Support IAM authentication in replication documents

[smithsz]

Thanks for your hard work, please ensure all items are complete before opening.

• Tick to sign-off your agreement to the Developer Certificate of Origin (DCO) 1.1
• You have added tests for any code changes
• You have updated the CHANGES.md
• You have completed the PR template below:

What

Support IAM authenticated databases when replicating.

How

Expose the IAM API key via the client session and inject into the replication document where applicable.

Testing

Includes additional mock unit tests.

Issues

Fixes #354.

[emlaver]

Update copyright for _client_session.py

[emlaver]

Should this be named get_api_key following the design of the functions in this class e.g. _get_access_token?

[emlaver]

I'm wondering if we should put this code into it's own method so that it can be called by all tests in this class. It would require 4 if blocks for options admin_party, server_url, r_session, and is_iam_authenticated.

[ricellis]

I've not reviewed the tests for now as I think this might need bigger changes. I'm reluctant for it to scope creep into fixing the old source/target URL issue, but I think that is a lot easier if we remove the access to the current credentials and force them to be supplied appropriately for creating replicator documents.

[ricellis]

The existing user_ctx applies to a target only. I think we need to make source_user(_ctx?) and target_user(_ctx?) args that can be used to specify. We should alias the user_ctx to target_user to maintain backwards compatibility.

[smithsz]

Not sure I understand what you mean here. Can we please go through it when you get a mo? Thanks.

[ricellis]

It was a long time ago and I'm struggling to reverse engineer my meaning too! I think what I was getting at was that the user_ctx default setting is dependent on some checks on the target, but not the source. My suggestion above doesn't make sense either though.

What I think makes sense is that the default user_ctx is set if one isn't supplied, but should not depend on any checks for the source or target database.

[smithsz]

Done. Removed admin party check in eaaa7f1.

[ricellis]

The auth used in a replicator document should be independent of the method with which the client is authenticated. For example there is no reason why I can't login python-cloudant with my account credentials and create a replicator document using any other credentials including IAM API keys.

This code should be a fallback only if the source_user is empty and target_user are empty. I think however, that a new version of the create_replication should require some credential information and the fallback should only be used in the backwards compatibility case.

[smithsz]

source_db and target_db are supplied to the create_replication method. They are type database objects and therefore don't share credentials used to POST the replication doc.

[ricellis]

Yes, I see what you mean, everything is an object, so the specific credentials will have been supplied up front in construction of the necessary source or target database objects (or more specifically the client instances needed for those if they are distinct from the replicator.

I think it would be nice if a replication could be created with a source & target URLs and the associated API keys i.e. 4 strings instead of needing to potentially instantiate multiple clients and DBs, but that is out of scope here.

[emlaver]

Just want to note that we made a decision to remove source/target URLs from replication (#342) as it wasn't working properly.

[ricellis]

Yep, that's why I think it is out of scope to try and re-introduce that in a working fashion here.

[ricellis]

Shouldn't this be the target? Also shouldn't we only do these checks if a user_ctx wasn't provided?

[emlaver]

Is there a case where user_ctx doesn't exist in data and database.creds?

[smithsz]

yeah, admin party mode.

[emlaver]

+1