Documentation ¶
Index ¶
- Variables
- func MustParseURL(rawURL string) *url.URL
- type AuthorizationServer
- type AuthorizationServerType
- type Config
- type CookieSettings
- type DomainMatch
- type ExternalAuthorizationServer
- type FlyteClientConfig
- type OAuth2Options
- type OpenIDOptions
- type SameSite
- type SecretName
- type ThirdPartyConfigOptions
- type UserAuthConfig
Constants ¶
This section is empty.
Variables ¶
var ( DefaultConfig = &Config{ HTTPAuthorizationHeader: "flyte-authorization", GrpcAuthorizationHeader: "flyte-authorization", UserAuth: UserAuthConfig{ RedirectURL: config.URL{URL: *MustParseURL("/console")}, CookieHashKeySecretName: SecretNameCookieHashKey, CookieBlockKeySecretName: SecretNameCookieBlockKey, OpenID: OpenIDOptions{ ClientSecretName: SecretNameOIdCClientSecret, Scopes: []string{ "openid", "profile", }, }, CookieSetting: CookieSettings{ DomainMatchPolicy: DomainMatchExact, SameSitePolicy: SameSiteDefaultMode, }, }, AppAuth: OAuth2Options{ AuthServerType: AuthorizationServerTypeSelf, ThirdParty: ThirdPartyConfigOptions{ FlyteClientConfig: FlyteClientConfig{ ClientID: "flytectl", RedirectURI: "http://localhost:53593/callback", Scopes: []string{"all", "offline"}, }, }, SelfAuthServer: AuthorizationServer{ AccessTokenLifespan: config.Duration{Duration: 30 * time.Minute}, RefreshTokenLifespan: config.Duration{Duration: 60 * time.Minute}, AuthorizationCodeLifespan: config.Duration{Duration: 5 * time.Minute}, ClaimSymmetricEncryptionKeySecretName: SecretNameClaimSymmetricKey, TokenSigningRSAKeySecretName: SecretNameTokenSigningRSAKey, OldTokenSigningRSAKeySecretName: SecretNameOldTokenSigningRSAKey, StaticClients: map[string]*fosite.DefaultClient{ "flyte-cli": { ID: "flyte-cli", RedirectURIs: []string{"http://localhost:53593/callback", "http://localhost:12345/callback"}, ResponseTypes: []string{"code", "token"}, GrantTypes: []string{"refresh_token", "authorization_code"}, Scopes: []string{"all", "offline", "access_token"}, Public: true, }, "flytectl": { ID: "flytectl", RedirectURIs: []string{"http://localhost:53593/callback", "http://localhost:12345/callback"}, ResponseTypes: []string{"code", "token"}, GrantTypes: []string{"refresh_token", "authorization_code"}, Scopes: []string{"all", "offline", "access_token"}, Public: true, }, "flytepropeller": { ID: "flytepropeller", Secret: []byte(`$2a$06$pxs1AkG81Kvrhpml1QiLSOQaTk9eePrU/7Yab9y07h3x0TglbaoT6`), RedirectURIs: []string{"http://localhost:3846/callback"}, ResponseTypes: []string{"token"}, GrantTypes: []string{"refresh_token", "client_credentials"}, Scopes: []string{"all", "offline", "access_token"}, }, }, }, }, } )
Functions ¶
func MustParseURL ¶
MustParseURL panics if the provided url fails parsing. Should only be used in package initialization or tests.
Types ¶
type AuthorizationServer ¶
type AuthorizationServer struct { // Defines the issuer to use when issuing and validating tokens. The default value is https://<requestUri.HostAndPort>/ Issuer string `` /* 139-byte string literal not displayed */ // Defines the lifespan of issued access tokens. AccessTokenLifespan config.Duration `json:"accessTokenLifespan" pflag:",Defines the lifespan of issued access tokens."` // Defines the lifespan of issued access tokens. RefreshTokenLifespan config.Duration `json:"refreshTokenLifespan" pflag:",Defines the lifespan of issued access tokens."` // Defines the lifespan of issued access tokens. AuthorizationCodeLifespan config.Duration `json:"authorizationCodeLifespan" pflag:",Defines the lifespan of issued access tokens."` // Secret names, defaults are set in DefaultConfig variable above but are possible to override through configs. ClaimSymmetricEncryptionKeySecretName string `json:"claimSymmetricEncryptionKeySecretName" pflag:",OPTIONAL: Secret name to use to encrypt claims in authcode token."` TokenSigningRSAKeySecretName string `json:"tokenSigningRSAKeySecretName" pflag:",OPTIONAL: Secret name to use to retrieve RSA Signing Key."` OldTokenSigningRSAKeySecretName string `` /* 184-byte string literal not displayed */ // A list of clients to grant access to. StaticClients map[string]*fosite.DefaultClient `json:"staticClients" pflag:"-,Defines statically defined list of clients to allow."` }
type AuthorizationServerType ¶
type AuthorizationServerType int
AuthorizationServerType defines the type of Authorization Server to use.
const ( // AuthorizationServerTypeSelf determines that FlyteAdmin should act as the authorization server to serve // OAuth2 token requests AuthorizationServerTypeSelf AuthorizationServerType = iota // AuthorizationServerTypeExternal determines that FlyteAdmin should rely on an external authorization server (e.g. // Okta) to serve OAuth2 token requests AuthorizationServerTypeExternal )
func AuthorizationServerTypeString ¶
func AuthorizationServerTypeString(s string) (AuthorizationServerType, error)
AuthorizationServerTypeString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.
func AuthorizationServerTypeValues ¶
func AuthorizationServerTypeValues() []AuthorizationServerType
AuthorizationServerTypeValues returns all values of the enum
func (AuthorizationServerType) IsAAuthorizationServerType ¶
func (i AuthorizationServerType) IsAAuthorizationServerType() bool
IsAAuthorizationServerType returns "true" if the value is listed in the enum definition. "false" otherwise
func (AuthorizationServerType) MarshalJSON ¶
func (i AuthorizationServerType) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface for AuthorizationServerType
func (AuthorizationServerType) String ¶
func (i AuthorizationServerType) String() string
func (*AuthorizationServerType) UnmarshalJSON ¶
func (i *AuthorizationServerType) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface for AuthorizationServerType
type Config ¶
type Config struct { // These settings are for non-SSL authentication modes, where Envoy is handling SSL termination // This is not yet used, but this is the HTTP variant of the setting below. HTTPAuthorizationHeader string `json:"httpAuthorizationHeader"` // In order to support deployments of this Admin service where Envoy is terminating SSL connections, the metadata // header name cannot be "authorization", which is the standard metadata name. Envoy has special handling for that // name. Instead, there is a gRPC interceptor, GetAuthenticationCustomMetadataInterceptor, that will translate // incoming metadata headers with this config setting's name, into that standard header GrpcAuthorizationHeader string `json:"grpcAuthorizationHeader"` // To help ease migration, it was helpful to be able to only selectively enforce authentication. The // dimension that made the most sense to cut by at time of writing is HTTP vs gRPC as the web UI mainly used HTTP // and the backend used mostly gRPC. Cutting by individual endpoints is another option but it possibly falls more // into the realm of authorization rather than authentication. DisableForHTTP bool `json:"disableForHttp" pflag:",Disables auth enforcement on HTTP Endpoints."` DisableForGrpc bool `json:"disableForGrpc" pflag:",Disables auth enforcement on Grpc Endpoints."` // AuthorizedURIs is optional and defines the set of URIs that clients are allowed to visit the service on. If set, // the system will attempt to match the incoming host to the first authorized URIs and use that (including the scheme) // when generating metadata endpoints and when validating audience and issuer claims. If no matching authorizedUri // is found, it'll default to the first one. If not provided, the urls will be deduced based on the request url and // the `secure` setting. AuthorizedURIs []config.URL `` /* 415-byte string literal not displayed */ // UserAuth settings used to authenticate end users in web-browsers. UserAuth UserAuthConfig `json:"userAuth" pflag:",Defines Auth options for users."` // AppAuth settings used to authenticate and control/limit access scopes for apps. AppAuth OAuth2Options `json:"appAuth" pflag:",Defines Auth options for apps. UserAuth must be enabled for AppAuth to work."` }
type CookieSettings ¶ added in v1.1.18
type CookieSettings struct { SameSitePolicy SameSite `` /* 166-byte string literal not displayed */ DomainMatchPolicy DomainMatch `` /* 153-byte string literal not displayed */ }
type DomainMatch ¶ added in v1.1.18
type DomainMatch int
const ( DomainMatchExact DomainMatch = iota DomainMatchSubdomains )
func DomainMatchString ¶ added in v1.1.18
func DomainMatchString(s string) (DomainMatch, error)
DomainMatchString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.
func DomainMatchValues ¶ added in v1.1.18
func DomainMatchValues() []DomainMatch
DomainMatchValues returns all values of the enum
func (DomainMatch) IsADomainMatch ¶ added in v1.1.18
func (i DomainMatch) IsADomainMatch() bool
IsADomainMatch returns "true" if the value is listed in the enum definition. "false" otherwise
func (DomainMatch) MarshalJSON ¶ added in v1.1.18
func (i DomainMatch) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface for DomainMatch
func (DomainMatch) String ¶ added in v1.1.18
func (i DomainMatch) String() string
func (*DomainMatch) UnmarshalJSON ¶ added in v1.1.18
func (i *DomainMatch) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface for DomainMatch
type ExternalAuthorizationServer ¶
type ExternalAuthorizationServer struct { // BaseURL should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/ // If not provided, the OpenID.BaseURL will be assumed instead. BaseURL config.URL `` /* 208-byte string literal not displayed */ AllowedAudience []string `` /* 149-byte string literal not displayed */ MetadataEndpointURL config.URL `` /* 149-byte string literal not displayed */ }
type FlyteClientConfig ¶
type FlyteClientConfig struct { ClientID string `json:"clientId" pflag:",public identifier for the app which handles authorization for a Flyte deployment"` RedirectURI string `` /* 127-byte string literal not displayed */ Scopes []string `json:"scopes" pflag:",Recommended scopes for the client to request."` }
type OAuth2Options ¶
type OAuth2Options struct { // AuthServerType defines the type of AuthServer to connect to. AuthServerType AuthorizationServerType `` /* 148-byte string literal not displayed */ // SelfAuthServer defines settings for running authorization server locally. SelfAuthServer AuthorizationServer `` /* 164-byte string literal not displayed */ // ExternalAuthServer defines settings for connecting with an external authorization server. ExternalAuthServer ExternalAuthorizationServer `json:"externalAuthServer" pflag:",External Authorization Server config."` // ThirdParty defines settings for the public client flyte-clients (e.g. flytectl, flytecli) should use. ThirdParty ThirdPartyConfigOptions `` /* 146-byte string literal not displayed */ }
OAuth2Options defines settings for app auth.
type OpenIDOptions ¶
type OpenIDOptions struct { // The client ID for Admin in your IDP // See https://tools.ietf.org/html/rfc6749#section-2.2 for more information ClientID string `json:"clientId"` // The client secret used in the exchange of the authorization code for the token. // https://tools.ietf.org/html/rfc6749#section-2.3 ClientSecretName string `json:"clientSecretName"` // Deprecated: Please use ClientSecretName instead. DeprecatedClientSecretFile string `json:"clientSecretFile"` // This should be the base url of the authorization server that you are trying to hit. With Okta for instance, it // will look something like https://company.okta.com/oauth2/abcdef123456789/ BaseURL config.URL `json:"baseUrl"` // Provides a list of scopes to request from the IDP when authenticating. Default value requests claims that should // be supported by any OIdC server. Refer to https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for // a complete list. Other providers might support additional scopes that you can define in a config. Scopes []string `json:"scopes"` }
type SameSite ¶ added in v1.1.18
type SameSite int
func SameSiteString ¶ added in v1.1.18
SameSiteString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.
func SameSiteValues ¶ added in v1.1.18
func SameSiteValues() []SameSite
SameSiteValues returns all values of the enum
func (SameSite) IsASameSite ¶ added in v1.1.18
IsASameSite returns "true" if the value is listed in the enum definition. "false" otherwise
func (SameSite) MarshalJSON ¶ added in v1.1.18
MarshalJSON implements the json.Marshaler interface for SameSite
func (*SameSite) UnmarshalJSON ¶ added in v1.1.18
UnmarshalJSON implements the json.Unmarshaler interface for SameSite
type SecretName ¶
type SecretName = string
const ( // SecretNameOIdCClientSecret defines the default OIdC client secret name to use. // #nosec SecretNameOIdCClientSecret SecretName = "oidc_client_secret" // SecretNameCookieHashKey defines the default cookie hash key secret name to use. // #nosec SecretNameCookieHashKey SecretName = "cookie_hash_key" // SecretNameCookieBlockKey defines the default cookie block key secret name to use. // #nosec SecretNameCookieBlockKey SecretName = "cookie_block_key" // SecretNameClaimSymmetricKey must be a base64 encoded secret of exactly 32 bytes // #nosec SecretNameClaimSymmetricKey SecretName = "claim_symmetric_key" // SecretNameTokenSigningRSAKey is the privateKey used to sign JWT tokens. The default strategy uses RS256 (RSA Signature with SHA-256) // #nosec SecretNameTokenSigningRSAKey SecretName = "token_rsa_key.pem" // SecretNameOldTokenSigningRSAKey is the privateKey used to sign old JWT tokens. The default strategy uses RS256 (RSA Signature with SHA-256) // This is used to support key rotation. When present, it'll only be used to validate incoming tokens. New tokens // will not be issued using this key. // #nosec SecretNameOldTokenSigningRSAKey SecretName = "token_rsa_key_old.pem" )
type ThirdPartyConfigOptions ¶
type ThirdPartyConfigOptions struct {
FlyteClientConfig FlyteClientConfig `json:"flyteClient"`
}
This struct encapsulates config options for bootstrapping various Flyte applications with config values For example, FlyteClientConfig contains application-specific values to initialize the config required by flyte client
func (ThirdPartyConfigOptions) IsEmpty ¶
func (o ThirdPartyConfigOptions) IsEmpty() bool
type UserAuthConfig ¶
type UserAuthConfig struct { // This is where the user will be redirected to at the end of the flow, but you should not use it. Instead, // the initial /login handler should be called with a redirect_url parameter, which will get saved to a cookie. // This setting will only be used when that cookie is missing. // See the login handler code for more comments. RedirectURL config.URL `json:"redirectUrl"` // OpenID defines settings for connecting and trusting an OpenIDConnect provider. OpenID OpenIDOptions `json:"openId" pflag:",OpenID Configuration for User Auth"` // Secret names, defaults are set in DefaultConfig variable above but are possible to override through configs. CookieHashKeySecretName string `json:"cookieHashKeySecretName" pflag:",OPTIONAL: Secret name to use for cookie hash key."` CookieBlockKeySecretName string `json:"cookieBlockKeySecretName" pflag:",OPTIONAL: Secret name to use for cookie block key."` CookieSetting CookieSettings `json:"cookieSetting" pflag:", settings used by cookies created for user auth"` }