-
Notifications
You must be signed in to change notification settings - Fork 998
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Authentication and Authorization for feast serving (#865)
* Authentication and authorization for feast serving, squashed on 07/21 * fix e2e, add metadata plugin in jobs, merge labels, auth failure test, removed unwanted expire time validation from gauth. * fix rebase adaption. * Fix core integration test. * Authentication integration test. * Add authorization test and minor refactoring. * fix failing integration test. * fix lint error.
- Loading branch information
Showing
46 changed files
with
1,974 additions
and
255 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
56 changes: 56 additions & 0 deletions
56
auth/src/main/java/feast/auth/credentials/CoreAuthenticationProperties.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| /* | ||
| * SPDX-License-Identifier: Apache-2.0 | ||
| * Copyright 2018-2020 The Feast Authors | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package feast.auth.credentials; | ||
|
|
||
| import feast.common.validators.OneOfStrings; | ||
| import java.util.Map; | ||
|
|
||
| public class CoreAuthenticationProperties { | ||
| // needs to be set to true if authentication is enabled on core | ||
| private boolean enabled; | ||
|
|
||
| // authentication provider to use | ||
| @OneOfStrings({"google", "oauth"}) | ||
| private String provider; | ||
|
|
||
| // K/V options to initialize the provider. | ||
| Map<String, String> options; | ||
|
|
||
| public boolean isEnabled() { | ||
| return enabled; | ||
| } | ||
|
|
||
| public void setEnabled(boolean enabled) { | ||
| this.enabled = enabled; | ||
| } | ||
|
|
||
| public String getProvider() { | ||
| return provider; | ||
| } | ||
|
|
||
| public void setProvider(String provider) { | ||
| this.provider = provider; | ||
| } | ||
|
|
||
| public Map<String, String> getOptions() { | ||
| return options; | ||
| } | ||
|
|
||
| public void setOptions(Map<String, String> options) { | ||
| this.options = options; | ||
| } | ||
| } |
79 changes: 79 additions & 0 deletions
79
auth/src/main/java/feast/auth/credentials/GoogleAuthCredentials.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| /* | ||
| * SPDX-License-Identifier: Apache-2.0 | ||
| * Copyright 2018-2020 The Feast Authors | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package feast.auth.credentials; | ||
|
|
||
| import static io.grpc.Metadata.ASCII_STRING_MARSHALLER; | ||
|
|
||
| import com.google.auth.oauth2.IdTokenCredentials; | ||
| import com.google.auth.oauth2.ServiceAccountCredentials; | ||
| import io.grpc.CallCredentials; | ||
| import io.grpc.Metadata; | ||
| import io.grpc.Status; | ||
| import java.io.IOException; | ||
| import java.util.Arrays; | ||
| import java.util.Map; | ||
| import java.util.concurrent.Executor; | ||
|
|
||
| /* | ||
| * Google auth provider's callCredentials Implementation for serving. | ||
| * Used by CoreSpecService to connect to core. | ||
| */ | ||
| public class GoogleAuthCredentials extends CallCredentials { | ||
| private final IdTokenCredentials credentials; | ||
| private static final String BEARER_TYPE = "Bearer"; | ||
| private static final Metadata.Key<String> AUTHORIZATION_METADATA_KEY = | ||
| Metadata.Key.of("Authorization", ASCII_STRING_MARSHALLER); | ||
|
|
||
| public GoogleAuthCredentials(Map<String, String> options) throws IOException { | ||
|
|
||
| String targetAudience = options.getOrDefault("audience", "https://localhost"); | ||
| ServiceAccountCredentials serviceCreds = | ||
| (ServiceAccountCredentials) | ||
| ServiceAccountCredentials.getApplicationDefault() | ||
| .createScoped(Arrays.asList("openid", "email")); | ||
|
|
||
| credentials = | ||
| IdTokenCredentials.newBuilder() | ||
| .setIdTokenProvider(serviceCreds) | ||
| .setTargetAudience(targetAudience) | ||
| .build(); | ||
| } | ||
|
|
||
| @Override | ||
| public void applyRequestMetadata( | ||
| RequestInfo requestInfo, Executor appExecutor, MetadataApplier applier) { | ||
| appExecutor.execute( | ||
| () -> { | ||
| try { | ||
| credentials.refreshIfExpired(); | ||
| Metadata headers = new Metadata(); | ||
| headers.put( | ||
| AUTHORIZATION_METADATA_KEY, | ||
| String.format("%s %s", BEARER_TYPE, credentials.getIdToken().getTokenValue())); | ||
| applier.apply(headers); | ||
| } catch (Throwable e) { | ||
| applier.fail(Status.UNAUTHENTICATED.withCause(e)); | ||
| } | ||
| }); | ||
| } | ||
|
|
||
| @Override | ||
| public void thisUsesUnstableApi() { | ||
| // TODO Auto-generated method stub | ||
|
|
||
| } | ||
| } |
120 changes: 120 additions & 0 deletions
120
auth/src/main/java/feast/auth/credentials/OAuthCredentials.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| /* | ||
| * SPDX-License-Identifier: Apache-2.0 | ||
| * Copyright 2018-2020 The Feast Authors | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package feast.auth.credentials; | ||
|
|
||
| import static io.grpc.Metadata.ASCII_STRING_MARSHALLER; | ||
|
|
||
| import com.nimbusds.jose.util.JSONObjectUtils; | ||
| import io.grpc.CallCredentials; | ||
| import io.grpc.Metadata; | ||
| import io.grpc.Status; | ||
| import java.time.Instant; | ||
| import java.util.Map; | ||
| import java.util.concurrent.Executor; | ||
| import javax.security.sasl.AuthenticationException; | ||
| import net.minidev.json.JSONObject; | ||
| import okhttp3.FormBody; | ||
| import okhttp3.OkHttpClient; | ||
| import okhttp3.Request; | ||
| import okhttp3.RequestBody; | ||
| import okhttp3.Response; | ||
| import org.springframework.security.oauth2.jwt.NimbusJwtDecoder; | ||
|
|
||
| /* | ||
| * Oauth Credentials Implementation for serving. | ||
| * Used by CoreSpecService to connect to core. | ||
| */ | ||
| public class OAuthCredentials extends CallCredentials { | ||
|
|
||
| private static final String JWK_ENDPOINT_URI = "jwkEndpointURI"; | ||
| static final String APPLICATION_JSON = "application/json"; | ||
| static final String CONTENT_TYPE = "content-type"; | ||
| static final String BEARER_TYPE = "Bearer"; | ||
| static final String GRANT_TYPE = "grant_type"; | ||
| static final String CLIENT_ID = "client_id"; | ||
| static final String CLIENT_SECRET = "client_secret"; | ||
| static final String AUDIENCE = "audience"; | ||
| static final String OAUTH_URL = "oauth_url"; | ||
| static final Metadata.Key<String> AUTHORIZATION_METADATA_KEY = | ||
| Metadata.Key.of("Authorization", ASCII_STRING_MARSHALLER); | ||
|
|
||
| private OkHttpClient httpClient; | ||
| private Request request; | ||
| private String accessToken; | ||
| private Instant tokenExpiryTime; | ||
| private NimbusJwtDecoder jwtDecoder; | ||
|
|
||
| public OAuthCredentials(Map<String, String> options) { | ||
| this.httpClient = new OkHttpClient(); | ||
| if (!(options.containsKey(GRANT_TYPE) | ||
| && options.containsKey(CLIENT_ID) | ||
| && options.containsKey(AUDIENCE) | ||
| && options.containsKey(CLIENT_SECRET) | ||
| && options.containsKey(OAUTH_URL) | ||
| && options.containsKey(JWK_ENDPOINT_URI))) { | ||
| throw new AssertionError( | ||
| "please configure the properties:" | ||
| + " grant_type, client_id, client_secret, audience, oauth_url, jwkEndpointURI"); | ||
| } | ||
| RequestBody requestBody = | ||
| new FormBody.Builder() | ||
| .add(GRANT_TYPE, options.get(GRANT_TYPE)) | ||
| .add(CLIENT_ID, options.get(CLIENT_ID)) | ||
| .add(CLIENT_SECRET, options.get(CLIENT_SECRET)) | ||
| .add(AUDIENCE, options.get(AUDIENCE)) | ||
| .build(); | ||
| this.request = | ||
| new Request.Builder() | ||
| .url(options.get(OAUTH_URL)) | ||
| .addHeader(CONTENT_TYPE, APPLICATION_JSON) | ||
| .post(requestBody) | ||
| .build(); | ||
| this.jwtDecoder = NimbusJwtDecoder.withJwkSetUri(options.get(JWK_ENDPOINT_URI)).build(); | ||
| } | ||
|
|
||
| @Override | ||
| public void thisUsesUnstableApi() { | ||
| // TODO Auto-generated method stub | ||
|
|
||
| } | ||
|
|
||
| @Override | ||
| public void applyRequestMetadata( | ||
| RequestInfo requestInfo, Executor appExecutor, MetadataApplier applier) { | ||
| appExecutor.execute( | ||
| () -> { | ||
| try { | ||
| // Fetches new token if it is not available or if token has expired. | ||
| if (this.accessToken == null || Instant.now().isAfter(this.tokenExpiryTime)) { | ||
| Response response = httpClient.newCall(request).execute(); | ||
| if (!response.isSuccessful()) { | ||
| throw new AuthenticationException(response.message()); | ||
| } | ||
| JSONObject json = JSONObjectUtils.parse(response.body().string()); | ||
| this.accessToken = json.getAsString("access_token"); | ||
| this.tokenExpiryTime = jwtDecoder.decode(this.accessToken).getExpiresAt(); | ||
| } | ||
| Metadata headers = new Metadata(); | ||
| headers.put( | ||
| AUTHORIZATION_METADATA_KEY, String.format("%s %s", BEARER_TYPE, this.accessToken)); | ||
| applier.apply(headers); | ||
| } catch (Throwable e) { | ||
| applier.fail(Status.UNAUTHENTICATED.withCause(e)); | ||
| } | ||
| }); | ||
| } | ||
| } |
63 changes: 63 additions & 0 deletions
63
auth/src/main/java/feast/auth/service/AuthorizationService.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| /* | ||
| * SPDX-License-Identifier: Apache-2.0 | ||
| * Copyright 2018-2020 The Feast Authors | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package feast.auth.service; | ||
|
|
||
| import feast.auth.authorization.AuthorizationProvider; | ||
| import feast.auth.authorization.AuthorizationResult; | ||
| import feast.auth.config.SecurityProperties; | ||
| import lombok.AllArgsConstructor; | ||
| import org.springframework.beans.factory.ObjectProvider; | ||
| import org.springframework.beans.factory.annotation.Autowired; | ||
| import org.springframework.security.access.AccessDeniedException; | ||
| import org.springframework.security.core.Authentication; | ||
| import org.springframework.security.core.context.SecurityContext; | ||
| import org.springframework.stereotype.Service; | ||
|
|
||
| @AllArgsConstructor | ||
| @Service | ||
| public class AuthorizationService { | ||
|
|
||
| private final SecurityProperties securityProperties; | ||
| private final AuthorizationProvider authorizationProvider; | ||
|
|
||
| @Autowired | ||
| public AuthorizationService( | ||
| SecurityProperties securityProperties, | ||
| ObjectProvider<AuthorizationProvider> authorizationProvider) { | ||
| this.securityProperties = securityProperties; | ||
| this.authorizationProvider = authorizationProvider.getIfAvailable(); | ||
| } | ||
|
|
||
| /** | ||
| * Determine whether a user has access to a project. | ||
| * | ||
| * @param securityContext Spring Security Context used to identify a user or service. | ||
| * @param project Name of the project for which membership should be tested. | ||
| */ | ||
| public void authorizeRequest(SecurityContext securityContext, String project) { | ||
| Authentication authentication = securityContext.getAuthentication(); | ||
| if (!this.securityProperties.getAuthorization().isEnabled()) { | ||
| return; | ||
| } | ||
|
|
||
| AuthorizationResult result = | ||
| this.authorizationProvider.checkAccessToProject(project, authentication); | ||
| if (!result.isAllowed()) { | ||
| throw new AccessDeniedException(result.getFailureReason().orElse("Access Denied")); | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.