Add AWS remote auth login #7578

Merged
merged 38 commits into from
Apr 10, 2024
Changes from 10 commits
Commits
ca02c1c  Add AWS remote auth login  (idanovo, Mar 19, 2024)
ce5b5e0  Add a test  (idanovo, Mar 19, 2024)
692916a  Fix  (idanovo, Mar 19, 2024)
31f7761  Fix logic  (idanovo, Mar 20, 2024)
60389b0  Add relevant tags  (idanovo, Mar 20, 2024)
47ddb2b  Fix  (idanovo, Mar 20, 2024)
b09b303  Fix  (idanovo, Mar 20, 2024)
ed4042f  Fix  (idanovo, Mar 20, 2024)
bde0214  Fix  (idanovo, Mar 20, 2024)
5920fcc  Fix  (idanovo, Mar 20, 2024)
134ba63  Fix PR comments  (idanovo, Mar 20, 2024)
5cb4a8d  Fix  (idanovo, Mar 20, 2024)
e91fe5d  Fix external login API call  (idanovo, Mar 21, 2024)
cab7bdd  merged from master  (idanovo, Mar 25, 2024)
462bee5  Revert  (idanovo, Mar 25, 2024)
0247f49  Fix test  (idanovo, Mar 25, 2024)
fb95a20  Return principal ID instead of user ID for ExternalPrincipalLogin  (idanovo, Mar 25, 2024)
74cbb53  Changed request param  (idanovo, Mar 27, 2024)
d2e77e2  Fix review  (idanovo, Mar 27, 2024)
11bee35  Fix PR comments  (idanovo, Mar 27, 2024)
fec0a34  Fix PR review  (idanovo, Mar 27, 2024)
4628cd0  Merge branch 'master' of https://github.com/treeverse/lakeFS into 757…  (idanovo, Mar 31, 2024)
2e4d425  Add potential status codes  (idanovo, Apr 2, 2024)
714aba7  Fix  (idanovo, Apr 2, 2024)
8fe9e61  Fix PR comments  (idanovo, Apr 2, 2024)
bbbe23e  Fix test  (idanovo, Apr 2, 2024)
9fbc1b0  Lint  (idanovo, Apr 2, 2024)
7d1d27e  Pull from master  (idanovo, Apr 3, 2024)
68422ae  Fix  (idanovo, Apr 3, 2024)
e8a2349  Update docs  (idanovo, Apr 7, 2024)
bf86e73  Merge branch 'master' of https://github.com/treeverse/lakeFS into 757…  (idanovo, Apr 9, 2024)
77f7bb3  PR review  (idanovo, Apr 9, 2024)
77b65c1  Return external login status code  (idanovo, Apr 10, 2024)
6bdbe62  Error handling  (idanovo, Apr 10, 2024)
92f99af  Merge branch 'master' of https://github.com/treeverse/lakeFS into 757…  (idanovo, Apr 10, 2024)
05a794a  PR review  (idanovo, Apr 10, 2024)
1a2755f  Docs update  (idanovo, Apr 10, 2024)
1e5fa4c  Fix docs  (idanovo, Apr 10, 2024)
52 changes: 50 additions & 2 deletions api/authorization.yml
Expand Up @@ -18,6 +18,9 @@ components:
type: http
scheme: bearer
bearerFormat: JWT
external_auth:
type: http
scheme: basic

parameters:
PaginationPrefix:
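Review bot: the new `external_auth` security scheme (type `http`, scheme `basic`) does not say what credential a client is expected to put in the Basic Authorization header, and the only external-login operation in this patch declares `security: []` and takes its input from a JSON body instead. Add a `description` to the scheme stating which token or credential it carries and how the server validates it, or leave the scheme out until an operation actually consumes it.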
Expand Down Expand Up @@ -363,6 +366,15 @@ components:
items:
$ref: "#/components/schemas/ExternalPrincipal"

ExternalLoginInformation:
Review comment (Contributor):
lakeFS should not be aware of the details of the identity token fields or params.
It should pass it to the remote authentication services.
So in other words, it should be some generic object key/value in the body that will be passed to the remote authentication service as is.

The remote service, on the other hand, which does the login, will serialize this object and extract specific fields to create the AWS request.

type: object
required:
- presigned_url
properties:
presigned_url:
type: string


paths:
/auth/users:
get:
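Review bot: `presigned_url` is declared as a bare `type: string` with no `format`, `description` or length bound, even though the remote authentication service will build an AWS request from whatever URL the caller supplies. Add `format: uri`, a description of which request the URL must be a presigned form of, and a `maxLength`, and make sure the implementation checks the URL's host against an allowlist of expected AWS endpoints before using it, so an unauthenticated caller cannot steer the service into requesting an arbitrary address.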
Expand Down Expand Up @@ -1102,6 +1114,7 @@ paths:
$ref: "#/components/responses/Unauthorized"
default:
$ref: "#/components/responses/ServerError"

/auth/users/{userId}/external/principals/ls:
parameters:
- in: path
Expand All @@ -1112,6 +1125,7 @@ paths:
get:
tags:
- auth
- external
- experimental
parameters:
- $ref: "#/components/parameters/PaginationPrefix"
Expand Down Expand Up @@ -1148,6 +1162,7 @@ paths:
post:
tags:
- auth
- external
- experimental
operationId: createUserExternalPrincipal
summary: Create principal as external identity connected to lakeFS user
Expand All @@ -1164,8 +1179,9 @@ paths:
$ref: "#/components/responses/ServerError"
delete:
tags:
- auth
- experimental
- auth
- external
- experimental
operationId: deleteUserExternalPrincipal
summary: delete external principal from user's external principal list
responses:
Expand Down Expand Up @@ -1208,6 +1224,38 @@ paths:
default:
$ref: "#/components/responses/ServerError"

/auth/external/login:
post:
Review comment (Contributor):
Shouldn't this be part of the authentication API?

Reply (Contributor, author):
It should.
I'll move it there once you merge your PR.

Reply (Contributor):
Thanks! Sorry for blocking 😬

tags:
- auth
- external
- experimental
operationId: externalLogin
summary: perform a login using an external authenticator
security: []
requestBody:
content:
application/json:
schema:
$ref: "#/components/schemas/ExternalLoginInformation"
responses:
200:
description: successful login
headers:
Set-Cookie:
schema:
type: string
content:
application/json:
schema:
$ref: "#/components/schemas/User"
401:
$ref: "#/components/responses/Unauthorized"
420:
description: too many requests
default:
$ref: "#/components/responses/ServerError"

/healthcheck:
get:
operationId: healthCheck
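Review bot: `420` is not a registered HTTP status code for rate limiting; the standard "Too Many Requests" code is 429 (RFC 6585), so the `420:` response should become `429:` unless the server really emits 420. This copy of the operation also returns `#/components/schemas/User` on 200 while the same path in swagger.yml returns `AuthenticationToken`; the two specs should agree on the response body. Since the operation is unauthenticated (`security: []`), stating the rate limit under the 429 response would let clients back off correctly.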
45 changes: 44 additions & 1 deletion api/swagger.yml
Expand Up @@ -17,6 +17,7 @@ security:
- cookie_auth: []
- oidc_auth: []
- saml_auth: []
- external_auth: []
components:
securitySchemes:
basic_auth:
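Review bot: adding `- external_auth: []` to the top-level `security` list makes it an accepted credential for every operation in swagger.yml, not only the login path, yet nothing in the patch documents what the scheme's Basic credentials are or how the server validates them. If the external login is meant to hand back a cookie or `AuthenticationToken` that is then used with the existing `cookie_auth` scheme, the global entry is unnecessary and should be removed; otherwise add a `description` to the scheme so clients and reviewers know what is being accepted.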
Expand All @@ -38,6 +39,10 @@ components:
type: apiKey
in: cookie
name: saml_auth_session
external_auth:
type: http
scheme: basic

parameters:
PaginationPrefix:
in: query
Expand Down Expand Up @@ -1050,6 +1055,14 @@ components:
secret_access_key:
type: string

ExternalLoginInformation:
type: object
required:
- presigned_url
properties:
presigned_url:
type: string

AuthenticationToken:
type: object
required:
Expand Down Expand Up @@ -1803,7 +1816,37 @@ paths:
default:
$ref: "#/components/responses/ServerError"


/auth/external/login:
post:
tags:
- auth
- external
- experimental
operationId: externalLogin
summary: perform a login using an external authenticator
security: []
requestBody:
content:
application/json:
schema:
$ref: "#/components/schemas/ExternalLoginInformation"
responses:
200:
description: successful login
headers:
Set-Cookie:
schema:
type: string
content:
application/json:
schema:
$ref: "#/components/schemas/AuthenticationToken"
401:
$ref: "#/components/responses/Unauthorized"
420:
description: too many requests
default:
$ref: "#/components/responses/ServerError"

/auth/capabilities:
get:
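Review bot: the 200 response declares both a `Set-Cookie` header and an `AuthenticationToken` body without saying whether they represent the same session or which one a client should use; add a `description` on the header naming the cookie and stating that it shares the token's expiry. The `420:` response here has the same problem as the copy in authorization.yml: the standard rate-limit status is 429, and the two files should use the same code.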
3 changes: 3 additions & 0 deletions clients/java-legacy/.openapi-generator/FILES

13 changes: 13 additions & 0 deletions clients/java-legacy/README.md

56 changes: 56 additions & 0 deletions clients/java-legacy/api/openapi.yaml
