chore: refactor a bunch of auth-related python [MLG-215] [MLG-1321] #8347
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for determined-ui canceled.
|
rb-determined-ai
force-pushed
the
rb/boil-oceans
branch
3 times, most recently
from
aeec327
to
f404228
Compare
rb-determined-ai
commented
Nov 9, 2023
rb-determined-ai
commented
Nov 9, 2023
rb-determined-ai
commented
Nov 9, 2023
rb-determined-ai
force-pushed
the
rb/boil-oceans
branch
6 times, most recently
from
78e76e9
to
8f340ab
Compare
rb-determined-ai
force-pushed
the
rb/boil-oceans
branch
from
8f340ab
to
08d859f
Compare
wes-turner
reviewed
Nov 28, 2023
wes-turner
reviewed
Nov 30, 2023
rb-determined-ai
force-pushed
the
rb/boil-oceans
branch
2 times, most recently
from
02ae907
to
0b9ebda
Compare
rb-determined-ai
force-pushed
the
rb/boil-oceans
branch
5 times, most recently
from
73424bd
to
9611dd4
Compare
rb-determined-ai
force-pushed
the
rb/boil-oceans
branch
3 times, most recently
from
89f9335
to
db43335
Compare
wes-turner
reviewed
Feb 8, 2024
wes-turner
reviewed
Feb 8, 2024
wes-turner
reviewed
Feb 8, 2024
wes-turner
reviewed
Feb 8, 2024
wes-turner
reviewed
Feb 9, 2024
wes-turner
reviewed
Feb 9, 2024
| session = api.Session( | ||
| info.master_url, None, None, cert, max_retries=util.get_max_retries_config() | ||
| ) | ||
| utp = authentication.login_with_cache(info.master_url, cert=cert) |
There was a problem hiding this comment.
This looks good. The magic is more explicit after this change. I think it's a good sign for the login part of your patch.
It'd be nice it could be done away with entirely, but that's outside the scope of this refactor.
Also note here that Session is a natural choice in this context for a login to return.
wes-turner
reviewed
Feb 9, 2024
wes-turner
reviewed
Feb 9, 2024
wes-turner
reviewed
Feb 9, 2024
wes-turner
reviewed
Feb 13, 2024
wes-turner
reviewed
Feb 14, 2024
| token_store.set_token(username, token) | ||
| token_store.set_active(username) | ||
| token_store = authentication.TokenStore(args.master) | ||
| utp = authentication.login(args.master, username, password, cli.cert) |
There was a problem hiding this comment.
Not your bug (exists both before this PR and after), but I just noticed that if you aren't logged in and you try to log in with a bad password you get
Failed to log in user: Unauthenticated: Please use 'det user login <username>' for password login, or for Enterprise users logging in with an SSO provider, use 'det auth login --provider=<provider>'.
Just in case you're interested in fixing it here.
Internet says:
Response to the User: A 401 error urges the user to log in or provide valid credentials. In contrast, a 403 error informs the user that access is forbidden, regardless of their authentication status.
There was a problem hiding this comment.
I am not interested in fixing it here, sorry.
There was a problem hiding this comment.
rb-determined-ai
force-pushed
the
rb/boil-oceans
branch
from
d192bb4
to
7c081a3
Compare
wes-turner
reviewed
Feb 15, 2024
wes-turner
reviewed
Feb 15, 2024
rb-determined-ai
force-pushed
the
rb/boil-oceans
branch
2 times, most recently
from
289a04e
to
334ae52
Compare
wes-turner
reviewed
Feb 20, 2024
| retry = api.default_retry() | ||
|
|
||
| return api.Session(master_url, args.user, authentication.cli_auth, cert, retry) | ||
| utp = authentication.login_with_cache( |
There was a problem hiding this comment.
I like how this refactor has landed for the CLI. I'm not asking for anything from this PR, in this comment.
I think this is a place where this refactor is a potential stepping-stone to a later state where we've set up a login path that is only for this particular use case. Curious if you think the same and can express it in a sentence or two for the wiki.
There was a problem hiding this comment.
I'm not sure I understand what you mean
wes-turner
reviewed
Feb 20, 2024
| resp = bindings.get_GetMaster(setup_session(args)) | ||
| if not resp.to_json().get("rbacEnabled"): | ||
| resp = bindings.get_GetMaster(unauth_session(args)) | ||
| if not resp.rbacEnabled: |
There was a problem hiding this comment.
I can't tell if you wanted feature_flag to be a parameter or if you wanted it rbacEnabled only.
There was a problem hiding this comment.
pre-existing bug
(I only changed the code from weirdly switching from strongly typed bindings objects to weakly typed json dicts)
wes-turner
reviewed
Feb 20, 2024
harness/determined/cli/version.py
Outdated
| from determined.cli import render | ||
| from determined.common import api | ||
| from determined.common.declarative_argparse import Cmd | ||
|
|
||
|
|
||
| def get_version(host: str) -> Dict[str, Any]: | ||
| client_info = {"version": determined.__version__} | ||
| def get_version(sess: api.BaseSession, host: str) -> Dict[str, Any]: |
There was a problem hiding this comment.
I think including host might be an unnecessary footgun.
There was a problem hiding this comment.
yeah, this is a carryover from when I had Session leaving certain of its attributes as private. It doesn't really make sense anymore.
Fixed.
rb-determined-ai
force-pushed
the
rb/boil-oceans
branch
from
334ae52
to
62c3b0b
Compare
wes-turner
approved these changes
Feb 21, 2024
rb-determined-ai
force-pushed
the
rb/boil-oceans
branch
2 times, most recently
from
42a02fc
to
9a867e9
Compare
- Remove the Authentication object.
Authentication was both a dataclass containing username and token, as
well as a complex login function disguised as an __init__.
Now the dataclass is called UsernameTokenPair and the complex login
function is called `login()` or `login_with_cache()`.
- Make Session the core of API calls, not the api.request() function.
The Session has a cache of authentication information and cert
customization, and is easy to reuse. The api.request() function
encourages the use of singletons and creates really confusing
configure-singleton-in-every-entrypoint behaviors.
- Introduce an UnauthSession which doesn't have an authentication token,
for those few calls that we need to make which are not authenticated.
- Add a detproc helper module to the e2e tests, so even tests requiring
the cli can be based on explicit sessions.
- Remove cli_auth and cli_cert singletons.
- Delete all singleton-based @authentication.required decorators from
the cli; just create a session instead.
- Remove all api.{get,post,whatever} calls.
- Refactor the Profiler a bit to accept a Session object. It used to
depend on the cli_auth as well.
- Add some Session helpers to the e2e tests, with much better caching.
- Redesign the e2e auth to be Session-centric rather than cached-login
centric, in particular:
- redesign api_utils.create_test_user()
- remove test_users.logged_in_user()
- remove test_users.log_in_cli()
- remove test_users.login_admin()
- replace any call to Determined() with Determined._from_session()
- Introduce detproc module in e2e tests for session-centric CLI calls,
replacing various adhoc helpers:
- test_user.det_spawn()
- test_user.det_run()
- test_exp_continue.det_cmd()
- test_groups.det_cmd()
- test_groups.det_cmd_json()
- test_groups.det_cmd_expect_error()
BREAKING CHANGE: This refactor removes the Session object from all
public API namespaces, and also adds the new requirement that all tasks
have a writable HOME directory. Previously, a small subset of
functionality existed for tasks which had no writable HOME directory.
rb-determined-ai
force-pushed
the
rb/boil-oceans
branch
from
9a867e9
to
1eef9fe
Compare
maxrussell
pushed a commit
that referenced
this pull request
Mar 21, 2024
- Remove the Authentication object.
Authentication was both a dataclass containing username and token, as
well as a complex login function disguised as an __init__.
Now the dataclass is called UsernameTokenPair and the complex login
function is called `login()` or `login_with_cache()`.
- Make Session the core of API calls, not the api.request() function.
The Session has a cache of authentication information and cert
customization, and is easy to reuse. The api.request() function
encourages the use of singletons and creates really confusing
configure-singleton-in-every-entrypoint behaviors.
- Introduce an UnauthSession which doesn't have an authentication token,
for those few calls that we need to make which are not authenticated.
- Add a detproc helper module to the e2e tests, so even tests requiring
the cli can be based on explicit sessions.
- Remove cli_auth and cli_cert singletons.
- Delete all singleton-based @authentication.required decorators from
the cli; just create a session instead.
- Remove all api.{get,post,whatever} calls.
- Refactor the Profiler a bit to accept a Session object. It used to
depend on the cli_auth as well.
- Add some Session helpers to the e2e tests, with much better caching.
- Redesign the e2e auth to be Session-centric rather than cached-login
centric, in particular:
- redesign api_utils.create_test_user()
- remove test_users.logged_in_user()
- remove test_users.log_in_cli()
- remove test_users.login_admin()
- replace any call to Determined() with Determined._from_session()
- Introduce detproc module in e2e tests for session-centric CLI calls,
replacing various adhoc helpers:
- test_user.det_spawn()
- test_user.det_run()
- test_exp_continue.det_cmd()
- test_groups.det_cmd()
- test_groups.det_cmd_json()
- test_groups.det_cmd_expect_error()
BREAKING CHANGE: This refactor removes the Session object from all
public API namespaces, and also adds the new requirement that all tasks
have a writable HOME directory. Previously, a small subset of
functionality existed for tasks which had no writable HOME directory.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Remove the Authentication object.
Authentication was both a dataclass containing username and token, as
well as a complex login function disguised as an init.
Now the dataclass is called UsernameTokenPair and the complex login
function is called
login()orlogin_with_cache().Make Session the core of API calls, not the api.request() function.
The Session has a cache of authentication information and cert
customization, and is easy to reuse. The api.request() function
encourages the use of singletons and creates really confusing
configure-singleton-in-every-entrypoint behaviors.
Introduce an UnauthSession which doesn't have an authentication token,
for those few calls that we need to make which are not authenticated.
Add a detproc helper module to the e2e tests, so even tests requiring
the cli can be based on explicit sessions.
Remove cli_auth and cli_cert singletons.
Delete all singleton-based @authentication.required decorators from
the cli; just create a session instead.
Remove all api.{get,post,whatever} calls.
Refactor the Profiler a bit to accept a Session object. It used to
depend on the cli_auth as well.
Add some Session helpers to the e2e tests, with much better caching.
Redesign the e2e auth to be Session-centric rather than cached-login
centric, in particular:
Introduce detproc module in e2e tests for session-centric CLI calls,
replacing various adhoc helpers: