Add authorization to kserve #2625

Merged
merged 1 commit into from
Apr 5, 2024

@lucferbux lucferbux commented Mar 22, 2024

Closes https://issues.redhat.com/browse/RHOAIENG-2223

Description

Add the following changes:

  • Add section to enable route protection in kserve [screenshot]
  • New token section in kserve deployments [screenshot]
  • Check of Authorino availability to enable/disable the feature in kserve [screenshot]

How Has This Been Tested?

Local environment

  1. Go to backend/src/utils/dsci.ts and add the following code in line 15
```typescript
// Local test stub: after fetching the DSCI, overwrite status.conditions so that
// CapabilityServiceMeshAuthorization reports status 'True'.
const result: DataScienceClusterInitializationKind | null = await fastify.kube.customObjectsApi
  .listClusterCustomObject('dscinitialization.opendatahub.io', 'v1', 'dscinitializations')
  .then((res) => (res.body as DataScienceClusterInitializationList).items[0])
  .then((dsci) => {
    return {
      ...dsci,
      status: {
        ...dsci.status,
        conditions: [
          {
            lastHeartbeatTime: '2024-04-03T18:25:35Z',
            lastTransitionTime: '2024-04-03T18:25:35Z',
            message: 'Initializing DSCInitialization resource',
            reason: 'ReconcileInit',
            status: 'Unknown',
            type: 'ReconcileComplete',
          },
          {
            lastHeartbeatTime: '2024-04-03T18:25:35Z',
            lastTransitionTime: '2024-04-03T18:25:35Z',
            message: 'Initializing DSCInitialization resource',
            reason: 'ReconcileInit',
            status: 'False',
            type: 'Available',
          },
          {
            lastHeartbeatTime: '2024-04-03T18:25:35Z',
            lastTransitionTime: '2024-04-03T18:25:35Z',
            message: 'Initializing DSCInitialization resource',
            reason: 'ReconcileInit',
            status: 'True',
            type: 'Progressing',
          },
          {
            lastHeartbeatTime: '2024-04-03T18:25:35Z',
            lastTransitionTime: '2024-04-03T18:25:35Z',
            message: 'Initializing DSCInitialization resource',
            reason: 'ReconcileInit',
            status: 'False',
            type: 'Degraded',
          },
          {
            lastHeartbeatTime: '2024-04-03T18:25:35Z',
            lastTransitionTime: '2024-04-03T18:25:35Z',
            message: 'Initializing DSCInitialization resource',
            reason: 'ReconcileInit',
            status: 'Unknown',
            type: 'Upgradeable',
          },
          {
            lastHeartbeatTime: '2024-04-03T19:11:08Z',
            lastTransitionTime: '2024-04-03T18:49:23Z',
            message: 'Service Mesh configured properly',
            reason: 'Configured',
            status: 'True',
            type: 'CapabilityServiceMesh',
          },
          {
            lastHeartbeatTime: '2024-04-03T19:11:09Z',
            lastTransitionTime: '2024-04-03T19:10:27Z',
            message:
              'Authorino operator is not installed on the cluster, skipping authorization capability',
            reason: 'MissingOperator',
            status: 'True',
            type: 'CapabilityServiceMeshAuthorization',
          },
        ],
      },
    };
  })
  .catch((e) => {
    fastify.log.error(`Failure to fetch dsci: ${e.response.body}`);
    return null;
  });
```

(note: you should add the feature flag and the crd with oc apply)

  1. Go to model serving section and deploy a new model
  2. You should see the auth token section
  3. Deploy the model and check that you cannot access the model without the bearer token (you should have the authorino operator installed)
  4. Add the bearer token to the request; it should work now
  5. Edit the model and uncheck the auth token
  6. You should be able to do a request without authentication
  7. Delete the block of code you've added
  8. Token section should be hidden

Test Impact

Testing added

Request review criteria:

Self checklist (all need to be checked):

  • The developer has manually tested the changes and verified that the changes work
  • Commits have been squashed into descriptive, self-contained units of work (e.g. 'WIP' and 'Implements feedback' style messages have been removed)
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has added tests or explained why testing cannot be added (unit or cypress tests for related changes)

If you have UI changes:

  • Included any necessary screenshots or gifs if it was a UI change.
  • Included tags to the UX team if it was a UI/UX change (find relevant UX in the SMEs section).

After the PR is posted & before it merges:

  • The developer has tested their solution on a cluster by using the image produced by the PR to main
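
A fail-closed form of the availability check that the test procedure above exercises, as an added TypeScript example that is not the dashboard's own code. The `Dsci`, `Condition` and `Gate` types, `tokenAuthGate`, `sampleDsci`, and the requirement that `CapabilityServiceMesh` also be `True` are assumptions of this sketch; only the condition type names and status strings come from the stub above.

```typescript
// Added example; names are hypothetical, not the dashboard's own code.
type Condition = { type: string; status: string; reason?: string; message?: string };
type Dsci = { status?: { conditions?: Condition[] } };
type Gate = { showTokenSection: boolean; why: string };

const MESH = 'CapabilityServiceMesh';
const MESH_AUTHZ = 'CapabilityServiceMeshAuthorization';

// True only if the condition appears exactly once with status 'True'.
// 'Unknown', 'False', a missing entry or duplicates all count as unavailable.
function conditionIsTrue(dsci: Dsci, type: string): boolean {
  const matches = (dsci.status?.conditions ?? []).filter((c) => c.type === type);
  return matches.length === 1 && matches[0]?.status === 'True';
}

// Fail closed: any doubt about the capability hides the token section.
function tokenAuthGate(dsci: Dsci | null): Gate {
  if (dsci === null) {
    return { showTokenSection: false, why: 'DSCI could not be fetched' };
  }
  for (const type of [MESH, MESH_AUTHZ]) {
    if (!conditionIsTrue(dsci, type)) {
      return { showTokenSection: false, why: `${type} is not True` };
    }
  }
  return { showTokenSection: true, why: 'both capability conditions are True' };
}

// Constructed sample input modelled on the last two conditions of the stub above.
function sampleDsci(authzStatus: string): Dsci {
  return {
    status: {
      conditions: [
        { type: MESH, status: 'True', reason: 'Configured' },
        { type: MESH_AUTHZ, status: authzStatus, reason: 'MissingOperator' },
      ],
    },
  };
}

const cases: (Dsci | null)[] = [sampleDsci('True'), sampleDsci('False'), sampleDsci('Unknown'), null, {}];
for (const d of cases) {
  const gate = tokenAuthGate(d);
  console.log(gate.showTokenSection, '-', gate.why);
}
```

This sketch keys on `status` alone, so a condition shaped like the stub's (`status: 'True'` with `reason: 'MissingOperator'`) still shows the token section.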

@lucferbux
Contributor Author

/hold

@openshift-ci openshift-ci bot requested review from dpanshug and ppadti March 22, 2024 17:59
@openshift-ci openshift-ci bot added the do-not-merge/hold This PR is hold for some reason label Mar 22, 2024
@lucferbux lucferbux force-pushed the rhoaieng-2489 branch 2 times, most recently from 6ec1b0e to 75a388d Compare March 22, 2024 19:04
@christianvogt
Contributor

/retest

@lucferbux lucferbux force-pushed the rhoaieng-2489 branch 5 times, most recently from 93a6911 to 9d263f8 Compare April 4, 2024 12:05
@dgutride dgutride added the priority/high Important issue that needs to be resolved asap. Releases should not have too many of these. label Apr 4, 2024
Member

@andrewballantyne andrewballantyne left a comment

Skimmed it, reviewed the Area stuff -- needs a more contextual review and testing.

@lucferbux
Contributor Author

@vconzola Can you check the screenshots to make sure everything is right here?

@lucferbux lucferbux removed the do-not-merge/hold This PR is hold for some reason label Apr 4, 2024
@christianvogt
Contributor

Tested various scenarios with @lucferbux
One minor issue with form errors not clearing regarding duplicate SA names which Lucas will log separately.
Overall it seems to be working.

/lgtm
/approve

Contributor

openshift-ci bot commented Apr 5, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: christianvogt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label Apr 5, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit 7458216 into opendatahub-io:main Apr 5, 2024
6 checks passed