Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(backend) Enable auth between pesistence agent and pipelineAPI (ReportServer) #9699

Merged
merged 3 commits into from
Aug 17, 2023
Merged

feat(backend) Enable auth between pesistence agent and pipelineAPI (ReportServer) #9699

merged 3 commits into from
Aug 17, 2023

Conversation

difince
Copy link
Member

@difince difince commented Jul 3, 2023
edited
Loading

  1. Add authentication and authorization logic to PipelineAPI ReportServer's methods - reportworkflow & reportSheduledWorkflow and
  2. Force Persistence Agent to authenticate itself through Service Account Token Volume Projection when calling the above methods.

Issue: #8074

Description of your changes:

Checklist:

@difince
Copy link
Member Author

difince commented Jul 4, 2023

/retest

@chensun
Copy link
Member

chensun commented Jul 5, 2023

/retest

chensun
chensun reviewed Jul 6, 2023
View reviewed changes
backend/src/agent/persistence/client/pipeline_client.go
} else if statusCode.Code() == codes.Unauthenticated && strings.Contains(err.Error(), "service account token has expired") {
//if unauthenticated because SA token is expired, re-read/refresh the token and try again
p.tokenRefresher.RefreshToken()
return util.NewCustomError(err, util.CUSTOM_CODE_TRANSIENT,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Although I see you're following an existing pattern, for my education how would user discover such error? Would this be surfaced back by apiserver?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi! Sorry for my late response.
The user could observe the status of the Run and inspect the logs of the persistent agent. The errors are not directly displayed on the UI.
If a "transient" error occurs the Persistent Agent will retry with an exponential delay

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here, If an error occurs on token refresh, I just log the error and let the worker thread retries. Any other suggestions on what to do if the refresh token fails?

backend/src/agent/persistence/client/token_refresher.go Outdated Show resolved Hide resolved
@zijianjoy
Copy link
Collaborator

/assign @chensun

@difince
Enable auth between pesistence agent and pipelineAPI (ReportServer)
5c0df51 
1. Add authentication and authorization logic to PipelineAPI's PeportServer &
2. Make Persistence Agent authenticate itself through Service Account Token
Volume Projection.

Signed-off-by: diana <[email protected]>
@difince
Do not use MULTIUSER on report weorkflows
1de9bd0 
Only Persistent agent can KFPipeline API "Report (Scheduled)Workflows" no matter
the namespace workflows belongs to.

Signed-off-by: diana <[email protected]>
@juliusvonkohout
Copy link
Member

@difince is any help needed?

@difince difince force-pushed the auth_report_server branch 2 times, most recently from 4333fc2 to 19e6d60 Compare August 16, 2023 13:48
@difince
Add unit tests
bc9e1e0 
- unit tests added
- do not stop the ticker on stopCh

Signed-off-by: diana <[email protected]>
difince
difince commented Aug 16, 2023
View reviewed changes
backend/src/agent/persistence/client/token_refresher.go

ticker := time.NewTicker(*tr.seconds)
go func() {
for range ticker.C {
Copy link
Member Author

@difince difince Aug 16, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was unsure about the use of the stopCh, so I removed it. WDYT? Please inspect the changes introduced by my third commit.

chensun
chensun approved these changes Aug 16, 2023
View reviewed changes
Copy link
Member

@chensun chensun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

Thanks!

@google-oss-prow google-oss-prow bot added the lgtm label Aug 16, 2023
@google-oss-prow
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chensun

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@chensun
Copy link
Member

chensun commented Aug 16, 2023

I'm investigating the test failure, which is likely unrelated to this change.
#9883

@juliusvonkohout
Copy link
Member

/retest-required

@juliusvonkohout
Copy link
Member

@difince maybe you have to rebase to #9885 if the test fails again

@google-oss-prow google-oss-prow bot merged commit cb18d00 into kubeflow:master Aug 17, 2023
1 check passed
@difince difince mentioned this pull request Aug 17, 2023
Closed
chensun pushed a commit that referenced this pull request Aug 17, 2023
@difince @chensun
feat(backend) Enable auth between pesistence agent and pipelineAPI (R…
f232d0b 
…eportServer) (#9699)

* Enable auth between pesistence agent and pipelineAPI (ReportServer)

1. Add authentication and authorization logic to PipelineAPI's PeportServer &
2. Make Persistence Agent authenticate itself through Service Account Token
Volume Projection.

Signed-off-by: diana <[email protected]>

* Do not use MULTIUSER on report weorkflows

Only Persistent agent can KFPipeline API "Report (Scheduled)Workflows" no matter
the namespace workflows belongs to.

Signed-off-by: diana <[email protected]>

* Add unit tests

- unit tests added
- do not stop the ticker on stopCh

Signed-off-by: diana <[email protected]>

---------

Signed-off-by: diana <[email protected]>
@difince difince mentioned this pull request Aug 17, 2023
Closed
connor-mccarthy pushed a commit to connor-mccarthy/pipelines that referenced this pull request Aug 24, 2023
@difince @connor-mccarthy
feat(backend) Enable auth between pesistence agent and pipelineAPI (R…
0719539 
…eportServer) (kubeflow#9699)

* Enable auth between pesistence agent and pipelineAPI (ReportServer)

1. Add authentication and authorization logic to PipelineAPI's PeportServer &
2. Make Persistence Agent authenticate itself through Service Account Token
Volume Projection.

Signed-off-by: diana <[email protected]>

* Do not use MULTIUSER on report weorkflows

Only Persistent agent can KFPipeline API "Report (Scheduled)Workflows" no matter
the namespace workflows belongs to.

Signed-off-by: diana <[email protected]>

* Add unit tests

- unit tests added
- do not stop the ticker on stopCh

Signed-off-by: diana <[email protected]>

---------

Signed-off-by: diana <[email protected]>
@difince difince mentioned this pull request Aug 28, 2023
Closed
@difince difince mentioned this pull request Sep 4, 2023
Merged
1 task
stijntratsaertit pushed a commit to stijntratsaertit/kfp that referenced this pull request Feb 16, 2024
@difince @stijntratsaertit
feat(backend) Enable auth between pesistence agent and pipelineAPI (R…
cc4b02c 
…eportServer) (kubeflow#9699)

* Enable auth between pesistence agent and pipelineAPI (ReportServer)

1. Add authentication and authorization logic to PipelineAPI's PeportServer &
2. Make Persistence Agent authenticate itself through Service Account Token
Volume Projection.

Signed-off-by: diana <[email protected]>

* Do not use MULTIUSER on report weorkflows

Only Persistent agent can KFPipeline API "Report (Scheduled)Workflows" no matter
the namespace workflows belongs to.

Signed-off-by: diana <[email protected]>

* Add unit tests

- unit tests added
- do not stop the ticker on stopCh

Signed-off-by: diana <[email protected]>

---------

Signed-off-by: diana <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chensun chensun chensun approved these changes

@gkcalat gkcalat Awaiting requested review from gkcalat

@zijianjoy zijianjoy Awaiting requested review from zijianjoy

Assignees

@chensun chensun

Labels
approved lgtm size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@difince @chensun @zijianjoy @juliusvonkohout