Documentation ¶
Overview ¶
Initializes an Admin Client that exposes all implemented services by FlyteAdmin server. The library supports different authentication flows (see AuthType). It initializes the grpc connection once and reuses it. A grpc load balancing policy can be configured as well.
Index ¶
- Constants
- Variables
- func GetAdditionalAdminClientConfigOptions(cfg *Config) []grpc.DialOption
- func GetDeviceFlowAuthTokenSource(ctx context.Context, deviceFlowOrchestrator deviceflow.TokenOrchestrator) (oauth2.TokenSource, error)
- func GetPKCEAuthTokenSource(ctx context.Context, pkceTokenOrchestrator pkce.TokenOrchestrator) (oauth2.TokenSource, error)
- func InitializeAdminClient(ctx context.Context, cfg *Config, opts ...grpc.DialOption) service.AdminServiceClient
- func InitializeAdminClientFromConfig(ctx context.Context, tokenCache cache.TokenCache, opts ...grpc.DialOption) (service.AdminServiceClient, error)deprecated
- func InitializeAuthMetadataClient(ctx context.Context, cfg *Config) (client service.AuthMetadataServiceClient, err error)
- func InitializeMockAdminClient() service.AdminServiceClient
- func MaterializeCredentials(ctx context.Context, cfg *Config, tokenCache cache.TokenCache, ...) error
- func NewAdminClient(ctx context.Context, conn *grpc.ClientConn) service.AdminServiceClient
- func NewAdminConnection(ctx context.Context, cfg *Config, opts ...grpc.DialOption) (*grpc.ClientConn, error)
- func NewAuthInterceptor(cfg *Config, tokenCache cache.TokenCache, ...) grpc.UnaryClientInterceptor
- func SetConfig(cfg *Config) error
- type AuthType
- type ClientCredentialsTokenSourceProvider
- type Clientset
- func (c Clientset) AdminClient() service.AdminServiceClient
- func (c Clientset) AuthMetadataClient() service.AuthMetadataServiceClient
- func (c Clientset) DataProxyClient() service.DataProxyServiceClient
- func (c Clientset) HealthServiceClient() grpc_health_v1.HealthClient
- func (c Clientset) IdentityClient() service.IdentityServiceClient
- func (c Clientset) SignalServiceClient() service.SignalServiceClient
- type ClientsetBuilder
- func (cb *ClientsetBuilder) Build(ctx context.Context) (*Clientset, error)
- func (cb *ClientsetBuilder) WithConfig(config *Config) *ClientsetBuilder
- func (cb *ClientsetBuilder) WithDialOptions(opts ...grpc.DialOption) *ClientsetBuilder
- func (cb *ClientsetBuilder) WithTokenCache(tokenCache cache.TokenCache) *ClientsetBuilder
- type Config
- type CustomHeaderTokenSource
- type DeviceFlowTokenSourceProvider
- type ExternalTokenSourceProvider
- type PKCETokenSourceProvider
- type PerRPCCredentialsFuture
- func (ts *PerRPCCredentialsFuture) Get() credentials.PerRPCCredentials
- func (ts *PerRPCCredentialsFuture) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
- func (ts *PerRPCCredentialsFuture) IsInitialized() bool
- func (ts *PerRPCCredentialsFuture) RequireTransportSecurity() bool
- func (ts *PerRPCCredentialsFuture) Store(tokenSource credentials.PerRPCCredentials)
- type TokenSource
- type TokenSourceProvider
- func NewClientCredentialsTokenSourceProvider(ctx context.Context, cfg *Config, scopes []string, tokenURL string, ...) (TokenSourceProvider, error)
- func NewDeviceFlowTokenSourceProvider(baseTokenOrchestrator tokenorchestrator.BaseTokenOrchestrator, ...) (TokenSourceProvider, error)
- func NewExternalTokenSourceProvider(command []string) (TokenSourceProvider, error)
- func NewPKCETokenSourceProvider(baseTokenOrchestrator tokenorchestrator.BaseTokenOrchestrator, ...) (TokenSourceProvider, error)
- func NewTokenSourceProvider(ctx context.Context, cfg *Config, tokenCache cache.TokenCache, ...) (TokenSourceProvider, error)
Examples ¶
Constants ¶
const DefaultAuthorizationHeader = "authorization"
const (
DefaultClientID = "flytepropeller"
)
Variables ¶
Functions ¶
func GetAdditionalAdminClientConfigOptions ¶
func GetAdditionalAdminClientConfigOptions(cfg *Config) []grpc.DialOption
func GetDeviceFlowAuthTokenSource ¶ added in v1.1.13
func GetDeviceFlowAuthTokenSource(ctx context.Context, deviceFlowOrchestrator deviceflow.TokenOrchestrator) (oauth2.TokenSource, error)
GetDeviceFlowAuthTokenSource Returns the token source which would be used for device auth flow
func GetPKCEAuthTokenSource ¶ added in v0.21.4
func GetPKCEAuthTokenSource(ctx context.Context, pkceTokenOrchestrator pkce.TokenOrchestrator) (oauth2.TokenSource, error)
Returns the token source which would be used for three legged oauth. eg : for admin to authorize access to flytectl
func InitializeAdminClient ¶
func InitializeAdminClient(ctx context.Context, cfg *Config, opts ...grpc.DialOption) service.AdminServiceClient
InitializeAdminClient creates an AdminClient with a shared Admin connection for the process Deprecated: Please use initializeClients instead.
func InitializeAdminClientFromConfig
deprecated
func InitializeAdminClientFromConfig(ctx context.Context, tokenCache cache.TokenCache, opts ...grpc.DialOption) (service.AdminServiceClient, error)
Deprecated: Please use NewClientsetBuilder() instead.
func InitializeAuthMetadataClient ¶ added in v0.18.40
func InitializeAuthMetadataClient(ctx context.Context, cfg *Config) (client service.AuthMetadataServiceClient, err error)
InitializeAuthMetadataClient creates a new anonymously Auth Metadata Service client.
func InitializeMockAdminClient ¶
func InitializeMockAdminClient() service.AdminServiceClient
func MaterializeCredentials ¶ added in v1.1.15
func MaterializeCredentials(ctx context.Context, cfg *Config, tokenCache cache.TokenCache, perRPCCredentials *PerRPCCredentialsFuture) error
MaterializeCredentials will attempt to build a TokenSource given the anonymously available information exposed by the server. Once established, it'll invoke PerRPCCredentialsFuture.Store() on perRPCCredentials to populate it with the appropriate values.
func NewAdminClient ¶
func NewAdminClient(ctx context.Context, conn *grpc.ClientConn) service.AdminServiceClient
func NewAdminConnection ¶
func NewAdminConnection(ctx context.Context, cfg *Config, opts ...grpc.DialOption) (*grpc.ClientConn, error)
func NewAuthInterceptor ¶ added in v1.1.16
func NewAuthInterceptor(cfg *Config, tokenCache cache.TokenCache, credentialsFuture *PerRPCCredentialsFuture) grpc.UnaryClientInterceptor
NewAuthInterceptor creates a new grpc.UnaryClientInterceptor that forwards the grpc call and inspects the error. It will first invoke the grpc pipeline (to proceed with the request) with no modifications. It's expected for the grpc pipeline to already have a grpc.WithPerRPCCredentials() DialOption. If the perRPCCredentials has already been initialized, it'll take care of refreshing when tokens expire... etc. If the first invocation succeeds (either due to grpc.PerRPCCredentials setting the right tokens or the server not requiring authentication), the interceptor will be no-op. If the first invocation fails with an auth error, this interceptor will then attempt to establish a token source once more. It'll fail hard if it couldn't do so (i.e. it will no longer attempt to send an unauthenticated request). Once a token source has been created, it'll invoke the grpc pipeline again, this time the grpc.PerRPCCredentials should be able to find and acquire a valid AccessToken to annotate the request with.
Types ¶
type AuthType ¶ added in v0.18.40
type AuthType uint8
const ( // AuthTypeClientSecret Chooses Client Secret OAuth2 protocol (ref: https://tools.ietf.org/html/rfc6749#section-4.4) AuthTypeClientSecret AuthType = iota // AuthTypePkce Chooses Proof Key Code Exchange OAuth2 extension protocol (ref: https://tools.ietf.org/html/rfc7636) AuthTypePkce // AuthTypeExternalCommand Chooses an external authentication process AuthTypeExternalCommand // AuthTypeDeviceFlow Uses device flow to authenticate in a constrained environment with no access to browser AuthTypeDeviceFlow )
func AuthTypeString ¶ added in v0.18.40
AuthTypeString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.
func AuthTypeValues ¶ added in v0.18.40
func AuthTypeValues() []AuthType
AuthTypeValues returns all values of the enum
func (AuthType) IsAAuthType ¶ added in v0.18.40
IsAAuthType returns "true" if the value is listed in the enum definition. "false" otherwise
func (AuthType) MarshalJSON ¶ added in v0.18.40
MarshalJSON implements the json.Marshaler interface for AuthType
func (AuthType) MarshalYAML ¶ added in v0.18.40
MarshalYAML implements a YAML Marshaler for AuthType
func (*AuthType) UnmarshalJSON ¶ added in v0.18.40
UnmarshalJSON implements the json.Unmarshaler interface for AuthType
func (*AuthType) UnmarshalYAML ¶ added in v0.18.40
UnmarshalYAML implements a YAML Unmarshaler for AuthType
type ClientCredentialsTokenSourceProvider ¶ added in v0.21.4
type ClientCredentialsTokenSourceProvider struct {
// contains filtered or unexported fields
}
func (ClientCredentialsTokenSourceProvider) GetTokenSource ¶ added in v0.21.4
func (p ClientCredentialsTokenSourceProvider) GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)
type Clientset ¶ added in v0.18.40
type Clientset struct {
// contains filtered or unexported fields
}
Clientset contains the clients exposed to communicate with various admin services.
func InitializeMockClientset ¶ added in v0.18.40
func InitializeMockClientset() *Clientset
func (Clientset) AdminClient ¶ added in v0.18.40
func (c Clientset) AdminClient() service.AdminServiceClient
AdminClient retrieves the AdminServiceClient
func (Clientset) AuthMetadataClient ¶ added in v0.18.40
func (c Clientset) AuthMetadataClient() service.AuthMetadataServiceClient
AuthMetadataClient retrieves the AuthMetadataServiceClient
func (Clientset) DataProxyClient ¶ added in v0.24.3
func (c Clientset) DataProxyClient() service.DataProxyServiceClient
func (Clientset) HealthServiceClient ¶ added in v0.21.8
func (c Clientset) HealthServiceClient() grpc_health_v1.HealthClient
HealthServiceClient retrieves the grpc_health_v1.HealthClient
func (Clientset) IdentityClient ¶ added in v0.18.40
func (c Clientset) IdentityClient() service.IdentityServiceClient
func (Clientset) SignalServiceClient ¶ added in v1.2.1
func (c Clientset) SignalServiceClient() service.SignalServiceClient
type ClientsetBuilder ¶ added in v0.18.40
type ClientsetBuilder struct {
// contains filtered or unexported fields
}
ClientsetBuilder is used to build the clientset. This allows custom token cache implementations to be plugged in.
func ClientSetBuilder ¶ added in v0.18.40
func ClientSetBuilder() *ClientsetBuilder
ClientSetBuilder is constructor function to be used by the clients in interacting with the builder
Example ¶
ctx := context.Background() // Create a client set that initializes the connection with flyte admin and sets up Auth (if needed). // See AuthType for a list of supported authentication types. clientSet, err := NewClientsetBuilder().WithConfig(GetConfig(ctx)).Build(ctx) if err != nil { logger.Fatalf(ctx, "failed to initialized clientSet from config. Error: %v", err) } // Access and use the desired client: _ = clientSet.AdminClient() _ = clientSet.AuthMetadataClient() _ = clientSet.IdentityClient()
Output:
func NewClientsetBuilder ¶ added in v0.18.40
func NewClientsetBuilder() *ClientsetBuilder
func (*ClientsetBuilder) Build ¶ added in v0.18.40
func (cb *ClientsetBuilder) Build(ctx context.Context) (*Clientset, error)
Build the clientset using the current state of the ClientsetBuilder
func (*ClientsetBuilder) WithConfig ¶ added in v0.18.40
func (cb *ClientsetBuilder) WithConfig(config *Config) *ClientsetBuilder
WithConfig provides the admin config to be used for constructing the clientset
func (*ClientsetBuilder) WithDialOptions ¶ added in v0.18.40
func (cb *ClientsetBuilder) WithDialOptions(opts ...grpc.DialOption) *ClientsetBuilder
func (*ClientsetBuilder) WithTokenCache ¶ added in v0.18.40
func (cb *ClientsetBuilder) WithTokenCache(tokenCache cache.TokenCache) *ClientsetBuilder
WithTokenCache allows pluggable token cache implemetations. eg; flytectl uses keyring as tokenCache
type Config ¶
type Config struct { Endpoint config.URL `json:"endpoint" pflag:",For admin types, specify where the uri of the service is located."` UseInsecureConnection bool `json:"insecure" pflag:",Use insecure connection."` InsecureSkipVerify bool `` /* 186-byte string literal not displayed */ CACertFilePath string `json:"caCertFilePath" pflag:",Use specified certificate file to verify the admin server peer."` MaxBackoffDelay config.Duration `json:"maxBackoffDelay" pflag:",Max delay for grpc backoff"` PerRetryTimeout config.Duration `json:"perRetryTimeout" pflag:",gRPC per retry timeout"` MaxRetries int `json:"maxRetries" pflag:",Max number of gRPC retries"` AuthType AuthType `` /* 129-byte string literal not displayed */ TokenRefreshWindow config.Duration `json:"tokenRefreshWindow" pflag:",Max duration between token refresh attempt and token expiry."` // Deprecated: settings will be discovered dynamically DeprecatedUseAuth bool `json:"useAuth" pflag:",Deprecated: Auth will be enabled/disabled based on admin's dynamically discovered information."` ClientID string `json:"clientId" pflag:",Client ID"` ClientSecretLocation string `json:"clientSecretLocation" pflag:",File containing the client secret"` ClientSecretEnvVar string `json:"clientSecretEnvVar" pflag:",Environment variable containing the client secret"` Scopes []string `json:"scopes" pflag:",List of scopes to request"` UseAudienceFromAdmin bool `json:"useAudienceFromAdmin" pflag:",Use Audience configured from admins public endpoint config."` Audience string `json:"audience" pflag:",Audience to use when initiating OAuth2 authorization requests."` // There are two ways to get the token URL. If the authorization server url is provided, the client will try to use RFC 8414 to // try to get the token URL. Or it can be specified directly through TokenURL config. // Deprecated: This will now be discovered through admin's anonymously accessible metadata. DeprecatedAuthorizationServerURL string `json:"authorizationServerUrl" pflag:",This is the URL to your IdP's authorization server. It'll default to Endpoint"` // If not provided, it'll be discovered through admin's anonymously accessible metadata endpoint. TokenURL string `` /* 141-byte string literal not displayed */ // See the implementation of the 'grpcAuthorizationHeader' option in Flyte Admin for more information. But // basically we want to be able to use a different string to pass the token from this client to the the Admin service // because things might be running in a service mesh (like Envoy) that already uses the default 'authorization' header AuthorizationHeader string `json:"authorizationHeader" pflag:",Custom metadata header to pass JWT"` PkceConfig pkce.Config `json:"pkceConfig" pflag:",Config for Pkce authentication flow."` DeviceFlowConfig deviceflow.Config `json:"deviceFlowConfig" pflag:",Config for Device authentication flow."` Command []string `json:"command" pflag:",Command for external authentication token generation"` // Set the gRPC service config formatted as a json string https://github.com/grpc/grpc/blob/master/doc/service_config.md // eg. {"loadBalancingConfig": [{"round_robin":{}}], "methodConfig": [{"name":[{"service": "foo", "method": "bar"}, {"service": "baz"}], "timeout": "1.000000001s"}]} // find the full schema here https://github.com/grpc/grpc-proto/blob/master/grpc/service_config/service_config.proto#L625 // Note that required packages may need to be preloaded to support certain service config. For example "google.golang.org/grpc/balancer/roundrobin" should be preloaded to have round-robin policy supported. DefaultServiceConfig string `json:"defaultServiceConfig" pdflag:",Set the default service config for the admin gRPC client"` // HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy HTTPProxyURL config.URL `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."` }
type CustomHeaderTokenSource ¶ added in v0.16.3
type CustomHeaderTokenSource struct {
// contains filtered or unexported fields
}
CustomHeaderTokenSource class is here because we cannot use the normal "github.com/grpc/grpc-go/credentials/oauth" package to satisfy the credentials.PerRPCCredentials interface. This is because we want to be able to support a different 'header' when passing the token in the gRPC call's metadata. The default is filled in in the constructor if none is supplied.
func NewCustomHeaderTokenSource ¶ added in v0.16.3
func NewCustomHeaderTokenSource(source oauth2.TokenSource, insecure bool, customHeader string) CustomHeaderTokenSource
func (CustomHeaderTokenSource) GetRequestMetadata ¶ added in v0.16.3
func (ts CustomHeaderTokenSource) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
GetRequestMetadata gets the authorization metadata as a map using a TokenSource to generate a token
func (CustomHeaderTokenSource) RequireTransportSecurity ¶ added in v0.16.3
func (ts CustomHeaderTokenSource) RequireTransportSecurity() bool
RequireTransportSecurity returns whether this credentials class requires TLS/SSL. OAuth uses Bearer tokens that are susceptible to MITM (Man-In-The-Middle) attacks that are mitigated by TLS/SSL. We may return false here to make it easier to setup auth. However, in a production environment, TLS for OAuth2 is a requirement. see also: https://tools.ietf.org/html/rfc6749#section-3.1
type DeviceFlowTokenSourceProvider ¶ added in v1.1.13
type DeviceFlowTokenSourceProvider struct {
// contains filtered or unexported fields
}
func (DeviceFlowTokenSourceProvider) GetTokenSource ¶ added in v1.1.13
func (p DeviceFlowTokenSourceProvider) GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)
type ExternalTokenSourceProvider ¶ added in v0.21.4
type ExternalTokenSourceProvider struct {
// contains filtered or unexported fields
}
func (ExternalTokenSourceProvider) GetTokenSource ¶ added in v0.21.4
func (e ExternalTokenSourceProvider) GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)
type PKCETokenSourceProvider ¶ added in v0.21.4
type PKCETokenSourceProvider struct {
// contains filtered or unexported fields
}
func (PKCETokenSourceProvider) GetTokenSource ¶ added in v0.21.4
func (p PKCETokenSourceProvider) GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)
type PerRPCCredentialsFuture ¶ added in v1.1.15
type PerRPCCredentialsFuture struct {
// contains filtered or unexported fields
}
PerRPCCredentialsFuture is a future wrapper for credentials.PerRPCCredentials that can act as one and also be materialized later.
func NewPerRPCCredentialsFuture ¶ added in v1.1.15
func NewPerRPCCredentialsFuture() *PerRPCCredentialsFuture
NewPerRPCCredentialsFuture initializes a new PerRPCCredentialsFuture that can act as a credentials.PerRPCCredentials and can also be resolved in the future. Users of the future can check if it has been initialized before by calling PerRPCCredentialsFuture.IsInitialized(). Calling PerRPCCredentialsFuture.Get() multiple times will return the same stored object (unless it changed in between calls). Calling PerRPCCredentialsFuture.Store() multiple times is supported and will result in overriding the old value atomically.
Example ¶
f := NewPerRPCCredentialsFuture() // Starts uninitialized fmt.Println("Initialized:", f.IsInitialized()) // Implements credentials.PerRPCCredentials so can be used as one m, err := f.GetRequestMetadata(context.TODO(), "") fmt.Println("GetRequestMetadata:", m, "Error:", err) // Materialize the value later and populate tokenSource := DummyTestTokenSource{} f.Store(NewCustomHeaderTokenSource(tokenSource, false, "my_custom_header")) // Future calls to credentials.PerRPCCredentials methods will use the new instance m, err = f.GetRequestMetadata(context.TODO(), "") fmt.Println("GetRequestMetadata:", m, "Error:", err)
Output: Initialized: false GetRequestMetadata: map[] Error: <nil> GetRequestMetadata: map[my_custom_header:Bearer abc] Error: <nil>
func (*PerRPCCredentialsFuture) Get ¶ added in v1.1.15
func (ts *PerRPCCredentialsFuture) Get() credentials.PerRPCCredentials
func (*PerRPCCredentialsFuture) GetRequestMetadata ¶ added in v1.1.15
func (ts *PerRPCCredentialsFuture) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
GetRequestMetadata gets the authorization metadata as a map using a TokenSource to generate a token
func (*PerRPCCredentialsFuture) IsInitialized ¶ added in v1.1.15
func (ts *PerRPCCredentialsFuture) IsInitialized() bool
func (*PerRPCCredentialsFuture) RequireTransportSecurity ¶ added in v1.1.15
func (ts *PerRPCCredentialsFuture) RequireTransportSecurity() bool
RequireTransportSecurity returns whether this credentials class requires TLS/SSL. OAuth uses Bearer tokens that are susceptible to MITM (Man-In-The-Middle) attacks that are mitigated by TLS/SSL. We may return false here to make it easier to setup auth. However, in a production environment, TLS for OAuth2 is a requirement. see also: https://tools.ietf.org/html/rfc6749#section-3.1
func (*PerRPCCredentialsFuture) Store ¶ added in v1.1.15
func (ts *PerRPCCredentialsFuture) Store(tokenSource credentials.PerRPCCredentials)
type TokenSource ¶ added in v1.2.10
type TokenSourceProvider ¶ added in v0.21.4
type TokenSourceProvider interface {
GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)
}
TokenSourceProvider defines the interface needed to provide a TokenSource that is used to create a client with authentication enabled.
func NewClientCredentialsTokenSourceProvider ¶ added in v0.21.4
func NewClientCredentialsTokenSourceProvider(ctx context.Context, cfg *Config, scopes []string, tokenURL string, tokenCache cache.TokenCache, audience string) (TokenSourceProvider, error)
func NewDeviceFlowTokenSourceProvider ¶ added in v1.1.13
func NewDeviceFlowTokenSourceProvider(baseTokenOrchestrator tokenorchestrator.BaseTokenOrchestrator, deviceFlowConfig deviceflow.Config) (TokenSourceProvider, error)
func NewExternalTokenSourceProvider ¶ added in v0.21.4
func NewExternalTokenSourceProvider(command []string) (TokenSourceProvider, error)
func NewPKCETokenSourceProvider ¶ added in v0.21.4
func NewPKCETokenSourceProvider(baseTokenOrchestrator tokenorchestrator.BaseTokenOrchestrator, pkceCfg pkce.Config) (TokenSourceProvider, error)
func NewTokenSourceProvider ¶ added in v0.21.4
func NewTokenSourceProvider(ctx context.Context, cfg *Config, tokenCache cache.TokenCache, authClient service.AuthMetadataServiceClient) (TokenSourceProvider, error)
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Provides the setup required for the client to perform the "Authorization Code" flow with PKCE in order to obtain an access token for public/untrusted clients.
|
Provides the setup required for the client to perform the "Authorization Code" flow with PKCE in order to obtain an access token for public/untrusted clients. |