From f179fa704385778dfc7842e466b0f34ba13411ba Mon Sep 17 00:00:00 2001 From: Scott Lyons Date: Wed, 6 Nov 2024 18:01:35 -0800 Subject: [PATCH 1/3] Adding api_key quickstart --- api_key/README.md | 44 +++++++++++++++++++++++++++++++++++++++++++ api_key/spicepod.yaml | 14 ++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 api_key/README.md create mode 100755 api_key/spicepod.yaml diff --git a/api_key/README.md b/api_key/README.md new file mode 100644 index 0000000..a8d7c63 --- /dev/null +++ b/api_key/README.md @@ -0,0 +1,44 @@ +# Spice API Key Authentication + +Spice supports protecting HTTP endpointa with API keys. + +Add the following configuration to your `spicepod.yaml` to enable authentication: + +```yaml +runtime: + auth: + api-key: + enabled: true + keys: + - ${ env: API_KEY } +``` + +Then create a `.env` file in the same location as your `spicepod.yaml` with a key of your choice. + +```shell +API_KEY=foobar +``` + +1. Start Spice with `spice run` and open a new terminal +2. Run `curl -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1'`: +```shell +curl -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1' +HTTP/1.1 401 Unauthorized +content-length: 12 +date: Thu, 07 Nov 2024 01:52:00 GMT + +Unauthorized +``` + +3. Run `curl -H "x-api-key: foobar" -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1'` +```shell +curl -H "x-api-key: foobar" -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1' +HTTP/1.1 200 OK +content-type: text/plain; charset=utf-8 +x-cache: Miss from spiceai +content-length: 16 +date: Thu, 07 Nov 2024 01:53:20 GMT + +[{"Int64(1)":1}] +``` + diff --git a/api_key/spicepod.yaml b/api_key/spicepod.yaml new file mode 100755 index 0000000..d68cda8 --- /dev/null +++ b/api_key/spicepod.yaml @@ -0,0 +1,14 @@ +version: v1beta1 +kind: Spicepod +name: api_key + +secrets: + - from: env + name: env + +runtime: + auth: + api-key: + enabled: true + keys: + - ${ env:API_KEY } \ No newline at end of file From 269cb06d7e8b785a36186a64d00dece331d80b8e Mon Sep 17 00:00:00 2001 From: Scott Lyons Date: Thu, 7 Nov 2024 08:34:59 -0800 Subject: [PATCH 2/3] Updating with Flight/FlightSQL endpoints, improving clarity --- api_key/README.md | 66 ++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 60 insertions(+), 6 deletions(-) diff --git a/api_key/README.md b/api_key/README.md index a8d7c63..83dd40e 100644 --- a/api_key/README.md +++ b/api_key/README.md @@ -1,8 +1,8 @@ # Spice API Key Authentication -Spice supports protecting HTTP endpointa with API keys. +Spice supports securing HTTP, Flight, and Flight SQL endpoints using API keys. -Add the following configuration to your `spicepod.yaml` to enable authentication: +To enable API key authentication, add the following configuration to your `spicepod.yaml` file: ```yaml runtime: @@ -13,16 +13,22 @@ runtime: - ${ env: API_KEY } ``` -Then create a `.env` file in the same location as your `spicepod.yaml` with a key of your choice. +Then, create a `.env` file in the same directory as `spicepod.yaml`, setting an API key of your choice: ```shell API_KEY=foobar ``` -1. Start Spice with `spice run` and open a new terminal -2. Run `curl -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1'`: +## HTTP + +1. Start Spice with `spice run`, then open a new terminal +2. To test without an API key, run: ```shell curl -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1' +``` +Expected response: +```shell +$ curl -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1' HTTP/1.1 401 Unauthorized content-length: 12 date: Thu, 07 Nov 2024 01:52:00 GMT @@ -30,7 +36,12 @@ date: Thu, 07 Nov 2024 01:52:00 GMT Unauthorized ``` -3. Run `curl -H "x-api-key: foobar" -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1'` +3. Now, test with the API key by running: +```shell +curl -H "x-api-key: foobar" -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1' +``` + +Expected response: ```shell curl -H "x-api-key: foobar" -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1' HTTP/1.1 200 OK @@ -42,3 +53,46 @@ date: Thu, 07 Nov 2024 01:53:20 GMT [{"Int64(1)":1}] ``` +## CLI + +1. Start Spice with `spice run`, then open a new terminal +2. Run `spice status` without an API key +```bash +$ spice status +2024/11/07 17:29:48 ERROR getting spiced status error="error fetching runtime information: Unauthorized" +``` +3. Now, run `spice status` with the API key +```bash +$ spice status --api-key foobar + +NAME ENDPOINT STATUS +http 127.0.0.1:8090 Ready +flight 127.0.0.1:50051 Ready +metrics 127.0.0.1:9090 Ready +opentelemetry 127.0.0.1:50052 Ready +``` + +## SQL REPL + +1. Start Spice with `spice run`, then open a new terminal +2. Open the SQL REPL with `spice sql`, then attempt a SQL query: +```bash +$ spice sql + +sql> select 1; +Error The query could not be completed because the user does not have permission to access the requested data. +``` + +3. Now, open the SQL REPL with the API key and try the query again: +```bash +$ spice sql --api-key foobar + +sql> select 1; ++----------+ +| Int64(1) | ++----------+ +| 1 | ++----------+ + +Time: 0.007247375 seconds. 1 rows. +``` \ No newline at end of file From ad9cbd77cbb44e66a9b98c4324e0056815b93579 Mon Sep 17 00:00:00 2001 From: Phillip LeBlanc Date: Fri, 8 Nov 2024 15:56:27 +0900 Subject: [PATCH 3/3] Update the API key quickstart --- api_key/README.md | 136 +++++++++++++++++++++++++--------------------- 1 file changed, 73 insertions(+), 63 deletions(-) diff --git a/api_key/README.md b/api_key/README.md index 83dd40e..a154e32 100644 --- a/api_key/README.md +++ b/api_key/README.md @@ -1,8 +1,8 @@ # Spice API Key Authentication -Spice supports securing HTTP, Flight, and Flight SQL endpoints using API keys. +Spice supports securing its HTTP, Flight/FlightSQL, and OpenTelemetry endpoints using API keys. -To enable API key authentication, add the following configuration to your `spicepod.yaml` file: +Enable API key authentication with: ```yaml runtime: @@ -10,10 +10,10 @@ runtime: api-key: enabled: true keys: - - ${ env: API_KEY } + - ${ env:API_KEY } ``` -Then, create a `.env` file in the same directory as `spicepod.yaml`, setting an API key of your choice: +Create a `.env` file in the same directory as `spicepod.yaml` to set an API key that will be pulled from the environment: ```shell API_KEY=foobar @@ -22,77 +22,87 @@ API_KEY=foobar ## HTTP 1. Start Spice with `spice run`, then open a new terminal -2. To test without an API key, run: -```shell -curl -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1' -``` -Expected response: -```shell -$ curl -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1' -HTTP/1.1 401 Unauthorized -content-length: 12 -date: Thu, 07 Nov 2024 01:52:00 GMT +1. To test without an API key, run: -Unauthorized -``` + ```shell + curl -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1' + ``` -3. Now, test with the API key by running: -```shell -curl -H "x-api-key: foobar" -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1' -``` + Expected response: -Expected response: -```shell -curl -H "x-api-key: foobar" -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1' -HTTP/1.1 200 OK -content-type: text/plain; charset=utf-8 -x-cache: Miss from spiceai -content-length: 16 -date: Thu, 07 Nov 2024 01:53:20 GMT - -[{"Int64(1)":1}] -``` + ```shell + $ curl -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1' + HTTP/1.1 401 Unauthorized + content-length: 12 + date: Thu, 07 Nov 2024 01:52:00 GMT + + Unauthorized + ``` + +1. Test with the API key: + + ```shell + curl -H "x-api-key: foobar" -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1' + ``` + + Output: + + ```shell + curl -H "x-api-key: foobar" -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1' + HTTP/1.1 200 OK + content-type: text/plain; charset=utf-8 + x-cache: Miss from spiceai + content-length: 16 + date: Thu, 07 Nov 2024 01:53:20 GMT + + [{"Int64(1)":1}] + ``` ## CLI 1. Start Spice with `spice run`, then open a new terminal -2. Run `spice status` without an API key -```bash -$ spice status -2024/11/07 17:29:48 ERROR getting spiced status error="error fetching runtime information: Unauthorized" -``` -3. Now, run `spice status` with the API key -```bash -$ spice status --api-key foobar - -NAME ENDPOINT STATUS -http 127.0.0.1:8090 Ready -flight 127.0.0.1:50051 Ready -metrics 127.0.0.1:9090 Ready -opentelemetry 127.0.0.1:50052 Ready -``` +1. Run `spice status` without an API key + + ```bash + $ spice status + 2024/11/07 17:29:48 ERROR getting spiced status error="error fetching runtime information: Unauthorized" + ``` + +1. Now, run `spice status` with the API key + + ```bash + $ spice status --api-key foobar + + NAME ENDPOINT STATUS + http 127.0.0.1:8090 Ready + flight 127.0.0.1:50051 Ready + metrics 127.0.0.1:9090 Ready + opentelemetry 127.0.0.1:50052 Ready + ``` ## SQL REPL 1. Start Spice with `spice run`, then open a new terminal -2. Open the SQL REPL with `spice sql`, then attempt a SQL query: -```bash -$ spice sql +1. Open the SQL REPL with `spice sql`, then attempt a SQL query: -sql> select 1; -Error The query could not be completed because the user does not have permission to access the requested data. -``` + ```bash + $ spice sql + + sql> select 1; + Authentication Error Access denied. Invalid credentials. + ``` + +1. Re-open the SQL REPL with the API key and try the query again: -3. Now, open the SQL REPL with the API key and try the query again: -```bash -$ spice sql --api-key foobar + ```bash + $ spice sql --api-key foobar -sql> select 1; -+----------+ -| Int64(1) | -+----------+ -| 1 | -+----------+ + sql> select 1; + +----------+ + | Int64(1) | + +----------+ + | 1 | + +----------+ -Time: 0.007247375 seconds. 1 rows. -``` \ No newline at end of file + Time: 0.007247375 seconds. 1 rows. + ```