Add and use auth factory

[Isan-Rivkin]

Closes #8822

Additional Manual testing performed:

1. Upgrade OSS version (No auth)
2. Upgrade OSS no RBAC to RBAC (on-prem solution)

[github-actions]

E2E Test Results - DynamoDB Local - Local Block Adapter

[github-actions]

E2E Test Results - Quickstart

[nopcoder]

We should avoid using IsAdvancedAuth the factory should provide implementation - basic or advanced.

[nopcoder]

from a quick look it seems like we need to start using generics here

[Isan-Rivkin]

Elaborate?
I explored several options here but the small changes don't seem very valuable and others i had required larger design that i prefer to be out of scope.

[nopcoder]

not a blocker. but it looks like a copy paste for each type we like to cache

[Isan-Rivkin]

It's indeed the case.
I'm comfortable with this since it happens once in a blue moon.
But open to suggestions

[nopcoder]

nit;

Suggested change

	"github.com/treeverse/lakefs/pkg/config"
	"github.com/treeverse/lakefs/pkg/kv"
	"github.com/treeverse/lakefs/pkg/logging"
	)
	var errSimplifiedOrExternalAuth = errors.New(`cannot set auth.ui_config.rbac to non-simplified without setting an external auth service`)
	"github.com/treeverse/lakefs/pkg/config"
	"github.com/treeverse/lakefs/pkg/kv"
	"github.com/treeverse/lakefs/pkg/logging"
	)
	var errSimplifiedOrExternalAuth = errors.New("cannot set auth.ui_config.rbac to non-simplified without setting an external auth service")

[Isan-Rivkin]

everything in cache.go is copied from enterprise

[Isan-Rivkin]

We should avoid using IsAdvancedAuth the factory should provide implementation - basic or advanced.

I agree but we have some other considerations - The IsAdvancedAuth is used to determine flow during setup, and indicator for our logging middlewares.
The AuthAPI doesn't know if it's advanced or not if we don't tell it, since it also uses ACL.

[nopcoder]

talked f2f about the use of is advance auth. thanks.

[Isan-Rivkin]

@nopcoder FYI, I copied a BUG from fluffy, using policyCache cache.Cache for external principals, added small commit after approve to use dedicated class.

[Isan-Rivkin]

Fixed unit-test missing new param

[yonipeleg33]

LGTM, very nice work!
Had some minor, non-blocking comments.
I only block because I think this PR calls for more testing - aside from the unit tests, I'd like to see at least a description of manual tests performed on this branch, including backwards compatibility - spinning up a new binary after an old one should proceed from the same state in the auth db seamlessly.

[yonipeleg33]

revert, looks like a typo you added

[yonipeleg33]

this file is a bit odd to me. why not inline everything into modules/auth/factory/build.go?
a good sign that it's serving a questionable purpose is that you call it authfactoryhelper when importing - "helper" is a vague term.

it's not blocking, just not sure what's the purpose

[Isan-Rivkin]

The initiation logic needs to be re-used in enterprise as well, for context, in enterprise the build new function of the factory looks like this:

import ossauthfactory "github.com/treeverse/lakefs/pkg/auth/factory"

func NewAuthService(ctx context.Context, cfg ossconfig.Config, logger logging.Logger, kvStore kv.Store, metadataManager *ossauth.KVMetadataManager) ossauth.Service {

	if !cfg.(*config.Config).Features.RBAC {
		logging.ContextUnavailable().Info("Creating non-local rbac service")
		return ossauthfactory.NewAuthService(ctx, cfg, logger, kvStore, metadataManager)
	}
       // ... 
      // return RBAC local service
      return auth.NewAuthService(...)
}

[yonipeleg33]

then why not call it isRbacEnabled?
i can get why you want to use more general terms like "advanced auth" at the interface level, but this is the concrete value here - i don't see a reason not to give it the proper name it deserves.

this code makes more sense to me as a reader:

func (a *APIAuthService) IsAdvancedAuth() bool {
	return a.isRbacEnabled
}

[Isan-Rivkin]

Not done, I am maintaining the terminology we have.
Let's decouple between how we determine ( == RBAC External or External) VS the meaning (advanced auth).
We have an existing terminology which is NoAuth, Simplified Auth (ACL) and Advanced Auth (RBAC Server with more).
The current best way to determine were using "rbac + other features" is based on the RBAC value but that's not the meaning it's just the best we have.
The auth service doesn't need to know RBAC or not. That's encapsulated at the config level, like it was before.

[yonipeleg33]

sure, i get the decoupling idea. but your comment says otherwise :-)
if the comment is correct, there should be no issue with fusing the comment into the variable name. same meaning, stronger semantics.

(still not blocking)

[Isan-Rivkin]

LGTM, very nice work! Had some minor, non-blocking comments. I only block because I think this PR calls for more testing - aside from the unit tests, I'd like to see at least a description of manual tests performed on this branch, including backwards compatibility - spinning up a new binary after an old one should proceed from the same state in the auth db seamlessly.

You're asking a good question - how was this tested, updated in the description PR description now!

[yonipeleg33]

If you could specify a bit more about the tests that'd be great, I'm not sure what does "Upgrade OSS version" mean exactly.
A short explanation like "built lakefs from master, ran with such and such config, then ran X..." would be very helpful for me.

But not blocking any longer, as there's at least minimal documentation of the tests performed. TYVM, and again - awesome work 💪