[feature] Add authorization to both ReadArtifacts and ReportMetrics endpoints #7818

Closed
difince opened this issue Jun 1, 2022 · 2 comments · Fixed by #7819
difince commented Jun 1, 2022

Feature Area

/area backend

What feature would you like to see?

Ensure that the user has permission to call ReadArtifacts and ReportMetrics

ReadArtifacts and ReportMetrics could leverage an existing function - canAccessRun to enable authorization.

What is the use case or pain point?

Currently, both ReadArtifacts and ReportMetrics do not check if the user has permissions to call these endpoints.

Is there a workaround currently?

No.
A security issue is exposed



difince added a commit to difince/pipelines that referenced this issue Jun 16, 2022
Persistent Agent authorizes itself based on the namespace and the current user

Fixes: kubeflow#7818
difince added a commit to difince/pipelines that referenced this issue Jun 20, 2022
Persistent Agent authorizes itself based on the namespace and the current user

Fixes: kubeflow#7818
@zijianjoy
Collaborator

/assign @chensun

@zijianjoy
Collaborator

Related: #4649

difince added a commit to difince/pipelines that referenced this issue Jun 29, 2022
Persistent Agent authorizes itself based on the namespace and the current user

Fixes: kubeflow#7818
difince added a commit to difince/pipelines that referenced this issue Jul 25, 2022
Persistent Agent authorizes itself based on the namespace and the current user

Fixes: kubeflow#7818
google-oss-prow bot pushed a commit that referenced this issue Aug 4, 2022
…7819)

* Authorize readArtifacts and ReportMetrics endpoints

New Verbs (reportMetrics and readArtifact) are added to ClusterRole with name: aggregate-to-kubeflow-pipelines-edit

Signed-off-by: Diana Atanasova <dianaa@vmware.com>

* Add authorization when Persistent Agent communicates with the api-server

Persistent Agent authorizes itself based on the namespace and the current user

Fixes: #7818

* Update persistence_agent.csv license file

Signed-off-by: Diana Atanasova <dianaa@vmware.com>

* Fix lexical error in persistent agent cluster role

Signed-off-by: Diana Atanasova <dianaa@vmware.com>

* Fix integration tests/Fix MULTIUSER= false usecase

Cover MULTIUSER=false usecase/Standalone pipeline installation.
In this case the namespace doesn't have `user` annotation and
there is no need to provide `kubeflow-userid` Header when making
a request against kfp-api-server

Signed-off-by: Diana Atanasova <dianaa@vmware.com>

* rebase: fix conflict in license file

Signed-off-by: Diana Atanasova <dianaa@vmware.com>

* rebase add new line in the end of licensing file

Signed-off-by: Diana Atanasova <dianaa@vmware.com>
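
The per-run check this issue asks for, sketched in Go as an added example that is not Kubeflow Pipelines code. `Server`, `sample`, the grant table and this `canAccessRun` signature are hypothetical; only the verb names, the `kubeflow-userid` identity and the MULTIUSER switch come from the thread, and treating an unknown run the same as a denied one is an assumption of the sketch.

```go
package main // hypothetical stand-ins for illustration; not Kubeflow Pipelines code

import (
	"errors"
	"fmt"
)

var ErrUnauthenticated = errors.New("missing kubeflow-userid")
var ErrForbidden = errors.New("permission denied")

type Server struct {
	MultiUser bool
	RunNS     map[string]string          // run ID -> owning namespace (server-side)
	Grants    map[string]map[string]bool // "user/namespace" -> permitted verbs
}

// canAccessRun looks up the namespace server-side; unknown and denied runs look alike.
func (s *Server) canAccessRun(user, runID, verb string) error {
	if !s.MultiUser {
		return nil // standalone install: no per-user identity to enforce
	}
	if user == "" {
		return ErrUnauthenticated
	}
	if ns, ok := s.RunNS[runID]; !ok || !s.Grants[user+"/"+ns][verb] {
		return ErrForbidden
	}
	return nil
}

// ReadArtifact and ReportMetrics each check their own verb before doing any work.
func (s *Server) ReadArtifact(user, runID string) (string, error) {
	if err := s.canAccessRun(user, runID, "readArtifact"); err != nil {
		return "", err
	}
	return "artifact:" + runID, nil // constructed placeholder payload
}
func (s *Server) ReportMetrics(user, runID string) error {
	return s.canAccessRun(user, runID, "reportMetrics")
}

func sample(multiUser bool) *Server { // constructed data: alice acts in team-a, bob in team-b
	edit := map[string]bool{"readArtifact": true, "reportMetrics": true}
	return &Server{MultiUser: multiUser, RunNS: map[string]string{"run-1": "team-a"},
		Grants: map[string]map[string]bool{"alice/team-a": edit, "bob/team-b": edit}}
}

func main() {
	fmt.Println("bob -> run-1:", sample(true).ReportMetrics("bob", "run-1"))
}
```

The caller supplies only a run ID; the namespace used for the decision comes from the server's own record of the run, so holding the verbs in one namespace grants nothing on runs in another.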
jlyaoyuli pushed a commit to jlyaoyuli/pipelines that referenced this issue Jan 5, 2023
…ubeflow#7819)
