PR, it's very well structured and well written.
I feel pretty confident about it, except for some very minor nitpicks.
@Bobgy: GitHub didn't allow me to request PR reviews from the following users: elikatsis. Note that only kubeflow members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Can you please resolve another conflict?
/lgtm
ac4936f to 5ef17ea
Introduce common utils for client initialization to factor out common code. This is a step towards fulfilling kubeflow#4738.
Extend the authenticators which the KFP apiserver applies on a request with a TokenReview authenticator. This authenticator expects a ServiceAccountToken in a header with the format: 'Authorization: Bearer <token>' Part of kubeflow#5138
Split the file into:
* auth.go: contains the main entrance from the outside of the package
* util.go: contains all utility functions used inside
Instead of using AuthenticateRequest to retrieve the user from the request and then use it for the expected values, allocate a variable for the username in the request and use that in the expected values. This ensures we don't hide potential errors of AuthenticateRequest.
5ef17ea to 3dc13dc
Have the HTTPHeaderAuthenticator first followed by the TokenReviewAuthenticator
To avoid potential race conditions when initializing the Authenticators variable, we move authenticators to a ResourceManager property and initialize it along with the initialization of the manager.
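The authenticator order and header format described in the commit messages above, as an added Go example that is not code from this PR. The `X-Demo-User` header name, the `FakeReview` stand-in for the Kubernetes TokenReview call, the sample token and username, and all function names are assumptions made for illustration; only the `Authorization: Bearer <token>` format and the `ml-pipeline` audience come from the page.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

const Audience = "ml-pipeline" // audience named in the PR description
// Authenticator yields the caller identity; Reviewer stands in for a Kubernetes TokenReview call.
type Authenticator func(r *http.Request) (string, error)
type Reviewer func(token string, audiences []string) (string, error)

// HeaderAuth trusts an identity header set by a fronting proxy (header name is hypothetical).
func HeaderAuth(r *http.Request) (string, error) {
	if v := r.Header.Get("X-Demo-User"); v != "" {
		return v, nil
	}
	return "", errors.New("identity header missing")
}

// TokenReviewAuth parses 'Authorization: Bearer <token>' and submits the token for review.
func TokenReviewAuth(review Reviewer) Authenticator {
	return func(r *http.Request) (string, error) {
		h := r.Header.Get("Authorization")
		token := strings.TrimPrefix(h, "Bearer ")
		if token == h || token == "" { // prefix absent or token empty
			return "", errors.New("no bearer token")
		}
		return review(token, []string{Audience})
	}
}

// Authenticate walks the chain in order; the first authenticator that succeeds wins.
func Authenticate(chain []Authenticator, r *http.Request) (string, error) {
	for _, a := range chain {
		if user, err := a(r); err == nil {
			return user, nil
		}
	}
	return "", errors.New("unauthenticated")
}

// FakeReview is a constructed stand-in for the cluster: one valid token, one audience.
func FakeReview(token string, audiences []string) (string, error) {
	if token == "constructed-sa-token" && len(audiences) == 1 && audiences[0] == Audience {
		return "system:serviceaccount:demo:runner", nil
	}
	return "", errors.New("token rejected by review")
}
```

With the chain built as `[]Authenticator{HeaderAuth, TokenReviewAuth(FakeReview)}`, a request carrying both an identity header and a bearer token is identified by the header, so the header must only be reachable through a proxy that sets it itself.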
/lgtm
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: Bobgy, elikatsis
@Bobgy and thank you for the quick and detailed review! I think the code is very improved now.
Description of your changes:
The changes are described in detail in this comment: #5138 (comment)
In a nutshell:
Authorization: Bearer <token>
ml-pipeline as audience

/cc @Bobgy
/cc @yanniszark
/cc @StefanoFioravanzo
/assign @elikatsis