Update Cloud Client for new USER-scoped API tokens #1423

Merged
merged 5 commits into from
Aug 29, 2019

jlowin
Member

@jlowin jlowin commented Aug 29, 2019

This PR supersedes #1410

Thanks for contributing to Prefect!

Please describe your work and make sure your PR:

  • adds new tests (if appropriate)
  • updates CHANGELOG.md (if appropriate)
  • updates docstrings for any new functions or function arguments, including docs/outline.toml for API reference docs (if appropriate)

Note that your PR will not be reviewed unless all three boxes are checked.

What does this PR change?

This PR adds a new auth flow to the Python Cloud client, without changing its existing behavior. However, it does rename some private attributes.

The primary contribution of this PR is to support USER-scoped Cloud API tokens, which function as personal access tokens. USER-scoped tokens cannot be used to interact with the Cloud API in a significant way, but are able to authenticate with the API and receive short-lived JWTs in return. These JWTs are full auth tokens representing a user's membership in a specific Cloud tenant.

The user flow works like this:

  1. User instantiates a Cloud client and passes it a USER-scoped API token.
  2. User calls `client.save_api_token()` to write the token to local storage so it persists across Python sessions.
  3. User calls `client.get_available_tenants()` to see what tenants they can log in to.
  4. User calls `client.log_to_tenant(tenant_id=<>, tenant_slug=<>)` (with one or the other argument). When this happens, an ephemeral JWT is received as well as a refresh token. Note this step is also persisted across sessions.
  5. The User can now make API calls as if they were logged in to the tenant in question, for example `client.graphql(...)`. The Client is managing all refreshing and exchanging of JWTs in the background.
  6. The User is finished, so they call `client.logout_from_tenant()`. This discards the JWT access token.

The TOKEN- and AGENT-scoped flows are unchanged:

  1. Client instantiated with an API token (or receives one via env var/config).
  2. Client includes the API token in all calls.
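
The USER-token flow described in the comment above, as an added model that is not code from this PR or from Prefect: a long-lived USER token is only ever exchanged for a short-lived tenant session, and the client renews that session before it expires. `ModelCloud`, `ModelClient`, the 600-second lifetime, the 30-second renewal margin and single-use refresh tokens are assumptions; the client method names mirror the description.

```python
import secrets
import time
from collections import namedtuple

TTL = 600  # assumed access-token lifetime in seconds; the page gives no figure
Session = namedtuple("Session", "access refresh expiry tenant")

class ModelCloud:  # constructed in-memory stand-in for the Cloud API, not Prefect code
    def __init__(self, user_token, tenants):
        self.user_token, self.tenants = user_token, set(tenants)
        self.access, self.refresh = {}, {}  # live sessions keyed by each token

    def _issue(self, tenant, now):
        s = Session(secrets.token_urlsafe(16), secrets.token_urlsafe(16), now + TTL, tenant)
        self.access[s.access] = self.refresh[s.refresh] = s
        return s

    def login(self, user_token, tenant, now):
        if not secrets.compare_digest(user_token, self.user_token) or tenant not in self.tenants:
            raise PermissionError("bad USER token or no membership in tenant")
        return self._issue(tenant, now)

    def exchange(self, refresh, now):
        if refresh not in self.refresh:
            raise PermissionError("unknown refresh token")
        return self._issue(self.refresh.pop(refresh).tenant, now)  # single use (assumption)

    def graphql(self, bearer, now):
        s = self.access.get(bearer)  # a USER token is never a key here
        if s is None or now >= s.expiry:
            raise PermissionError("not a valid access token")
        return s.tenant

class ModelClient:  # hypothetical client; method names follow the description above
    def __init__(self, cloud, user_token, clock=time.time):
        self.cloud, self.user_token, self.clock, self.session = cloud, user_token, clock, None

    def log_to_tenant(self, tenant_slug):
        self.session = self.cloud.login(self.user_token, tenant_slug, self.clock())

    def graphql(self):
        if self.session is None:
            raise PermissionError("not logged in to a tenant")
        now = self.clock()
        if now >= self.session.expiry - 30:  # renew shortly before expiry
            self.session = self.cloud.exchange(self.session.refresh, now)
        return self.cloud.graphql(self.session.access, now)

    def logout_from_tenant(self):
        self.session = None  # drops the JWT; the refresh token goes too (assumption)
```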


codecov bot commented Aug 29, 2019

Codecov Report

Merging #1423 into master will increase coverage by 0.03%.
The diff coverage is 98.87%.


`TENANT`-scoped API tokens are used for long-lived programmatic access to a specific Cloud tenant. Unlike `USER` tokens, which can adopt any tenant membership the user has, `TENANT` tokens are fixed to a specific membership in a specific tenant. They adopt whatever permissions the user has in the tenant.

### `AGENT`

RUNNER

Member Author

TY

@joshmeek joshmeek merged commit f380bac into master Aug 29, 2019
@joshmeek joshmeek deleted the client-auth-2 branch August 29, 2019 21:08
@jlowin jlowin mentioned this pull request Aug 29, 2019
zanieb added a commit that referenced this pull request Apr 13, 2022
Add support for all version tags