
KFP SDK should support gcloud credential #1104

Closed
hongye-sun opened this issue Apr 8, 2019 · 14 comments · Fixed by #1443
Labels
area/sdk/client help wanted The community is welcome to contribute. kind/bug priority/p1

Comments

hongye-sun (Contributor) commented:

This is required when a user wants to talk to a remote KFP endpoint that is protected by IAP from a local environment.

The current support we have is to look for GCE service account credentials on the machine and send them to pass the IAP auth. We also need to support using the user's gcloud credential for the local command line experience.

Ark-kun (Contributor) commented Apr 9, 2019

/cc @kevinbache

jlewi (Contributor) commented Apr 10, 2019

For GCP IAP see here for how to obtain a JWT and attach it to the request.
https://cloud.google.com/iap/docs/authentication-howto

You can't use the gcloud credential e.g. gcloud auth print-access-token.

This is by design because gcloud has a credential with cloud platform scope whereas with IAP a user is accessing web services separate from Google cloud.

IronPan (Member) commented May 16, 2019

Update -
The Python client library needs to expose the option to set the request header.
https://github.com/kubeflow/pipelines/blob/master/sdk/python/kfp/_client.py#L226

Ark-kun (Contributor) commented May 16, 2019

> The Python client library needs to expose the option to set the request header.

Can you elaborate? Does the client need to add Authorization: Bearer to all requests?

Ark-kun (Contributor) commented May 16, 2019

> Update -
> The Python client library needs to expose the option to set the request header.
> https://github.com/kubeflow/pipelines/blob/master/sdk/python/kfp/_client.py#L226

We're already setting the header here: https://github.com/kubeflow/pipelines/blob/master/sdk/python/kfp/_client.py#L64

The Client class has a client_id parameter that's used to fetch the token: https://github.com/kubeflow/pipelines/blob/master/sdk/python/kfp/_auth.py#L28

Do we need to add something extra?

hongye-sun (Contributor, Author) commented:

The current implementation only supports auth from a service account. In order to support auth from a desktop, we will need to implement a flow similar to the Cloud SDK's:

  1. Allow the user to provide the IAP client ID and another client ID and secret.
  2. Print out a link that opens a browser for the user to log in with a Google account, so the code can obtain the authorization code. (Not sure how the Cloud SDK gets data back from the browser, but it should be doable.)
  3. Use the other client ID, secret and auth code to get the refresh token.
  4. Persist the refresh token to local disk.
  5. Use the IAP client ID, other client ID, other client secret and refresh token to exchange for an ID token, which may only last for a short period.
  6. Set the ID token in the header of each request to the KFP endpoint until it expires, then repeat from step 5.

It does not seem trivial to implement. Not sure if there is an easier way to support the whole flow.
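Steps 5 and 6 of the comment above, as an added example (not code from the kfp SDK or from this thread): a small Python helper that exchanges a persisted refresh token for an ID token using the request fields described in the IAP desktop-app document linked in this thread, and only re-exchanges when the cached token is about to expire or was minted for the wrong audience. The class name, the injected `post` callable and the expiry skew are assumptions of this example; in real use `post` would wrap `requests.post(...).json()`.

```python
import base64
import json
import time

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint


def jwt_claims(token):
    """Decode a JWT payload without verifying it: the token holder only needs
    exp/aud to decide whether it is still usable; IAP verifies the signature."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


class IapIdTokenProvider:
    """Exchanges a persisted refresh token for short-lived ID tokens (steps 5 and 6)."""

    def __init__(self, iap_client_id, desktop_client_id, desktop_client_secret,
                 refresh_token, post, skew_seconds=60):
        self.iap_client_id = iap_client_id
        self.desktop_client_id = desktop_client_id  # the "other client id" of step 1
        self.desktop_client_secret = desktop_client_secret
        self.refresh_token = refresh_token  # loaded from local disk (step 4)
        self.post = post  # post(url, form) -> decoded JSON dict, e.g. requests.post(...).json()
        self.skew = skew_seconds  # re-exchange this many seconds before exp
        self._id_token = None

    def token_request(self):
        # Step 5: form fields the IAP desktop-app flow sends to the token endpoint.
        return {"grant_type": "refresh_token",
                "client_id": self.desktop_client_id,
                "client_secret": self.desktop_client_secret,
                "refresh_token": self.refresh_token,
                "audience": self.iap_client_id}

    def usable(self, token):
        claims = jwt_claims(token)
        # Reject a token minted for another audience, and one about to expire.
        return (claims.get("aud") == self.iap_client_id
                and claims.get("exp", 0) > time.time() + self.skew)

    def id_token(self):
        if self._id_token is None or not self.usable(self._id_token):
            self._id_token = self.post(TOKEN_ENDPOINT, self.token_request())["id_token"]
            if not self.usable(self._id_token):
                raise ValueError("token endpoint returned an ID token with wrong aud or exp")
        return self._id_token

    def auth_header(self):
        # Step 6: attach to every request to the KFP endpoint; re-exchanges on expiry.
        return {"Authorization": "Bearer " + self.id_token()}
```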

@Ark-kun Ark-kun self-assigned this May 20, 2019
Ark-kun (Contributor) commented May 21, 2019

> 2. Print out a link that opens a browser for the user to log in with a Google account, so the code can obtain the authorization code. (Not sure how the Cloud SDK gets data back from the browser, but it should be doable.)

Isn't this what gcloud auth login is doing?
It then persists the credentials locally and allows some tools to use them.

daikeshi (Contributor) commented Jul 23, 2019

Is there any plan to add gcloud credential support for the IAP endpoint? We are building a managed Kubeflow cluster for multiple teams to use. It'll be super helpful if gcloud credentials are supported for the IAP endpoint. Otherwise, teams will have to download a service account key to connect with kfp.Client, or we will need to grant them the Kubernetes Engine Developer role. If there's anything I can help with, please let me know. I'm happy to contribute! Thanks!

@hongye-sun hongye-sun added help wanted The community is welcome to contribute. priority/p1 and removed priority/p0 labels Jul 23, 2019
hongye-sun (Contributor, Author) commented:

/reopen

Reopening the bug to support the IAP auth token from a desktop. The original fix only works if the user is in the k8s developer role, which doesn't work for the "managed kubeflow" use case.

@daikeshi, the details on how to get the auth token are in https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_a_desktop_app.

Please refer to my previous comment for a rough idea of how to support it in the SDK. It seems non-trivial.

k8s-ci-robot (Contributor) commented:

@hongye-sun: Reopened this issue.

In response to this:

> /reopen
>
> Reopening the bug to support the IAP auth token from a desktop. The original fix only works if the user is in the k8s developer role, which doesn't work for the "managed kubeflow" use case.
>
> @daikeshi, the details on how to get the auth token are in https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_a_desktop_app.
>
> Please refer to my previous comment for a rough idea of how to support it in the SDK. It seems non-trivial.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot reopened this Jul 23, 2019
daikeshi (Contributor) commented Jul 23, 2019

@hongye-sun thanks! It does seem complicated. I'll give it a try and see how much I can help with :-)

@Ark-kun Ark-kun removed their assignment Jul 25, 2019
jlewi (Contributor) commented Aug 4, 2019

What does gcloud credential mean?

Do you mean using gcloud auth print-access-token? The access token generated by gcloud won't work with IAP-enabled endpoints; this is by design.

You can use IAP with end user credentials and don't need to use a service account. I think the way this works is the SDK should generate a JWT to attach to requests. To generate the JWT you direct the user through the OAuth web flow.

jlewi (Contributor) commented Sep 8, 2019

@IronPan Is this issue still relevant? I believe you tested 0.6 with IAP and were able to successfully submit pipelines (see #1080) via the SDK using IAP.

gaoning777 (Contributor) commented:

It is supported in #2626.
Feel free to reopen the issue.

magdalenakuhn17 pushed a commit to magdalenakuhn17/pipelines that referenced this issue Oct 22, 2023
HumairAK pushed a commit to red-hat-data-services/data-science-pipelines that referenced this issue Mar 11, 2024
Allow users to specify the image for `step-move-all-results-to-tekton-home`
step. Add an env variable for the custom image: `MOVERESULTS_IMAGE`
in the api server.

Signed-off-by: Yihong Wang <yh.wang@ibm.com>
9 participants