Authorize other run api #2735

Merged
merged 114 commits into from
Dec 18, 2019

gaoning777
Contributor

@gaoning777 gaoning777 commented Dec 13, 2019

This change is Reviewable

@gaoning777 gaoning777 changed the title [WIP] Authorize other run api Authorize other run api Dec 16, 2019
@gaoning777
Contributor Author

/test kubeflow-pipeline-frontend-test

@IronPan
Member

IronPan commented Dec 18, 2019

/approve

@IronPan
Member

IronPan commented Dec 18, 2019

/lgtm
/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: IronPan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gaoning777
Contributor Author

/test kubeflow-pipeline-sample-test

@gaoning777
Contributor Author

/test kubeflow-pipeline-sample-test

@gaoning777
Contributor Author

/test kubeflow-pipeline-sample-test

@k8s-ci-robot k8s-ci-robot merged commit 90b701d into kubeflow:master Dec 18, 2019
Jeffwan pushed a commit to Jeffwan/pipelines that referenced this pull request Dec 9, 2020
* add namespace to some run APIs

* update only the create run api

* add resourcereference for namespace runs

* pass user identity header from the gRPC server to KFP service

* add variables in const

* declare a flag and fill in the authorizations

* add types to toModel func

* bug fix

* strip the namespace resource reference when mapping to the db model

* add unit tests

* add authorization

* interpret json response

* use gofmt

* add more meaningful error message; format

* refactoring codes

* separate workflow client

* replace belonging relationshipreference to owner

* put a todo for further investigation of using namespace or uuid

* apply gofmt

* revert minor change

* refactor codes

* minor change

* use internal server error in kfam client

* minor change

* use timeout in kfam client

* make kfam service host/port configurable

* minor changes

* update name

* rename

* update the util function to accept a list of resourcereferences

* better error message

* reformat

* remove IsRequestAuthorized func

* add multi-user mode flag

* apply different service accounts based on the multi-user mode flag

* apply service account only when it is not set

* add kfam host and port in config.json

* generalize the auth code

* rename KFAMInterface to KFAMClientInterface

* add kfam fake for tests

* add build bazel

* add unit tests for util func

* remove the config

* add unit test for authorization with httptest

* only initialize the kfam client when kubeflow deployment

* minor change

* fix typo

* wrap the whole auth func

* update authz logic to be enabled when it is kubeflow deployment

* change flag from kubeflow deployment to multiuser mode

* gofmt

* minor change

* combine getnamespace func

* insert annotation to disable istio injection

* move unit tests

* move fake kfam to the original kfam; create multiple fake kfam clients

* combine authorize func, add unit tests for util_test

* wrap errors

* fix unit test

* service unauthorized info to user

* better user errors

* inject default sa when it is empty or injected by the SDK in multi-user mode

* revert some accidental change

* revert some accidental change

* Update util.go

* make functions local

* deduplicate return values from isauthorized

* update kfam service host env variable

* disable istio injection

* set annotations to template instead of the workflow

* fix reference/value bug

* addressing comments

* Create an argoclient class

* move podnamespace to argo client

* addressing comments

* add authorization for other run modifier

* add unit tests to GetNamespaceFromResourceReferencesModel; add authorization to all modifying run api

* resolve circular dependency

* gofmt

* add unit tests for IsAuthorizedRunID

* addressing comments

* addressing comments

* addressing comments
magdalenakuhn17 pushed a commit to magdalenakuhn17/pipelines that referenced this pull request Oct 22, 2023
Signed-off-by: rachitchauhan43 <rachitchauhan43@gmail.com>