Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add AWS remote auth login #7578

Merged
merged 38 commits into from
Apr 10, 2024
Merged

Add AWS remote auth login #7578

merged 38 commits into from
Apr 10, 2024

Conversation

idanovo
Copy link
Contributor

@idanovo idanovo commented Mar 19, 2024
edited
Loading

Closes #7574

@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 19, 2024
edited
Loading

♻️ PR Preview 1e5fa4c has been successfully destroyed since this PR has been closed.

🤖 By surge-preview

@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 19, 2024
edited
Loading

E2E Test Results - DynamoDB Local - Local Block Adapter

13 passed

@idanovo idanovo added the include-changelog PR description should be included in next release changelog label Mar 20, 2024
@idanovo idanovo linked an issue Mar 20, 2024 that may be closed by this pull request
IAM Role - AWS Remote Authenticator login #7574
Closed
@idanovo idanovo marked this pull request as ready for review March 20, 2024 10:13
@idanovo idanovo requested review from Isan-Rivkin and guy-har March 20, 2024 10:14
Isan-Rivkin
Isan-Rivkin requested changes Mar 20, 2024
View reviewed changes
api/swagger.yml Outdated Show resolved Hide resolved
api/swagger.yml Outdated Show resolved Hide resolved
api/authorization.yml Outdated
@@ -363,6 +366,15 @@ components:
items:
$ref: "#/components/schemas/ExternalPrincipal"

ExternalLoginInformation:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lakeFS should not be aware of the details of the identity token details fields or params.
it should pass it to the remote authentication services.
so in other words, it should be some generic object key/value in the body that will be passed to the remote authentication service as is.

The remote service on the other hand that does the login will seriallize this object and extract specific fields to create AWS request.

@idanovo idanovo requested a review from Isan-Rivkin March 20, 2024 13:43
Isan-Rivkin
Isan-Rivkin requested changes Mar 20, 2024
View reviewed changes
pkg/api/controller.go Outdated
@@ -554,6 +554,40 @@ func (c *Controller) Login(w http.ResponseWriter, r *http.Request, body apigen.L
writeResponse(w, r, http.StatusOK, response)
}

func (c *Controller) ExternalLogin(w http.ResponseWriter, r *http.Request, body apigen.ExternalLoginJSONRequestBody) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's be consistent:

Suggested change
func (c *Controller) ExternalLogin(w http.ResponseWriter, r *http.Request, body apigen.ExternalLoginJSONRequestBody) {
func (c *Controller) ExternalPrincipalLogin(w http.ResponseWriter, r *http.Request, body apigen.ExternalLoginJSONRequestBody) {

pkg/api/controller.go Outdated
return
}

c.LogAction(ctx, "external_login", r, "", "", "")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
c.LogAction(ctx, "external_login", r, "", "", "")
c.LogAction(ctx, "external_principal_login", r, "", "", "")

pkg/auth/service.go Outdated
@@ -85,6 +85,7 @@ type ExternalPrincipalsService interface {
DeleteUserExternalPrincipal(ctx context.Context, userID, principalID string) error
GetExternalPrincipal(ctx context.Context, principalID string) (*model.ExternalPrincipal, error)
ListUserExternalPrincipals(ctx context.Context, userID string, params *model.PaginationParams) ([]*model.ExternalPrincipal, *model.Paginator, error)
ExternalLogin(ctx context.Context, externalLoginInfo map[string]interface{}) (string, error)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It needs to be a different authentication service.
The service doing the login is not RBAC / GIAM, it doesn't have reference to KV.
That's the part I wanted you to sync with @guy-har.

guy-har
guy-har previously requested changes Mar 21, 2024
View reviewed changes
Copy link
Contributor

@guy-har guy-har left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good, I have a few concerns regarding the service
IIUC the authService is currently in charge of authorization (that is, authorization and authentication may run on different endpoints).
Another thing I'm not sure about, is that currently lakeFS sometimes needs to validate claims (validate_id_token_claims in the configuration), are this claims required in this flow or not?

api/authorization.yml Outdated
Comment on lines 1218 to 1219
/auth/external/login:
post:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this be part of the authentication API?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should.
I'll move it there once you merge your PR

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Sorry for blocking 😬

pkg/api/controller.go Outdated
Comment on lines 567 to 571
if c.handleAPIError(ctx, w, r, err) {
if errors.Is(err, ErrAuthenticatingRequest) {
writeResponse(w, r, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized))
return
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • handleAPIError already writes the response, so you just need to return
  • It looks like the token generation happens only in case of error (brackets are in the wrong place I think)

@idanovo idanovo requested review from guy-har and Isan-Rivkin March 25, 2024 10:44
@idanovo idanovo requested a review from Isan-Rivkin April 3, 2024 09:54
Isan-Rivkin
Isan-Rivkin requested changes Apr 9, 2024
View reviewed changes
pkg/api/controller.go Show resolved Hide resolved
pkg/authentication/service.go Outdated Show resolved Hide resolved
pkg/authentication/service.go Outdated Show resolved Hide resolved
lakefs.yaml Outdated Show resolved Hide resolved
pkg/api/controller.go Show resolved Hide resolved
@idanovo idanovo requested a review from Isan-Rivkin April 9, 2024 15:36
Isan-Rivkin
Isan-Rivkin requested changes Apr 10, 2024
View reviewed changes
pkg/api/controller.go Outdated Show resolved Hide resolved
@idanovo idanovo requested a review from Isan-Rivkin April 10, 2024 11:22
Isan-Rivkin
Isan-Rivkin requested changes Apr 10, 2024
View reviewed changes
docs/reference/configuration.md Show resolved Hide resolved
pkg/authentication/service.go Outdated
if err != nil {
return nil, fmt.Errorf("calling authenticate user: %w", err)
}
if resp.StatusCode() != http.StatusOK || resp.JSON200 == nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If resp.JSON200 nil it's a bug and should panic.

Suggested change
if resp.StatusCode() != http.StatusOK || resp.JSON200 == nil {
if resp.StatusCode() != http.StatusOK {

Isan-Rivkin
Isan-Rivkin requested changes Apr 10, 2024
View reviewed changes
api/swagger.yml Show resolved Hide resolved
@idanovo idanovo requested a review from Isan-Rivkin April 10, 2024 12:49
@idanovo idanovo requested a review from Isan-Rivkin April 10, 2024 13:00
Isan-Rivkin
Isan-Rivkin approved these changes Apr 10, 2024
View reviewed changes
Copy link
Contributor

@Isan-Rivkin Isan-Rivkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! THANK YOU!

@idanovo idanovo enabled auto-merge (squash) April 10, 2024 13:10
@idanovo idanovo dismissed guy-har’s stale review April 10, 2024 13:12

Fixed all the comments

@idanovo idanovo merged commit 1e6647b into master Apr 10, 2024
37 checks passed
@idanovo idanovo deleted the 7574-aws-remote-auth-login branch April 10, 2024 13:12
emulatorchen pushed a commit to emulatorchen/lakeFS that referenced this pull request May 27, 2024
@idanovo
Add AWS remote auth login (treeverse#7578)
21c8be1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Isan-Rivkin Isan-Rivkin Isan-Rivkin approved these changes

@guy-har guy-har Awaiting requested review from guy-har

Assignees
No one assigned
Labels
include-changelog PR description should be included in next release changelog
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

IAM Role - AWS Remote Authenticator login
3 participants
@idanovo @Isan-Rivkin @guy-har