Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(EN-115): Deprecate X-BackendAI-SSO header for pipeline service authentication #3353

Open
wants to merge 9 commits into
base: main
Choose a base branch
from

Conversation

rapsealk
Copy link
Member

@rapsealk rapsealk commented Jan 2, 2025

Follow-up of #503 and #1350.

This pull request deprecates the JWT-based X-BackendAI-SSO header to reduce complexity in authentication process for the pipeline service.

AS-IS

sequenceDiagram
    Client->>+Backend.AI Gateway: POST /pipeline/login/ (X-BackendAI-SessionID: ...)
    Backend.AI Gateway-->>+Backend.AI FastTrack: POST /login/ (X-BackendAI-SessionID: ..., X-BackendAI-SSO: ...)
    Backend.AI FastTrack-->>-Backend.AI Gateway: 200 OK (X-BackendAI-SSO: ...)
    Backend.AI Gateway-->>-Client: 200 OK (X-BackendAI-SSO: ...)
    Client->>+Backend.AI Gateway: POST /pipeline/.../ (X-BackendAI-SessionID: ..., X-BackendAI-SSO: ...)
    Backend.AI Gateway-->>+Backend.AI FastTrack: POST /.../ (X-BackendAI-SessionID: ..., X-BackendAI-SSO: ...)
    Backend.AI FastTrack-->>-Backend.AI Gateway: 200 OK
    Backend.AI Gateway->>-Client: 200 OK
Loading

TO-BE

sequenceDiagram
    Client->>+Backend.AI Gateway: POST /pipeline/login/ (X-BackendAI-SessionID: ...)
    Backend.AI Gateway-->>+Backend.AI FastTrack: POST /login/ (X-BackendAI-SessionID: ...)
    Backend.AI FastTrack-->>-Backend.AI Gateway: 200 OK {"token": "AUTH_TOKEN"}
    Backend.AI Gateway-->>-Client: 200 OK {"token": "AUTH_TOKEN"}
    Client->>+Backend.AI Gateway: POST /pipeline/.../ (Authorization: "Bearer AUTH_TOKEN")
    Backend.AI Gateway-->>+Backend.AI FastTrack: POST /.../ (Authorization: "Bearer AUTH_TOKEN")
    Backend.AI FastTrack-->>-Backend.AI Gateway: 200 OK
    Backend.AI Gateway->>-Client: 200 OK
Loading

Checklist: (if applicable)

  • Milestone metadata specifying the target backport version
  • Mention to the original issue

@rapsealk rapsealk added this to the 24.12 milestone Jan 2, 2025
@github-actions github-actions bot added comp:webserver Related to Web Server component size:M 30~100 LoC labels Jan 2, 2025
Comment on lines 211 to 214
if proxy_path == "pipeline" and real_path.rstrip("/") == "login":
api_rqst.headers["X-BackendAI-SessionID"] = request.headers.get(
"X-BackendAI-SessionID", ""
)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I dont' think rqst is a commonly used abbreviation. Would it be possible to rename it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renaming the api_rqst will be a over-scoped task, as the name is used in various modules in this project.
Would you mind if I issue a new ticket for it and proceed in next work?
Thank you.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please create the rename task with priority: low and handle it when you have time. :)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The task will be tracked by BA-469

Comment on lines -210 to -226
if proxy_path == "pipeline":
session_id = request.headers.get("X-BackendAI-SessionID", "")
if not (sso_token := request.headers.get("X-BackendAI-SSO")):
jwt_secret = config["pipeline"]["jwt"]["secret"]
now = datetime.now().astimezone()
payload = {
# Registered claims
"exp": now + timedelta(seconds=config["session"]["max_age"]),
"iss": "Backend.AI Webserver",
"iat": now,
# Private claims
"aiohttp_session": session_id,
"access_key": api_session.config.access_key, # since 23.03.10
}
sso_token = jwt.encode(payload, key=jwt_secret, algorithm="HS256")
api_rqst.headers["X-BackendAI-SSO"] = sso_token
api_rqst.headers["X-BackendAI-SessionID"] = session_id
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does Fasttrack handle version compatibility?
When making changes this time, is there any risk of breaking functionality for clients using previous versions?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is recommended to use the same version as Backend.AI Core.
To enhance version compatibility, we may adopt a dedicated header (e.g., X-BackendAI-FastTrack-Version).

Comment on lines 165 to 168
if real_path.rstrip("/") == "login":
api_session = await asyncio.shield(get_api_session(request, endpoint))
else:
api_session = await asyncio.shield(get_anonymous_session(request, endpoint))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there another way to identify it as a login path? Relying on the real_path could be fragile.

@rapsealk rapsealk marked this pull request as draft January 15, 2025 05:32
@rapsealk rapsealk marked this pull request as ready for review January 15, 2025 05:52
@rapsealk rapsealk requested a review from HyeockJinKim January 15, 2025 05:52
*,
is_anonymous: bool = False,
api_endpoint: Optional[str] = None,
extra_forwarding_headers: Iterable[str] | None = None,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any suggestion?

Suggested change
extra_forwarding_headers: Iterable[str] | None = None,
extra_http_headers_to_forward: Iterable[str] | None = None,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
comp:webserver Related to Web Server component size:M 30~100 LoC
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants