feat(EN-115): Deprecate X-BackendAI-SSO header for pipeline service authentication #3353
…353.feature.md Co-authored-by: octodog <[email protected]>
src/ai/backend/web/proxy.py
Outdated
if proxy_path == "pipeline" and real_path.rstrip("/") == "login": | ||
api_rqst.headers["X-BackendAI-SessionID"] = request.headers.get( | ||
"X-BackendAI-SessionID", "" | ||
) |
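Review bot: request.headers.get("X-BackendAI-SessionID", "") falls back to an empty string, so a pipeline login request that arrives without the header is still forwarded with X-BackendAI-SessionID set to "". Consider setting the header only when the incoming value is non-empty, or rejecting the request here, so the downstream service does not have to tell a missing session ID from an empty one.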
I don't think rqst is a commonly used abbreviation. Would it be possible to rename it?
Renaming the api_rqst will be an over-scoped task, as the name is used in various modules in this project.
Would you mind if I issue a new ticket for it and proceed in next work?
Thank you.
Please create the rename task with priority: low and handle it when you have time. :)
The task will be tracked by BA-469
if proxy_path == "pipeline": | ||
session_id = request.headers.get("X-BackendAI-SessionID", "") | ||
if not (sso_token := request.headers.get("X-BackendAI-SSO")): | ||
jwt_secret = config["pipeline"]["jwt"]["secret"] | ||
now = datetime.now().astimezone() | ||
payload = { | ||
# Registered claims | ||
"exp": now + timedelta(seconds=config["session"]["max_age"]), | ||
"iss": "Backend.AI Webserver", | ||
"iat": now, | ||
# Private claims | ||
"aiohttp_session": session_id, | ||
"access_key": api_session.config.access_key, # since 23.03.10 | ||
} | ||
sso_token = jwt.encode(payload, key=jwt_secret, algorithm="HS256") | ||
api_rqst.headers["X-BackendAI-SSO"] = sso_token | ||
api_rqst.headers["X-BackendAI-SessionID"] = session_id |
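Review bot: at the if not (sso_token := request.headers.get("X-BackendAI-SSO")) line, a client-supplied X-BackendAI-SSO value skips the minting path, and nothing in these lines verifies its signature or claims before api_rqst.headers["X-BackendAI-SSO"] = sso_token is reached (assuming that assignment sits outside the if block; indentation is lost in this view). Since the header is being deprecated, add a comment stating whether this pass-through is kept for older clients and when it goes away. The aiohttp_session claim and the forwarded X-BackendAI-SessionID are also both taken from the incoming request header with a "" default, which deserves a line of documentation.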
How does Fasttrack handle version compatibility?
When making changes this time, is there any risk of breaking functionality for clients using previous versions?
It is recommended to use the same version as Backend.AI Core.
To enhance version compatibility, we may adopt a dedicated header (e.g., X-BackendAI-FastTrack-Version).
src/ai/backend/web/proxy.py
Outdated
if real_path.rstrip("/") == "login": | ||
api_session = await asyncio.shield(get_api_session(request, endpoint)) | ||
else: | ||
api_session = await asyncio.shield(get_anonymous_session(request, endpoint)) |
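Review bot: the real_path.rstrip("/") == "login" test that selects get_api_session over get_anonymous_session is the same string comparison used in the pipeline login header hunk earlier in this file, so the login route is identified in two places. Pull it into one named predicate or constant so both sites change together, and add a test for the trailing-slash variants it is meant to accept.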
Is there another way to identify it as a login path? Relying on the real_path could be fragile.
*, | ||
is_anonymous: bool = False, | ||
api_endpoint: Optional[str] = None, | ||
extra_forwarding_headers: Iterable[str] | None = None, |
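Review bot: the new extra_forwarding_headers parameter is annotated Iterable[str] | None while api_endpoint directly above it uses Optional[str]; pick one spelling for the signature. The parameter also needs a docstring line saying which headers it is meant to carry and where their values come from, since callers are effectively defining an allowlist of header names to forward.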
Any suggestion?
extra_forwarding_headers: Iterable[str] | None = None, | |
extra_http_headers_to_forward: Iterable[str] | None = None, |
Follow-up of #503 and #1350.
This pull request deprecates the JWT-based X-BackendAI-SSO header to reduce complexity in the authentication process for the pipeline service.
AS-IS
TO-BE
Checklist: (if applicable)