chore: logins return Sessions

[wes-turner]

Logins used to return an intermediate UsernameTokenPair that itself was used to create Sessions. We did it this way because the job of login is to find/create a valid token. But because login itself is a user-facing command, and tokens are an implementation detail most people don't care about, this patch updates the login API to just return a Session (the thing most users cared about in the first place).

If a user really wants to get a token, they can always access the token in the Session.

Additionally as a part of this patch, the UsernameTokenPair class has been removed -- it was kind of an in-between abstraction to make it easier for callers of login to create sessions.

This change also contains new BaseSession.with_retry to modify retries (by creating new sessions). We needed some mechanism for users to set retry to something other than the default, and passing retry into login would have been a weird interface (what does the retry of the eventual session have to do with logging in?).

MD-283

Description

Test Plan

Commentary (optional)

Checklist

• Changes have been manually QA'd
• User-facing API changes need the "User-facing API Change" label.
• Release notes should be added as a separate file under docs/release-notes/.
  See Release Note for details.
• Licenses should be included for new code which was copied and/or modified from any external code.

Ticket

[netlify]

✅ Deploy Preview for determined-ui ready!

Name	Link
🔨 Latest commit	f6251f0
🔍 Latest deploy log	https://app.netlify.com/sites/determined-ui/deploys/65f9b5cd2ed2e20008152b01
😎 Deploy Preview	https://deploy-preview-8883--determined-ui.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[codecov]

Codecov Report

Attention: Patch coverage is 78.78788% with 14 lines in your changes are missing coverage. Please review.

Project coverage is 47.75%. Comparing base (fa43bff) to head (f6251f0).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8883      +/-   ##
==========================================
+ Coverage   47.74%   47.75%   +0.01%     
==========================================
  Files        1161     1161              
  Lines      143093   143070      -23     
  Branches     2372     2370       -2     
==========================================
+ Hits        68318    68330      +12     
+ Misses      74622    74587      -35     
  Partials      153      153              

Flag	Coverage Δ
backend	42.74% <ø> (+0.06%)	⬆️
harness	63.96% <78.78%> (+<0.01%)	⬆️
web	40.86% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
harness/determined/cli/_util.py	68.08% <100.00%> (-0.67%)	⬇️
harness/determined/common/api/__init__.py	100.00% <100.00%> (ø)
harness/determined/common/api/authentication.py	85.44% <100.00%> (-0.33%)	⬇️
...rness/determined/common/experimental/determined.py	41.21% <100.00%> (-0.36%)	⬇️
harness/determined/launch/deepspeed.py	91.46% <100.00%> (-0.11%)	⬇️
harness/determined/launch/horovod.py	94.56% <100.00%> (-0.12%)	⬇️
harness/tests/checkpoints/test_checkpoint.py	100.00% <ø> (ø)
harness/tests/cli/test_auth.py	93.85% <100.00%> (+0.03%)	⬆️
harness/tests/cli/test_experiment.py	100.00% <100.00%> (ø)
.../determined/common/experimental/test_checkpoint.py	94.82% <100.00%> (-0.18%)	⬇️
... and 16 more

... and 4 files with indirect coverage changes

[rb-determined-ai]

My name is @rb-determined-ai, and I approve of this change.

But also, what if UnauthSession had login and login_with_cache on it? That might be a more natural way to configure the retries.

Or it might be making the relationship between objects too complicated (that is how I felt, because I did consider that at some point).

But I wanted to voice it in case you hadn't thought of it and you loved the idea.

[wes-turner]

But also, what if UnauthSession had login and login_with_cache on it? That might be a more natural way to configure the retries.

Or it might be making the relationship between objects too complicated (that is how I felt, because I did consider that at some point).

But I wanted to voice it in case you hadn't thought of it and you loved the idea.

In code,

class UnauthSession(BaseSession):
  def login(self, user, password) -> Session:
    ...
  def login_with_cache(self, user, password) -> Session:
    ...

sess = api.UnauthSession(master, cert).login(user, password)

I like it. I don't know if I prefer it on the whole (makes creating a new session a little more awkward), but I do think it's a better abstraction to have implemented.

FWIW, I think adding an optional max_retries to UnauthSession.login is no better than max_retries on authentication.login, so in the case of the above I still prefer a BaseSession.with_retry.

[rb-determined-ai]

FWIW, I think adding an optional max_retries to UnauthSession.login is no better than max_retries on authentication.login, so in the case of the above I still prefer a BaseSession.with_retry.

I mean, I think you would put max_retries on UnauthSession not on its .login()

[azhou-determined]

i had originally thought login methods returning a session would be a great abstraction. the more i look at it/think about it, the less sure i am.

i think you're right that a parameter like retry shouldn't have anything to do with logging in. but then why should login methods return a session? seems like we're blurring abstractions somewhere. feels like a "pure" login method should return nothing (or at most a bool indicating whether login was successful or not). and if i keep with this train of thought, maybe logically all login should do is authenticate and persist the login token. and maybe get_current_session would be a separate method that returns the session.

i don't know how feasible this is, so take this however seriously you want. it's probably not worth the effort as i don't see it providing much value, and i think what you have is fine. just my $0.02.

[wes-turner]

FWIW, I think adding an optional max_retries to UnauthSession.login is no better than max_retries on authentication.login, so in the case of the above I still prefer a BaseSession.with_retry.

I mean, I think you would put max_retries on UnauthSession not on its .login()

Oh... Yeah. That's better.

[azhou-determined]

quotes api.Session

[wes-turner]

Fixed. Thanks!

[azhou-determined]

lgtm

[wes-turner]

But also, what if UnauthSession had login and login_with_cache on it? That might be a more natural way to configure the retries.

I do like this idea. A lot. But I'm not sure how much more I like it than what's implemented, and keeping in mind ROI I don't think it's worth working out.

[wes-turner]

Unrelated to the change; this looks like a bugfix. info had not been in scope.

[wes-turner]

Decided to not implement a regression test. This doesn't seem like functionality we care much about.

[NicholasBlaskey]

I think this will also need to be updated

determined/.circleci/scripts/wait_for_perf_migration_upload_results.py

Line 38 in bc1b431

utp = authentication.login("http://127.0.0.1:8080", "admin", "", cert)

[wes-turner]

Fixed. I hadn't known that **/*.py glob skipped hidden directories. Thanks for catching this.

[loksonarius]

Approving CI changes on behalf of infra