-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(backend): authorize readArtifacts and ReportMetrics endpoints #7819
Conversation
/assign @juliusvonkohout |
/assign @difince |
/unassign @juliusvonkohout |
/cc @annajung |
Amazing work. I only have a few questions
|
Hi @juliusvonkohout Thank you for your fast feedback! About the verb inconsistency - IMO, using the short verb name About 4. you make me think twice .. as ReadArticat is GET request - it makes sense to be part of the viewer role |
|
btw, I have noticed that ReportWorkflow and ReportScheduledWorkflow are also not authorized. Shouldn't they be? |
I changed the PR to Draft because I had realized that in my case the persistent agent does Not call ReadArtifacts or ReportMetrics endpoints at all and that gave me the wrong feeling that all works. In addition, something else I have noticed and guess is wrong behavior is that: on delete Run the artifacts stay in Minio? I will further investigate |
This check should only pass if your pipeline contains metrics. You need to test with something that contains metrics. Here is something to test with and i can also provide you a YAML file if needed
An execution of this should produce metrics AND visualizations in the UI. If not there will be most likely errors in the logs of persistenceagent.
Yes exactly, that is why i was so curious how it worked without permission changes to persistenceagent. The token approach could be problematic, because we do not have the token from the users namespace, but please prove me wrong https://github.com/kubeflow/pipelines/blob/master/backend/src/apiserver/auth/.
No need to, this is known behavior. And before you do anything there i need to get my not yet polished fixes to the cache server merged. Otherwise deleting artifacts from minio just breaks pipeline execution. My version checks whether the cache database is at least partially consistent with minio and if not it deletes the database entry and prevents faulty caching. |
You are right regarding "ReportWorkflow and ReportScheduledWorkflow should also be secured .." |
Thank you @juliusvonkohout for your feedback! Your guidance is so valuable! |
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
Thanks!
@difince i guess there were some changes in master and you have to rebase. |
New Verbs (reportMetrics and readArtifact) are added to ClusterRole with name: aggregate-to-kubeflow-pipelines-edit Signed-off-by: Diana Atanasova <[email protected]>
Persistent Agent authorize itself based ot the namespace and the current user Fixes: kubeflow#7818
Signed-off-by: Diana Atanasova <[email protected]>
Signed-off-by: Diana Atanasova <[email protected]>
Cover MULTIUSER=false usecase/Standalone pipeline installation. In this case the namespace doesn't have `user` annotation and there is no need to provide `kubeflow-userid` Header when making a request against kfp-api-server Signed-off-by: Diana Atanasova <[email protected]>
Signed-off-by: Diana Atanasova <[email protected]>
Signed-off-by: Diana Atanasova <[email protected]>
@chensun I have rebased .. and fixed conflicts in the license file |
@chensun needs to add it /lgtm again, /approve seems to be still there. I do not have the rights to do so. |
@@ -0,0 +1 @@ | |||
MULTIUSER=true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have a global config for this? Feels quite redundant to repeat this for all backend pods, especially when the file is already under a path with "multi-user".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have a global config for this? Feels quite redundant to repeat this for all backend pods, especially when the file is already under a path with "multi-user".
We just copied the style that your team used so far in https://github.com/kubeflow/manifests/blob/746c523e9e994154df48d4441d01a30e4f9c8de4/apps/pipeline/upstream/base/installs/multi-user/api-service/params.env#L1 . We could consider adding it here https://github.com/kubeflow/pipelines/blob/master/manifests/kustomize/base/installs/multi-user/params.yaml if you want.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chensun, @juliusvonkohout Currently with my addition, MULTIUSER
is used by two services - app_server and persistent_agent. We could try to export them in a common params.env file but I would bring up a question about other env variables which are even more frequently used like - KUBEFLOW_USERID_HEADER
, KUBEFLOW_USERID_PREFIX
, NAMESPACE
. Should we also export them?
IMO this is out of the scope of this PR. I was following the current way of work. If we want to do such an enhancement I would open a dedicated issue about it and I would be glad to work on it, but I will let this PR get merged as it is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree it's out of scope for this PR.
/lgtm Thanks @difince ! |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: chensun The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…ubeflow#7819) * Authorize readArtifacts and ReportMetrics endpoints New Verbs (reportMetrics and readArtifact) are added to ClusterRole with name: aggregate-to-kubeflow-pipelines-edit Signed-off-by: Diana Atanasova <[email protected]> * Add authorization when Persistent Agent communicate with the api-server Persistent Agent authorize itself based ot the namespace and the current user Fixes: kubeflow#7818 * Update persistence_agent.csv license file Signed-off-by: Diana Atanasova <[email protected]> * Fix lexical error in persistent agent cluster role Signed-off-by: Diana Atanasova <[email protected]> * Fix integration tests/Fix MULTIUSER= false usecase Cover MULTIUSER=false usecase/Standalone pipeline installation. In this case the namespace doesn't have `user` annotation and there is no need to provide `kubeflow-userid` Header when making a request against kfp-api-server Signed-off-by: Diana Atanasova <[email protected]> * rebase: fix conflixt in license file Signed-off-by: Diana Atanasova <[email protected]> * rebase add new line in the end of licensing file Signed-off-by: Diana Atanasova <[email protected]>
Secure communication between the API server and the persistent agent.
Currently, partially secured.
New Verbs (reportMetrics and readArtifact) are added to ClusterRole with name: aggregate-to-kubeflow-pipelines-edit
Fixes: #7818
Signed-off-by: Diana Atanasova [email protected]
Description of your changes:
Checklist: