admin

package
v1.5.18 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 20, 2023 License: Apache-2.0 Imports: 36 Imported by: 8

Documentation

Overview

Initializes an Admin Client that exposes all implemented services by FlyteAdmin server. The library supports different authentication flows (see AuthType). It initializes the grpc connection once and reuses it. A grpc load balancing policy can be configured as well.

Index

Examples

Constants

View Source
const DefaultAuthorizationHeader = "authorization"
View Source
const (
	DefaultClientID = "flytepropeller"
)

Variables

View Source
var DefaultClientSecretLocation = filepath.Join(string(filepath.Separator), "etc", "secrets", "client_secret")

Functions

func GetAdditionalAdminClientConfigOptions

func GetAdditionalAdminClientConfigOptions(cfg *Config) []grpc.DialOption

func GetDeviceFlowAuthTokenSource added in v1.1.13

func GetDeviceFlowAuthTokenSource(ctx context.Context, deviceFlowOrchestrator deviceflow.TokenOrchestrator) (oauth2.TokenSource, error)

GetDeviceFlowAuthTokenSource Returns the token source which would be used for device auth flow

func GetPKCEAuthTokenSource added in v0.21.4

func GetPKCEAuthTokenSource(ctx context.Context, pkceTokenOrchestrator pkce.TokenOrchestrator) (oauth2.TokenSource, error)

Returns the token source which would be used for three legged oauth. eg : for admin to authorize access to flytectl

func InitializeAdminClient

func InitializeAdminClient(ctx context.Context, cfg *Config, opts ...grpc.DialOption) service.AdminServiceClient

InitializeAdminClient creates an AdminClient with a shared Admin connection for the process Deprecated: Please use initializeClients instead.

func InitializeAdminClientFromConfig deprecated

func InitializeAdminClientFromConfig(ctx context.Context, tokenCache cache.TokenCache, opts ...grpc.DialOption) (service.AdminServiceClient, error)

Deprecated: Please use NewClientsetBuilder() instead.

func InitializeAuthMetadataClient added in v0.18.40

func InitializeAuthMetadataClient(ctx context.Context, cfg *Config) (client service.AuthMetadataServiceClient, err error)

InitializeAuthMetadataClient creates a new anonymously Auth Metadata Service client.

func InitializeMockAdminClient

func InitializeMockAdminClient() service.AdminServiceClient

func MaterializeCredentials added in v1.1.15

func MaterializeCredentials(ctx context.Context, cfg *Config, tokenCache cache.TokenCache, perRPCCredentials *PerRPCCredentialsFuture) error

MaterializeCredentials will attempt to build a TokenSource given the anonymously available information exposed by the server. Once established, it'll invoke PerRPCCredentialsFuture.Store() on perRPCCredentials to populate it with the appropriate values.

func NewAdminClient

func NewAdminClient(ctx context.Context, conn *grpc.ClientConn) service.AdminServiceClient

func NewAdminConnection

func NewAdminConnection(ctx context.Context, cfg *Config, opts ...grpc.DialOption) (*grpc.ClientConn, error)

func NewAuthInterceptor added in v1.1.16

func NewAuthInterceptor(cfg *Config, tokenCache cache.TokenCache, credentialsFuture *PerRPCCredentialsFuture) grpc.UnaryClientInterceptor

NewAuthInterceptor creates a new grpc.UnaryClientInterceptor that forwards the grpc call and inspects the error. It will first invoke the grpc pipeline (to proceed with the request) with no modifications. It's expected for the grpc pipeline to already have a grpc.WithPerRPCCredentials() DialOption. If the perRPCCredentials has already been initialized, it'll take care of refreshing when tokens expire... etc. If the first invocation succeeds (either due to grpc.PerRPCCredentials setting the right tokens or the server not requiring authentication), the interceptor will be no-op. If the first invocation fails with an auth error, this interceptor will then attempt to establish a token source once more. It'll fail hard if it couldn't do so (i.e. it will no longer attempt to send an unauthenticated request). Once a token source has been created, it'll invoke the grpc pipeline again, this time the grpc.PerRPCCredentials should be able to find and acquire a valid AccessToken to annotate the request with.

func SetConfig added in v0.18.40

func SetConfig(cfg *Config) error

Types

type AuthType added in v0.18.40

type AuthType uint8
const (
	// AuthTypeClientSecret Chooses Client Secret OAuth2 protocol (ref: https://tools.ietf.org/html/rfc6749#section-4.4)
	AuthTypeClientSecret AuthType = iota
	// AuthTypePkce Chooses Proof Key Code Exchange OAuth2 extension protocol (ref: https://tools.ietf.org/html/rfc7636)
	AuthTypePkce
	// AuthTypeExternalCommand Chooses an external authentication process
	AuthTypeExternalCommand
	// AuthTypeDeviceFlow Uses device flow to authenticate in a constrained environment with no access to browser
	AuthTypeDeviceFlow
)

func AuthTypeString added in v0.18.40

func AuthTypeString(s string) (AuthType, error)

AuthTypeString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.

func AuthTypeValues added in v0.18.40

func AuthTypeValues() []AuthType

AuthTypeValues returns all values of the enum

func (AuthType) IsAAuthType added in v0.18.40

func (i AuthType) IsAAuthType() bool

IsAAuthType returns "true" if the value is listed in the enum definition. "false" otherwise

func (AuthType) MarshalJSON added in v0.18.40

func (i AuthType) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for AuthType

func (AuthType) MarshalYAML added in v0.18.40

func (i AuthType) MarshalYAML() (interface{}, error)

MarshalYAML implements a YAML Marshaler for AuthType

func (AuthType) String added in v0.18.40

func (i AuthType) String() string

func (*AuthType) UnmarshalJSON added in v0.18.40

func (i *AuthType) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for AuthType

func (*AuthType) UnmarshalYAML added in v0.18.40

func (i *AuthType) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements a YAML Unmarshaler for AuthType

type ClientCredentialsTokenSourceProvider added in v0.21.4

type ClientCredentialsTokenSourceProvider struct {
	// contains filtered or unexported fields
}

func (ClientCredentialsTokenSourceProvider) GetTokenSource added in v0.21.4

type Clientset added in v0.18.40

type Clientset struct {
	// contains filtered or unexported fields
}

Clientset contains the clients exposed to communicate with various admin services.

func InitializeMockClientset added in v0.18.40

func InitializeMockClientset() *Clientset

func (Clientset) AdminClient added in v0.18.40

func (c Clientset) AdminClient() service.AdminServiceClient

AdminClient retrieves the AdminServiceClient

func (Clientset) AuthMetadataClient added in v0.18.40

func (c Clientset) AuthMetadataClient() service.AuthMetadataServiceClient

AuthMetadataClient retrieves the AuthMetadataServiceClient

func (Clientset) DataProxyClient added in v0.24.3

func (c Clientset) DataProxyClient() service.DataProxyServiceClient

func (Clientset) HealthServiceClient added in v0.21.8

func (c Clientset) HealthServiceClient() grpc_health_v1.HealthClient

HealthServiceClient retrieves the grpc_health_v1.HealthClient

func (Clientset) IdentityClient added in v0.18.40

func (c Clientset) IdentityClient() service.IdentityServiceClient

func (Clientset) SignalServiceClient added in v1.2.1

func (c Clientset) SignalServiceClient() service.SignalServiceClient

type ClientsetBuilder added in v0.18.40

type ClientsetBuilder struct {
	// contains filtered or unexported fields
}

ClientsetBuilder is used to build the clientset. This allows custom token cache implementations to be plugged in.

func ClientSetBuilder added in v0.18.40

func ClientSetBuilder() *ClientsetBuilder

ClientSetBuilder is constructor function to be used by the clients in interacting with the builder

Example
ctx := context.Background()
// Create a client set that initializes the connection with flyte admin and sets up Auth (if needed).
// See AuthType for a list of supported authentication types.
clientSet, err := NewClientsetBuilder().WithConfig(GetConfig(ctx)).Build(ctx)
if err != nil {
	logger.Fatalf(ctx, "failed to initialized clientSet from config. Error: %v", err)
}

// Access and use the desired client:
_ = clientSet.AdminClient()
_ = clientSet.AuthMetadataClient()
_ = clientSet.IdentityClient()
Output:

func NewClientsetBuilder added in v0.18.40

func NewClientsetBuilder() *ClientsetBuilder

func (*ClientsetBuilder) Build added in v0.18.40

func (cb *ClientsetBuilder) Build(ctx context.Context) (*Clientset, error)

Build the clientset using the current state of the ClientsetBuilder

func (*ClientsetBuilder) WithConfig added in v0.18.40

func (cb *ClientsetBuilder) WithConfig(config *Config) *ClientsetBuilder

WithConfig provides the admin config to be used for constructing the clientset

func (*ClientsetBuilder) WithDialOptions added in v0.18.40

func (cb *ClientsetBuilder) WithDialOptions(opts ...grpc.DialOption) *ClientsetBuilder

func (*ClientsetBuilder) WithTokenCache added in v0.18.40

func (cb *ClientsetBuilder) WithTokenCache(tokenCache cache.TokenCache) *ClientsetBuilder

WithTokenCache allows pluggable token cache implemetations. eg; flytectl uses keyring as tokenCache

type Config

type Config struct {
	Endpoint              config.URL      `json:"endpoint" pflag:",For admin types, specify where the uri of the service is located."`
	UseInsecureConnection bool            `json:"insecure" pflag:",Use insecure connection."`
	InsecureSkipVerify    bool            `` /* 186-byte string literal not displayed */
	CACertFilePath        string          `json:"caCertFilePath" pflag:",Use specified certificate file to verify the admin server peer."`
	MaxBackoffDelay       config.Duration `json:"maxBackoffDelay" pflag:",Max delay for grpc backoff"`
	PerRetryTimeout       config.Duration `json:"perRetryTimeout" pflag:",gRPC per retry timeout"`
	MaxRetries            int             `json:"maxRetries" pflag:",Max number of gRPC retries"`
	AuthType              AuthType        `` /* 129-byte string literal not displayed */
	TokenRefreshWindow    config.Duration `json:"tokenRefreshWindow" pflag:",Max duration between token refresh attempt and token expiry."`
	// Deprecated: settings will be discovered dynamically
	DeprecatedUseAuth    bool     `json:"useAuth" pflag:",Deprecated: Auth will be enabled/disabled based on admin's dynamically discovered information."`
	ClientID             string   `json:"clientId" pflag:",Client ID"`
	ClientSecretLocation string   `json:"clientSecretLocation" pflag:",File containing the client secret"`
	ClientSecretEnvVar   string   `json:"clientSecretEnvVar" pflag:",Environment variable containing the client secret"`
	Scopes               []string `json:"scopes" pflag:",List of scopes to request"`
	UseAudienceFromAdmin bool     `json:"useAudienceFromAdmin" pflag:",Use Audience configured from admins public endpoint config."`
	Audience             string   `json:"audience" pflag:",Audience to use when initiating OAuth2 authorization requests."`

	// There are two ways to get the token URL. If the authorization server url is provided, the client will try to use RFC 8414 to
	// try to get the token URL. Or it can be specified directly through TokenURL config.
	// Deprecated: This will now be discovered through admin's anonymously accessible metadata.
	DeprecatedAuthorizationServerURL string `json:"authorizationServerUrl" pflag:",This is the URL to your IdP's authorization server. It'll default to Endpoint"`
	// If not provided, it'll be discovered through admin's anonymously accessible metadata endpoint.
	TokenURL string `` /* 141-byte string literal not displayed */

	// See the implementation of the 'grpcAuthorizationHeader' option in Flyte Admin for more information. But
	// basically we want to be able to use a different string to pass the token from this client to the the Admin service
	// because things might be running in a service mesh (like Envoy) that already uses the default 'authorization' header
	AuthorizationHeader string `json:"authorizationHeader" pflag:",Custom metadata header to pass JWT"`

	PkceConfig pkce.Config `json:"pkceConfig" pflag:",Config for Pkce authentication flow."`

	DeviceFlowConfig deviceflow.Config `json:"deviceFlowConfig" pflag:",Config for Device authentication flow."`

	Command []string `json:"command" pflag:",Command for external authentication token generation"`

	// Set the gRPC service config formatted as a json string https://github.com/grpc/grpc/blob/master/doc/service_config.md
	// eg. {"loadBalancingConfig": [{"round_robin":{}}], "methodConfig": [{"name":[{"service": "foo", "method": "bar"}, {"service": "baz"}], "timeout": "1.000000001s"}]}
	// find the full schema here https://github.com/grpc/grpc-proto/blob/master/grpc/service_config/service_config.proto#L625
	// Note that required packages may need to be preloaded to support certain service config. For example "google.golang.org/grpc/balancer/roundrobin" should be preloaded to have round-robin policy supported.
	DefaultServiceConfig string `json:"defaultServiceConfig" pdflag:",Set the default service config for the admin gRPC client"`

	// HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy
	HTTPProxyURL config.URL `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."`
}

func GetConfig

func GetConfig(ctx context.Context) *Config

func (Config) GetPFlagSet

func (cfg Config) GetPFlagSet(prefix string) *pflag.FlagSet

GetPFlagSet will return strongly types pflags for all fields in Config and its nested types. The format of the flags is json-name.json-sub-name... etc.

type CustomHeaderTokenSource added in v0.16.3

type CustomHeaderTokenSource struct {
	// contains filtered or unexported fields
}

CustomHeaderTokenSource class is here because we cannot use the normal "github.com/grpc/grpc-go/credentials/oauth" package to satisfy the credentials.PerRPCCredentials interface. This is because we want to be able to support a different 'header' when passing the token in the gRPC call's metadata. The default is filled in in the constructor if none is supplied.

func NewCustomHeaderTokenSource added in v0.16.3

func NewCustomHeaderTokenSource(source oauth2.TokenSource, insecure bool, customHeader string) CustomHeaderTokenSource

func (CustomHeaderTokenSource) GetRequestMetadata added in v0.16.3

func (ts CustomHeaderTokenSource) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)

GetRequestMetadata gets the authorization metadata as a map using a TokenSource to generate a token

func (CustomHeaderTokenSource) RequireTransportSecurity added in v0.16.3

func (ts CustomHeaderTokenSource) RequireTransportSecurity() bool

RequireTransportSecurity returns whether this credentials class requires TLS/SSL. OAuth uses Bearer tokens that are susceptible to MITM (Man-In-The-Middle) attacks that are mitigated by TLS/SSL. We may return false here to make it easier to setup auth. However, in a production environment, TLS for OAuth2 is a requirement. see also: https://tools.ietf.org/html/rfc6749#section-3.1

type DeviceFlowTokenSourceProvider added in v1.1.13

type DeviceFlowTokenSourceProvider struct {
	// contains filtered or unexported fields
}

func (DeviceFlowTokenSourceProvider) GetTokenSource added in v1.1.13

type ExternalTokenSourceProvider added in v0.21.4

type ExternalTokenSourceProvider struct {
	// contains filtered or unexported fields
}

func (ExternalTokenSourceProvider) GetTokenSource added in v0.21.4

type PKCETokenSourceProvider added in v0.21.4

type PKCETokenSourceProvider struct {
	// contains filtered or unexported fields
}

func (PKCETokenSourceProvider) GetTokenSource added in v0.21.4

type PerRPCCredentialsFuture added in v1.1.15

type PerRPCCredentialsFuture struct {
	// contains filtered or unexported fields
}

PerRPCCredentialsFuture is a future wrapper for credentials.PerRPCCredentials that can act as one and also be materialized later.

func NewPerRPCCredentialsFuture added in v1.1.15

func NewPerRPCCredentialsFuture() *PerRPCCredentialsFuture

NewPerRPCCredentialsFuture initializes a new PerRPCCredentialsFuture that can act as a credentials.PerRPCCredentials and can also be resolved in the future. Users of the future can check if it has been initialized before by calling PerRPCCredentialsFuture.IsInitialized(). Calling PerRPCCredentialsFuture.Get() multiple times will return the same stored object (unless it changed in between calls). Calling PerRPCCredentialsFuture.Store() multiple times is supported and will result in overriding the old value atomically.

Example
f := NewPerRPCCredentialsFuture()

// Starts uninitialized
fmt.Println("Initialized:", f.IsInitialized())

// Implements credentials.PerRPCCredentials so can be used as one
m, err := f.GetRequestMetadata(context.TODO(), "")
fmt.Println("GetRequestMetadata:", m, "Error:", err)

// Materialize the value later and populate
tokenSource := DummyTestTokenSource{}
f.Store(NewCustomHeaderTokenSource(tokenSource, false, "my_custom_header"))

// Future calls to credentials.PerRPCCredentials methods will use the new instance
m, err = f.GetRequestMetadata(context.TODO(), "")
fmt.Println("GetRequestMetadata:", m, "Error:", err)
Output:

Initialized: false
GetRequestMetadata: map[] Error: <nil>
GetRequestMetadata: map[my_custom_header:Bearer abc] Error: <nil>

func (*PerRPCCredentialsFuture) Get added in v1.1.15

func (*PerRPCCredentialsFuture) GetRequestMetadata added in v1.1.15

func (ts *PerRPCCredentialsFuture) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)

GetRequestMetadata gets the authorization metadata as a map using a TokenSource to generate a token

func (*PerRPCCredentialsFuture) IsInitialized added in v1.1.15

func (ts *PerRPCCredentialsFuture) IsInitialized() bool

func (*PerRPCCredentialsFuture) RequireTransportSecurity added in v1.1.15

func (ts *PerRPCCredentialsFuture) RequireTransportSecurity() bool

RequireTransportSecurity returns whether this credentials class requires TLS/SSL. OAuth uses Bearer tokens that are susceptible to MITM (Man-In-The-Middle) attacks that are mitigated by TLS/SSL. We may return false here to make it easier to setup auth. However, in a production environment, TLS for OAuth2 is a requirement. see also: https://tools.ietf.org/html/rfc6749#section-3.1

func (*PerRPCCredentialsFuture) Store added in v1.1.15

func (ts *PerRPCCredentialsFuture) Store(tokenSource credentials.PerRPCCredentials)

type TokenSource added in v1.2.10

type TokenSource interface {
	Token() (*oauth2.Token, error)
}

type TokenSourceProvider added in v0.21.4

type TokenSourceProvider interface {
	GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)
}

TokenSourceProvider defines the interface needed to provide a TokenSource that is used to create a client with authentication enabled.

func NewClientCredentialsTokenSourceProvider added in v0.21.4

func NewClientCredentialsTokenSourceProvider(ctx context.Context, cfg *Config, scopes []string, tokenURL string,
	tokenCache cache.TokenCache, audience string) (TokenSourceProvider, error)

func NewDeviceFlowTokenSourceProvider added in v1.1.13

func NewDeviceFlowTokenSourceProvider(baseTokenOrchestrator tokenorchestrator.BaseTokenOrchestrator, deviceFlowConfig deviceflow.Config) (TokenSourceProvider, error)

func NewExternalTokenSourceProvider added in v0.21.4

func NewExternalTokenSourceProvider(command []string) (TokenSourceProvider, error)

func NewPKCETokenSourceProvider added in v0.21.4

func NewPKCETokenSourceProvider(baseTokenOrchestrator tokenorchestrator.BaseTokenOrchestrator, pkceCfg pkce.Config) (TokenSourceProvider, error)

func NewTokenSourceProvider added in v0.21.4

func NewTokenSourceProvider(ctx context.Context, cfg *Config, tokenCache cache.TokenCache,
	authClient service.AuthMetadataServiceClient) (TokenSourceProvider, error)

Directories

Path Synopsis
Provides the setup required for the client to perform the "Authorization Code" flow with PKCE in order to obtain an access token for public/untrusted clients.
Provides the setup required for the client to perform the "Authorization Code" flow with PKCE in order to obtain an access token for public/untrusted clients.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL