[Feature] Integrate External Auth Principals management #7539

Merged
merged 22 commits into from
Mar 17, 2024
117 changes: 117 additions & 0 deletions api/authorization.yml
Expand Up @@ -340,6 +340,29 @@ components:
format: int64
description: Unix Epoch in seconds

ExternalPrincipal:
type: object
required:
- user_id
- id
properties:
user_id:
type: string
id:
type: string
ExternalPrincipalList:
type: object
required:
- pagination
- results
properties:
pagination:
$ref: "#/components/schemas/Pagination"
results:
type: array
items:
$ref: "#/components/schemas/ExternalPrincipal"

Contributor
Where are all the settings?

Contributor Author
The authorization will require them; that will be added during the login flow.
In this PR there's no use for it.
Changing api/authorization.yml is not a breaking change for the lakeFS API.

paths:
/auth/users:
get:
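Review bot: the ExternalPrincipal schema added in this hunk (lines 340-349 of this file) has no `description` on `id` or `user_id` and no `settings` property, while the ExternalPrincipal that this same PR adds to api/swagger.yml documents both fields and carries `settings`; since both files describe the same object, keep the field list and descriptions in sync (at minimum copy the two descriptions over, e.g. `description: A unique identifier for the external principal`) so the two generated clients do not diverge.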
Expand Down Expand Up @@ -1079,7 +1102,101 @@ paths:
$ref: "#/components/responses/Unauthorized"
default:
$ref: "#/components/responses/ServerError"
/auth/users/{userId}/external/principals:
parameters:
- in: path
name: userId
required: true
schema:
type: string
get:
tags:
- auth
- experimental
parameters:
- $ref: "#/components/parameters/PaginationPrefix"
- $ref: "#/components/parameters/PaginationAfter"
- $ref: "#/components/parameters/PaginationAmount"
operationId: listUserExternalPrincipals
summary: list external principals for user
responses:
200:
description: external principals
content:
application/json:
schema:
$ref: "#/components/schemas/ExternalPrincipalList"
401:
$ref: "#/components/responses/Unauthorized"
404:
$ref: "#/components/responses/NotFound"
default:
$ref: "#/components/responses/ServerError"

/auth/users/{userId}/external/principals/{principalId}:
parameters:
- in: path
name: userId
required: true
schema:
type: string
- in: path
name: principalId
required: true
schema:
type: string
post:
tags:
- auth
- experimental
operationId: createUserExternalPrincipal
summary: Create principal as external identity connected to lakeFS user
responses:
201:
description: external principal created successfully
401:
$ref: "#/components/responses/Unauthorized"
409:
$ref: "#/components/responses/Conflict"
Comment on lines +1159 to +1160
Contributor
How?

Contributor Author
Elaborate?

Contributor Author
IIUC, you're asking in what case the Conflict error will be returned?
If so, then in the case when an external principal is already attached to a user.

420:
description: too many requests
default:
$ref: "#/components/responses/ServerError"
delete:
tags:
- auth
- experimental
operationId: deleteUserExternalPrincipal
summary: delete external principal from user's external principal list
responses:
204:
description: external principal deleted
401:
$ref: "#/components/responses/Unauthorized"
404:
$ref: "#/components/responses/NotFound"
default:
$ref: "#/components/responses/ServerError"
get:
tags:
- auth
- experimental
operationId: getUserExternalPrincipal
summary: get external principal
responses:
200:
description: external principal
content:
application/json:
schema:
$ref: "#/components/schemas/ExternalPrincipal"
401:
$ref: "#/components/responses/Unauthorized"
404:
$ref: "#/components/responses/NotFound"
default:
$ref: "#/components/responses/ServerError"

/healthcheck:
get:
operationId: healthCheck
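Review bot: the `post` on `/auth/users/{userId}/external/principals/{principalId}` declares 401, 409, 420 and default but no 404, although `userId` is a path parameter that can name a non-existent user and the sibling `get` and `delete` on the same path both return `NotFound`; add `404: $ref: "#/components/responses/NotFound"` as the swagger.yml counterpart in this PR already does. The path here is `.../external/principals/{principalId}` while swagger.yml uses `.../external/principal/{principalId}` (singular); pick one spelling so the shared operationId `createUserExternalPrincipal` refers to the same route in both specs. This `post` also has no `requestBody`, whereas the swagger.yml one requires `ExternalPrincipalCreation`; if the authorization service is meant to receive the settings later, a short note in the summary would avoid the question raised in the thread above.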
156 changes: 154 additions & 2 deletions api/swagger.yml
Expand Up @@ -1633,7 +1633,47 @@ components:
- installation_id
- reports


ExternalPrincipalList:
type: object
required:
- pagination
- results
properties:
pagination:
$ref: "#/components/schemas/Pagination"
results:
type: array
items:
$ref: "#/components/schemas/ExternalPrincipal"
ExternalPrincipalSettings:
type: object
additionalProperties:
type: string
description: Additional settings to be consumed by the remote authenticator
Comment on lines +1650 to +1652
Contributor
I don't understand what this is. Is it opaque? Can you add an example?

Contributor Author
This is opaque on purpose to avoid breaking the API.
An example is forcing session_name or only matching based on role_name in IAM.
Another example would be specifying a max TTL.

ExternalPrincipalCreation:
type: object
properties:
settings:
type: object
items:
$ref: "#/components/schemas/ExternalPrincipalSettings"
Comment on lines +1653 to +1659
Contributor
Creation has just a list of settings which are strings?

Contributor Author
That's currently optional; ExternalPrincipalSettings is an object of key/value pairs with string type.

ExternalPrincipal:
type: object
required:
- user_id
- id
properties:
id:
type: string
description: A unique identifier for the external principal i.e aws:sts::123:assumed-role/role-name
user_id:
type: string
description: |
lakeFS user ID to associate with an external principal.
Contributor
Email? Something else?

Contributor Author
I have no idea what the question is.

Contributor
I think we have many ID types for a user in Treeverse, right? I may be wrong...

settings:
type: object
items:
$ref: "#/components/schemas/ExternalPrincipalSettings"
paths:
/setup_comm_prefs:
post:
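Review bot: `settings` in ExternalPrincipalCreation (lines 1653-1659) and again in ExternalPrincipal (right after `user_id`) is declared as `type: object` with an `items:` key, but `items` is only meaningful for `type: array`; OpenAPI generators ignore it on an object and will emit a free-form map instead of ExternalPrincipalSettings, so the typed schema is never used. Replace the three lines with a direct reference, `settings:` followed by `$ref: "#/components/schemas/ExternalPrincipalSettings"`. Since the map is opaque by design and consumed by the remote authenticator, the `description` should also state which keys are recognised (or that unknown keys are rejected), otherwise a caller can pass a setting such as a max TTL that is silently never enforced. Minor: the `id` description should read "e.g." rather than "i.e", as `aws:sts::123:assumed-role/role-name` is an example, not the definition.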
Expand Down Expand Up @@ -2394,6 +2434,118 @@ paths:
default:
$ref: "#/components/responses/ServerError"

/auth/users/{userId}/external/principal/{principalId}:
parameters:
- in: path
name: userId
required: true
schema:
type: string
- in: path
name: principalId
required: true
schema:
type: string
post:
tags:
- auth
- external
- experimental
operationId: createUserExternalPrincipal
summary: attach external principal to user
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/ExternalPrincipalCreation"
responses:
Contributor
You didn't add conflict here

201:
description: external principal attached successfully
401:
$ref: "#/components/responses/Unauthorized"
404:
$ref: "#/components/responses/NotFound"
409:
$ref: "#/components/responses/Conflict"
420:
description: too many requests
default:
$ref: "#/components/responses/ServerError"
delete:
tags:
- auth
- external
- experimental
operationId: deleteUserExternalPrincipal
summary: delete external principal from user
responses:
204:
description: external principal detached successfully
401:
$ref: "#/components/responses/Unauthorized"
404:
$ref: "#/components/responses/NotFound"
420:
description: too many requests
default:
$ref: "#/components/responses/ServerError"
get:
tags:
- auth
- external
- experimental
operationId: getUserExternalPrincipal
summary: get external principal of a user
responses:
200:
description: external principal
content:
application/json:
schema:
$ref: "#/components/schemas/ExternalPrincipal"
401:
$ref: "#/components/responses/Unauthorized"
404:
$ref: "#/components/responses/NotFound"
420:
description: too many requests
default:
$ref: "#/components/responses/ServerError"

/auth/users/{userId}/external/principals:
parameters:
- in: path
name: userId
required: true
schema:
type: string
get:
tags:
- auth
- external
- experimental
parameters:
- $ref: "#/components/parameters/PaginationPrefix"
- $ref: "#/components/parameters/PaginationAfter"
- $ref: "#/components/parameters/PaginationAmount"
operationId: listUserExternalPrincipals
summary: list user external policies attached to a user
responses:
200:
description: external principals list
content:
application/json:
schema:
$ref: "#/components/schemas/ExternalPrincipalList"
401:
$ref: "#/components/responses/Unauthorized"
404:
$ref: "#/components/responses/NotFound"
420:
description: too many requests
default:
$ref: "#/components/responses/ServerError"
/auth/groups/{groupId}/policies:
parameters:
- in: path
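Review bot: the summary of `listUserExternalPrincipals` reads `list user external policies attached to a user` but the operation returns ExternalPrincipalList, so it should say "list external principals attached to a user". The single-principal path in this file is `/auth/users/{userId}/external/principal/{principalId}` (singular) whereas api/authorization.yml in this PR uses `.../external/principals/{principalId}`; align the two, since both back the same operationIds. The `post` does declare `409: Conflict` (see lines 2461-2462), which covers the "You didn't add conflict here" comment; keeping its `404` as well is right, because `userId` may not exist.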
Expand Down Expand Up @@ -2523,7 +2675,7 @@ paths:
description: too many requests
default:
$ref: "#/components/responses/ServerError"

/repositories:
get:
tags:
12 changes: 12 additions & 0 deletions clients/java-legacy/.openapi-generator/FILES