This repository has been archived by the owner on Nov 30, 2022. It is now read-only.

Update StorageConfig to handle multiple auth methods #1140

Merged
merged 16 commits into from
Aug 30, 2022

Conversation

TheAndrewJackson
Contributor

@TheAndrewJackson TheAndrewJackson commented Aug 24, 2022

Purpose

StorageConfig now supports multiple auth methods for S3. One is the previous secret key method and the second is an automatic method.

Changes

  • Update get_s3_session to create a boto3 session based on the S3AuthMethod method enum
  • Update tests to handle the new auth_method key

Checklist

  • Update CHANGELOG.md file
    • Merge in main so the most recent CHANGELOG.md file is being appended to
    • Add description within the Unreleased section in an appropriate category. Add a new category from the list at the top of the file if the needed one isn't already there.
    • Add a link to this PR at the end of the description with the PR number as the text. example: #1
  • Applicable documentation updated (guides, quickstart, postman collections, tutorial, fidesdemo, database diagram).
  • If docs updated (select one):
    • documentation complete, or draft/outline provided (tag docs-team to complete/review on this branch)
    • documentation issue created (tag docs-team to complete issue separately)
  • Good unit test/integration test coverage
  • This PR contains a DB migration. If checked, the reviewer should confirm with the author that the down_revision correctly references the previous migration before merging
  • The Run Unsafe PR Checks label has been applied, and checks have passed, if this PR touches any external services

Ticket

Fixes #1100

@TheAndrewJackson TheAndrewJackson changed the title from "Initial automatic impl" to "Update StorageConfig to handle multiple auth methods" Aug 25, 2022
@TheAndrewJackson TheAndrewJackson marked this pull request as ready for review August 25, 2022 18:55
@TheAndrewJackson TheAndrewJackson requested a review from a team August 25, 2022 18:55
@TheAndrewJackson
Contributor Author

@seanpreston Do you have any opinions on backwards compatibility for this ticket? Now the codebase assumes that the new auth_method field will be filled out. Any StorageConfigs that were made before this will be missing it. I've considered having it assume that if it's empty they'll want to use the original auth method but that may not be true.
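
The enum dispatch and the backwards-compatibility question raised in this thread, as an added example (not code from this PR or from fidesops). The function name `s3_session_kwargs`, the `legacy_default` parameter and the enum member names are assumptions; it returns the keyword arguments that would be passed to `boto3.Session(**kwargs)` so it runs without boto3 installed.

```python
from enum import Enum
from typing import Dict, Optional


class S3AuthMethod(Enum):
    # Values are the two strings named in this PR; member names are assumed.
    AUTOMATIC = "automatic"
    SECRET_KEYS = "secret_keys"


REQUIRED_SECRETS = ("aws_access_key_id", "aws_secret_access_key")


def s3_session_kwargs(
    details: Dict[str, str],
    secrets: Optional[Dict[str, str]] = None,
    legacy_default: Optional[S3AuthMethod] = None,
) -> Dict[str, str]:
    """Return keyword arguments for boto3.Session(**kwargs).

    legacy_default decides what a config saved before auth_method existed
    means; None rejects it so an operator has to choose explicitly.
    """
    raw = details.get("auth_method")
    if raw is None:
        if legacy_default is None:
            raise ValueError("auth_method is missing from the storage config")
        method = legacy_default
    else:
        try:
            method = S3AuthMethod(raw)
        except ValueError:
            allowed = ", ".join(m.value for m in S3AuthMethod)
            raise ValueError(f"auth_method must be one of: {allowed}") from None

    if method is S3AuthMethod.AUTOMATIC:
        # No explicit keys: boto3 falls back to its default credential chain.
        # Stored secrets are deliberately not forwarded.
        return {}

    secrets = secrets or {}
    missing = [k for k in REQUIRED_SECRETS if not secrets.get(k)]
    if missing:
        # Only key names go into the message, never secret values.
        raise ValueError("secret_keys auth is missing: " + ", ".join(missing))
    return {k: secrets[k] for k in REQUIRED_SECRETS}
```
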

@@ -56,6 +57,7 @@ Params:

Additional params needed for S3:

- `auth_method`: Authentication method for creating a session with S3.
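
Review bot: The added `auth_method` line does not say which values are accepted or whether the key is required, so a reader cannot tell what happens to a storage config that omits it. Suggest listing the accepted values on this line and stating the behaviour when the key is absent.
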
Contributor


Should we specify the methods we support or do we support them all?

Contributor


It looks like the only accepted methods are "automatic" or "secret_keys"? We should definitely note that here.

Suggested change
- `auth_method`: Authentication method for creating a session with S3.
- `auth_method`: Authentication method for creating a session with S3, either `automatic` or `secret_keys`.

Contributor Author


@sanders41 Are you referring to the 8 methods mentioned on the boto3 documentation? All boto3 auth methods

Contributor


Right, do the 2 ways you have here work with all 8? Or will it only work with certain ones?

Contributor Author

@TheAndrewJackson TheAndrewJackson Aug 29, 2022


It doesn't work with all 8. I haven't verified every option that automatic covers but it should handle anything that supports automatically creating a session based on the container environment.

- `aws_access_key_id`: AWS access key id, obtained from AWS console.
- `aws_secret_access_key`: AWS secret access key, obtained from AWS console.

Fidesops also supports automatically creating a session for S3. When this authentication method is selected no secrets need to be provided. Boto3 will look for credentials on the server.
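
Review bot: In the added paragraph, "Boto3 will look for credentials on the server" does not name the sources boto3 consults, so an operator cannot tell which identity the service will end up using. Suggest linking the boto3 credentials documentation here and noting that with this method the session uses whatever credentials the host or container environment exposes (environment variables, shared credentials file, container or instance role), so that identity should be scoped to the target bucket.
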
Contributor


Maybe point to the S3 docs explaining what they need to do on the server for this to work.

Contributor


Suggested change
Fidesops also supports automatically creating a session for S3. When this authentication method is selected no secrets need to be provided. Boto3 will look for credentials on the server.
Fidesops also supports automatically creating a session for S3. If your `auth_method` is set to `automatic`, no secrets need to be provided. Boto3 will look for credentials on the server.

Contributor Author


@conceptualshark How does this look for pointing users to the boto3 docs?

Please refer to the boto3 credentials documentation for how to configure credentials for AWS.

src/fidesops/ops/util/storage_authenticator.py (outdated, resolved)
tests/ops/service/storage_uploader_service_test.py (outdated, resolved)
Contributor

@sanders41 sanders41 left a comment


lgtm. @conceptualshark I'll let you merge when the docs are good.

@conceptualshark
Contributor

👍 lgtm!

@conceptualshark conceptualshark merged commit 6cba544 into main Aug 30, 2022
@conceptualshark conceptualshark deleted the 1100_storageconfig_multiple_auth_methods branch August 30, 2022 17:54
sanders41 pushed a commit that referenced this pull request Sep 22, 2022
* Initial automatic impl

* Lints

* disable pylint error

* Fix unit tests

* fix imports

* Update fixture

* Fix config tests

* Convert type to enum

* Add new unit tests

* Update changelog

* Update docs

* Update phone number

* patch task scheduler

* remove pylint ignore and add exception

* Update docs