Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(backend): enforce SA Token based auth b/w Persistence Agent and Pipeline API Server #9957

Conversation

difince
Copy link
Member

@difince difince commented Sep 4, 2023

Fixes: #9937

Enforce Service Account(SA) Token-based auth between the Persistence Agent and the Pipeline API Server for all the requests.
SA Token auth has already been introduced and applied for ReportWorkflow and ReportScheduledWorkflow by this PR.

Current PR enforces the SA token authentication for readArtifacts and ReportMetrics calls as well, which currently authenticates as a user.

Description of your changes:

This PR :

  • reverts changes done by this PR
  • Enforce the use the SA token authentiaction

Checklist:

…l reqs

Signed-off-by: Diana Atanasova <dianaa@vmware.com>
@difince difince changed the title Force SA Token based auth b/w Persistence Agent and Pipeline API Server feat(hackendForce SA Token based auth b/w Persistence Agent and Pipeline API Server Sep 4, 2023
@difince difince changed the title feat(hackendForce SA Token based auth b/w Persistence Agent and Pipeline API Server feat(hackend) Force SA Token based auth b/w Persistence Agent and Pipeline API Server Sep 4, 2023
@difince difince changed the title feat(hackend) Force SA Token based auth b/w Persistence Agent and Pipeline API Server feat(backend): enforce SA Token based auth b/w Persistence Agent and Pipeline API Server Sep 4, 2023
Signed-off-by: Diana Atanasova <dianaa@vmware.com>
@difince
Copy link
Member Author

difince commented Sep 5, 2023

/retest

@difince
Copy link
Member Author

difince commented Sep 5, 2023

Can someone help me with the failing test - TestCreatePipelineV1_LargeFile ?

Copy link
Member Author

@difince difince left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To simplify the review process, the changes in pipelines_client.go ReadArtifact and ReportRunMetrics are the most meaningful ones. Here, the PA is forced to use SA Token, instead of authenticating as a user.

@chensun chensun self-assigned this Sep 5, 2023
@chensun chensun removed the request for review from Linchin September 5, 2023 16:54
@chensun
Copy link
Member

chensun commented Sep 7, 2023

Can someone help me with the failing test - TestCreatePipelineV1_LargeFile ?

Seems like it could be some transient issue?

    pipeline_server_test.go:99: 
        	Error Trace:	/home/prow/go/src/github.com/kubeflow/pipelines/backend/src/apiserver/server/pipeline_server_test.go:99
        	Error:      	Expected nil, but got: &util.UserError{internalError:(*errors.withStack)(0xc00127e090), externalMessage:"error fetching pipeline spec from https://raw.githubusercontent.com/kubeflow/pipelines/master/sdk/python/test_data/pipelines/xgboost_sample_pipeline.yaml - request returned 503 Service Unavailable", externalStatusCode:0x3}
        	Test:       	TestCreatePipelineV1_LargeFile
    pipeline_server_test.go:100: 

@chensun
Copy link
Member

chensun commented Sep 7, 2023

/retest

Copy link
Member

@chensun chensun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

Thanks!

@google-oss-prow google-oss-prow bot added the lgtm label Sep 7, 2023
@google-oss-prow
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chensun

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit 760c158 into kubeflow:master Sep 7, 2023
1 check passed
stijntratsaertit pushed a commit to stijntratsaertit/kfp that referenced this pull request Feb 16, 2024
…Pipeline API Server (kubeflow#9957)

* Enforece SA-Toben auth b/n Persistence agent & Pipeline server for all reqs

Signed-off-by: Diana Atanasova <dianaa@vmware.com>

* Fix persistence agent license file

Signed-off-by: Diana Atanasova <dianaa@vmware.com>

---------

Signed-off-by: Diana Atanasova <dianaa@vmware.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[feature] Make Persistence Agent use SA Token when calling KF APIServer endpoints
2 participants