Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pipeline-manager: turn API keys into a named API object #1126

Merged
merged 7 commits into from
Dec 11, 2023
Merged

pipeline-manager: turn API keys into a named API object #1126

merged 7 commits into from
Dec 11, 2023

Conversation

lalithsuresh
Copy link
Collaborator

@lalithsuresh lalithsuresh commented Dec 8, 2023
edited

This PR adds an API key object type. It introduces endpoints to create, list, get and delete API keys via the REST API.

The PR also reworks the (previously internal) differentiation between JWT tokens and API keys. Bearer tokens are now a JWT token obtained via an Oauth2/OIDC login workflow or an API key (apikey:1234..). We no longer use a separate custom header for API keys.

This PR also exposes security schemes via OpenAPI and allows Authorization via the swagger UI. So you can now copy in a JWT token or API key via the swagger UI, and the suggested curl commands will correctly use the supplied bearer token. We need to investigate whether this is sufficient to address #1084 (cc @Karakatiza666).

Fixes the backend side of #1103.
Fixes #1114.

See below for what gets added to the Swagger UI:

Authorize button:
image

Enter bearer token:
image

Issue authenticated calls:
image

Is this a user-visible change (yes/no): yes

@lalithsuresh lalithsuresh marked this pull request as draft December 8, 2023 22:04
@lalithsuresh lalithsuresh marked this pull request as ready for review December 11, 2023 00:50
@lalithsuresh lalithsuresh requested a review from gz December 11, 2023 01:14
@lalithsuresh
pipeline-manager: turn API keys into a named API object
0fe242c 
Signed-off-by: Lalith Suresh <lalith@feldera.com>
@lalithsuresh
pipeline-manager: add REST API for API keys
15039aa 
Signed-off-by: Lalith Suresh <lalith@feldera.com>
@lalithsuresh
pipeline-manager: add IDs to API key backend and endpoints
e2de23d 
Signed-off-by: Lalith Suresh <lalith@feldera.com>
@lalithsuresh
auth: avoid custom headers for API keys
28e2723 
Our authz middleware used an Http Bearer Authentication scheme
and custom headers ("x-api-keys") for API keys.

Using API keys in this manner conflicts with some internal assumptions
Actix makes; Our `auth_validator()` works as it should end-to-end but
the Actix framework still logs an error that the request is unathorized,
because it could not find an authorization header with a bearer token in
it.

```
2023-12-10 22:39:42 DEBUG [manager] Error for Option<T> extractor: 401 Unauthorized
```

This could be confusing to users/operators, so I looked into ways to
avoid the custom header. The idea option would have been to keep the
`Bearer` scheme for OIDC JWT tokens and `Basic` for API keys, but
it's not clear from Actix's APIs how to support this. It seems to only
support one authentication scheme per middleware and it felt cumbersome
to implement customized schemes.

So for now, we go for a simple alternative. Both API keys and JWT tokens
use the `Bearer` scheme. API keys are prefixed with `apikeys:` whereas
JWT tokens are encoded as is.

This keeps the design simple, and users should be able to freely replace
a bearer token with an API key in their machine-to-machine workflows.

Signed-off-by: Lalith Suresh <lalith@feldera.com>
@lalithsuresh
auth: allow configuring authentication from swagger UI
324c71e 
Signed-off-by: Lalith Suresh <lalith@feldera.com>
@lalithsuresh
docs: update CHANGELOG.md
14b3923 
Signed-off-by: Lalith Suresh <lalith@feldera.com>
gz
gz approved these changes Dec 11, 2023
View reviewed changes
crates/pipeline_manager/src/api/api_key.rs Outdated Show resolved Hide resolved
crates/pipeline_manager/src/api/api_key.rs Show resolved Hide resolved
crates/pipeline_manager/src/api/api_key.rs Outdated Show resolved Hide resolved
crates/pipeline_manager/src/api/api_key.rs Outdated Show resolved Hide resolved
crates/pipeline_manager/src/api/api_key.rs Outdated Show resolved Hide resolved
crates/pipeline_manager/src/db/mod.rs Outdated Show resolved Hide resolved
crates/pipeline_manager/src/db/mod.rs Outdated Show resolved Hide resolved
crates/pipeline_manager/src/db/storage.rs Outdated Show resolved Hide resolved
crates/pipeline_manager/src/db/storage.rs Outdated Show resolved Hide resolved
crates/pipeline_manager/src/db/test.rs
.filter(|k| k.0 .0 == tenant_id)
.map(|k| ApiKeyDescr {
id: k.1 .0,
name: k.0 .1.clone(),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe these should be named arguments

@lalithsuresh
pipeline-manager: improve OpenAPI documentation and use named constan…
68f7bac 
…ts for ApiKey-related strings

Co-authored-by: Gerd Zellweger <gz@feldera.com>
Signed-off-by: Lalith Suresh <lalith@feldera.com>
@lalithsuresh lalithsuresh merged commit 093e94a into main Dec 11, 2023
5 checks passed
@lalithsuresh lalithsuresh deleted the api-key branch December 11, 2023 20:10
@lalithsuresh lalithsuresh mentioned this pull request Dec 11, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gz gz gz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add security scheme to OpenAPI spec
2 participants
@lalithsuresh @gz