Provide login endpoint for the REST API with JWT authentication method#14219
Provide login endpoint for the REST API with JWT authentication method#14219ephraimbuddy wants to merge 26 commits into
Conversation
|
The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Backport packages$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*. |
|
The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Backport packages$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*. |
|
Can you add a little more docs? |
Hi @mik-laj , I have provided more info. Let me know what you think. Thanks |
|
The Workflow run is cancelling this PR. Building images for the PR has failed. Follow the the workflow link to check the reason. |
|
The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Backport packages$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*. |
ashb
left a comment
There was a problem hiding this comment.
We need to think more about how this plays with the configurable/pluggable auth backends.
As it's written now it only works for U:P which is far from ideal
|
The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Backport packages$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*. |
|
The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Backport packages$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*. |
e1815ca to
12cee4a
Compare
|
The Workflow run is cancelling this PR. Building images for the PR has failed. Follow the the workflow link to check the reason. |
|
The Workflow run is cancelling this PR. Building images for the PR has failed. Follow the the workflow link to check the reason. |
a680ffc to
64e02d9
Compare
|
The Workflow run is cancelling this PR. Building images for the PR has failed. Follow the the workflow link to check the reason. |
64e02d9 to
5b9bb91
Compare
|
The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Backport packages$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*. |
7d7f585 to
c1a69c6
Compare
|
The Workflow run is cancelling this PR. Building images for the PR has failed. Follow the the workflow link to check the reason. |
|
Currently, I believe this can handle any type of authentication. The /login endpoint just looks for current user in security manager, and if there is, it generates a token. If the endpoint is called with basic authentication header, it verifies and logs the user in and then generates the auth token. If not called with any authentication header, it checks for current_user which might have logged in through Oauth and then generate a token. If no user is logged in, it raises 404. I have a unittest where I used Any thoughts on this implementation? |
|
Taking a look |
56c5929 to
41ce948
Compare
…h suggestions from code review
8e32352 to
b3dc520
Compare
| default: "airflow.api.auth.backend.deny_all" | ||
| - name: jwt_access_token_expires | ||
| description: How long an access token should live before it expires(in minutes). | ||
| version_added: 2.0.2 |
ashb
left a comment
There was a problem hiding this comment.
The general approach of the login/logout endpoints are fine, and the way of handling JWT is okay, but the auth_current_user approach needs re-thinking.
We have essentially built a parallel auth backend system here, but one that is not pluggable (can only disable).
Instead we should use the existing auth_backend mechanism, and accept that if the user has set the mechanism to DenyAll then they won't be able to log in via the new UI.
In future we will also then extend the API to add an endpoint for the UI to introspect the server about the auth mechanisms (i.e. "Should I show a username-password form? Or should I show some 'Log In with X' buttons?)
| description: Logout user by unsetting cookies | ||
| x-openapi-router-controller: airflow.api_connexion.endpoints.auth_endpoint | ||
| operationId: logout | ||
| tags: [WebserverAuth] |
There was a problem hiding this comment.
| tags: [WebserverAuth] | |
| tags: [Authentication] |
| Verify user and set jwt token in cookies | ||
| x-openapi-router-controller: airflow.api_connexion.endpoints.auth_endpoint | ||
| operationId: login | ||
| tags: [WebserverAuth] |
There was a problem hiding this comment.
| tags: [WebserverAuth] | |
| tags: [Authentication] |
| log = logging.getLogger(__name__) | ||
|
|
||
|
|
||
| def auth_current_user(): |
There was a problem hiding this comment.
This isn't strictly only tied to webserver use of the API, so lets have this function live in security.py
| raise Unauthenticated(headers=response.headers) | ||
| if response.status_code == 200: | ||
| return | ||
| if auth_current_user(): |
There was a problem hiding this comment.
By having this here, it means that any/all requests would accept and process Authorization headers, which is probably not what we want?
|
closing this for #15042 |
Currently, the REST API uses a separate authentication method to the webserver authentication. The current authentication method through the auth_backend won't allow us to build a modern UI based on the REST API. This is because it's too flexible. Users can customise it and if we use it for a new UI, it posses the problem that misconfiguration can make the new UI to fail.
This PR seeks to add
/loginendpoint with jwt authentication backend. This will help us to build a new UI using the REST API.The JWT authentication works alongside other auth_backends.
The idea is to create a separate authentication for accessing the REST API without failure. When the
/loginendpoint is requested with email and password. If the email and password are correct, a jwt token is generated for the request and sent back together with the user data. This token can then be used in subsequent requests to other endpoints and are verified/authenticated.The token is signed with an expiration time which I took from the
session_lifetime_minutesconfiguration.User data to be returned after a successful login is also being worked on in this PR.
As I want to return the full user data, I'm also working on the permission and role data
Note:
auth_backendstill works as this new auth backend is just an addition and strictly for v1 stable API^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code change, Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in UPDATING.md.