CLI: add 'AIS_AUTHN_TOKEN' environment

* add `AIS_AUTHN_TOKEN` (value) env variable - not to confuse with `AIS_AUTHN_TOKEN_FILE` * refactor `api.LoadToken` Signed-off-by: Alex Aizman <[email protected]>
NVIDIA · Sep 25, 2024 · 79543fd · 79543fd
1 parent fcaba7c
commit 79543fd
Show file tree

Hide file tree

Showing 6 changed files with 47 additions and 18 deletions.
diff --git a/api/authn/loadtoken.go b/api/authn/loadtoken.go
@@ -1,10 +1,11 @@
 // Package authn provides AuthN API over HTTP(S)
 /*
- * Copyright (c) 2018-2022, NVIDIA CORPORATION. All rights reserved.
+ * Copyright (c) 2018-2024, NVIDIA CORPORATION. All rights reserved.
  */
 package authn
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 
@@ -14,24 +15,38 @@ import (
 	"github.com/NVIDIA/aistore/cmn/jsp"
 )
 
-// NOTE: must load when tokenFile != ""
-func LoadToken(tokenFile string) string {
-	var (
-		token    TokenMsg
-		mustLoad = true
-	)
+// LoadToken retrieves the authentication token from the specified tokenFile,
+// environment variables, or default location (CLI config).
+func LoadToken(tokenFile string) (string /*token value*/, error) {
+	// token value directly from environment
+	if tokenFile == "" {
+		if tokenEnv := os.Getenv(env.AuthN.Token); tokenEnv != "" {
+			return tokenEnv, nil
+		}
+	}
+
+	var token TokenMsg
+
+	// token filename from environment
 	if tokenFile == "" {
 		tokenFile = os.Getenv(env.AuthN.TokenFile)
 	}
+
+	// or, default token filename
 	if tokenFile == "" {
-		// when generated via CLI (and without the `-f` option) - the location:
+		// Default location when generated via CLI without the `-f` option:
 		// $HOME/.config/ais/cli/<fname.Token>
 		tokenFile = filepath.Join(cos.HomeConfigDir(fname.HomeCLI), fname.Token)
-		mustLoad = false
 	}
+
+	// load
 	_, err := jsp.LoadMeta(tokenFile, &token)
-	if err != nil && (mustLoad || !os.IsNotExist(err)) {
-		cos.Errorf("Failed to load token %q: %v", tokenFile, err)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return "", fmt.Errorf("token file %q does not exist", tokenFile)
+		}
+		return "", fmt.Errorf("failed to load token from %q: %v", tokenFile, err)
 	}
-	return token.Token
+
+	return token.Token, nil
 }
diff --git a/api/env/authn.go b/api/env/authn.go
@@ -12,6 +12,7 @@ var (
 		Enabled       string
 		URL           string
 		TokenFile     string
+		Token         string
 		ConfDir       string
 		LogDir        string
 		LogLevel      string
@@ -27,6 +28,7 @@ var (
 		Enabled:       "AIS_AUTHN_ENABLED",
 		URL:           "AIS_AUTHN_URL",
 		TokenFile:     "AIS_AUTHN_TOKEN_FILE", // fully qualified
+		Token:         "AIS_AUTHN_TOKEN",      // Only the JWT token itself (excluding the file and JSON)
 		ConfDir:       "AIS_AUTHN_CONF_DIR",   // contains AuthN config and tokens DB
 		LogDir:        "AIS_AUTHN_LOG_DIR",
 		LogLevel:      "AIS_AUTHN_LOG_LEVEL",

diff --git a/bench/tools/aisloader/run.go b/bench/tools/aisloader/run.go
@@ -274,7 +274,10 @@ func Start(version, buildtime string) (err error) {
 			return fmt.Errorf("failed to get cluster map: %v", err)
 		}
 	}
-	loggedUserToken = authn.LoadToken(runParams.tokenFile)
+	loggedUserToken, err = authn.LoadToken(runParams.tokenFile)
+	if err != nil && runParams.tokenFile != "" {
+		return err
+	}
 	runParams.bp.Token = loggedUserToken
 	runParams.bp.UA = ua
 

diff --git a/docs/authn.md b/docs/authn.md
@@ -202,6 +202,14 @@ AIS_AUTHN_ENABLED=true make deploy
 > **Note:** Don't forget to change the _default secret key_ used to sign tokens and the _admin password_ before starting the deployment process. If you don't, you will have to restart the cluster.
 * More info on env vars: [`api/env/authn.go`](https://github.com/NVIDIA/aistore/blob/main/api/env/authn.go)
 
+Separately, there's also client-side AuthN environment that includes:
+
+| Name                  | Description                                                                                                                         |
+|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------|
+| `AIS_AUTHN_URL`       | Used by [CLI](docs/cli/auth.md) to configure and query the authentication server (AuthN).                                           |
+| `AIS_AUTHN_TOKEN_FILE`| Token file pathname; can be used to override the default `$HOME/.config/ais/cli/<fname.Token>`.                                     |
+| `AIS_AUTHN_TOKEN`     | The JWT token itself (excluding the file and JSON); can be used to specify the token directly, bypassing the need for a token file. |
+
 ## Notation
 
 In this README:

diff --git a/docs/environment-vars.md b/docs/environment-vars.md
@@ -302,10 +302,11 @@ AuthN supports multiple AIS clusters; in fact, there's no limit on the number of
 
 Separately, there's also client-side AuthN environment that includes:
 
-| name | comment |
-| ---- | ------- |
-| `AIS_AUTHN_URL` | used by [CLI](docs/cli/auth.md) to configure and query authenication server (AuthN) |
-| `AIS_AUTHN_TOKEN_FILE` | token file pathname; can be used to override the default `$HOME/.config/ais/cli/<fname.Token>`  |
+| Name                  | Description                                                                                                                          |
+|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------|
+| `AIS_AUTHN_URL`       | Used by [CLI](docs/cli/auth.md) to configure and query the authentication server (AuthN).                                            |
+| `AIS_AUTHN_TOKEN_FILE`| Token file pathname; can be used to override the default `$HOME/.config/ais/cli/<fname.Token>`.                                      |
+| `AIS_AUTHN_TOKEN`     | The JWT token itself (excluding the file and JSON); can be used to specify the token directly, bypassing the need for a token file.  |
 
 When AuthN is disabled (i.e., not used), `ais config` CLI will show something like:
 

diff --git a/tools/init.go b/tools/init.go
@@ -185,7 +185,7 @@ func InitLocalCluster() {
 // InitCluster initializes the environment necessary for testing against an AIS cluster.
 // NOTE: the function is also used for testing by NVIDIA/ais-k8s Operator
 func InitCluster(proxyURL string, clusterType ClusterType) (err error) {
-	LoggedUserToken = authn.LoadToken("")
+	LoggedUserToken, _ = authn.LoadToken("") // ignore error as not all tests require token
 	proxyURLReadOnly = proxyURL
 	testClusterType = clusterType
 	if err = initProxyURL(); err != nil {