SeldonClient: Token Authentication without HTTPS #3032

Closed
maltemelzer opened this issue Mar 9, 2021 — with Board Genius Sync · 6 comments · Fixed by #3141

Describe the bug

When using a token for authentication, SeldonClient assumes an HTTPS connection. In development the connection could be with token but without HTTPS, e.g. when working with an SSH tunnel.

To reproduce

1. Create a Seldon Deployment with Istio and token authentication without HTTPS.
2. Use SeldonClient to send a REST or gRPC request.
3. SeldonClient will assume HTTPS and request will fail.

Expected behaviour

Manually setting a parameter for https/http possible. If None/not set, protocol defaults to the current selection method.

@maltemelzer maltemelzer added bug triage Needs to be triaged and prioritised accordingly labels Mar 9, 2021
@ukclivecox
Contributor

Looks like it's this code:

    if call_credentials is None:
        scheme = "http"
    else:
        scheme = "https"

We could add an extra argument which if not set follows the above logic but provides an override?

@ukclivecox ukclivecox added awaiting-feedback and removed triage Needs to be triaged and prioritised accordingly labels Mar 11, 2021
@axsaucedo
Contributor

axsaucedo commented Mar 15, 2021

I actually have this somewhere in my notes from a while back - it may point you in the right direction but auth is very fiddly if you do want to do it with the python client (but it's always fiddly):

# REACHING A REST ENDPOINT WITH TOKEN

from seldon_core.seldon_client import SeldonClient, SeldonCallCredentials, SeldonChannelCredentials

import numpy as np

url = "example.com"

token = TOKEN  # placeholder for the deployment's auth token
creds = SeldonCallCredentials(token=token)
verify = SeldonChannelCredentials(verify=False)  # TLS certificate verification is disabled

sc = SeldonClient(
    gateway_endpoint=url,
    namespace="default",
    payload_type="nparray",
    transport="rest",
    call_credentials=creds,
    channel_credentials=verify)

data = np.array(["Hello", "Good bye"])

sc.predict(data=data, deployment_name="ende-nmt-model-server", names=[])

# SIMPLE POST

import requests
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'ALL'

headers = {
    'X-Auth-Token': TOKEN
}

url = "example.com"  # placeholder; requests needs the full URL including the scheme

r = requests.post(
    url,
    json={"data": {"ndarray": ["Hello", "Good bye"]}},
    headers=headers,
    verify=False)  # TLS certificate verification is disabled
r.json()

# GRPC REQUEST RAW

import grpc
import numpy as np
from seldon_core.proto import prediction_pb2, prediction_pb2_grpc
from seldon_core.utils import array_to_grpc_datadef, seldon_message_to_json, \
    json_to_seldon_message, feedback_to_json, seldon_messages_to_json

data = np.array(["Hello", "Good bye"])

datadef = array_to_grpc_datadef("ndarray", data, names=[])
request = prediction_pb2.SeldonMessage(data=datadef)

with open("../cert.crt", 'rb') as f:
    trusted_certs = f.read()

channel_credentials = grpc.ssl_channel_credentials(root_certificates=trusted_certs)

def auth_meta(context, callback):
    return callback((("X-Auth-Token", token),), None)

token = TOKEN
call_credentials = grpc.metadata_call_credentials(
    lambda context, callback: callback((("x-auth-token", token),), None))

# call_credentials = grpc.access_token_call_credentials(token)

credentials = grpc.composite_channel_credentials(channel_credentials, call_credentials)

url = "example.com"

options = [
        ('grpc.max_send_message_length', 4 * 1024 * 1024),
        ('grpc.max_receive_message_length', 4 * 1024 * 1024),
        ('grpc.ssl_target_name_override', url)]

channel = grpc.secure_channel(f"{url}:443", credentials, options)

print(url, options)
stub = prediction_pb2_grpc.SeldonStub(channel)
metadata = [('seldon', "ende-nmt-model-server-grpc"), ('namespace', "default")]

response = stub.Predict(request=request, metadata=metadata)

# GRPC PYTHON CLIENT EXAMPLE

from seldon_core.seldon_client import SeldonClient, SeldonCallCredentials, SeldonChannelCredentials

import numpy as np

url = "example.com"

token = TOKEN
creds = SeldonCallCredentials(token=token)
verify = SeldonChannelCredentials(
    verify=False,
    root_certificates_file="../cert.crt"
)

sc = SeldonClient(
    gateway_endpoint=url,
    namespace="default",
    payload_type="nparray",
    transport="grpc",
    call_credentials=creds,
    channel_credentials=verify)

data = np.array(["Hello", "Good bye"])

sc.predict(data=data, deployment_name="ende-nmt-model-server-grpc", names=[])

@maltemelzer
Author

maltemelzer commented Mar 16, 2021

Looks like it's this code:

    if call_credentials is None:
        scheme = "http"
    else:
        scheme = "https"

We could add an extra argument which if not set follows the above logic but provides an override?

For HTTP an extra argument to override would be good.

Using the gRPC-Endpoint I think it is defined in here:

    else:
        grpc_channel_credentials = grpc.ssl_channel_credentials()

An extra argument for no ssl could change it to:

    grpc_channel_credentials = grpc.local_channel_credentials()
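
The override discussed in this thread, sketched as an added example (not SeldonClient code and not the change made in #3141). The names `resolve_scheme`, `use_ssl` and `allow_plaintext_token` are hypothetical; leaving `use_ssl` unset keeps the selection logic quoted above, and a token goes over plain HTTP only to a loopback endpoint (such as a local SSH-tunnel port) or on explicit opt-in.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


def is_loopback(gateway_endpoint: str) -> bool:
    """True when the endpoint host is localhost or a loopback IP address."""
    host = urlsplit("//" + gateway_endpoint).hostname or ""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return False


def resolve_scheme(gateway_endpoint: str, has_token: bool,
                   use_ssl: Optional[bool] = None,
                   allow_plaintext_token: bool = False) -> str:
    """Return 'http' or 'https' for the request URL.

    use_ssl=None  -> behaviour quoted in the issue (token implies https).
    use_ssl=True  -> always https.
    use_ssl=False -> http, but a token is only sent in clear text to a
                     loopback endpoint or with allow_plaintext_token=True.
    """
    if use_ssl is None:
        return "https" if has_token else "http"
    if use_ssl:
        return "https"
    if has_token and not (is_loopback(gateway_endpoint) or allow_plaintext_token):
        raise ValueError(
            f"refusing to send a token over plain HTTP to {gateway_endpoint!r}")
    return "http"
```
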

@ukclivecox
Contributor

Can you create a small PR for this?

@axsaucedo axsaucedo changed the title SeldonClient: Token Authentication without HTTPS OSS-211: SeldonClient: Token Authentication without HTTPS Apr 26, 2021
@juliusvonkohout
Contributor

Can you create a small PR for this?

Done in #3141

@axsaucedo axsaucedo changed the title OSS-211: SeldonClient: Token Authentication without HTTPS SeldonClient: Token Authentication without HTTPS Apr 26, 2021
@juliusvonkohout
Contributor

@axsaucedo you just closed my pull request. What exactly needs to be changed? Or do you want to do a pull request yourself?
