admin

package
v1.13.9 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 2, 2024 License: Apache-2.0 Imports: 38 Imported by: 10

Documentation

Overview

Initializes an Admin Client that exposes all implemented services by FlyteAdmin server. The library supports different authentication flows (see AuthType). It initializes the grpc connection once and reuses it. A grpc load balancing policy can be configured as well.

Index

Examples

Constants

View Source 
const DefaultAuthorizationHeader = "authorization"
View Source 
const (
	DefaultClientID = "flytepropeller"
)
View Source 
const ProxyAuthorizationHeader = "proxy-authorization"

Variables

View Source 
var DefaultClientSecretLocation = filepath.Join(string(filepath.Separator), "etc", "secrets", "client_secret")

Functions

func GetAdditionalAdminClientConfigOptions 

func GetAdditionalAdminClientConfigOptions(cfg *Config) []grpc.DialOption

func GetDeviceFlowAuthTokenSource 

func GetDeviceFlowAuthTokenSource(ctx context.Context, deviceFlowOrchestrator deviceflow.TokenOrchestrator) (oauth2.TokenSource, error)

GetDeviceFlowAuthTokenSource Returns the token source which would be used for device auth flow

func GetPKCEAuthTokenSource 

func GetPKCEAuthTokenSource(ctx context.Context, pkceTokenOrchestrator pkce.TokenOrchestrator) (oauth2.TokenSource, error)

Returns the token source which would be used for three legged oauth. eg : for admin to authorize access to flytectl

func GetProxyTokenSource added in v1.9.17 

func GetProxyTokenSource(ctx context.Context, cfg *Config) (oauth2.TokenSource, error)

func InitializeAdminClient 

func InitializeAdminClient(ctx context.Context, cfg *Config, opts ...grpc.DialOption) service.AdminServiceClient

InitializeAdminClient creates an AdminClient with a shared Admin connection for the process Deprecated: Please use initializeClients instead.

func InitializeAuthMetadataClient 

func InitializeAuthMetadataClient(ctx context.Context, cfg *Config, proxyCredentialsFuture *PerRPCCredentialsFuture) (client service.AuthMetadataServiceClient, err error)

InitializeAuthMetadataClient creates a new anonymously Auth Metadata Service client.

func InitializeMockAdminClient 

func InitializeMockAdminClient() service.AdminServiceClient

func MaterializeCredentials 

func MaterializeCredentials(tokenSource oauth2.TokenSource, cfg *Config, authorizationMetadataKey string,
	perRPCCredentials *PerRPCCredentialsFuture) error

MaterializeCredentials will attempt to build a TokenSource given the anonymously available information exposed by the server. Once established, it'll invoke PerRPCCredentialsFuture.Store() on perRPCCredentials to populate it with the appropriate values.

func MaterializeProxyAuthCredentials added in v1.9.17 

func MaterializeProxyAuthCredentials(ctx context.Context, cfg *Config, proxyCredentialsFuture *PerRPCCredentialsFuture) error

func NewAdminClient 

func NewAdminClient(ctx context.Context, conn *grpc.ClientConn) service.AdminServiceClient

func NewAdminConnection 

func NewAdminConnection(ctx context.Context, cfg *Config, proxyCredentialsFuture *PerRPCCredentialsFuture, opts ...grpc.DialOption) (*grpc.ClientConn, error)

func NewAuthInterceptor 

func NewAuthInterceptor(cfg *Config, tokenCache cache.TokenCache, credentialsFuture *PerRPCCredentialsFuture, proxyCredentialsFuture *PerRPCCredentialsFuture) grpc.UnaryClientInterceptor

NewAuthInterceptor creates a new grpc.UnaryClientInterceptor that forwards the grpc call and inspects the error. It will first invoke the grpc pipeline (to proceed with the request) with no modifications. It's expected for the grpc pipeline to already have a grpc.WithPerRPCCredentials() DialOption. If the perRPCCredentials has already been initialized, it'll take care of refreshing when tokens expire... etc. If the first invocation succeeds (either due to grpc.PerRPCCredentials setting the right tokens or the server not requiring authentication), the interceptor will be no-op. If the first invocation fails with an auth error, this interceptor will then attempt to establish a token source once more. It'll fail hard if it couldn't do so (i.e. it will no longer attempt to send an unauthenticated request). Once a token source has been created, it'll invoke the grpc pipeline again, this time the grpc.PerRPCCredentials should be able to find and acquire a valid AccessToken to annotate the request with.

func NewProxyAuthInterceptor added in v1.9.17 

func NewProxyAuthInterceptor(cfg *Config, proxyCredentialsFuture *PerRPCCredentialsFuture) grpc.UnaryClientInterceptor

func SetConfig 

func SetConfig(cfg *Config) error

Types

type AuthType 

type AuthType uint8
const (
	// AuthTypeClientSecret Chooses Client Secret OAuth2 protocol (ref: https://tools.ietf.org/html/rfc6749#section-4.4)
	AuthTypeClientSecret AuthType = iota
	// AuthTypePkce Chooses Proof Key Code Exchange OAuth2 extension protocol (ref: https://tools.ietf.org/html/rfc7636)
	AuthTypePkce
	// AuthTypeExternalCommand Chooses an external authentication process
	AuthTypeExternalCommand
	// AuthTypeDeviceFlow Uses device flow to authenticate in a constrained environment with no access to browser
	AuthTypeDeviceFlow
)

func AuthTypeString 

func AuthTypeString(s string) (AuthType, error)

AuthTypeString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.

func AuthTypeValues 

func AuthTypeValues() []AuthType

AuthTypeValues returns all values of the enum

func (AuthType) IsAAuthType 

func (i AuthType) IsAAuthType() bool

IsAAuthType returns "true" if the value is listed in the enum definition. "false" otherwise

func (AuthType) MarshalJSON 

func (i AuthType) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for AuthType

func (AuthType) MarshalYAML 

func (i AuthType) MarshalYAML() (interface{}, error)

MarshalYAML implements a YAML Marshaler for AuthType

func (AuthType) String 

func (i AuthType) String() string

func (*AuthType) UnmarshalJSON 

func (i *AuthType) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for AuthType

func (*AuthType) UnmarshalYAML 

func (i *AuthType) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements a YAML Unmarshaler for AuthType

type ClientCredentialsTokenSourceProvider 

type ClientCredentialsTokenSourceProvider struct {
	// contains filtered or unexported fields
}

func (ClientCredentialsTokenSourceProvider) GetTokenSource 

func (p ClientCredentialsTokenSourceProvider) GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)

type Clientset 

type Clientset struct {
	// contains filtered or unexported fields
}

Clientset contains the clients exposed to communicate with various admin services.

func InitializeMockClientset 

func InitializeMockClientset() *Clientset

func (Clientset) AdminClient 

func (c Clientset) AdminClient() service.AdminServiceClient

AdminClient retrieves the AdminServiceClient

func (Clientset) AuthMetadataClient 

func (c Clientset) AuthMetadataClient() service.AuthMetadataServiceClient

AuthMetadataClient retrieves the AuthMetadataServiceClient

func (Clientset) DataProxyClient 

func (c Clientset) DataProxyClient() service.DataProxyServiceClient

func (Clientset) HealthServiceClient 

func (c Clientset) HealthServiceClient() grpc_health_v1.HealthClient

HealthServiceClient retrieves the grpc_health_v1.HealthClient

func (Clientset) IdentityClient 

func (c Clientset) IdentityClient() service.IdentityServiceClient

func (Clientset) SignalServiceClient 

func (c Clientset) SignalServiceClient() service.SignalServiceClient

type ClientsetBuilder 

type ClientsetBuilder struct {
	// contains filtered or unexported fields
}

ClientsetBuilder is used to build the clientset. This allows custom token cache implementations to be plugged in.

func ClientSetBuilder 

func ClientSetBuilder() *ClientsetBuilder

ClientSetBuilder is constructor function to be used by the clients in interacting with the builder

Example 
ctx := context.Background()
// Create a client set that initializes the connection with flyte admin and sets up Auth (if needed).
// See AuthType for a list of supported authentication types.
clientSet, err := NewClientsetBuilder().WithConfig(GetConfig(ctx)).Build(ctx)
if err != nil {
	logger.Fatalf(ctx, "failed to initialized clientSet from config. Error: %v", err)
}

// Access and use the desired client:
_ = clientSet.AdminClient()
_ = clientSet.AuthMetadataClient()
_ = clientSet.IdentityClient()

Output:

func NewClientsetBuilder 

func NewClientsetBuilder() *ClientsetBuilder

func (*ClientsetBuilder) Build 

func (cb *ClientsetBuilder) Build(ctx context.Context) (*Clientset, error)

Build the clientset using the current state of the ClientsetBuilder

func (*ClientsetBuilder) WithConfig 

func (cb *ClientsetBuilder) WithConfig(config *Config) *ClientsetBuilder

WithConfig provides the admin config to be used for constructing the clientset

func (*ClientsetBuilder) WithDialOptions 

func (cb *ClientsetBuilder) WithDialOptions(opts ...grpc.DialOption) *ClientsetBuilder

func (*ClientsetBuilder) WithTokenCache 

func (cb *ClientsetBuilder) WithTokenCache(tokenCache cache.TokenCache) *ClientsetBuilder

WithTokenCache allows pluggable token cache implementations. eg; flytectl uses keyring as tokenCache

type Config 

type Config struct {
	Endpoint              config.URL      `json:"endpoint" pflag:",For admin types, specify where the uri of the service is located."`
	UseInsecureConnection bool            `json:"insecure" pflag:",Use insecure connection."`
	InsecureSkipVerify    bool            `` /* 186-byte string literal not displayed */
	CACertFilePath        string          `json:"caCertFilePath" pflag:",Use specified certificate file to verify the admin server peer."`
	MaxBackoffDelay       config.Duration `json:"maxBackoffDelay" pflag:",Max delay for grpc backoff"`
	PerRetryTimeout       config.Duration `json:"perRetryTimeout" pflag:",gRPC per retry timeout"`
	MaxRetries            int             `json:"maxRetries" pflag:",Max number of gRPC retries"`
	MaxMessageSizeBytes   int             `json:"maxMessageSizeBytes" pflag:",The max size in bytes for incoming gRPC messages"`
	AuthType              AuthType        `` /* 129-byte string literal not displayed */
	TokenRefreshWindow    config.Duration `json:"tokenRefreshWindow" pflag:",Max duration between token refresh attempt and token expiry."`
	// Deprecated: settings will be discovered dynamically
	DeprecatedUseAuth    bool     `json:"useAuth" pflag:",Deprecated: Auth will be enabled/disabled based on admin's dynamically discovered information."`
	ClientID             string   `json:"clientId" pflag:",Client ID"`
	ClientSecretLocation string   `json:"clientSecretLocation" pflag:",File containing the client secret"`
	ClientSecretEnvVar   string   `json:"clientSecretEnvVar" pflag:",Environment variable containing the client secret"`
	Scopes               []string `json:"scopes" pflag:",List of scopes to request"`
	UseAudienceFromAdmin bool     `json:"useAudienceFromAdmin" pflag:",Use Audience configured from admins public endpoint config."`
	Audience             string   `json:"audience" pflag:",Audience to use when initiating OAuth2 authorization requests."`

	// There are two ways to get the token URL. If the authorization server url is provided, the client will try to use RFC 8414 to
	// try to get the token URL. Or it can be specified directly through TokenURL config.
	// Deprecated: This will now be discovered through admin's anonymously accessible metadata.
	DeprecatedAuthorizationServerURL string `json:"authorizationServerUrl" pflag:",This is the URL to your IdP's authorization server. It'll default to Endpoint"`
	// If not provided, it'll be discovered through admin's anonymously accessible metadata endpoint.
	TokenURL string `` /* 141-byte string literal not displayed */

	// See the implementation of the 'grpcAuthorizationHeader' option in Flyte Admin for more information. But
	// basically we want to be able to use a different string to pass the token from this client to the the Admin service
	// because things might be running in a service mesh (like Envoy) that already uses the default 'authorization' header
	AuthorizationHeader string `json:"authorizationHeader" pflag:",Custom metadata header to pass JWT"`

	PkceConfig pkce.Config `json:"pkceConfig" pflag:",Config for Pkce authentication flow."`

	DeviceFlowConfig deviceflow.Config `json:"deviceFlowConfig" pflag:",Config for Device authentication flow."`

	Command []string `json:"command" pflag:",Command for external authentication token generation"`

	ProxyCommand []string `json:"proxyCommand" pflag:",Command for external proxy-authorization token generation"`

	// Set the gRPC service config formatted as a json string https://github.com/grpc/grpc/blob/master/doc/service_config.md
	// eg. {"loadBalancingConfig": [{"round_robin":{}}], "methodConfig": [{"name":[{"service": "foo", "method": "bar"}, {"service": "baz"}], "timeout": "1.000000001s"}]}
	// find the full schema here https://github.com/grpc/grpc-proto/blob/master/grpc/service_config/service_config.proto#L625
	// Note that required packages may need to be preloaded to support certain service config. For example "google.golang.org/grpc/balancer/roundrobin" should be preloaded to have round-robin policy supported.
	DefaultServiceConfig string `json:"defaultServiceConfig" pdflag:",Set the default service config for the admin gRPC client"`

	// HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy
	HTTPProxyURL config.URL `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."`
}

func GetConfig 

func GetConfig(ctx context.Context) *Config

func (Config) GetPFlagSet 

func (cfg Config) GetPFlagSet(prefix string) *pflag.FlagSet

GetPFlagSet will return strongly types pflags for all fields in Config and its nested types. The format of the flags is json-name.json-sub-name... etc.

type CustomHeaderTokenSource 

type CustomHeaderTokenSource struct {
	// contains filtered or unexported fields
}

CustomHeaderTokenSource class is here because we cannot use the normal "github.com/grpc/grpc-go/credentials/oauth" package to satisfy the credentials.PerRPCCredentials interface. This is because we want to be able to support a different 'header' when passing the token in the gRPC call's metadata. The default is filled in the constructor if none is supplied.

func NewCustomHeaderTokenSource 

func NewCustomHeaderTokenSource(source oauth2.TokenSource, insecure bool, customHeader string) CustomHeaderTokenSource

func (CustomHeaderTokenSource) GetRequestMetadata 

func (ts CustomHeaderTokenSource) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)

GetRequestMetadata gets the authorization metadata as a map using a TokenSource to generate a token

func (CustomHeaderTokenSource) RequireTransportSecurity 

func (ts CustomHeaderTokenSource) RequireTransportSecurity() bool

RequireTransportSecurity returns whether this credentials class requires TLS/SSL. OAuth uses Bearer tokens that are susceptible to MITM (Man-In-The-Middle) attacks that are mitigated by TLS/SSL. We may return false here to make it easier to setup auth. However, in a production environment, TLS for OAuth2 is a requirement. see also: https://tools.ietf.org/html/rfc6749#section-3.1

type DeviceFlowTokenSourceProvider 

type DeviceFlowTokenSourceProvider struct {
	// contains filtered or unexported fields
}

func (DeviceFlowTokenSourceProvider) GetTokenSource 

func (p DeviceFlowTokenSourceProvider) GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)

type ExternalTokenSourceProvider 

type ExternalTokenSourceProvider struct {
	// contains filtered or unexported fields
}

func (ExternalTokenSourceProvider) GetTokenSource 

func (e ExternalTokenSourceProvider) GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)

type OauthMetadataProvider added in v1.13.3 

type OauthMetadataProvider struct {
	// contains filtered or unexported fields
}

func (*OauthMetadataProvider) GetOauthMetadata added in v1.13.3 

func (o *OauthMetadataProvider) GetOauthMetadata(cfg *Config, tokenCache cache.TokenCache, proxyCredentialsFuture *PerRPCCredentialsFuture) error

type PKCETokenSourceProvider 

type PKCETokenSourceProvider struct {
	// contains filtered or unexported fields
}

func (PKCETokenSourceProvider) GetTokenSource 

func (p PKCETokenSourceProvider) GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)

type PerRPCCredentialsFuture 

type PerRPCCredentialsFuture struct {
	// contains filtered or unexported fields
}

PerRPCCredentialsFuture is a future wrapper for credentials.PerRPCCredentials that can act as one and also be materialized later.

func NewPerRPCCredentialsFuture 

func NewPerRPCCredentialsFuture() *PerRPCCredentialsFuture

NewPerRPCCredentialsFuture initializes a new PerRPCCredentialsFuture that can act as a credentials.PerRPCCredentials and can also be resolved in the future. Users of the future can check if it has been initialized before by calling PerRPCCredentialsFuture.IsInitialized(). Calling PerRPCCredentialsFuture.Get() multiple times will return the same stored object (unless it changed in between calls). Calling PerRPCCredentialsFuture.Store() multiple times is supported and will result in overriding the old value atomically.

Example 
f := NewPerRPCCredentialsFuture()

// Starts uninitialized
fmt.Println("Initialized:", f.IsInitialized())

// Implements credentials.PerRPCCredentials so can be used as one
m, err := f.GetRequestMetadata(context.TODO(), "")
fmt.Println("GetRequestMetadata:", m, "Error:", err)

// Materialize the value later and populate
tokenSource := DummyTestTokenSource{}
f.Store(NewCustomHeaderTokenSource(tokenSource, false, "my_custom_header"))

// Future calls to credentials.PerRPCCredentials methods will use the new instance
m, err = f.GetRequestMetadata(context.TODO(), "")
fmt.Println("GetRequestMetadata:", m, "Error:", err)

Output:

Initialized: false
GetRequestMetadata: map[] Error: <nil>
GetRequestMetadata: map[my_custom_header:Bearer abc] Error: <nil>

func (*PerRPCCredentialsFuture) Get 

func (ts *PerRPCCredentialsFuture) Get() credentials.PerRPCCredentials

func (*PerRPCCredentialsFuture) GetRequestMetadata 

func (ts *PerRPCCredentialsFuture) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)

GetRequestMetadata gets the authorization metadata as a map using a TokenSource to generate a token

func (*PerRPCCredentialsFuture) IsInitialized 

func (ts *PerRPCCredentialsFuture) IsInitialized() bool

func (*PerRPCCredentialsFuture) RequireTransportSecurity 

func (ts *PerRPCCredentialsFuture) RequireTransportSecurity() bool

RequireTransportSecurity returns whether this credentials class requires TLS/SSL. OAuth uses Bearer tokens that are susceptible to MITM (Man-In-The-Middle) attacks that are mitigated by TLS/SSL. We may return false here to make it easier to setup auth. However, in a production environment, TLS for OAuth2 is a requirement. see also: https://tools.ietf.org/html/rfc6749#section-3.1

func (*PerRPCCredentialsFuture) Store 

func (ts *PerRPCCredentialsFuture) Store(tokenSource credentials.PerRPCCredentials)

type TokenSource 

type TokenSource interface {
	Token() (*oauth2.Token, error)
}

type TokenSourceProvider 

type TokenSourceProvider interface {
	GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)
}

TokenSourceProvider defines the interface needed to provide a TokenSource that is used to create a client with authentication enabled.

func NewClientCredentialsTokenSourceProvider 

func NewClientCredentialsTokenSourceProvider(ctx context.Context, cfg *Config, scopes []string, tokenURL string,
	tokenCache cache.TokenCache, audience string) (TokenSourceProvider, error)

func NewDeviceFlowTokenSourceProvider 

func NewDeviceFlowTokenSourceProvider(baseTokenOrchestrator tokenorchestrator.BaseTokenOrchestrator, deviceFlowConfig deviceflow.Config) (TokenSourceProvider, error)

func NewExternalTokenSourceProvider 

func NewExternalTokenSourceProvider(command []string) (TokenSourceProvider, error)

func NewPKCETokenSourceProvider 

func NewPKCETokenSourceProvider(baseTokenOrchestrator tokenorchestrator.BaseTokenOrchestrator, pkceCfg pkce.Config) (TokenSourceProvider, error)

func NewTokenSourceProvider 

func NewTokenSourceProvider(ctx context.Context, cfg *Config, tokenCache cache.TokenCache,
	authClient service.AuthMetadataServiceClient) (TokenSourceProvider, error)

Source Files

View all Source files

Directories

Path Synopsis
mocks
Provides the setup required for the client to perform the "Authorization Code" flow with PKCE in order to obtain an access token for public/untrusted clients.
 Provides the setup required for the client to perform the "Authorization Code" flow with PKCE in order to obtain an access token for public/untrusted clients.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.