-
Notifications
You must be signed in to change notification settings - Fork 299
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Flytekit Auth system overhaul and pretty printing upgrade #1458
Conversation
- Reuse local keyring better - use grpc based auth system Signed-off-by: Ketan Umare <[email protected]>
retrying Signed-off-by: Ketan Umare <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
Help wanted. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you!
flytekit/clients/auth/auth_client.py
Outdated
</head> | ||
<body> | ||
<h1>Log in successful to {self.server.remote_metadata.endpoint}</h1> | ||
</body></html>""", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: add please close this window
or something like that..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will do, i will make it a configurable thing, also add Flyte icon
self._creds = Credentials(output.stdout.strip()) | ||
|
||
|
||
class ClientCredentialsAuthenticator(Authenticator): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should also add Device flow at some point...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wdym?
@staticmethod | ||
def _raise_if_exc(request: typing.Any, e: Union[grpc.Call, grpc.Future]): | ||
if e.code() == grpc.StatusCode.UNAUTHENTICATED: | ||
raise FlyteAuthenticationException() from e |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Am I missing something, where is this handled?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is only an exception beautifier. This is not handled anywhere, this is once all auth tries fail
click.secho(f"Underlying Exception: {e.__cause__}", dim=True) | ||
return | ||
|
||
if isinstance(e, grpc._channel._InactiveRpcError): # noqa |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
grpc._channel
needs to be imported.
self._cmd = command | ||
if not self._cmd: | ||
raise ValueError("Command cannot be empty for command authenticator") | ||
super().__init__(header_key) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
super().__init__(header_key) | |
super().__init__(None, header_key) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thank you for the catch, updating it
I did a quick test. I managed to run a task via |
Signed-off-by: Ketan Umare <[email protected]>
server_process.terminate() | ||
|
||
def refresh_access_token(self, credentials: Credentials) -> Credentials: | ||
if credentials.refresh_token is None: | ||
raise ValueError("no refresh token available with which to refresh authorization credentials") | ||
|
||
resp = _requests.post( | ||
url=self._token_endpoint, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should consider passing verify
switch to request calls as in: #1509
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let me incorporate your change
Signed-off-by: Ketan Umare <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
…e the image smaller Signed-off-by: Yee Hing Tong <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
I was able to repro the test errors in a docker container (e.g. Installing |
Signed-off-by: Yee Hing Tong <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
Signed-off-by: Ketan Umare <[email protected]>
Signed-off-by: Eduardo Apolinario <[email protected]>
Codecov Report
@@ Coverage Diff @@
## master #1458 +/- ##
==========================================
- Coverage 69.32% 69.28% -0.05%
==========================================
Files 305 315 +10
Lines 28671 28845 +174
Branches 2718 2741 +23
==========================================
+ Hits 19877 19986 +109
- Misses 8276 8341 +65
Partials 518 518
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
* [wip] New authentication system - Reuse local keyring better - use grpc based auth system Signed-off-by: Ketan Umare <[email protected]> * Better error handling and printing, better exception handling and retrying Signed-off-by: Ketan Umare <[email protected]> * Delete legacy files Signed-off-by: Ketan Umare <[email protected]> * add missing None Signed-off-by: Ketan Umare <[email protected]> * keyring removed Signed-off-by: Ketan Umare <[email protected]> * added insecure_skip_verify Signed-off-by: Ketan Umare <[email protected]> * test fixed Signed-off-by: Ketan Umare <[email protected]> * Test fixed Signed-off-by: Ketan Umare <[email protected]> * Auth update Signed-off-by: Ketan Umare <[email protected]> * updated test Signed-off-by: Ketan Umare <[email protected]> * updated Signed-off-by: Ketan Umare <[email protected]> * flush buffer instead of closing, was getting a weird stack trace. make the image smaller Signed-off-by: Yee Hing Tong <[email protected]> * updated ca-cert logic Signed-off-by: Ketan Umare <[email protected]> * Fixed unit tests Signed-off-by: Ketan Umare <[email protected]> * updated Signed-off-by: Ketan Umare <[email protected]> * test fix Signed-off-by: Ketan Umare <[email protected]> * updated Signed-off-by: Ketan Umare <[email protected]> * nest raise if exc Signed-off-by: Yee Hing Tong <[email protected]> * added keyring.alt for tests Signed-off-by: Ketan Umare <[email protected]> * updated Signed-off-by: Ketan Umare <[email protected]> * updated Signed-off-by: Ketan Umare <[email protected]> * Lint Signed-off-by: Eduardo Apolinario <[email protected]> --------- Signed-off-by: Ketan Umare <[email protected]> Signed-off-by: Ketan Umare <[email protected]> Signed-off-by: Ketan Umare <[email protected]> Signed-off-by: Ketan Umare <[email protected]> Signed-off-by: Yee Hing Tong <[email protected]> Signed-off-by: Eduardo Apolinario <[email protected]> Co-authored-by: Ketan Umare <[email protected]> Co-authored-by: Ketan Umare <[email protected]> Co-authored-by: Ketan Umare <[email protected]> Co-authored-by: Yee Hing Tong <[email protected]> Co-authored-by: Eduardo Apolinario <[email protected]> Signed-off-by: Eduardo Apolinario <[email protected]>
…pgrade (#1458) (#1525) * Flytekit Auth system overhaul and pretty printing upgrade (#1458) * [wip] New authentication system - Reuse local keyring better - use grpc based auth system Signed-off-by: Ketan Umare <[email protected]> * Better error handling and printing, better exception handling and retrying Signed-off-by: Ketan Umare <[email protected]> * Delete legacy files Signed-off-by: Ketan Umare <[email protected]> * add missing None Signed-off-by: Ketan Umare <[email protected]> * keyring removed Signed-off-by: Ketan Umare <[email protected]> * added insecure_skip_verify Signed-off-by: Ketan Umare <[email protected]> * test fixed Signed-off-by: Ketan Umare <[email protected]> * Test fixed Signed-off-by: Ketan Umare <[email protected]> * Auth update Signed-off-by: Ketan Umare <[email protected]> * updated test Signed-off-by: Ketan Umare <[email protected]> * updated Signed-off-by: Ketan Umare <[email protected]> * flush buffer instead of closing, was getting a weird stack trace. make the image smaller Signed-off-by: Yee Hing Tong <[email protected]> * updated ca-cert logic Signed-off-by: Ketan Umare <[email protected]> * Fixed unit tests Signed-off-by: Ketan Umare <[email protected]> * updated Signed-off-by: Ketan Umare <[email protected]> * test fix Signed-off-by: Ketan Umare <[email protected]> * updated Signed-off-by: Ketan Umare <[email protected]> * nest raise if exc Signed-off-by: Yee Hing Tong <[email protected]> * added keyring.alt for tests Signed-off-by: Ketan Umare <[email protected]> * updated Signed-off-by: Ketan Umare <[email protected]> * updated Signed-off-by: Ketan Umare <[email protected]> * Lint Signed-off-by: Eduardo Apolinario <[email protected]> --------- Signed-off-by: Ketan Umare <[email protected]> Signed-off-by: Ketan Umare <[email protected]> Signed-off-by: Ketan Umare <[email protected]> Signed-off-by: Ketan Umare <[email protected]> Signed-off-by: Yee Hing Tong <[email protected]> Signed-off-by: Eduardo Apolinario <[email protected]> Co-authored-by: Ketan Umare <[email protected]> Co-authored-by: Ketan Umare <[email protected]> Co-authored-by: Ketan Umare <[email protected]> Co-authored-by: Yee Hing Tong <[email protected]> Co-authored-by: Eduardo Apolinario <[email protected]> Signed-off-by: Eduardo Apolinario <[email protected]> * Remove requirements files (#1511) * Remove mentions to spark Signed-off-by: Eduardo Apolinario <[email protected]> * Remove mentions to requirements.txt and dev-requirements.txt Signed-off-by: Eduardo Apolinario <[email protected]> * Remove plugins requirements. Signed-off-by: Eduardo Apolinario <[email protected]> * Remove all_requirements target from plugins makefile Signed-off-by: Eduardo Apolinario <[email protected]> * Use dev-requirements.in in lint gh action job Signed-off-by: Eduardo Apolinario <[email protected]> * Revert "Remove all_requirements target from plugins makefile" This reverts commit 50cbb4d. Signed-off-by: Eduardo Apolinario <[email protected]> * Revert "Remove plugins requirements." This reverts commit eae945c. Signed-off-by: Eduardo Apolinario <[email protected]> --------- Signed-off-by: Eduardo Apolinario <[email protected]> Co-authored-by: Eduardo Apolinario <[email protected]> Signed-off-by: Eduardo Apolinario <[email protected]> * Remove requirements files (#1511) * Remove mentions to spark Signed-off-by: Eduardo Apolinario <[email protected]> * Remove mentions to requirements.txt and dev-requirements.txt Signed-off-by: Eduardo Apolinario <[email protected]> * Remove plugins requirements. Signed-off-by: Eduardo Apolinario <[email protected]> * Remove all_requirements target from plugins makefile Signed-off-by: Eduardo Apolinario <[email protected]> * Use dev-requirements.in in lint gh action job Signed-off-by: Eduardo Apolinario <[email protected]> * Revert "Remove all_requirements target from plugins makefile" This reverts commit 50cbb4d. Signed-off-by: Eduardo Apolinario <[email protected]> * Revert "Remove plugins requirements." This reverts commit eae945c. Signed-off-by: Eduardo Apolinario <[email protected]> --------- Signed-off-by: Eduardo Apolinario <[email protected]> Co-authored-by: Eduardo Apolinario <[email protected]> Signed-off-by: Eduardo Apolinario <[email protected]> Signed-off-by: Eduardo Apolinario <[email protected]> --------- Signed-off-by: Ketan Umare <[email protected]> Signed-off-by: Ketan Umare <[email protected]> Signed-off-by: Ketan Umare <[email protected]> Signed-off-by: Ketan Umare <[email protected]> Signed-off-by: Yee Hing Tong <[email protected]> Signed-off-by: Eduardo Apolinario <[email protected]> Co-authored-by: Ketan Umare <[email protected]> Co-authored-by: Ketan Umare <[email protected]> Co-authored-by: Ketan Umare <[email protected]> Co-authored-by: Ketan Umare <[email protected]> Co-authored-by: Yee Hing Tong <[email protected]> Co-authored-by: Eduardo Apolinario <[email protected]>
TL;DR
This PR introduces a new Oauth2 handling system in flytekit, that can be used in non flytekit python libraries that wish to use a standardized flow for flytekit. The standard flow is as defined in the RFC and a few additional supported methods.
The system uses client side - grpc.Interceptors. for fine control on the auth flow. It also introduces exception wrapping and retrying interceptor.
As a last time, it improves the terminal output when using pyflyte. All the output is not distilled and the error is traced correctly. Eventually we could link to docs for the errors.
Type
Are all requirements met?