[Feature] Integrate External Auth Principals management

[Isan-Rivkin]

Closes #7536

Change Description

Adding auth management endpoints for external principals management such as AWS IAM roles.

Background

As part of getting token in lakeFS from external principals such as IAM role we need to support for the CRUD operations around those attachments between an external principal and lakeFS user.

Testing Details

Added unit tests.

Breaking Change?

• No breaking changes.
• It's disabled by default.

Additional Info

More things that needs to be done before this feature is complete:

1. Docs
2. The actual login endpoint

[github-actions]

♻️ PR Preview 7600075 has been successfully destroyed since this PR has been closed.

_{🤖 By surge-preview}

[github-actions]

E2E Test Results - DynamoDB Local - Local Block Adapter

[idanovo]

Add a few suggestions/questions.
Overall looks good.

[idanovo]

Why users and not only user IDs?
Where do we use the other information?

[Isan-Rivkin]

Why users and not only user IDs?

Notice users is of type array[string], user IDs.

Where do we use the other information?

Other information is essentially config that will be digested by the remote authenticator.
For example, in AWS remote auth - when we create principal, this will contain flag indicating if we want to use the session name or not.
It's optional, to stay agile it's not specific to anything so that we don't need to break the API tomorrow.

[idanovo]

I'm not sure what this API returns.
a list of external principals configured for the current installation?

[Isan-Rivkin]

I used the exact pattern we use for groups, roles, users.
depends on the HTTP verb, one is a list the other will create attachment.

[idanovo]

I thought that external auth are configurable, not something the user need to make an API call to add

[Isan-Rivkin]

I'm not sure what you mean, perhaps a miss understanding?
As the summary suggests (maybe not that well?) it will create a specific principal.
i.e arn:123:role:abc -> user_a.

[Isan-Rivkin]

TODO:

• list external principals -> user api
• in externalidentity struct -> not users, just userId

[Isan-Rivkin]

@idanovo please review
i need to add tests and to handle settings optional (see TODO comment in controller) but i want to first sort out the api and interface correctly it's related to both of us.

[itaiad200]

It's either removing this API or making it useful by returning something more than the id

[idanovo]

I think that getting the list of principals' IDs we have might be useful.
We should consider changing ExternalPrincipalList to return an actual list of ExternalPrincipals so we will get the user IDs too.

[idanovo]

Looks good!
Minor comments

[idanovo]

Can you create a function for this? It's a reused code.

[idanovo]

I'm not sure if we need to check here user's existence.
WDYT?

[Isan-Rivkin]

I wouldn't want to check this here.

If you look at other requests such as AttachPolicyToUser and DetachPolicyFromUser when using APIAuthService (API service) we let that API decide on the correct authorization.
Especially around external principal implementation i'd rather let the auth service dictate the business logic since the implementation details belong to there.

[idanovo]

LGTM

[itaiad200]

Thanks for the PR, it's great to see the progress 💪
Mostly nit, a few blocking comments

[itaiad200]

Email? something else?

[Isan-Rivkin]

I have no idea what's the question?

[itaiad200]

I think we have many id types for a user in Treeverse, right? I may be wrong..

[itaiad200]

Can you add a string example?

[itaiad200]

I actually like the blank lines, it's very hard for me to udnerstand where an object ends without them

[itaiad200]

I don't understand what this is. Is it Opaque? Can you add an example?

[Isan-Rivkin]

This is opaque on purpose to avoid breaking the API.
An example is forcing session_name or only matching based on role_name in IAM.
Another example would be specifying max ttl.

[itaiad200]

Creation has just a list of settings which are strings?

[Isan-Rivkin]

That's currently optional, ExternalPrincipalSettings is an object of key/value with string type.

[itaiad200]

Thanks for the prompt fix! Single non blocking comment

[itaiad200]

Oh I see what happened here.
You check first thing for isExternalPrincipalNotSupported and then return not implemented. I thought we reach the AuthService that returns an error auth.ErrNotImplemented but I was wrong. When handleAPIError sees an error it doesn't recognize it will return Internal Server Error which is not what we want but also not the case here.

I believe it's slightly better to have the AuthService handle the possible ExternalPrincipals enabled/disabled status in terms of separation of concerns, i.e. it's not the controller responsibility, you have errors as communication protocol between the 2 components. BUT - it is also not a bug, and definitely not a blocking bug.