Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple CC Authorizer support CCManager #2396

Merged
merged 45 commits into from
Mar 19, 2024
Merged

Multiple CC Authorizer support CCManager #2396

merged 45 commits into from
Mar 19, 2024

Conversation

yhwen
Copy link
Collaborator

@yhwen yhwen commented Mar 8, 2024

Fixes # .

Description

CCManager support multiple CC Authorizer for token generation and verification.

  • multiple CC Authorizer based on the CCAuthorizer interface.
  • individual CC Authorizer token expiration configuration.
  • Configurable CC token verification frequency.
  • critical_level configuration to control Stop_Job or Shutdown_System if CC verification failure.

Sample component config in the "local/resource.json":

{
	"id": "cc_manager",
	"path": "nvflare.app_opt.confidential_computing.cc_manager.CCManager",
	"args": {
		"cc_issuers_conf": [
			{
  				  "issuer_id": "tdx_authorizer",
			  "token_expiration": 250
  				}
		],
		"cc_verifier_ids": ["tdx_authorizer"],
		"verify_frequency": 600,
		"critical_level": 2
	}
},
{
	"id": "tdx_authorizer",
	"path": "nvflare.app_opt.confidential_computing.tdx_authorizer.TDXAuthorizer",
	"args": {
		"tdx_cli_command": "/home/azureuser/TDX/client/tdx-cli/trustauthority-cli",
		"config_dir": "/home/azureuser/NVFlare/nvflare/poc/workspace/server/local"
	}
}

Types of changes

  • Non-breaking change (fix or new feature that would not break existing functionality).
  • Breaking change (fix or new feature that would cause existing functionality to change).
  • New tests added to cover the changes.
  • Quick tests passed locally by running ./runtest.sh.
  • In-line docstrings updated.
  • Documentation updated.

yhwen added 30 commits February 21, 2024 12:35
@yhwen
WIP: tdx_cc integration.
14d6b69
@yhwen
fixed toke_file read.
bc6b21e
@yhwen
WIP: added info for CC add client tokens.:
9f6b715
@yhwen
Fixed an error when client does not have CC token reported.
dd281f5
@yhwen
Added handle for client does not have CC_INFO.
4d87722
@yhwen
Added CLIENT_QUIT event for CCManager to remove client token.
8830069
@yhwen
Added _add_client_token client token logging info.
9fbdde3
@yhwen
Added peer_ctx for client quit.
dd9fe74
@yhwen
set_peer_context for client quit.
2f44cef
@yhwen
Changed the AUTHORIZATION_REASON set_prop sticky to False.
0f87eb3
@yhwen
WIP: TokenPundit interface change.
6ec9ae6
@yhwen
WIP: added cc_authorizer_ids config.
044201a
@yhwen
Added cc_issuer_id for CCManager.
3c593c0
@yhwen
renamed the TokenPundit to CCAutorizer.
7f74d68
@yhwen
Added CC token adding through client heartbeat.
ff55554
@yhwen
Added function to stop current running job if CC verify fail.
2c5f3bd
@yhwen
if CC failed to get toke, don't allow the system to start.
2f383d6
@yhwen
Added exceptions None check.
ea5ae61
@yhwen
Address the client side CC check before job scheduled.
13e0b6b
@yhwen
fixed the PEER_FL_CONTEXT error.
68d8d91
@yhwen
Added CCManager support to have multiple cc_issuers.
b9942e3
@yhwen
optimized CCManager.
91e3f40
@yhwen
updated the _verify_participants() logic.
6206452
@yhwen
set up the proper fl_ctx for admin send_requests().
51226d6
@yhwen
Add proper fl_ctx.
ed770ac
@yhwen
Refactor the CCManager.
f76fa1e
@yhwen
Refactor the CCManager and TDX_authorizer.
74a6059
@yhwen
Added TOKEN_EXPIRATION for each cc_issue in CCManager.
313ed21
@yhwen
Fixed CC TOKEN_EXPIRATION error.
40d70c6
@yhwen
refactor the CCManager _prepare_cc_info()
0c3c188
chesterxgchen
chesterxgchen reviewed Mar 8, 2024
View reviewed changes
Copy link
Collaborator

@chesterxgchen chesterxgchen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add few comments.

Notice there is no unit tests for this PR, we should add some critical ones.

yanchengnv
yanchengnv requested changes Mar 11, 2024
View reviewed changes
Copy link
Collaborator

@yanchengnv yanchengnv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please see my comments

nvflare/app_common/job_schedulers/job_scheduler.py Outdated Show resolved Hide resolved
nvflare/app_opt/confidential_computing/cc_authorizer.py Outdated Show resolved Hide resolved
nvflare/app_opt/confidential_computing/cc_authorizer.py Outdated Show resolved Hide resolved
nvflare/app_opt/confidential_computing/cc_authorizer.py Show resolved Hide resolved
nvflare/app_opt/confidential_computing/cc_authorizer.py Show resolved Hide resolved
nvflare/app_opt/confidential_computing/gpu_authorizer.py Outdated Show resolved Hide resolved
nvflare/app_opt/confidential_computing/tdx_authorizer.py Outdated Show resolved Hide resolved
nvflare/app_opt/confidential_computing/tdx_authorizer.py Outdated Show resolved Hide resolved
nvflare/private/fed/app/client/client_train.py Outdated Show resolved Hide resolved
nvflare/private/fed/app/deployer/server_deployer.py Outdated Show resolved Hide resolved
YuanTingHsieh
YuanTingHsieh reviewed Mar 12, 2024
View reviewed changes
Copy link
Collaborator

@YuanTingHsieh YuanTingHsieh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, good unit test showcasing how to use Mock in different ways.
Have some questions

nvflare/app_opt/confidential_computing/cc_authorizer.py Outdated Show resolved Hide resolved
nvflare/app_opt/confidential_computing/gpu_authorizer.py Outdated Show resolved Hide resolved
nvflare/private/fed/app/client/client_train.py Outdated Show resolved Hide resolved
nvflare/private/fed/app/deployer/server_deployer.py Outdated Show resolved Hide resolved
nvflare/private/fed/server/admin.py Show resolved Hide resolved
nvflare/app_opt/confidential_computing/cc_manager.py Show resolved Hide resolved
nvflare/app_opt/confidential_computing/cc_manager.py Show resolved Hide resolved
nvflare/app_opt/confidential_computing/tdx_authorizer.py Outdated Show resolved Hide resolved
nvflare/app_opt/confidential_computing/tdx_authorizer.py Outdated Show resolved Hide resolved
nvflare/app_opt/confidential_computing/cc_manager.py Show resolved Hide resolved
YuanTingHsieh
YuanTingHsieh previously approved these changes Mar 15, 2024
View reviewed changes
Copy link
Collaborator

@YuanTingHsieh YuanTingHsieh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

yanchengnv
yanchengnv requested changes Mar 18, 2024
View reviewed changes
Copy link
Collaborator

@yanchengnv yanchengnv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some issues I raised about cc_manager.py still are not addressed. Please look into them.

@yhwen
Copy link
Collaborator Author

yhwen commented Mar 18, 2024

Some issues I raised about cc_manager.py still are not addressed. Please look into them.

renamed the events to distinguish the events for server and client side.

yanchengnv
yanchengnv requested changes Mar 18, 2024
View reviewed changes
Copy link
Collaborator

@yanchengnv yanchengnv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The event name "PROCEEDED_XXX" isn't what you meant. Should change to PROCESSED_XXX.

nvflare/apis/event_type.py Outdated Show resolved Hide resolved
nvflare/apis/event_type.py Outdated Show resolved Hide resolved
nvflare/private/fed/server/fed_server.py Outdated Show resolved Hide resolved
nvflare/private/fed/server/fed_server.py Outdated Show resolved Hide resolved
yanchengnv
yanchengnv approved these changes Mar 19, 2024
View reviewed changes
Copy link
Collaborator

@yanchengnv yanchengnv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@yhwen yhwen merged commit 0e443f8 into NVIDIA:main Mar 19, 2024
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chesterxgchen chesterxgchen chesterxgchen left review comments

@yanchengnv yanchengnv yanchengnv approved these changes

@YuanTingHsieh YuanTingHsieh YuanTingHsieh left review comments

@IsaacYangSLA IsaacYangSLA Awaiting requested review from IsaacYangSLA

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@yhwen @chesterxgchen @YuanTingHsieh @yanchengnv