-
Notifications
You must be signed in to change notification settings - Fork 513
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: use decorators for admin api authentication #2860
Feature: use decorators for admin api authentication #2860
Conversation
Looks good upon first glance. |
Thanks @ianco . I've pushed updates to all the route handlers, now working on cleaning-up and fixing/adding tests and validating things really work as expected. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the flexibility and straightforward-ness of the approach. I like a nice function decorator lol. I always tend toward caution with them though; they can have some gotchas. Where these are being called by the aiohttp router, I think the gotcha potential should be minimal. LGTM so far.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So far, this all LGTM! Really liking how clean those decorators are.
Fixed the route tests, still need to tackle removing the now failing middleware tests and add tests for the decorator functions. |
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
…t-python into feature/api-key-tweaks
All tests should be fixed now. I updated/synced the version of Black as three different versions were specified between Only thing left now is adding tests specific to the decorators. |
I haven't looked into the pre-commit or black format files. I use the |
…t-python into feature/api-key-tweaks Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
…t-python into feature/api-key-tweaks Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
This is - finally - ready for review. |
There's one failing unit test because of a ruff formatting error. |
Looks good and I will approve. I just had one comment about how there is a upgrade on all packages. I think it's better to only upgrade the packages related to the PR and do a general upgrade in a separate PR. In the case we do find a problem with an upgrade it will be easier to isolate. |
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
d0830e6
to
b3a9e68
Compare
This reverts commit ece22ce. Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
dd8fdc4
to
3599117
Compare
Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
Quality Gate passedIssues Measures |
Resolves #2318
Opening draft PR early for feedback while I work through the changes across the code (and fixing/updating/adding tests as needed).
The PR removes the authentication middleware and the logic they deal with, and implements two decorators:
admin_authentication
: to be used for routes that should ONLY be invoked by an administrator, such as the multitenancy endpoints, the server endpoints and so on, independently of the mode the agent is running as.tenant_authentication
: to be used to require authentication by either providing a tenant token (multi-tenant mode) or a valid api-key (single-tenant mode).Both decorators account for unauthenticated
options
requests as well as insecure mode. Insecure paths will just not be decorated. Middleware code - currently commented-out - will be removed.I think the bit of refactoring required for this to work (including plugins once released) is well worth the flexibility - looking for early feedback especially from @dbluhm, @ianco, @jamshale