
[Mgmt Core] Enable CAE in auth policy #31314

Closed

Conversation


@pvaneck pvaneck commented Jul 26, 2023

With recent changes to Identity and Core, requests for CAE tokens are now disabled by default. Since the ARM API endpoint and ARM SDK both support CAE (with the ARM policy containing logic for handling these CAE claims challenges), ARMChallengeAuthenticationPolicy and AsyncARMChallengeAuthenticationPolicy were updated to ensure that enable_cae is set to True.

Since the paradigm is now shifting towards enabling CAE per-request with CAE disabled by default, this change allows credentials to still get CAE-enabled tokens when interacting with ARM SDKs.

With recent changes to Identity and Core, requests for
CAE tokens are now disabled by default. Since ARM supports CAE and ARM SDKs have logic for handling these CAE claims challenges,
ARMChallengeAuthenticationPolicy and AsyncARMChallengeAuthenticationPolicy were updated to ensure that enable_cae is set to True.

Signed-off-by: Paul Van Eck <paulvaneck@microsoft.com>
@pvaneck pvaneck marked this pull request as ready for review July 28, 2023 20:51

pvaneck commented Jul 28, 2023

@msyyc Would be great to have your review on this :)

@@ -46,6 +48,11 @@ class ARMChallengeAuthenticationPolicy(BearerTokenCredentialPolicy):
:param str scopes: required authentication scopes
"""

def __init__(self, credential: "TokenCredential", *scopes: str, **kwargs: Any) -> None:
# ARM supports Continuous Access Evaluation (CAE). This policy will enable it by default.
kwargs.setdefault("enable_cae", True)
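Review bot: the unconditional `kwargs.setdefault("enable_cae", True)` forwards a keyword that only newer azure-core understands, but the hunk is not paired with a minimum azure-core version in azure-mgmt-core's setup.py; as the discussion below notes, azure-core only pops `enable_cae` before calling into the transport from 1.29.0, so on an older core the kwarg can leak through to the transport. Suggest bumping the azure-core floor in setup.py in the same change, and adding a line to the `:param` docstring block just above stating that CAE is enabled by default and can be turned off by passing `enable_cae=False`, which `setdefault` still honours.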
Member

@pvaneck Shall we wait for azure-core==1.28.1 release then update setup.py of azure-mgmt-core. After that, merge the PR and release a new version for azure-mgmt-core ?

Member Author

Hey, I wouldn't be opposed to it. @xiangyan99, what do you think? Do you think this would warrant a minimum core version bump for azure-mgmt-core? I suppose we are technically setting a keyword arg that will only be handled in the latest core, although behavior changes with CAE being enabled/disabled mainly depend on whether the latest identity version is used or not.


@xiangyan99 xiangyan99 Aug 1, 2023

Waiting for azure-core 1.29.0 is a good idea because we added some protection code in 1.29.0 to pop enable_cae before calling into transport.

My question is do we want to make enable_cae default to True?

Are you sure that all mgmt libraries handle challenges correctly?

Client libraries decided to set enable_cae back to False by default because if a library does not handle the challenge correctly, it crashes. Hence we decided to make CAE an opt-in functionality and required each library to enable it explicitly.

Member Author

Yeah, makes sense regarding core versioning.

I think defaulting to true here should be fine as anything that uses the ARMChallengeAuthenticationPolicy would be able to handle challenges because of the on_challenge implementation. Not sure if we'd want to update each mgmt library to call something like:

authentication_policy=ARMChallengeAuthenticationPolicy( ... , enable_cae=True)

when we already know that the ARM endpoint supports CAE, so an update in this policy would opt-in all mgmt packages.

@msyyc WDYT?
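The opt-in semantics debated in this thread, as an added example that is not azure-mgmt-core's or azure-core's own code: a constructed model in which the base policy pops enable_cae before anything reaches the transport, the ARM subclass applies kwargs.setdefault so an explicit enable_cae=False still wins, and a claims challenge is parsed from WWW-Authenticate and used to re-request a token. All class and function names (RecordingCredential, BearerPolicyModel, ARMPolicyModel, make_challenge) are assumptions.

```python
import base64
import json
import re
from typing import Any, Dict, List, Optional


class RecordingCredential:
    """Constructed stand-in for a TokenCredential that records every get_token call."""
    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def get_token(self, *scopes: str, claims: Optional[str] = None,
                  enable_cae: bool = False, **kwargs: Any) -> str:
        self.calls.append({"scopes": scopes, "claims": claims, "enable_cae": enable_cae})
        return "cae-token" if enable_cae else "plain-token"


class BearerPolicyModel:
    """Assumed base policy (not azure-core's): pops enable_cae so it never reaches the
    transport, then forwards it to the credential on every token request."""
    def __init__(self, credential: RecordingCredential, *scopes: str, **kwargs: Any) -> None:
        self._credential = credential
        self._scopes = scopes
        self._enable_cae = bool(kwargs.pop("enable_cae", False))
        self.transport_kwargs = kwargs  # whatever is left is what a transport would see

    def request_token(self, claims: Optional[str] = None) -> str:
        return self._credential.get_token(*self._scopes, claims=claims,
                                          enable_cae=self._enable_cae)


class ARMPolicyModel(BearerPolicyModel):
    """Models the line under review: CAE on by default, explicit enable_cae=False still wins."""
    def __init__(self, credential: RecordingCredential, *scopes: str, **kwargs: Any) -> None:
        kwargs.setdefault("enable_cae", True)
        super().__init__(credential, *scopes, **kwargs)

    def on_challenge(self, www_authenticate: str) -> Optional[str]:
        """Extract the claims from a CAE challenge and re-request a token with them."""
        match = re.search(r'claims="([^"]+)"', www_authenticate)
        if not match:
            return None  # not a claims challenge: the 401 is final
        encoded = match.group(1)
        claims = base64.b64decode(encoded + "=" * (-len(encoded) % 4)).decode("utf-8")
        json.loads(claims)  # reject a malformed challenge before it reaches the credential
        return self.request_token(claims=claims)


def make_challenge(claims_json: str) -> str:
    """Constructed WWW-Authenticate value shaped like an ARM insufficient_claims challenge."""
    encoded = base64.b64encode(claims_json.encode("utf-8")).decode("ascii").rstrip("=")
    return f'Bearer error="insufficient_claims", claims="{encoded}"'
```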

github-actions bot commented Oct 6, 2023

Hi @pvaneck. Thank you for your interest in helping to improve the Azure SDK experience and for your contribution. We've noticed that there hasn't been recent engagement on this pull request. If this is still an active work stream, please let us know by pushing some changes or leaving a comment. Otherwise, we'll close this out in 7 days.

@github-actions github-actions bot added the no-recent-activity There has been no recent activity on this issue. label Oct 6, 2023
@github-actions
Hi @pvaneck. Thank you for your contribution. Since there hasn't been recent engagement, we're going to close this out. Feel free to respond with a comment containing /reopen if you'd like to continue working on these changes. Please be sure to use the command to reopen or remove the no-recent-activity label; otherwise, this is likely to be closed again with the next cleanup pass.

@github-actions github-actions bot closed this Oct 13, 2023