Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(backend): enforce SA Token based auth b/w Persistence Agent and Pipeline API Server #9957

Merged
merged 2 commits into from
Sep 7, 2023
Merged

feat(backend): enforce SA Token based auth b/w Persistence Agent and Pipeline API Server #9957

merged 2 commits into from
Sep 7, 2023

Conversation

difince
Copy link
Member

@difince difince commented Sep 4, 2023
edited
Loading

Fixes: #9937

Enforce Service Account(SA) Token-based auth between the Persistence Agent and the Pipeline API Server for all the requests.
SA Token auth has already been introduced and applied for ReportWorkflow and ReportScheduledWorkflow by this PR.

Current PR enforces the SA token authentication for readArtifacts and ReportMetrics calls as well, which currently authenticates as a user.

Description of your changes:

This PR :

  • reverts changes done by this PR
  • Enforce the use the SA token authentiaction

Checklist:

@difince difince changed the title Force SA Token based auth b/w Persistence Agent and Pipeline API Server feat(hackendForce SA Token based auth b/w Persistence Agent and Pipeline API Server Sep 4, 2023
@difince difince changed the title feat(hackendForce SA Token based auth b/w Persistence Agent and Pipeline API Server feat(hackend) Force SA Token based auth b/w Persistence Agent and Pipeline API Server Sep 4, 2023
@difince difince changed the title feat(hackend) Force SA Token based auth b/w Persistence Agent and Pipeline API Server feat(backend): enforce SA Token based auth b/w Persistence Agent and Pipeline API Server Sep 4, 2023
@difince
Fix persistence agent license file
0959197 
Signed-off-by: Diana Atanasova <[email protected]>
@difince
Copy link
Member Author

difince commented Sep 5, 2023

/retest

@difince
Copy link
Member Author

difince commented Sep 5, 2023

Can someone help me with the failing test - TestCreatePipelineV1_LargeFile ?

difince
difince commented Sep 5, 2023
View reviewed changes
Copy link
Member Author

@difince difince left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To simplify the review process, the changes in pipelines_client.go ReadArtifact and ReportRunMetrics are the most meaningful ones. Here, the PA is forced to use SA Token, instead of authenticating as a user.

@chensun chensun self-assigned this Sep 5, 2023
@chensun chensun removed the request for review from Linchin September 5, 2023 16:54
@chensun
Copy link
Member

chensun commented Sep 7, 2023
edited
Loading

Can someone help me with the failing test - TestCreatePipelineV1_LargeFile ?

Seems like it could be some transient issue?

    pipeline_server_test.go:99: 
        	Error Trace:	/home/prow/go/src/github.com/kubeflow/pipelines/backend/src/apiserver/server/pipeline_server_test.go:99
        	Error:      	Expected nil, but got: &util.UserError{internalError:(*errors.withStack)(0xc00127e090), externalMessage:"error fetching pipeline spec from https://raw.githubusercontent.com/kubeflow/pipelines/master/sdk/python/test_data/pipelines/xgboost_sample_pipeline.yaml - request returned 503 Service Unavailable", externalStatusCode:0x3}
        	Test:       	TestCreatePipelineV1_LargeFile
    pipeline_server_test.go:100:

@chensun
Copy link
Member

chensun commented Sep 7, 2023

/retest

chensun
chensun approved these changes Sep 7, 2023
View reviewed changes
Copy link
Member

@chensun chensun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

Thanks!

@google-oss-prow google-oss-prow bot added the lgtm label Sep 7, 2023
@google-oss-prow
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chensun

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit 760c158 into kubeflow:master Sep 7, 2023
1 check passed
@difince difince mentioned this pull request Sep 8, 2023
Closed
stijntratsaertit pushed a commit to stijntratsaertit/kfp that referenced this pull request Feb 16, 2024
@difince @stijntratsaertit
feat(backend): enforce SA Token based auth b/w Persistence Agent and …
4bf1334 
…Pipeline API Server (kubeflow#9957)

* Enforece SA-Toben auth b/n Persistence agent & Pipeline server for all reqs

Signed-off-by: Diana Atanasova <[email protected]>

* Fix persistence agent license file

Signed-off-by: Diana Atanasova <[email protected]>

---------

Signed-off-by: Diana Atanasova <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chensun chensun chensun approved these changes

@gkcalat gkcalat Awaiting requested review from gkcalat

Assignees

@chensun chensun

Labels
approved lgtm size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[feature] Make Persistence Agent use SA Token when calling KF APIServer endpoints
2 participants
@difince @chensun