admin

package
v0.24.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 23, 2022 License: Apache-2.0 Imports: 28 Imported by: 8

Documentation

Overview

Initializes an Admin Client that exposes all implemented services by FlyteAdmin server. The library supports different authentication flows (see AuthType). It initializes the grpc connection once and reuses it. The gRPC connection is sticky (it hogs one server and keeps the connection alive). For better load balancing against the server, place a proxy service in between instead.

Index

Examples

Constants

View Source 
const DefaultAuthorizationHeader = "authorization"
View Source 
const (
	DefaultClientID = "flytepropeller"
)

Variables

View Source 
var DefaultClientSecretLocation = filepath.Join(string(filepath.Separator), "etc", "secrets", "client_secret")

Functions

func GetAdditionalAdminClientConfigOptions 

func GetAdditionalAdminClientConfigOptions(cfg *Config) []grpc.DialOption

func GetPKCEAuthTokenSource added in v0.21.4 

func GetPKCEAuthTokenSource(ctx context.Context, tokenOrchestrator pkce.TokenOrchestrator) (oauth2.TokenSource, error)

Returns the token source which would be used for three legged oauth. eg : for admin to authorize access to flytectl

func InitializeAdminClient 

func InitializeAdminClient(ctx context.Context, cfg *Config, opts ...grpc.DialOption) service.AdminServiceClient

InitializeAdminClient creates an AdminClient with a shared Admin connection for the process Deprecated: Please use initializeClients instead.

func InitializeAdminClientFromConfig deprecated 

func InitializeAdminClientFromConfig(ctx context.Context, tokenCache pkce.TokenCache, opts ...grpc.DialOption) (service.AdminServiceClient, error)

Deprecated: Please use NewClientsetBuilder() instead.

func InitializeAuthMetadataClient added in v0.18.40 

func InitializeAuthMetadataClient(ctx context.Context, cfg *Config) (client service.AuthMetadataServiceClient, err error)

InitializeAuthMetadataClient creates a new anonymously Auth Metadata Service client.

func InitializeMockAdminClient 

func InitializeMockAdminClient() service.AdminServiceClient

func NewAdminClient 

func NewAdminClient(ctx context.Context, conn *grpc.ClientConn) service.AdminServiceClient

func NewAdminConnection 

func NewAdminConnection(ctx context.Context, cfg *Config, opts ...grpc.DialOption) (*grpc.ClientConn, error)

func SetConfig added in v0.18.40 

func SetConfig(cfg *Config) error

Types

type AuthType added in v0.18.40 

type AuthType uint8
const (
	// Chooses Client Secret OAuth2 protocol (ref: https://tools.ietf.org/html/rfc6749#section-4.4)
	AuthTypeClientSecret AuthType = iota
	// Chooses Proof Key Code Exchange OAuth2 extension protocol (ref: https://tools.ietf.org/html/rfc7636)
	AuthTypePkce
	// Chooses an external authentication process
	AuthTypeExternalCommand
)

func AuthTypeString added in v0.18.40 

func AuthTypeString(s string) (AuthType, error)

AuthTypeString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.

func AuthTypeValues added in v0.18.40 

func AuthTypeValues() []AuthType

AuthTypeValues returns all values of the enum

func (AuthType) IsAAuthType added in v0.18.40 

func (i AuthType) IsAAuthType() bool

IsAAuthType returns "true" if the value is listed in the enum definition. "false" otherwise

func (AuthType) MarshalJSON added in v0.18.40 

func (i AuthType) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for AuthType

func (AuthType) MarshalYAML added in v0.18.40 

func (i AuthType) MarshalYAML() (interface{}, error)

MarshalYAML implements a YAML Marshaler for AuthType

func (AuthType) String added in v0.18.40 

func (i AuthType) String() string

func (*AuthType) UnmarshalJSON added in v0.18.40 

func (i *AuthType) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for AuthType

func (*AuthType) UnmarshalYAML added in v0.18.40 

func (i *AuthType) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements a YAML Unmarshaler for AuthType

type ClientCredentialsTokenSourceProvider added in v0.21.4 

type ClientCredentialsTokenSourceProvider struct {
	TokenRefreshWindow time.Duration
	// contains filtered or unexported fields
}

func (ClientCredentialsTokenSourceProvider) GetTokenSource added in v0.21.4 

func (p ClientCredentialsTokenSourceProvider) GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)

type Clientset added in v0.18.40 

type Clientset struct {
	// contains filtered or unexported fields
}

Clientset contains the clients exposed to communicate with various admin services.

func InitializeMockClientset added in v0.18.40 

func InitializeMockClientset() *Clientset

func (Clientset) AdminClient added in v0.18.40 

func (c Clientset) AdminClient() service.AdminServiceClient

AdminClient retrieves the AdminServiceClient

func (Clientset) AuthMetadataClient added in v0.18.40 

func (c Clientset) AuthMetadataClient() service.AuthMetadataServiceClient

AuthMetadataClient retrieves the AuthMetadataServiceClient

func (Clientset) AuthOpt added in v0.21.25 

func (c Clientset) AuthOpt() grpc.DialOption

func (Clientset) DataProxyClient added in v0.24.3 

func (c Clientset) DataProxyClient() service.DataProxyClient

func (Clientset) HealthServiceClient added in v0.21.8 

func (c Clientset) HealthServiceClient() grpc_health_v1.HealthClient

HealthServiceClient retrieves the grpc_health_v1.HealthClient

func (Clientset) IdentityClient added in v0.18.40 

func (c Clientset) IdentityClient() service.IdentityServiceClient

type ClientsetBuilder added in v0.18.40 

type ClientsetBuilder struct {
	// contains filtered or unexported fields
}

ClientsetBuilder is used to build the clientset. This allows custom token cache implementations to be plugged in.

func ClientSetBuilder added in v0.18.40 

func ClientSetBuilder() *ClientsetBuilder

ClientSetBuilder is constructor function to be used by the clients in interacting with the builder

Example 
ctx := context.Background()
// Create a client set that initializes the connection with flyte admin and sets up Auth (if needed).
// See AuthType for a list of supported authentication types.
clientSet, err := NewClientsetBuilder().WithConfig(GetConfig(ctx)).Build(ctx)
if err != nil {
	logger.Fatalf(ctx, "failed to initialize clientSet from config. Error: %v", err)
}

// Access and use the desired client:
_ = clientSet.AdminClient()
_ = clientSet.AuthMetadataClient()
_ = clientSet.IdentityClient()

Output:

func NewClientsetBuilder added in v0.18.40 

func NewClientsetBuilder() *ClientsetBuilder

func (*ClientsetBuilder) Build added in v0.18.40 

func (cb *ClientsetBuilder) Build(ctx context.Context) (*Clientset, error)

Build the clientset using the current state of the ClientsetBuilder

func (*ClientsetBuilder) WithConfig added in v0.18.40 

func (cb *ClientsetBuilder) WithConfig(config *Config) *ClientsetBuilder

WithConfig provides the admin config to be used for constructing the clientset

func (*ClientsetBuilder) WithDialOptions added in v0.18.40 

func (cb *ClientsetBuilder) WithDialOptions(opts ...grpc.DialOption) *ClientsetBuilder

func (*ClientsetBuilder) WithTokenCache added in v0.18.40 

func (cb *ClientsetBuilder) WithTokenCache(tokenCache pkce.TokenCache) *ClientsetBuilder

WithTokenCache allows pluggable token cache implemetations. eg; flytectl uses keyring as tokenCache

type Config 

type Config struct {
	Endpoint              config.URL      `json:"endpoint" pflag:",For admin types, specify where the uri of the service is located."`
	UseInsecureConnection bool            `json:"insecure" pflag:",Use insecure connection."`
	InsecureSkipVerify    bool            `` /* 186-byte string literal not displayed */
	CACertFilePath        string          `json:"caCertFilePath" pflag:",Use specified certificate file to verify the admin server peer."`
	MaxBackoffDelay       config.Duration `json:"maxBackoffDelay" pflag:",Max delay for grpc backoff"`
	PerRetryTimeout       config.Duration `json:"perRetryTimeout" pflag:",gRPC per retry timeout"`
	MaxRetries            int             `json:"maxRetries" pflag:",Max number of gRPC retries"`
	AuthType              AuthType        `json:"authType" pflag:"-,Type of OAuth2 flow used for communicating with admin."`
	TokenRefreshWindow    config.Duration `json:"tokenRefreshWindow" pflag:",Max duration between token refresh attempt and token expiry."`
	// Deprecated: settings will be discovered dynamically
	DeprecatedUseAuth    bool     `json:"useAuth" pflag:",Deprecated: Auth will be enabled/disabled based on admin's dynamically discovered information."`
	ClientID             string   `json:"clientId" pflag:",Client ID"`
	ClientSecretLocation string   `json:"clientSecretLocation" pflag:",File containing the client secret"`
	Scopes               []string `json:"scopes" pflag:",List of scopes to request"`

	// There are two ways to get the token URL. If the authorization server url is provided, the client will try to use RFC 8414 to
	// try to get the token URL. Or it can be specified directly through TokenURL config.
	// Deprecated: This will now be discovered through admin's anonymously accessible metadata.
	DeprecatedAuthorizationServerURL string `json:"authorizationServerUrl" pflag:",This is the URL to your IdP's authorization server. It'll default to Endpoint"`
	// If not provided, it'll be discovered through admin's anonymously accessible metadata endpoint.
	TokenURL string `` /* 141-byte string literal not displayed */

	// See the implementation of the 'grpcAuthorizationHeader' option in Flyte Admin for more information. But
	// basically we want to be able to use a different string to pass the token from this client to the the Admin service
	// because things might be running in a service mesh (like Envoy) that already uses the default 'authorization' header
	// Deprecated: It will automatically be discovered through an anonymously accessible auth metadata service.
	DeprecatedAuthorizationHeader string `json:"authorizationHeader" pflag:",Custom metadata header to pass JWT"`

	PkceConfig pkce.Config `json:"pkceConfig" pflag:",Config for Pkce authentication flow."`

	Command []string `json:"command" pflag:",Command for external authentication token generation"`
}

func GetConfig 

func GetConfig(ctx context.Context) *Config

func (Config) GetPFlagSet 

func (cfg Config) GetPFlagSet(prefix string) *pflag.FlagSet

GetPFlagSet will return strongly types pflags for all fields in Config and its nested types. The format of the flags is json-name.json-sub-name... etc.

type CustomHeaderTokenSource added in v0.16.3 

type CustomHeaderTokenSource struct {
	oauth2.TokenSource
	// contains filtered or unexported fields
}

This class is here because we cannot use the normal "github.com/grpc/grpc-go/credentials/oauth" package to satisfy the credentials.PerRPCCredentials interface. This is because we want to be able to support a different 'header' when passing the token in the gRPC call's metadata. The default is filled in in the constructor if none is supplied.

func NewCustomHeaderTokenSource added in v0.16.3 

func NewCustomHeaderTokenSource(source oauth2.TokenSource, insecure bool, customHeader string) CustomHeaderTokenSource

func (CustomHeaderTokenSource) GetRequestMetadata added in v0.16.3 

func (ts CustomHeaderTokenSource) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)

GetRequestMetadata gets the authorization metadata as a map using a TokenSource to generate a token

func (CustomHeaderTokenSource) RequireTransportSecurity added in v0.16.3 

func (ts CustomHeaderTokenSource) RequireTransportSecurity() bool

RequireTransportSecurity returns whether this credentials class requires TLS/SSL. OAuth uses Bearer tokens that are susceptible to MITM (Man-In-The-Middle) attacks that are mitigated by TLS/SSL. We may return false here to make it easier to setup auth. However, in a production environment, TLS for OAuth2 is a requirement. see also: https://tools.ietf.org/html/rfc6749#section-3.1

type ExternalTokenSourceProvider added in v0.21.4 

type ExternalTokenSourceProvider struct {
	// contains filtered or unexported fields
}

func (ExternalTokenSourceProvider) GetTokenSource added in v0.21.4 

func (e ExternalTokenSourceProvider) GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)

type PKCETokenSourceProvider added in v0.21.4 

type PKCETokenSourceProvider struct {
	// contains filtered or unexported fields
}

func (PKCETokenSourceProvider) GetTokenSource added in v0.21.4 

func (p PKCETokenSourceProvider) GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)

type TokenSourceProvider added in v0.21.4 

type TokenSourceProvider interface {
	GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)
}

TokenSourceProvider defines the interface needed to provide a TokenSource that is used to create a client with authentication enabled.

func NewClientCredentialsTokenSourceProvider added in v0.21.4 

func NewClientCredentialsTokenSourceProvider(ctx context.Context, cfg *Config,
	clientMetadata *service.PublicClientAuthConfigResponse, tokenURL string) (TokenSourceProvider, error)

func NewExternalTokenSourceProvider added in v0.21.4 

func NewExternalTokenSourceProvider(command []string) (TokenSourceProvider, error)

func NewPKCETokenSourceProvider added in v0.21.4 

func NewPKCETokenSourceProvider(ctx context.Context, pkceCfg pkce.Config, tokenCache pkce.TokenCache, authClient service.AuthMetadataServiceClient) (TokenSourceProvider, error)

func NewTokenSourceProvider added in v0.21.4 

func NewTokenSourceProvider(ctx context.Context, cfg *Config, tokenCache pkce.TokenCache,
	authClient service.AuthMetadataServiceClient) (TokenSourceProvider, error)

Source Files

View all Source files

Directories

Path Synopsis
Provides the setup required for the client to perform the "Authorization Code" flow with PKCE in order to obtain an access token for public/untrusted clients.
 Provides the setup required for the client to perform the "Authorization Code" flow with PKCE in order to obtain an access token for public/untrusted clients.
mocks

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.