Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: allow specifying disable-auth when creating the server #1251

Merged
merged 13 commits into from
Oct 23, 2023
Merged

feat: allow specifying disable-auth when creating the server #1251

merged 13 commits into from
Oct 23, 2023

Conversation

KeranYang
Copy link
Member

@KeranYang KeranYang commented Oct 23, 2023
edited
Loading

User can update the numaflow deployment to turn on and off AuthN/AuthZ by passing in an argument.

...
containers:
        - name: main
          image: quay.io/numaproj/numaflow:latest
          args:
            - server
            - '--disable-auth=true'
...

Tested by turning on and off the auth and verifying that after turning it off, my read-only role can perform write operations like CreatePipeline.

@KeranYang
can get the parameter
93ca195 
Signed-off-by: Keran Yang <[email protected]>
@KeranYang
working
fd7cf7d 
Signed-off-by: Keran Yang <[email protected]>
@KeranYang
.
fd040f5 
Signed-off-by: Keran Yang <[email protected]>
@KeranYang
clean up
c767751 
Signed-off-by: Keran Yang <[email protected]>
@KeranYang
Merge branch 'ged-rbac' into ged-rbac-1
8370acd
@KeranYang KeranYang marked this pull request as ready for review October 23, 2023 20:06
@KeranYang KeranYang requested review from jy4096 and kohlisid October 23, 2023 20:15
whynowy
whynowy reviewed Oct 23, 2023
View reviewed changes
server/routes/routes.go Outdated
@@ -30,6 +30,8 @@ type SystemInfo struct {
ManagedNamespace string `json:"managedNamespace"`
Namespaced bool `json:"namespaced"`
Version string `json:"version"`
DisableAuth bool `json:"disableAuth"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This SystemInfo is exposed to the client, do not add those information to this struct.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1. I am going to create a separate struct AuthInfo to hold the DisableAuth and DexServerAddr, hence the /systemInfo API call won't expose auth configurations.

@KeranYang
check if e2e can pass
8512156 
Signed-off-by: Keran Yang <[email protected]>
@KeranYang
address comments
6cc5c3e 
Signed-off-by: Keran Yang <[email protected]>
@KeranYang KeranYang marked this pull request as draft October 23, 2023 20:52
@KeranYang
.
0e1dc0f 
Signed-off-by: Keran Yang <[email protected]>
@KeranYang
.
58bb90f 
Signed-off-by: Keran Yang <[email protected]>
@vigith
Copy link
Member

vigith commented Oct 23, 2023

isn't it better to disable auth by default, and enable only on-demand. which experience will be better for users testing it out?

KeranYang
KeranYang commented Oct 23, 2023
View reviewed changes
config/base/numaflow-server/numaflow-server-deployment.yaml
@@ -38,6 +38,8 @@ spec:
image: quay.io/numaproj/numaflow:latest
args:
- "server"
# By default, turn off authentication and authorization.
Copy link
Member Author

@KeranYang KeranYang Oct 23, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made this change, thinking if we by default enable auth, it could add complexity to first-time numaflow users. @jy4096 also mentioned that we want to disable auth for e2e API testing.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc: @vigith This also replies to your comment above. :)

@KeranYang KeranYang marked this pull request as ready for review October 23, 2023 21:24
@KeranYang KeranYang requested a review from whynowy October 23, 2023 21:25
whynowy
whynowy reviewed Oct 23, 2023
View reviewed changes
cmd/commands/server.go Outdated
@@ -64,7 +64,7 @@ func NewServerCommand() *cobra.Command {
command.Flags().BoolVar(&namespaced, "namespaced", false, "Whether to run in namespaced scope, defaults to false.")
command.Flags().StringVar(&managedNamespace, "managed-namespace", sharedutil.LookupEnvStringOr("NAMESPACE", "numaflow-system"), "The namespace that the server watches when \"--namespaced\" is \"true\".")
command.Flags().StringVar(&baseHref, "base-href", "/", "Base href for Numaflow server, defaults to '/'.")
command.Flags().BoolVar(&disableAuth, "disable-auth", false, "Whether to disable authentication, defaults to false.")
command.Flags().BoolVar(&disableAuth, "disable-auth", true, "Whether to disable authentication and authorization, defaults to true for easy on-boarding.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be better to set the default to false here, but add the arg true in the manifests.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds good.

@KeranYang
.
11e3efd 
Signed-off-by: Keran Yang <[email protected]>
@KeranYang KeranYang requested a review from whynowy October 23, 2023 22:52
@KeranYang KeranYang merged commit f61bddf into numaproj:ged-rbac Oct 23, 2023
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@whynowy whynowy whynowy approved these changes

@vigith vigith Awaiting requested review from vigith

@jy4096 jy4096 Awaiting requested review from jy4096

@kohlisid kohlisid Awaiting requested review from kohlisid

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@KeranYang @vigith @whynowy