feat(sdk): migrate v1 auth to v2 (#7789)

* initial auth migration (@ji-yaqi) * clean up files * update imports * add type annotations * update docstrings * add tests
2022-09-06 17:54:29 -06:00 · 2022-09-06 17:54:29 -06:00 · e14a784327
parent a3c7c380a3
commit e14a784327
6 changed files with 268 additions and 3 deletions
--- a/sdk/python/kfp/client/init.py
+++ b/sdk/python/kfp/client/init.py
@ -18,3 +18,9 @@ __all__ = [
 ]

 from kfp.client.client import Client
+from kfp.client.set_volume_credentials import \
+    ServiceAccountTokenVolumeCredentials
+from kfp.client.token_credentials_base import TokenCredentialsBase
+
+KF_PIPELINES_SA_TOKEN_ENV = 'KF_PIPELINES_SA_TOKEN_PATH'
+KF_PIPELINES_SA_TOKEN_PATH = '/var/run/secrets/kubeflow/pipelines/token'
--- a/sdk/python/kfp/client/client.py
+++ b/sdk/python/kfp/client/client.py
@ -29,6 +29,7 @@ import zipfile

 from kfp import compiler
 from kfp.client import auth
+from kfp.client import set_volume_credentials
 from kfp.components import base_component
 import kfp_server_api
 import yaml
@ -367,9 +368,8 @@ class Client:
        # implement more and more credentials, we can have some heuristic and
        # choose from a number of options.
        # See https://github.com/kubeflow/pipelines/pull/5287#issuecomment-805654121
-
-        # TODO: auth.ServiceAccountCredentials does not exist... dead code path?
-        credentials = auth.ServiceAccountTokenVolumeCredentials()
+        credentials = set_volume_credentials.ServiceAccountTokenVolumeCredentials(
+        )
        config_copy = copy.deepcopy(config)

        try:
--- a/sdk/python/kfp/client/set_volume_credentials.py
+++ b/sdk/python/kfp/client/set_volume_credentials.py
@ -0,0 +1,84 @@
+# Copyright 2022 The Kubeflow Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import logging
+import os
+from typing import Optional
+
+from kfp import client
+from kfp.client import token_credentials_base
+from kubernetes.client import configuration
+
+
+class ServiceAccountTokenVolumeCredentials(
+        token_credentials_base.TokenCredentialsBase):
+    """Audience-bound ServiceAccountToken in the local filesystem.
+
+    This is a credentials interface for audience-bound ServiceAccountTokens
+    found in the local filesystem, that get refreshed by the kubelet.
+
+    The constructor of the class expects a filesystem path.
+    If not provided, it uses the path stored in the environment variable
+    defined in ``client.KF_PIPELINES_SA_TOKEN_ENV``.
+    If the environment variable is also empty, it falls back to the path
+    specified in ``client.KF_PIPELINES_SA_TOKEN_PATH``.
+
+    This method of authentication is meant for use inside a Kubernetes cluster.
+
+    Relevant documentation:
+    https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection
+    """
+
+    def __init__(self, path: Optional[str] = None) -> None:
+        """Constructs ServiceAccountTokenVolumeCredentials.
+
+        Args:
+            path (Optional[str], optional): Path of file containing auth token. Defaults to None.
+        """
+        self._token_path = (
+            path or os.getenv(client.KF_PIPELINES_SA_TOKEN_ENV) or
+            client.KF_PIPELINES_SA_TOKEN_PATH)
+
+    def _get_token(self) -> str:
+        """Reads the token found in file provided as `path` argument to
+        ServiceAccountTokenVolumeCredentials constructor.
+
+        Returns:
+            str: The token.
+        """
+        token = None
+        try:
+            token = token_credentials_base.read_token_from_file(
+                self._token_path)
+        except OSError as e:
+            logging.error("Failed to read a token from file '%s' (%s).",
+                          self._token_path, str(e))
+            raise
+        return token
+
+    def refresh_api_key_hook(self, config: configuration.Configuration) -> None:
+        """Refreshes the api key using the token found in file provided as
+        `path` argument to ServiceAccountTokenVolumeCredentials constructor.
+
+        This is a helper function for registering token refresh with swagger
+        generated clients.
+
+        Args:
+            config (kubernetes.client.configuration.Configuration):
+                The configuration object that the client uses.
+
+                The Configuration object of the kubernetes client's is the same
+                with kfp_server_api.configuration.Configuration.
+        """
+        config.api_key['authorization'] = self._get_token()
--- a/sdk/python/kfp/client/set_volume_credentials_test.py
+++ b/sdk/python/kfp/client/set_volume_credentials_test.py
@ -0,0 +1,49 @@
+# Copyright 2022 The Kubeflow Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import tempfile
+import unittest
+
+from kfp.client import set_volume_credentials
+from kfp.client import token_credentials_base
+from kubernetes.client import configuration
+
+
+class TestServiceAccountTokenVolumeCredentials(unittest.TestCase):
+
+    def test_get_token(self):
+        with tempfile.TemporaryDirectory() as tempdir:
+            token_path = os.path.join(tempdir, 'token.txt')
+            with open(token_path, 'w') as f:
+                f.write('my_token')
+            service_account_tvc = set_volume_credentials.ServiceAccountTokenVolumeCredentials(
+                token_path)
+
+            self.assertEqual(service_account_tvc._get_token(), 'my_token')
+
+    def test_refresh_api_key_hook(self):
+        with tempfile.TemporaryDirectory() as tempdir:
+            token_path = os.path.join(tempdir, 'token.txt')
+            with open(token_path, 'w') as f:
+                f.write('my_token')
+            service_account_tvc = set_volume_credentials.ServiceAccountTokenVolumeCredentials(
+                token_path)
+            config = configuration.Configuration()
+
+            with self.assertRaisesRegex(KeyError, r'authorization'):
+                config.api_key['authorization']
+
+            service_account_tvc.refresh_api_key_hook(config)
+            self.assertEqual(config.api_key['authorization'], 'my_token')
--- a/sdk/python/kfp/client/token_credentials_base.py
+++ b/sdk/python/kfp/client/token_credentials_base.py
@ -0,0 +1,55 @@
+# Copyright 2022 The Kubeflow Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import abc
+from typing import Optional
+
+from kubernetes.client import configuration
+
+
+class TokenCredentialsBase(abc.ABC):
+
+    @abc.abstractmethod
+    def refresh_api_key_hook(self, config: configuration.Configuration) -> None:
+        """Refreshes the api key.
+
+        This is a helper function for registering token refresh with swagger
+        generated clients.
+
+        All classes that inherit from TokenCredentialsBase must implement this
+        method to refresh the credentials.
+
+        Args:
+            config (kubernetes.client.configuration.Configuration):
+                The configuration object that the client uses.
+
+                The Configuration object of the kubernetes client's is the same
+                with kfp_server_api.configuration.Configuration.
+        """
+        raise NotImplementedError()
+
+
+def read_token_from_file(path: Optional[str] = None) -> str:
+    """Reads a token found in some file.
+
+    Args:
+        path (Optional[str], optional): Path of file containing auth token. Defaults to None.
+
+    Returns:
+        str: The token.
+    """
+    token = None
+    with open(path) as f:
+        token = f.read().strip()
+    return token
--- a/sdk/python/kfp/client/token_credentials_base_test.py
+++ b/sdk/python/kfp/client/token_credentials_base_test.py
@ -0,0 +1,71 @@
+# Copyright 2022 The Kubeflow Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import os
+import tempfile
+import unittest
+
+from kfp.client import token_credentials_base
+from kubernetes.client import configuration
+
+
+class TestTokenCredentialsBase(unittest.TestCase):
+
+    def test_cannot_instantiate_abc(self):
+
+        class MyTokenGetter(token_credentials_base.TokenCredentialsBase):
+
+            def something(self) -> None:
+                pass
+
+        with self.assertRaisesRegex(TypeError,
+                                    r"Can't instantiate abstract class"):
+            MyTokenGetter()
+
+    def test_can_instantiate_with_refresh_api_key_hook(self):
+
+        class MyTokenGetter(token_credentials_base.TokenCredentialsBase):
+
+            def refresh_api_key_hook(
+                    self, config: configuration.Configuration) -> None:
+                pass
+
+        # does not raise Exception
+        MyTokenGetter()
+
+
+class TestReadTokenFromFile(unittest.TestCase):
+
+    def test_none_path(self):
+        with self.assertRaisesRegex(TypeError, r'^expected .* not NoneType'):
+            token_credentials_base.read_token_from_file()
+
+    def test_str_path(self):
+        with tempfile.TemporaryDirectory() as tempdir:
+            token_path = os.path.join(tempdir, 'token.txt')
+            with open(token_path, 'w') as f:
+                f.write('my_token')
+
+            self.assertEqual(
+                token_credentials_base.read_token_from_file(token_path),
+                'my_token')
+
+    def test_str_path_extra_spaces_in_token(self):
+        with tempfile.TemporaryDirectory() as tempdir:
+            token_path = os.path.join(tempdir, 'token.txt')
+            with open(token_path, 'w') as f:
+                f.write(' my_token ')
+
+            self.assertEqual(
+                token_credentials_base.read_token_from_file(token_path),
+                'my_token')