@thesuperzapper
Member

This PR:

  1. Adds authentication to the backend
  2. Removes the `helper.GetKubeconfig` and replaces it with `ctrl.GetConfig()`
    • This allows us to set `CLIENT_QPS` and `CLIENT_BURST` as configs (because the defaults are very low 20/30)

Authentication is implemented by reading the `USERID_HEADER` and `GROUPS_HEADER` in each request (see `NewRequestAuthenticator()`).

Authorization is implemented with SubjectAccessReviews (see `NewRequestAuthorizer()`). The `NewRequestAuthorizer()` method uses the `authorizerfactory.DelegatingAuthorizerConfig` from `k8s.io/apiserver/pkg/authorization/authorizerfactory` and has a 10-second cache to not check the user is still authorized more than once every 10 seconds.

To define what auth a specific handler requires, we have a new `a.requireAuth()` method, which takes a new `[]ResourcePolicy` list, that can easily be constructed using `NewResourcePolicy()` in a clear way.

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
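
The request flow described in the PR description above, modelled with only the Go standard library as an added example; it is not code from this PR or from the Kubeflow project. Assumptions: the header names are constructed, `ResourcePolicy` is reduced to three fields, the groups header is passed through as a raw string, and the `Authorize` function stands in for the SubjectAccessReview call so the 10-second cache can be exercised offline.

```go
package main

import (
	"fmt"
	"net/http"
	"sync"
	"time"
)

// Constructed header names; the PR takes the real ones from USERID_HEADER and GROUPS_HEADER.
const userHeader, groupsHeader = "X-Example-User", "X-Example-Groups"

// Simplified stand-ins for the PR's types; a real Authorize would send a SubjectAccessReview.
type ResourcePolicy struct{ Verb, Resource, Namespace string }
type Authorize func(user, groups string, p ResourcePolicy) bool

// Cached reuses each decision for ttl, so a revoked permission can linger that long.
func Cached(review Authorize, ttl time.Duration, now func() time.Time) Authorize {
	var mu sync.Mutex
	allowed, expires := map[[5]string]bool{}, map[[5]string]time.Time{}
	return func(user, groups string, p ResourcePolicy) bool {
		mu.Lock()
		defer mu.Unlock()
		key := [5]string{user, groups, p.Verb, p.Resource, p.Namespace}
		if !now().Before(expires[key]) { // missing or expired: ask again
			allowed[key], expires[key] = review(user, groups, p), now().Add(ttl)
		}
		return allowed[key]
	}
}

// RequireAuth returns 401 without a user header, 403 if any policy is denied, else 200.
func RequireAuth(r *http.Request, authz Authorize, policies ...ResourcePolicy) int {
	if r.Header.Get(userHeader) == "" {
		return http.StatusUnauthorized
	}
	for _, p := range policies {
		if !authz(r.Header.Get(userHeader), r.Header.Get(groupsHeader), p) {
			return http.StatusForbidden
		}
	}
	return http.StatusOK
}

func main() { // constructed request; the stub review allows everything
	r := &http.Request{Header: http.Header{userHeader: {"alice@example.com"}}}
	allowAll := func(string, string, ResourcePolicy) bool { return true }
	fmt.Println(RequireAuth(r, Cached(allowAll, 10*time.Second, time.Now), ResourcePolicy{"get", "workspaces", "team-a"}))
}
```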
@google-oss-prow google-oss-prow bot requested a review from kimwnasptd February 11, 2025 04:20
@thesuperzapper thesuperzapper requested review from ederign and removed request for kimwnasptd February 11, 2025 04:21
Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
@ederign
Member

ederign commented Feb 11, 2025

@thesuperzapper, impressive PR. This approach is indeed smart! :)

As an FUP, I'll add the authorization mocks for the front end (in the standalone). After 1.10 release, I'll also upgrade Model Registry auth for this.

Great work

@ederign
Member

ederign commented Feb 11, 2025

/lgtm

@thesuperzapper
Member Author

/approve

@google-oss-prow

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ederign, thesuperzapper

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit bc6f311 into kubeflow:notebooks-v2 Feb 11, 2025
5 checks passed
@thesuperzapper thesuperzapper deleted the add-auth branch February 11, 2025 20:28
Mohamed-ben-khemis pushed a commit to Mohamed-ben-khemis/notebooks that referenced this pull request Mar 13, 2025
* feat(ws): add auth to backend

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

* add `DISABLE_AUTH` for interim testing (enabled by default)

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

---------

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
mkoushni pushed a commit to mkoushni/notebooks that referenced this pull request May 28, 2025
* feat(ws): add auth to backend

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

* add `DISABLE_AUTH` for interim testing (enabled by default)

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

---------

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
Signed-off-by: CI Bot <mkoushni@redhat.com>
andyatmiami pushed a commit to andyatmiami/kubeflow-notebooks that referenced this pull request Jun 13, 2025
* feat(ws): add auth to backend

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

* add `DISABLE_AUTH` for interim testing (enabled by default)

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

---------

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>