Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature] Integrate External Auth Principals management #7539

Merged
merged 22 commits into from
Mar 17, 2024
Merged

[Feature] Integrate External Auth Principals management #7539

Show file tree
Hide file tree
Changes from 21 commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
3aafcec
draft: principal api endpointsz
Isan-Rivkin Mar 7, 2024
92b9d7b
minor fix
Isan-Rivkin Mar 7, 2024
44e3cd2
Update api/swagger.yml
Isan-Rivkin Mar 7, 2024
40df335
update comments
Isan-Rivkin Mar 7, 2024
02953d0
update experimental
Isan-Rivkin Mar 7, 2024
aade81b
update user not users
Isan-Rivkin Mar 7, 2024
9cc77c8
update review
Isan-Rivkin Mar 10, 2024
9b2b076
update spsaces
Isan-Rivkin Mar 10, 2024
d336de4
add initial rbac
Isan-Rivkin Mar 10, 2024
200caf3
update perms
Isan-Rivkin Mar 10, 2024
b57a5ff
update
Isan-Rivkin Mar 10, 2024
5a3bb8b
integration authenticator
Isan-Rivkin Mar 10, 2024
2108e6d
update base actions
Isan-Rivkin Mar 11, 2024
a347036
update api public endpoints
Isan-Rivkin Mar 11, 2024
4458308
update external api controller
Isan-Rivkin Mar 11, 2024
8bd869a
update
Isan-Rivkin Mar 11, 2024
c2103b8
tests
Isan-Rivkin Mar 12, 2024
8ecf161
remove test
Isan-Rivkin Mar 12, 2024
2b690e2
fix unitest
Isan-Rivkin Mar 13, 2024
d98439b
Merge branch 'master' into external-auth-principals-api
Isan-Rivkin Mar 14, 2024
3ffb207
update check for support
Isan-Rivkin Mar 14, 2024
7600075
update review comments
Isan-Rivkin Mar 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
117 changes: 117 additions & 0 deletions api/authorization.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -340,6 +340,29 @@ components:
format: int64
description: Unix Epoch in seconds

ExternalPrincipal:
type: object
required:
- user_id
- id
properties:
user_id:
type: string
id:
type: string
ExternalPrincipalList:
type: object
required:
- pagination
- results
properties:
pagination:
$ref: "#/components/schemas/Pagination"
results:
type: array
items:
$ref: "#/components/schemas/ExternalPrincipal"

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where are all them settings?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the authorization will require them - during login flow that will be added.
In this PR there's no use for it.
Changing api/authorization.yml is not a breaking change for lakeFS api.

paths:
/auth/users:
get:
Expand Down Expand Up @@ -1079,7 +1102,101 @@ paths:
$ref: "#/components/responses/Unauthorized"
default:
$ref: "#/components/responses/ServerError"
/auth/users/{userId}/external/principals:
parameters:
- in: path
name: userId
required: true
schema:
type: string
get:
tags:
- auth
- experimental
parameters:
- $ref: "#/components/parameters/PaginationPrefix"
- $ref: "#/components/parameters/PaginationAfter"
- $ref: "#/components/parameters/PaginationAmount"
operationId: listUserExternalPrincipals
summary: list external principals for user
responses:
200:
description: external principals
content:
application/json:
schema:
$ref: "#/components/schemas/ExternalPrincipalList"
401:
$ref: "#/components/responses/Unauthorized"
404:
$ref: "#/components/responses/NotFound"
default:
$ref: "#/components/responses/ServerError"

/auth/users/{userId}/external/principals/{principalId}:
parameters:
- in: path
name: userId
required: true
schema:
type: string
- in: path
name: principalId
required: true
schema:
type: string
post:
tags:
- auth
- experimental
operationId: createUserExternalPrincipal
summary: Create principal as external identity connected to lakeFS user
responses:
201:
description: external principal created successfully
401:
$ref: "#/components/responses/Unauthorized"
409:
$ref: "#/components/responses/Conflict"
Comment on lines +1159 to +1160
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Elaborate?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC, you're asking in what case the Conflict error will be returned?
If so then in case when an external principal is already attached to a user.

420:
description: too many requests
default:
$ref: "#/components/responses/ServerError"
delete:
tags:
- auth
- experimental
operationId: deleteUserExternalPrincipal
summary: delete external principal from user's external principal list
responses:
204:
description: external principal deleted
401:
$ref: "#/components/responses/Unauthorized"
404:
$ref: "#/components/responses/NotFound"
default:
$ref: "#/components/responses/ServerError"
get:
tags:
- auth
- experimental
operationId: getUserExternalPrincipal
summary: get external principal
responses:
200:
description: external principal
content:
application/json:
schema:
$ref: "#/components/schemas/ExternalPrincipal"
401:
$ref: "#/components/responses/Unauthorized"
404:
$ref: "#/components/responses/NotFound"
default:
$ref: "#/components/responses/ServerError"

/healthcheck:
get:
operationId: healthCheck
Expand Down
156 changes: 153 additions & 3 deletions api/swagger.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1632,8 +1632,47 @@ components:
required:
- installation_id
- reports


Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I actually like the blank lines, it's very hard for me to udnerstand where an object ends without them

ExternalPrincipalList:
type: object
required:
- pagination
- results
properties:
pagination:
$ref: "#/components/schemas/Pagination"
results:
type: array
items:
$ref: "#/components/schemas/ExternalPrincipal"
ExternalPrincipalSettings:
type: object
additionalProperties:
type: string
description: Additional settings to be consumed by the remote authenticator
Comment on lines +1650 to +1652
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand what this is. Is it Opaque? Can you add an example?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is opaque on purpose to avoid breaking the API.
An example is forcing session_name or only matching based on role_name in IAM.
Another example would be specifying max ttl.

ExternalPrincipalCreation:
type: object
properties:
settings:
type: object
items:
$ref: "#/components/schemas/ExternalPrincipalSettings"
Comment on lines +1653 to +1659
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Creation has just a list of settings which are strings?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's currently optional, ExternalPrincipalSettings is an object of key/value with string type.

ExternalPrincipal:
type: object
required:
- user_id
- id
properties:
id:
type: string
description: A unique identifier for the external principal
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a string example?

user_id:
type: string
description: |
lakeFS user ID to associate with an external principal.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Email? something else?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have no idea what's the question?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we have many id types for a user in Treeverse, right? I may be wrong..

settings:
type: object
items:
$ref: "#/components/schemas/ExternalPrincipalSettings"
paths:
/setup_comm_prefs:
post:
Expand Down Expand Up @@ -2394,6 +2433,117 @@ paths:
default:
$ref: "#/components/responses/ServerError"

/auth/users/{userId}/external/principal/{principalId}:
parameters:
- in: path
name: userId
required: true
schema:
type: string
- in: path
name: principalId
required: true
schema:
type: string
post:
tags:
- auth
- external
- experimental
operationId: createUserExternalPrincipal
summary: attach external principal to user
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/ExternalPrincipalCreation"
responses:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You didn't add conflict here

201:
description: external principal attached successfully
401:
$ref: "#/components/responses/Unauthorized"
404:
$ref: "#/components/responses/NotFound"
420:
description: too many requests
default:
$ref: "#/components/responses/ServerError"
delete:
tags:
- auth
- external
- experimental
operationId: deleteUserExternalPrincipal
summary: delete external principal from user
responses:
204:
description: external principal detached successfully
401:
$ref: "#/components/responses/Unauthorized"
404:
$ref: "#/components/responses/NotFound"
420:
description: too many requests
default:
$ref: "#/components/responses/ServerError"
get:
tags:
- auth
- external
- experimental
operationId: getUserExternalPrincipal
summary: get external principal of a user
responses:
200:
description: external principal
content:
application/json:
schema:
$ref: "#/components/schemas/ExternalPrincipal"
401:
$ref: "#/components/responses/Unauthorized"
404:
$ref: "#/components/responses/NotFound"
420:
description: too many requests
default:
$ref: "#/components/responses/ServerError"

/auth/users/{userId}/external/principals:
parameters:
- in: path
name: userId
required: true
schema:
type: string
get:
tags:
- auth
- external
- experimental
parameters:
- $ref: "#/components/parameters/PaginationPrefix"
- $ref: "#/components/parameters/PaginationAfter"
- $ref: "#/components/parameters/PaginationAmount"
description: will return all external principals id attached to the user
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Something is off with the identation, no?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good catch, removed

operationId: listUserExternalPrincipals
summary: list user external policies
responses:
200:
description: external principals list
content:
application/json:
schema:
$ref: "#/components/schemas/ExternalPrincipalList"
401:
$ref: "#/components/responses/Unauthorized"
404:
$ref: "#/components/responses/NotFound"
420:
description: too many requests
default:
$ref: "#/components/responses/ServerError"
/auth/groups/{groupId}/policies:
parameters:
- in: path
Expand Down Expand Up @@ -2523,7 +2673,7 @@ paths:
description: too many requests
default:
$ref: "#/components/responses/ServerError"

/repositories:
get:
tags:
Expand Down
12 changes: 12 additions & 0 deletions clients/java-legacy/.openapi-generator/FILES
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading