Add authorization mechanisms in new Katib UI backend (#1983)
* UI(back): Add authorization mechanisms in new Katib UI backend

  * Introduce helper ENV vars and functions for authentication and authorization checks. The authz checks are using SubjectAccessReviews objects.
    * BACKEND_MODE={dev,prod}: skip authz when in dev mode
    * APP_DISABLE_AUTH={bool}: skip authz if explicitly requested
  * Introduce a client-go client to construct SubjectAccessReview objects.
  * Before any request proceeds to K8s api-server:
    * check if authorization must be skipped (BACKEND_MODE, APP_DISABLE_AUTH)
    * check if a username is provided in request Header
    * query the K8s api-server with SAR to ensure that the user has appropriate access privileges
  * Replace the /katib/fetch_experiment/ route with /katib/fetch_namespaces_experiments. This route expects a namespace as a query parameter from which all experiments will be fetched.

  Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>

* UI(front): Provide a namespace as a query parameter

  This is needed for the new /katib/fetch_namespaced_experiments route.

  Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>

* Update README for running locally without auth

  Update the README of the web app to expose that devs should set APP_DISABLE_AUTH=true when running locally, since there's no authnz when running locally.

  Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>

* remove duplicated variable types

  Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>

* Review fixes

  * proper error handling.
  * switch to Go's built-in errors package.
  * set appropriate verbs when constructing SAR objects.

  Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>

* review: Use controller-runtime client to create SAR objects

  Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>

* Review fixes

  * fix backend routes.
    * '/katib/fetch_namespaces' to fetch experiments in a namespace
    * 'FetchExperiments' handler
  * hit the appropriate route from frontend and provide namespace as a query parameter to fetch experiments
  * remove BACKEND_MODE env var in favour of the more specific APP_DISABLE_AUTH

  Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>

* Review fixes

  * Add constants for CRUD actions
  * Add plural for experiments and suggestions as constants
  * Add GetUsername logic under IsAuthorized and handle errors properly
  * Have APP_DISABLE_AUTH by default as true, since currently Katib doesn't support this feature in standalone mode.

  Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>

Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>
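As an added illustration of the check order the commit message describes (not the commit's own code), a Go sketch of the IsAuthorized flow: skip when auth is disabled, require a username header, then ask the api-server through a SubjectAccessReview. The header name, the SARRequest stand-in type and the AllowFunc fake are assumptions; the real backend issues the SAR through client-go/controller-runtime, which this offline example does not import.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// CRUD verbs and resource plurals as constants, as the message describes.
const (
	ActionGet         = "get"
	ActionList        = "list"
	ActionCreate      = "create"
	ActionDelete      = "delete"
	ExperimentsPlural = "experiments"
	SuggestionsPlural = "suggestions"
	// Assumed header name: the message only says the username comes from a request header.
	UserHeader = "kubeflow-userid"
)

// SARRequest holds the SubjectAccessReview spec fields the check fills in; a stand-in
// for the client-go type so this runs without a cluster.
type SARRequest struct{ User, Verb, Resource, Namespace string }

// SARChecker abstracts the api-server SAR call; AllowFunc lets a test fake the answer.
type SARChecker interface{ Allowed(SARRequest) (bool, error) }
type AllowFunc func(SARRequest) (bool, error)
func (f AllowFunc) Allowed(r SARRequest) (bool, error) { return f(r) }

var ErrNoUser = errors.New("no username provided in request header")

// IsAuthorized applies the message's check order before a request reaches the
// api-server: skip when APP_DISABLE_AUTH is set, require a username, then run a SAR.
func IsAuthorized(disableAuth bool, req *http.Request, verb, resource, ns string, sar SARChecker) error {
	if disableAuth {
		return nil
	}
	user := req.Header.Get(UserHeader)
	if user == "" {
		return ErrNoUser
	}
	ok, err := sar.Allowed(SARRequest{User: user, Verb: verb, Resource: resource, Namespace: ns})
	if err != nil {
		return fmt.Errorf("SubjectAccessReview failed: %w", err)
	}
	if !ok {
		return fmt.Errorf("user %q may not %s %s in namespace %q", user, verb, resource, ns)
	}
	return nil
}
```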