-
Notifications
You must be signed in to change notification settings - Fork 349
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: refactor a bunch of auth-related python [MLG-215] [MLG-1321] #8347
Conversation
✅ Deploy Preview for determined-ui canceled.
|
aeec327
to
f404228
Compare
78e76e9
to
8f340ab
Compare
8f340ab
to
08d859f
Compare
02ae907
to
0b9ebda
Compare
73424bd
to
9611dd4
Compare
89f9335
to
db43335
Compare
session = api.Session( | ||
info.master_url, None, None, cert, max_retries=util.get_max_retries_config() | ||
) | ||
utp = authentication.login_with_cache(info.master_url, cert=cert) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good. The magic is more explicit after this change. I think it's a good sign for the login part of your patch.
It'd be nice it could be done away with entirely, but that's outside the scope of this refactor.
Also note here that Session
is a natural choice in this context for a login
to return.
token_store.set_token(username, token) | ||
token_store.set_active(username) | ||
token_store = authentication.TokenStore(args.master) | ||
utp = authentication.login(args.master, username, password, cli.cert) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not your bug (exists both before this PR and after), but I just noticed that if you aren't logged in and you try to log in with a bad password you get
Failed to log in user: Unauthenticated: Please use 'det user login <username>' for password login, or for Enterprise users logging in with an SSO provider, use 'det auth login --provider=<provider>'.
Just in case you're interested in fixing it here.
Internet says:
Response to the User: A 401 error urges the user to log in or provide valid credentials. In contrast, a 403 error informs the user that access is forbidden, regardless of their authentication status.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not interested in fixing it here, sorry.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
d192bb4
to
7c081a3
Compare
289a04e
to
334ae52
Compare
retry = api.default_retry() | ||
|
||
return api.Session(master_url, args.user, authentication.cli_auth, cert, retry) | ||
utp = authentication.login_with_cache( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like how this refactor has landed for the CLI. I'm not asking for anything from this PR, in this comment.
I think this is a place where this refactor is a potential stepping-stone to a later state where we've set up a login path that is only for this particular use case. Curious if you think the same and can express it in a sentence or two for the wiki.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure I understand what you mean
resp = bindings.get_GetMaster(setup_session(args)) | ||
if not resp.to_json().get("rbacEnabled"): | ||
resp = bindings.get_GetMaster(unauth_session(args)) | ||
if not resp.rbacEnabled: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can't tell if you wanted feature_flag
to be a parameter or if you wanted it rbacEnabled
only.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pre-existing bug
(I only changed the code from weirdly switching from strongly typed bindings objects to weakly typed json dicts)
harness/determined/cli/version.py
Outdated
from determined.cli import render | ||
from determined.common import api | ||
from determined.common.declarative_argparse import Cmd | ||
|
||
|
||
def get_version(host: str) -> Dict[str, Any]: | ||
client_info = {"version": determined.__version__} | ||
def get_version(sess: api.BaseSession, host: str) -> Dict[str, Any]: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think including host
might be an unnecessary footgun.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, this is a carryover from when I had Session leaving certain of its attributes as private. It doesn't really make sense anymore.
Fixed.
334ae52
to
62c3b0b
Compare
42a02fc
to
9a867e9
Compare
- Remove the Authentication object. Authentication was both a dataclass containing username and token, as well as a complex login function disguised as an __init__. Now the dataclass is called UsernameTokenPair and the complex login function is called `login()` or `login_with_cache()`. - Make Session the core of API calls, not the api.request() function. The Session has a cache of authentication information and cert customization, and is easy to reuse. The api.request() function encourages the use of singletons and creates really confusing configure-singleton-in-every-entrypoint behaviors. - Introduce an UnauthSession which doesn't have an authentication token, for those few calls that we need to make which are not authenticated. - Add a detproc helper module to the e2e tests, so even tests requiring the cli can be based on explicit sessions. - Remove cli_auth and cli_cert singletons. - Delete all singleton-based @authentication.required decorators from the cli; just create a session instead. - Remove all api.{get,post,whatever} calls. - Refactor the Profiler a bit to accept a Session object. It used to depend on the cli_auth as well. - Add some Session helpers to the e2e tests, with much better caching. - Redesign the e2e auth to be Session-centric rather than cached-login centric, in particular: - redesign api_utils.create_test_user() - remove test_users.logged_in_user() - remove test_users.log_in_cli() - remove test_users.login_admin() - replace any call to Determined() with Determined._from_session() - Introduce detproc module in e2e tests for session-centric CLI calls, replacing various adhoc helpers: - test_user.det_spawn() - test_user.det_run() - test_exp_continue.det_cmd() - test_groups.det_cmd() - test_groups.det_cmd_json() - test_groups.det_cmd_expect_error() BREAKING CHANGE: This refactor removes the Session object from all public API namespaces, and also adds the new requirement that all tasks have a writable HOME directory. Previously, a small subset of functionality existed for tasks which had no writable HOME directory.
9a867e9
to
1eef9fe
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
- Remove the Authentication object. Authentication was both a dataclass containing username and token, as well as a complex login function disguised as an __init__. Now the dataclass is called UsernameTokenPair and the complex login function is called `login()` or `login_with_cache()`. - Make Session the core of API calls, not the api.request() function. The Session has a cache of authentication information and cert customization, and is easy to reuse. The api.request() function encourages the use of singletons and creates really confusing configure-singleton-in-every-entrypoint behaviors. - Introduce an UnauthSession which doesn't have an authentication token, for those few calls that we need to make which are not authenticated. - Add a detproc helper module to the e2e tests, so even tests requiring the cli can be based on explicit sessions. - Remove cli_auth and cli_cert singletons. - Delete all singleton-based @authentication.required decorators from the cli; just create a session instead. - Remove all api.{get,post,whatever} calls. - Refactor the Profiler a bit to accept a Session object. It used to depend on the cli_auth as well. - Add some Session helpers to the e2e tests, with much better caching. - Redesign the e2e auth to be Session-centric rather than cached-login centric, in particular: - redesign api_utils.create_test_user() - remove test_users.logged_in_user() - remove test_users.log_in_cli() - remove test_users.login_admin() - replace any call to Determined() with Determined._from_session() - Introduce detproc module in e2e tests for session-centric CLI calls, replacing various adhoc helpers: - test_user.det_spawn() - test_user.det_run() - test_exp_continue.det_cmd() - test_groups.det_cmd() - test_groups.det_cmd_json() - test_groups.det_cmd_expect_error() BREAKING CHANGE: This refactor removes the Session object from all public API namespaces, and also adds the new requirement that all tasks have a writable HOME directory. Previously, a small subset of functionality existed for tasks which had no writable HOME directory.
Remove the Authentication object.
Authentication was both a dataclass containing username and token, as
well as a complex login function disguised as an init.
Now the dataclass is called UsernameTokenPair and the complex login
function is called
login()
orlogin_with_cache()
.Make Session the core of API calls, not the api.request() function.
The Session has a cache of authentication information and cert
customization, and is easy to reuse. The api.request() function
encourages the use of singletons and creates really confusing
configure-singleton-in-every-entrypoint behaviors.
Introduce an UnauthSession which doesn't have an authentication token,
for those few calls that we need to make which are not authenticated.
Add a detproc helper module to the e2e tests, so even tests requiring
the cli can be based on explicit sessions.
Remove cli_auth and cli_cert singletons.
Delete all singleton-based @authentication.required decorators from
the cli; just create a session instead.
Remove all api.{get,post,whatever} calls.
Refactor the Profiler a bit to accept a Session object. It used to
depend on the cli_auth as well.
Add some Session helpers to the e2e tests, with much better caching.
Redesign the e2e auth to be Session-centric rather than cached-login
centric, in particular:
Introduce detproc module in e2e tests for session-centric CLI calls,
replacing various adhoc helpers: