[Functions] Mask sensitive data on store_function
#3096
…ommand, supported runtimes: remote,nuclio,serving,dask,job,spark,remote-spark,mpijob,local
71d34c0 to c78e1c8
Looks good in general. Have some comments and suggestions...
mlrun/runtimes/base.py
Outdated
If access key is not mask (starts with secret prefix) then fill $generate so that the API will handle filling | ||
of the credentials. | ||
We rely on the HTTPDB to send the access key session through the request header and that the API will mask | ||
the access key, that way we won't even store any plain access key in the function. | ||
""" | ||
if self.metadata.credentials.access_key and ( | ||
# if contains secret reference or $generate then no need to overwrite the access key | ||
self.metadata.credentials.access_key.startswith( | ||
mlrun.model.Credentials.secret_reference_prefix | ||
) | ||
or self.metadata.credentials.access_key.startswith( | ||
mlrun.model.Credentials.generate_access_key | ||
) | ||
): | ||
return |
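Review bot: in the early-return condition, the `$generate` case is matched with `startswith(mlrun.model.Credentials.generate_access_key)`, so any access key that merely begins with that sentinel is treated as already handled and left untouched. If the sentinel is meant as a whole-value marker, compare with `==` there and keep `startswith` only for `secret_reference_prefix`. The inline comment says "contains" while the code tests a prefix, and the docstring's "is not mask" should read "is not masked". Since the docstring relies on the API to mask the key so that no plain access key is stored, a test asserting that the stored function never carries a plain key would pin that behaviour down.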
This is already merged - should probably rebase your changes.
mlrun/api/crud/functions.py
Outdated
return mlrun.api.utils.singletons.db.get_db().store_function( | ||
db_session, | ||
function, | ||
name, | ||
function_obj.to_dict(), |
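Review bot: in the `store_function(...)` call, `function` and `function_obj.to_dict()` both appear as positional arguments around `name`, which makes it hard to see which of the two is the object being persisted. Passing these arguments by keyword would make it explicit which one is stored and would guard against the two being swapped or both being passed by mistake.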
In case there's no `auth_info` you do a `new_function` just to do `to_dict()` on it... A lot of effort for nothing. I guess instead you can do the `new_function` -> `apply_enrichment` -> `to_dict` inside the `if` checking for `auth_info`.
LGTM. Left a question and a suggestion (Other than Saar's comments)
…tials-on-store-function
👍
Phase 2 of - #3076
Related to https://jira.iguazeng.com/browse/ML-3156
Multiple adjustments had to be done:
- `auth_info` is provided (will be done on `store_function` endpoint)
- `-` instead of `_` to align with the mlrun function naming conventions.
- `tests_dbs` and removed all tests of runtime base which are no longer relevant as we no longer support running runtime base as well as storing unstructured functions.