sdk/client/auth - refactor GCP auth into a module #4683
Comments
|
Hi @Bobgy! We find this issue interesting because we have actually implemented something like this for our purposes. What we have done in our own fork of the KFP client, is to add a To make this concrete, this is the abstract class we used: class TokenCredentials(object):
__metaclass__ = abc.ABCMeta
def refresh_api_key_hook(self, config):
"""Refresh the api key.
This is a helper function for registering token refresh with swagger
generated clients.
"""
config.api_key["authorization"] = self.get_token()
@abc.abstractmethod
def get_token(self):
raise NotImplementedError()It has a # config is the swagger client config
credentials = MyCredentialClass()
config.refresh_api_key_hook = credentials.refresh_api_key_hookFinally, add an extra argument to the client's In the GCP example, you could implement different credential classes for different GCP auth methods (GCP ServiceAccount, Default App Credentials, IAP). What do you think? |
|
Thanks @yanniszark! I think that sounds like a clean and abstract interface. Will you be willing to contribute? /cc @chensun @numerology @Ark-kun |
|
@Bobgy sure, we could open a PR for it. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
stale
bot
added
the
lifecycle/stale
As presented in kubeflow#4683, in this commit we introduce a TokenCredentials abstract class which encapsulates the retrieval and refresh of token credentials. The reason we are using a class for the credentials is the fact that usually tokens are short-lived and the client needs to refresh them. All subclasses should define a 'get_token()' method responsible for fetching and refreshing (if needed) a token for authentication.
As presented in kubeflow#4683, in this commit we introduce a TokenCredentials abstract class which encapsulates the retrieval and refresh of token credentials. The reason we are using a class for the credentials is the fact that usually tokens are short-lived and the client needs to refresh them. All subclasses should define a 'get_token()' method responsible for fetching and refreshing (if needed) a token for authentication.
As presented in kubeflow#4683, in this commit we introduce a TokenCredentials abstract class which encapsulates the retrieval and refresh of token credentials. The reason we are using a class for the credentials is the fact that usually tokens are short-lived and the client needs to refresh them. All subclasses should define a 'get_token()' method responsible for fetching and refreshing (if needed) a token for authentication.
…5287) * Introduce TokenCredentials abstract class As presented in #4683, in this commit we introduce a TokenCredentials abstract class which encapsulates the retrieval and refresh of token credentials. The reason we are using a class for the credentials is the fact that usually tokens are short-lived and the client needs to refresh them. All subclasses should define a 'get_token()' method responsible for fetching and refreshing (if needed) a token for authentication. * Configure credentials when initializing KFP client
|
This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it. |
There are many types of auth features in KFP SDK, they are injected kind of ad-hoc in code.
I think we need to refactor it into auth modules, so that
Another common proposal is to make the auth parameters explicit, right now we are doing the auth part automatically based on host url regex matching, but users may set up their own dns name. We should try to make it more controllable.
The text was updated successfully, but these errors were encountered: