[Feature] Integrate External Auth Principals management #7539
Changes from all commits
3aafcec
92b9d7b
44e3cd2
40df335
02953d0
aade81b
9cc77c8
9b2b076
d336de4
200caf3
b57a5ff
5a3bb8b
2108e6d
a347036
4458308
8bd869a
c2103b8
8ecf161
2b690e2
d98439b
3ffb207
7600075
@@ -340,6 +340,29 @@ components: | |
format: int64 | ||
description: Unix Epoch in seconds | ||
|
||
ExternalPrincipal: | ||
type: object | ||
required: | ||
- user_id | ||
- id | ||
properties: | ||
user_id: | ||
type: string | ||
id: | ||
type: string | ||
ExternalPrincipalList: | ||
type: object | ||
required: | ||
- pagination | ||
- results | ||
properties: | ||
pagination: | ||
$ref: "#/components/schemas/Pagination" | ||
results: | ||
type: array | ||
items: | ||
$ref: "#/components/schemas/ExternalPrincipal" | ||
|
||
paths: | ||
/auth/users: | ||
get: | ||
|
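Review bot: `ExternalPrincipal` in this file carries no `description` on `id` or `user_id` and has no `settings` property, while the same schema name in the second spec of this PR documents `id` as an identifier like `aws:sts::123:assumed-role/role-name` and adds a `settings` property. If both specs are meant to describe the same object, copy the descriptions over and decide whether `settings` belongs in both; at minimum add a `description:` under `id:` and `user_id:` so generated clients say what the identifier is and which user id is expected.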
@@ -1079,7 +1102,101 @@ paths: | |
$ref: "#/components/responses/Unauthorized" | ||
default: | ||
$ref: "#/components/responses/ServerError" | ||
/auth/users/{userId}/external/principals: | ||
parameters: | ||
- in: path | ||
name: userId | ||
required: true | ||
schema: | ||
type: string | ||
get: | ||
tags: | ||
- auth | ||
- experimental | ||
parameters: | ||
- $ref: "#/components/parameters/PaginationPrefix" | ||
- $ref: "#/components/parameters/PaginationAfter" | ||
- $ref: "#/components/parameters/PaginationAmount" | ||
operationId: listUserExternalPrincipals | ||
summary: list external principals for user | ||
responses: | ||
200: | ||
description: external principals | ||
content: | ||
application/json: | ||
schema: | ||
$ref: "#/components/schemas/ExternalPrincipalList" | ||
401: | ||
$ref: "#/components/responses/Unauthorized" | ||
404: | ||
$ref: "#/components/responses/NotFound" | ||
default: | ||
$ref: "#/components/responses/ServerError" | ||
|
||
/auth/users/{userId}/external/principals/{principalId}: | ||
parameters: | ||
- in: path | ||
name: userId | ||
required: true | ||
schema: | ||
type: string | ||
- in: path | ||
name: principalId | ||
required: true | ||
schema: | ||
type: string | ||
post: | ||
tags: | ||
- auth | ||
- experimental | ||
operationId: createUserExternalPrincipal | ||
summary: Create principal as external identity connected to lakeFS user | ||
responses: | ||
201: | ||
description: external principal created successfully | ||
401: | ||
$ref: "#/components/responses/Unauthorized" | ||
409: | ||
$ref: "#/components/responses/Conflict" | ||
Comment on lines +1159 to +1160
How?
Elaborate?
IIUC, you're asking in what case the Conflict error will be returned?
||
420: | ||
description: too many requests | ||
default: | ||
$ref: "#/components/responses/ServerError" | ||
delete: | ||
tags: | ||
- auth | ||
- experimental | ||
operationId: deleteUserExternalPrincipal | ||
summary: delete external principal from user's external principal list | ||
responses: | ||
204: | ||
description: external principal deleted | ||
401: | ||
$ref: "#/components/responses/Unauthorized" | ||
404: | ||
$ref: "#/components/responses/NotFound" | ||
default: | ||
$ref: "#/components/responses/ServerError" | ||
get: | ||
tags: | ||
- auth | ||
- experimental | ||
operationId: getUserExternalPrincipal | ||
summary: get external principal | ||
responses: | ||
200: | ||
description: external principal | ||
content: | ||
application/json: | ||
schema: | ||
$ref: "#/components/schemas/ExternalPrincipal" | ||
401: | ||
$ref: "#/components/responses/Unauthorized" | ||
404: | ||
$ref: "#/components/responses/NotFound" | ||
default: | ||
$ref: "#/components/responses/ServerError" | ||
|
||
/healthcheck: | ||
get: | ||
operationId: healthCheck | ||
|
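Review bot: `createUserExternalPrincipal` here has no `requestBody` and lives at `/auth/users/{userId}/external/principals/{principalId}`, while the other spec in this PR declares the same `operationId` with a required `ExternalPrincipalCreation` body at `/auth/users/{userId}/external/principal/{principalId}` (singular); two operations sharing an id but differing in path and body will generate conflicting clients, so align both. The `post` also lacks a `404` response even though `{userId}` may not exist and the sibling `get` and `delete` declare `404: $ref: "#/components/responses/NotFound"`; add it. Finally, the `409` response should describe when Conflict is returned (the open question in the thread above), for example when the principal id is already attached to a user.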
@@ -1633,7 +1633,47 @@ components: | |
- installation_id | ||
- reports | ||
|
||
|
||
ExternalPrincipalList: | ||
type: object | ||
required: | ||
- pagination | ||
- results | ||
properties: | ||
pagination: | ||
$ref: "#/components/schemas/Pagination" | ||
results: | ||
type: array | ||
items: | ||
$ref: "#/components/schemas/ExternalPrincipal" | ||
ExternalPrincipalSettings: | ||
type: object | ||
additionalProperties: | ||
type: string | ||
description: Additional settings to be consumed by the remote authenticator | ||
Comment on lines +1650 to +1652
I don't understand what this is. Is it opaque? Can you add an example?
This is opaque on purpose to avoid breaking the API.
||
ExternalPrincipalCreation: | ||
type: object | ||
properties: | ||
settings: | ||
type: object | ||
items: | ||
$ref: "#/components/schemas/ExternalPrincipalSettings" | ||
Comment on lines +1653 to +1659
Creation has just a list of settings which are strings?
That's currently optional,
||
ExternalPrincipal: | ||
type: object | ||
required: | ||
- user_id | ||
- id | ||
properties: | ||
id: | ||
type: string | ||
description: A unique identifier for the external principal i.e aws:sts::123:assumed-role/role-name | ||
user_id: | ||
type: string | ||
description: | | ||
lakeFS user ID to associate with an external principal. | ||
Email? Something else?
I have no idea what the question is.
I think we have many id types for a user in Treeverse, right? I may be wrong.
||
settings: | ||
type: object | ||
items: | ||
$ref: "#/components/schemas/ExternalPrincipalSettings" | ||
paths: | ||
/setup_comm_prefs: | ||
post: | ||
|
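Review bot: `settings` under `ExternalPrincipalCreation`, and again under `ExternalPrincipal`, is declared `type: object` with an `items:` key; `items` only applies to `type: array`, so validators and code generators will ignore the `$ref` and emit an untyped object. Either write `settings: $ref: "#/components/schemas/ExternalPrincipalSettings"` or, if a list was intended, change the type to `array`. Minor: in the `id` description, `i.e` should be `e.g.`, since `aws:sts::123:assumed-role/role-name` is one example of a principal identifier rather than its definition. Because `ExternalPrincipalSettings` is an opaque string map that "the remote authenticator" consumes, the description should also say whether the server validates the keys and who may set them; otherwise anyone permitted to attach a principal can feed arbitrary settings into the authenticator's decision.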
@@ -2394,6 +2434,118 @@ paths: | |
default: | ||
$ref: "#/components/responses/ServerError" | ||
|
||
/auth/users/{userId}/external/principal/{principalId}: | ||
parameters: | ||
- in: path | ||
name: userId | ||
required: true | ||
schema: | ||
type: string | ||
- in: path | ||
name: principalId | ||
required: true | ||
schema: | ||
type: string | ||
post: | ||
tags: | ||
- auth | ||
- external | ||
- experimental | ||
operationId: createUserExternalPrincipal | ||
summary: attach external principal to user | ||
requestBody: | ||
required: true | ||
content: | ||
application/json: | ||
schema: | ||
$ref: "#/components/schemas/ExternalPrincipalCreation" | ||
responses: | ||
You didn't add conflict here
||
201: | ||
description: external principal attached successfully | ||
401: | ||
$ref: "#/components/responses/Unauthorized" | ||
404: | ||
$ref: "#/components/responses/NotFound" | ||
409: | ||
$ref: "#/components/responses/Conflict" | ||
420: | ||
description: too many requests | ||
default: | ||
$ref: "#/components/responses/ServerError" | ||
delete: | ||
tags: | ||
- auth | ||
- external | ||
- experimental | ||
operationId: deleteUserExternalPrincipal | ||
summary: delete external principal from user | ||
responses: | ||
204: | ||
description: external principal detached successfully | ||
401: | ||
$ref: "#/components/responses/Unauthorized" | ||
404: | ||
$ref: "#/components/responses/NotFound" | ||
420: | ||
description: too many requests | ||
default: | ||
$ref: "#/components/responses/ServerError" | ||
get: | ||
tags: | ||
- auth | ||
- external | ||
- experimental | ||
operationId: getUserExternalPrincipal | ||
summary: get external principal of a user | ||
responses: | ||
200: | ||
description: external principal | ||
content: | ||
application/json: | ||
schema: | ||
$ref: "#/components/schemas/ExternalPrincipal" | ||
401: | ||
$ref: "#/components/responses/Unauthorized" | ||
404: | ||
$ref: "#/components/responses/NotFound" | ||
420: | ||
description: too many requests | ||
default: | ||
$ref: "#/components/responses/ServerError" | ||
|
||
/auth/users/{userId}/external/principals: | ||
parameters: | ||
- in: path | ||
name: userId | ||
required: true | ||
schema: | ||
type: string | ||
get: | ||
tags: | ||
- auth | ||
- external | ||
- experimental | ||
parameters: | ||
- $ref: "#/components/parameters/PaginationPrefix" | ||
- $ref: "#/components/parameters/PaginationAfter" | ||
- $ref: "#/components/parameters/PaginationAmount" | ||
operationId: listUserExternalPrincipals | ||
summary: list user external policies attached to a user | ||
responses: | ||
200: | ||
description: external principals list | ||
content: | ||
application/json: | ||
schema: | ||
$ref: "#/components/schemas/ExternalPrincipalList" | ||
401: | ||
$ref: "#/components/responses/Unauthorized" | ||
404: | ||
$ref: "#/components/responses/NotFound" | ||
420: | ||
description: too many requests | ||
default: | ||
$ref: "#/components/responses/ServerError" | ||
/auth/groups/{groupId}/policies: | ||
parameters: | ||
- in: path | ||
|
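Review bot: `{principalId}` is a path segment, but the identifier format documented in this file (`aws:sts::123:assumed-role/role-name`) contains `/`, so a client must send it percent-encoded and the router must match before decoding, otherwise `role-name` becomes a separate segment and the route returns 404; state the encoding requirement in the parameter description or carry the principal id in the request body instead. Also the `listUserExternalPrincipals` summary reads `list user external policies attached to a user` but the operation returns `ExternalPrincipalList`; change it to `list external principals attached to a user`. And this file uses the singular `/external/principal/{principalId}` whereas the other spec in this PR uses `/external/principals/{principalId}`; pick one.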
@@ -2523,7 +2675,7 @@ paths: | |
description: too many requests | ||
default: | ||
$ref: "#/components/responses/ServerError" | ||
|
||
/repositories: | ||
get: | ||
tags: | ||
|
Where are all the settings?
The authorization will require them; that will be added during the login flow. In this PR there's no use for it. Changing api/authorization.yml is not a breaking change for the lakeFS API.