Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Multi User] Make user identity header configurable #3752

Closed
2 tasks done
Bobgy opened this issue May 13, 2020 · 9 comments · Fixed by #3842
Closed
2 tasks done

[Multi User] Make user identity header configurable #3752

Bobgy opened this issue May 13, 2020 · 9 comments · Fixed by #3842
Assignees
@chensun @Bobgy
Labels
area/backend area/frontend cuj/multi-user status/triaged Whether the issue has been explicitly triaged

Comments

@Bobgy
Copy link
Contributor

Bobgy commented May 13, 2020
edited
Loading

/cc @yanniszark @jlewi
as discussed in #3645 (comment)

Part of #1223
@IronPan IronPan mentioned this issue May 13, 2020
Closed
28 tasks
@Bobgy Bobgy mentioned this issue May 13, 2020
Merged
@Bobgy Bobgy added the status/triaged Whether the issue has been explicitly triaged label May 15, 2020
@chensun chensun mentioned this issue May 16, 2020
Merged
@yanniszark
Copy link
Contributor

yanniszark commented May 18, 2020
edited
Loading

@Bobgy thanks a lot!
After seeing the changes, I have a small question.
I may be wrong, but is authorization happening in two places? (apiserver and ui-server)
If yes, is there any plan to consolidate authorization logic in one place?

@Bobgy
Copy link
Contributor Author

Bobgy commented May 18, 2020

@Bobgy thanks a lot!
After seeing the changes, I have a small question.
I may be wrong, but is authorization happening in two places? (apiserver and ui-server)
If yes, is there any plan to consolidate authorization logic in one place?

@yanniszark For clarification, authorization logic happens in only one place, the api server. Api server exposes an endpoint that ui-server queries. The usage of the header in ui-server was because ui-server needs to know what header to proxy to api-server, so api-server can authenticate correctly

@yanniszark
Copy link
Contributor

@Bobgy awesome, thanks a lot for the explanation!
Is the endpoint you're talking about a special endpoint only for the UI-server to use?
Or is the UI-server making requests to the API-Server's usual endpoints on behalf of the user and includes the userid header in them (so requests happen to the usual endpoints)?

@Bobgy
Copy link
Contributor Author

Bobgy commented May 18, 2020
edited
Loading

@yanniszark It's a special endpoint only for UI-server, because some features (e.g. tensorboard CRUD) is implemented in UI server. We'd want to keep current structure that UI server can implement some UI only apis, because we don't want to rewrite them in api server.

@yanniszark
Copy link
Contributor

@Bobgy I see. Is this the endpoint you are talking about?
https://github.com/kubeflow/pipelines/blob/1dcea49472e725ab681db3d244d51837e291f5ba/backend/api/auth.proto

It seems like you're implementing a SubjectAccessReview-like endpoint but for the Pipelines API-Server.

@Bobgy
Copy link
Contributor Author

Bobgy commented May 19, 2020

@yanniszark yes, that's right. I made a thin wrapper following the same schema, to be compatible with future changes.

@elikatsis
Copy link
Member

@Bobgy hi!
I found a bug on user id header parsing and opened this PR: #3842
It would be great if you included it in the main list of this issue, and it would be even greater if you took a look at it 😃

@elikatsis elikatsis mentioned this issue May 26, 2020
Merged
@Bobgy Bobgy mentioned this issue Jun 12, 2020
Closed
@Bobgy
Copy link
Contributor Author

Bobgy commented Jun 28, 2020

Regarding #4091, the prefix env var cannot be set as empty string.

@Bobgy Bobgy reopened this Jun 28, 2020
@Bobgy
Copy link
Contributor Author

Bobgy commented Jun 29, 2020

#4091 fixed

@Bobgy Bobgy closed this as completed Jun 29, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@chensun chensun

@Bobgy Bobgy

Labels
area/backend area/frontend cuj/multi-user status/triaged Whether the issue has been explicitly triaged
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Backend] Fix user identity extraction logic in getUserIdentity() arrikto/kubeflow-pipelines
4 participants
@chensun @Bobgy @yanniszark @elikatsis