admin

package
v1.11.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 12, 2024 License: Apache-2.0 Imports: 36 Imported by: 8

Documentation

Overview

Initializes an Admin Client that exposes all implemented services by FlyteAdmin server. The library supports different authentication flows (see AuthType). It initializes the grpc connection once and reuses it. A grpc load balancing policy can be configured as well.

Index

Examples

Constants

View Source
const DefaultAuthorizationHeader = "authorization"
View Source
const (
	DefaultClientID = "flytepropeller"
)
View Source
const ProxyAuthorizationHeader = "proxy-authorization"

Variables

View Source
var DefaultClientSecretLocation = filepath.Join(string(filepath.Separator), "etc", "secrets", "client_secret")

Functions

func GetAdditionalAdminClientConfigOptions

func GetAdditionalAdminClientConfigOptions(cfg *Config) []grpc.DialOption

func GetDeviceFlowAuthTokenSource

func GetDeviceFlowAuthTokenSource(ctx context.Context, deviceFlowOrchestrator deviceflow.TokenOrchestrator) (oauth2.TokenSource, error)

GetDeviceFlowAuthTokenSource Returns the token source which would be used for device auth flow

func GetPKCEAuthTokenSource

func GetPKCEAuthTokenSource(ctx context.Context, pkceTokenOrchestrator pkce.TokenOrchestrator) (oauth2.TokenSource, error)

Returns the token source which would be used for three legged oauth. eg : for admin to authorize access to flytectl

func GetProxyTokenSource added in v1.9.17

func GetProxyTokenSource(ctx context.Context, cfg *Config) (oauth2.TokenSource, error)

func InitializeAdminClient

func InitializeAdminClient(ctx context.Context, cfg *Config, opts ...grpc.DialOption) service.AdminServiceClient

InitializeAdminClient creates an AdminClient with a shared Admin connection for the process Deprecated: Please use initializeClients instead.

func InitializeAuthMetadataClient

func InitializeAuthMetadataClient(ctx context.Context, cfg *Config, proxyCredentialsFuture *PerRPCCredentialsFuture) (client service.AuthMetadataServiceClient, err error)

InitializeAuthMetadataClient creates a new anonymously Auth Metadata Service client.

func InitializeMockAdminClient

func InitializeMockAdminClient() service.AdminServiceClient

func MaterializeCredentials

func MaterializeCredentials(ctx context.Context, cfg *Config, tokenCache cache.TokenCache, perRPCCredentials *PerRPCCredentialsFuture, proxyCredentialsFuture *PerRPCCredentialsFuture) error

MaterializeCredentials will attempt to build a TokenSource given the anonymously available information exposed by the server. Once established, it'll invoke PerRPCCredentialsFuture.Store() on perRPCCredentials to populate it with the appropriate values.

func MaterializeProxyAuthCredentials added in v1.9.17

func MaterializeProxyAuthCredentials(ctx context.Context, cfg *Config, proxyCredentialsFuture *PerRPCCredentialsFuture) error

func NewAdminClient

func NewAdminClient(ctx context.Context, conn *grpc.ClientConn) service.AdminServiceClient

func NewAdminConnection

func NewAdminConnection(ctx context.Context, cfg *Config, proxyCredentialsFuture *PerRPCCredentialsFuture, opts ...grpc.DialOption) (*grpc.ClientConn, error)

func NewAuthInterceptor

func NewAuthInterceptor(cfg *Config, tokenCache cache.TokenCache, credentialsFuture *PerRPCCredentialsFuture, proxyCredentialsFuture *PerRPCCredentialsFuture) grpc.UnaryClientInterceptor

NewAuthInterceptor creates a new grpc.UnaryClientInterceptor that forwards the grpc call and inspects the error. It will first invoke the grpc pipeline (to proceed with the request) with no modifications. It's expected for the grpc pipeline to already have a grpc.WithPerRPCCredentials() DialOption. If the perRPCCredentials has already been initialized, it'll take care of refreshing when tokens expire... etc. If the first invocation succeeds (either due to grpc.PerRPCCredentials setting the right tokens or the server not requiring authentication), the interceptor will be no-op. If the first invocation fails with an auth error, this interceptor will then attempt to establish a token source once more. It'll fail hard if it couldn't do so (i.e. it will no longer attempt to send an unauthenticated request). Once a token source has been created, it'll invoke the grpc pipeline again, this time the grpc.PerRPCCredentials should be able to find and acquire a valid AccessToken to annotate the request with.

func NewProxyAuthInterceptor added in v1.9.17

func NewProxyAuthInterceptor(cfg *Config, proxyCredentialsFuture *PerRPCCredentialsFuture) grpc.UnaryClientInterceptor

func SetConfig

func SetConfig(cfg *Config) error

Types

type AuthType

type AuthType uint8
const (
	// AuthTypeClientSecret Chooses Client Secret OAuth2 protocol (ref: https://tools.ietf.org/html/rfc6749#section-4.4)
	AuthTypeClientSecret AuthType = iota
	// AuthTypePkce Chooses Proof Key Code Exchange OAuth2 extension protocol (ref: https://tools.ietf.org/html/rfc7636)
	AuthTypePkce
	// AuthTypeExternalCommand Chooses an external authentication process
	AuthTypeExternalCommand
	// AuthTypeDeviceFlow Uses device flow to authenticate in a constrained environment with no access to browser
	AuthTypeDeviceFlow
)

func AuthTypeString

func AuthTypeString(s string) (AuthType, error)

AuthTypeString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.

func AuthTypeValues

func AuthTypeValues() []AuthType

AuthTypeValues returns all values of the enum

func (AuthType) IsAAuthType

func (i AuthType) IsAAuthType() bool

IsAAuthType returns "true" if the value is listed in the enum definition. "false" otherwise

func (AuthType) MarshalJSON

func (i AuthType) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for AuthType

func (AuthType) MarshalYAML

func (i AuthType) MarshalYAML() (interface{}, error)

MarshalYAML implements a YAML Marshaler for AuthType

func (AuthType) String

func (i AuthType) String() string

func (*AuthType) UnmarshalJSON

func (i *AuthType) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for AuthType

func (*AuthType) UnmarshalYAML

func (i *AuthType) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements a YAML Unmarshaler for AuthType

type ClientCredentialsTokenSourceProvider

type ClientCredentialsTokenSourceProvider struct {
	// contains filtered or unexported fields
}

func (ClientCredentialsTokenSourceProvider) GetTokenSource

type Clientset

type Clientset struct {
	// contains filtered or unexported fields
}

Clientset contains the clients exposed to communicate with various admin services.

func InitializeMockClientset

func InitializeMockClientset() *Clientset

func (Clientset) AdminClient

func (c Clientset) AdminClient() service.AdminServiceClient

AdminClient retrieves the AdminServiceClient

func (Clientset) AuthMetadataClient

func (c Clientset) AuthMetadataClient() service.AuthMetadataServiceClient

AuthMetadataClient retrieves the AuthMetadataServiceClient

func (Clientset) DataProxyClient

func (c Clientset) DataProxyClient() service.DataProxyServiceClient

func (Clientset) HealthServiceClient

func (c Clientset) HealthServiceClient() grpc_health_v1.HealthClient

HealthServiceClient retrieves the grpc_health_v1.HealthClient

func (Clientset) IdentityClient

func (c Clientset) IdentityClient() service.IdentityServiceClient

func (Clientset) SignalServiceClient

func (c Clientset) SignalServiceClient() service.SignalServiceClient

type ClientsetBuilder

type ClientsetBuilder struct {
	// contains filtered or unexported fields
}

ClientsetBuilder is used to build the clientset. This allows custom token cache implementations to be plugged in.

func ClientSetBuilder

func ClientSetBuilder() *ClientsetBuilder

ClientSetBuilder is constructor function to be used by the clients in interacting with the builder

Example
ctx := context.Background()
// Create a client set that initializes the connection with flyte admin and sets up Auth (if needed).
// See AuthType for a list of supported authentication types.
clientSet, err := NewClientsetBuilder().WithConfig(GetConfig(ctx)).Build(ctx)
if err != nil {
	logger.Fatalf(ctx, "failed to initialized clientSet from config. Error: %v", err)
}

// Access and use the desired client:
_ = clientSet.AdminClient()
_ = clientSet.AuthMetadataClient()
_ = clientSet.IdentityClient()
Output:

func NewClientsetBuilder

func NewClientsetBuilder() *ClientsetBuilder

func (*ClientsetBuilder) Build

func (cb *ClientsetBuilder) Build(ctx context.Context) (*Clientset, error)

Build the clientset using the current state of the ClientsetBuilder

func (*ClientsetBuilder) WithConfig

func (cb *ClientsetBuilder) WithConfig(config *Config) *ClientsetBuilder

WithConfig provides the admin config to be used for constructing the clientset

func (*ClientsetBuilder) WithDialOptions

func (cb *ClientsetBuilder) WithDialOptions(opts ...grpc.DialOption) *ClientsetBuilder

func (*ClientsetBuilder) WithTokenCache

func (cb *ClientsetBuilder) WithTokenCache(tokenCache cache.TokenCache) *ClientsetBuilder

WithTokenCache allows pluggable token cache implementations. eg; flytectl uses keyring as tokenCache

type Config

type Config struct {
	Endpoint              config.URL      `json:"endpoint" pflag:",For admin types, specify where the uri of the service is located."`
	UseInsecureConnection bool            `json:"insecure" pflag:",Use insecure connection."`
	InsecureSkipVerify    bool            `` /* 186-byte string literal not displayed */
	CACertFilePath        string          `json:"caCertFilePath" pflag:",Use specified certificate file to verify the admin server peer."`
	MaxBackoffDelay       config.Duration `json:"maxBackoffDelay" pflag:",Max delay for grpc backoff"`
	PerRetryTimeout       config.Duration `json:"perRetryTimeout" pflag:",gRPC per retry timeout"`
	MaxRetries            int             `json:"maxRetries" pflag:",Max number of gRPC retries"`
	AuthType              AuthType        `` /* 129-byte string literal not displayed */
	TokenRefreshWindow    config.Duration `json:"tokenRefreshWindow" pflag:",Max duration between token refresh attempt and token expiry."`
	// Deprecated: settings will be discovered dynamically
	DeprecatedUseAuth    bool     `json:"useAuth" pflag:",Deprecated: Auth will be enabled/disabled based on admin's dynamically discovered information."`
	ClientID             string   `json:"clientId" pflag:",Client ID"`
	ClientSecretLocation string   `json:"clientSecretLocation" pflag:",File containing the client secret"`
	ClientSecretEnvVar   string   `json:"clientSecretEnvVar" pflag:",Environment variable containing the client secret"`
	Scopes               []string `json:"scopes" pflag:",List of scopes to request"`
	UseAudienceFromAdmin bool     `json:"useAudienceFromAdmin" pflag:",Use Audience configured from admins public endpoint config."`
	Audience             string   `json:"audience" pflag:",Audience to use when initiating OAuth2 authorization requests."`

	// There are two ways to get the token URL. If the authorization server url is provided, the client will try to use RFC 8414 to
	// try to get the token URL. Or it can be specified directly through TokenURL config.
	// Deprecated: This will now be discovered through admin's anonymously accessible metadata.
	DeprecatedAuthorizationServerURL string `json:"authorizationServerUrl" pflag:",This is the URL to your IdP's authorization server. It'll default to Endpoint"`
	// If not provided, it'll be discovered through admin's anonymously accessible metadata endpoint.
	TokenURL string `` /* 141-byte string literal not displayed */

	// See the implementation of the 'grpcAuthorizationHeader' option in Flyte Admin for more information. But
	// basically we want to be able to use a different string to pass the token from this client to the the Admin service
	// because things might be running in a service mesh (like Envoy) that already uses the default 'authorization' header
	AuthorizationHeader string `json:"authorizationHeader" pflag:",Custom metadata header to pass JWT"`

	PkceConfig pkce.Config `json:"pkceConfig" pflag:",Config for Pkce authentication flow."`

	DeviceFlowConfig deviceflow.Config `json:"deviceFlowConfig" pflag:",Config for Device authentication flow."`

	Command []string `json:"command" pflag:",Command for external authentication token generation"`

	ProxyCommand []string `json:"proxyCommand" pflag:",Command for external proxy-authorization token generation"`

	// Set the gRPC service config formatted as a json string https://github.com/grpc/grpc/blob/master/doc/service_config.md
	// eg. {"loadBalancingConfig": [{"round_robin":{}}], "methodConfig": [{"name":[{"service": "foo", "method": "bar"}, {"service": "baz"}], "timeout": "1.000000001s"}]}
	// find the full schema here https://github.com/grpc/grpc-proto/blob/master/grpc/service_config/service_config.proto#L625
	// Note that required packages may need to be preloaded to support certain service config. For example "google.golang.org/grpc/balancer/roundrobin" should be preloaded to have round-robin policy supported.
	DefaultServiceConfig string `json:"defaultServiceConfig" pdflag:",Set the default service config for the admin gRPC client"`

	// HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy
	HTTPProxyURL config.URL `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."`
}

func GetConfig

func GetConfig(ctx context.Context) *Config

func (Config) GetPFlagSet

func (cfg Config) GetPFlagSet(prefix string) *pflag.FlagSet

GetPFlagSet will return strongly types pflags for all fields in Config and its nested types. The format of the flags is json-name.json-sub-name... etc.

type CustomHeaderTokenSource

type CustomHeaderTokenSource struct {
	// contains filtered or unexported fields
}

CustomHeaderTokenSource class is here because we cannot use the normal "github.com/grpc/grpc-go/credentials/oauth" package to satisfy the credentials.PerRPCCredentials interface. This is because we want to be able to support a different 'header' when passing the token in the gRPC call's metadata. The default is filled in in the constructor if none is supplied.

func NewCustomHeaderTokenSource

func NewCustomHeaderTokenSource(source oauth2.TokenSource, insecure bool, customHeader string) CustomHeaderTokenSource

func (CustomHeaderTokenSource) GetRequestMetadata

func (ts CustomHeaderTokenSource) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)

GetRequestMetadata gets the authorization metadata as a map using a TokenSource to generate a token

func (CustomHeaderTokenSource) RequireTransportSecurity

func (ts CustomHeaderTokenSource) RequireTransportSecurity() bool

RequireTransportSecurity returns whether this credentials class requires TLS/SSL. OAuth uses Bearer tokens that are susceptible to MITM (Man-In-The-Middle) attacks that are mitigated by TLS/SSL. We may return false here to make it easier to setup auth. However, in a production environment, TLS for OAuth2 is a requirement. see also: https://tools.ietf.org/html/rfc6749#section-3.1

type DeviceFlowTokenSourceProvider

type DeviceFlowTokenSourceProvider struct {
	// contains filtered or unexported fields
}

func (DeviceFlowTokenSourceProvider) GetTokenSource

type ExternalTokenSourceProvider

type ExternalTokenSourceProvider struct {
	// contains filtered or unexported fields
}

func (ExternalTokenSourceProvider) GetTokenSource

type PKCETokenSourceProvider

type PKCETokenSourceProvider struct {
	// contains filtered or unexported fields
}

func (PKCETokenSourceProvider) GetTokenSource

type PerRPCCredentialsFuture

type PerRPCCredentialsFuture struct {
	// contains filtered or unexported fields
}

PerRPCCredentialsFuture is a future wrapper for credentials.PerRPCCredentials that can act as one and also be materialized later.

func NewPerRPCCredentialsFuture

func NewPerRPCCredentialsFuture() *PerRPCCredentialsFuture

NewPerRPCCredentialsFuture initializes a new PerRPCCredentialsFuture that can act as a credentials.PerRPCCredentials and can also be resolved in the future. Users of the future can check if it has been initialized before by calling PerRPCCredentialsFuture.IsInitialized(). Calling PerRPCCredentialsFuture.Get() multiple times will return the same stored object (unless it changed in between calls). Calling PerRPCCredentialsFuture.Store() multiple times is supported and will result in overriding the old value atomically.

Example
f := NewPerRPCCredentialsFuture()

// Starts uninitialized
fmt.Println("Initialized:", f.IsInitialized())

// Implements credentials.PerRPCCredentials so can be used as one
m, err := f.GetRequestMetadata(context.TODO(), "")
fmt.Println("GetRequestMetadata:", m, "Error:", err)

// Materialize the value later and populate
tokenSource := DummyTestTokenSource{}
f.Store(NewCustomHeaderTokenSource(tokenSource, false, "my_custom_header"))

// Future calls to credentials.PerRPCCredentials methods will use the new instance
m, err = f.GetRequestMetadata(context.TODO(), "")
fmt.Println("GetRequestMetadata:", m, "Error:", err)
Output:

Initialized: false
GetRequestMetadata: map[] Error: <nil>
GetRequestMetadata: map[my_custom_header:Bearer abc] Error: <nil>

func (*PerRPCCredentialsFuture) Get

func (*PerRPCCredentialsFuture) GetRequestMetadata

func (ts *PerRPCCredentialsFuture) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)

GetRequestMetadata gets the authorization metadata as a map using a TokenSource to generate a token

func (*PerRPCCredentialsFuture) IsInitialized

func (ts *PerRPCCredentialsFuture) IsInitialized() bool

func (*PerRPCCredentialsFuture) RequireTransportSecurity

func (ts *PerRPCCredentialsFuture) RequireTransportSecurity() bool

RequireTransportSecurity returns whether this credentials class requires TLS/SSL. OAuth uses Bearer tokens that are susceptible to MITM (Man-In-The-Middle) attacks that are mitigated by TLS/SSL. We may return false here to make it easier to setup auth. However, in a production environment, TLS for OAuth2 is a requirement. see also: https://tools.ietf.org/html/rfc6749#section-3.1

func (*PerRPCCredentialsFuture) Store

func (ts *PerRPCCredentialsFuture) Store(tokenSource credentials.PerRPCCredentials)

type TokenSource

type TokenSource interface {
	Token() (*oauth2.Token, error)
}

type TokenSourceProvider

type TokenSourceProvider interface {
	GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)
}

TokenSourceProvider defines the interface needed to provide a TokenSource that is used to create a client with authentication enabled.

func NewClientCredentialsTokenSourceProvider

func NewClientCredentialsTokenSourceProvider(ctx context.Context, cfg *Config, scopes []string, tokenURL string,
	tokenCache cache.TokenCache, audience string) (TokenSourceProvider, error)

func NewDeviceFlowTokenSourceProvider

func NewDeviceFlowTokenSourceProvider(baseTokenOrchestrator tokenorchestrator.BaseTokenOrchestrator, deviceFlowConfig deviceflow.Config) (TokenSourceProvider, error)

func NewExternalTokenSourceProvider

func NewExternalTokenSourceProvider(command []string) (TokenSourceProvider, error)

func NewPKCETokenSourceProvider

func NewPKCETokenSourceProvider(baseTokenOrchestrator tokenorchestrator.BaseTokenOrchestrator, pkceCfg pkce.Config) (TokenSourceProvider, error)

func NewTokenSourceProvider

func NewTokenSourceProvider(ctx context.Context, cfg *Config, tokenCache cache.TokenCache,
	authClient service.AuthMetadataServiceClient) (TokenSourceProvider, error)

Directories

Path Synopsis
Provides the setup required for the client to perform the "Authorization Code" flow with PKCE in order to obtain an access token for public/untrusted clients.
Provides the setup required for the client to perform the "Authorization Code" flow with PKCE in order to obtain an access token for public/untrusted clients.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL