Improve KF authentication handling (#2257)

Enables the user to choose an authentication type for Kubeflow Runtime configurations Closes #2240 Closes #2107 Closes #2108
elyra-ai · Nov 8, 2021 · a4ec683 · a4ec683
1 parent a9d6044
commit a4ec683
Show file tree

Hide file tree

Showing 8 changed files with 921 additions and 249 deletions.
diff --git a/docs/source/user_guide/runtime-conf.md b/docs/source/user_guide/runtime-conf.md
@@ -92,6 +92,7 @@ To create a runtime configuration for a Kubeflow Pipelines deployment:
 elyra-metadata install runtimes \
        --display_name="My Kubeflow Pipelines Runtime" \
        --api_endpoint=https://kubernetes-service.ibm.com/pipeline \
+       --auth_type="DEX_STATIC_PASSWORDS" \
        [email protected] \
        --api_password=mypassword \
        --engine=Argo \
@@ -115,6 +116,7 @@ elyra-metadata install runtimes \
        --name="my_kubeflow_pipelines_runtime" \
        --display_name="My Kubeflow Pipelines Runtime" \
        --api_endpoint=https://kubernetes-service.ibm.com/pipeline \
+       --auth_type="DEX_STATIC_PASSWORDS" \
        [email protected] \
        --api_password=mynewpassword \
        --engine=Argo \
@@ -181,16 +183,23 @@ The namespace used to run your pipeline in Kubeflow Pipelines. This setting is r
 
 Example: `anonymous`
 
+##### Kubeflow authentication type (auth_type)
+Authentication type Elyra uses to gain access to Kubeflow Pipelines. This setting is required. Supported types are:
+- No authentication (`NO_AUTHENTICATION`).
+- Kubernetes service account token (`KUBERNETES_SERVICE _ACCOUNT_TOKEN`). This authentication type is only supported if Elyra runs as a pod in Kubernetes, e.g. as a Kubeflow notebook server. You must configure a service account token in Kubernetes, as outlined [here](https://www.kubeflow.org/docs/components/pipelines/sdk/connect-api/#multi-user-mode).
+- DEX configured for static password authentication (`DEX_STATIC_PASSWORDS`). This authentication requires a username and a password.
+- DEX configured for LDAP authentication (`DEX_LDAP`). This authentication requires a username and a  password.
+- DEX (`DEX_LEGACY`). Use this type only if none of the other authentication types applies or if your Kubeflow deployment is not configured for any other listed type. This authentication requires a username and a password.
+
 ##### Kubeflow Pipelines API endpoint username (api_username)
-Username used to access your KubeFlow Pipelines API endpoint. This setting is required if the Kubeflow Pipelines deployment is multi-user, auth enabled.
-Currently, only Dex `staticPasswords` and `LDAP Connector` authentication types are supported.
 
-(NOTE: if multiple Dex authentication types are enabled, we will try to use `staticPasswords`)
+A username is required for most authentication types. Refer to the Kubeflow authentication type setting for details.
 
 Example: `[email protected]`
 
-##### Kubeflow Pipelines API endpoint (api_password)
-Password used to access your KubeFlow Pipelines API endpoint. This setting is required if the Kubeflow Pipelines deployment is multi-user, auth enabled.
+##### Kubeflow Pipelines API endpoint password (api_password)
+
+A password is required for most authentication types. Refer to the Kubeflow authentication type setting for details.
 
 Example: `mypassword`
 

diff --git a/elyra/metadata/schemas/kfp.json b/elyra/metadata/schemas/kfp.json
@@ -6,6 +6,7 @@
   "display_name": "Kubeflow Pipelines",
   "schemaspace": "runtimes",
   "schemaspace_id": "130b8e00-de7c-4b32-b553-b4a52824a3b5",
+  "metadata_class_name": "elyra.pipeline.kfp.kfp_metadata.KfpMetadata",
   "uihints": {
     "title": "Kubeflow Pipelines runtimes",
     "icon": "elyra:runtimes",
@@ -53,6 +54,28 @@
             "category": "Kubeflow Pipelines"
           }
         },
+        "engine": {
+          "title": "Kubeflow Pipelines engine",
+          "description": "The Kubeflow Pipelines engine in use",
+          "type": "string",
+          "enum": ["Argo", "Tekton"],
+          "default": "Argo",
+          "uihints": {
+            "field_type": "dropdown",
+            "category": "Kubeflow Pipelines"
+          }
+        },
+        "auth_type": {
+          "title": "Authentication Type",
+          "description": "Authentication type Elyra uses to authenticate with Kubeflow",
+          "type": "string",
+          "enum": ["{AUTH_PROVIDER_PLACEHOLDERS}"],
+          "default": "{DEFAULT_AUTH_PROVIDER_PLACEHOLDER}",
+          "uihints": {
+            "field_type": "dropdown",
+            "category": "Kubeflow Pipelines"
+          }
+        },
         "api_username": {
           "title": "Kubeflow Pipelines API Endpoint Username",
           "description": "The Kubeflow Pipelines API endpoint username",
@@ -70,17 +93,6 @@
             "category": "Kubeflow Pipelines"
           }
         },
-        "engine": {
-          "title": "Kubeflow Pipelines engine",
-          "description": "The Kubeflow Pipelines engine in use",
-          "type": "string",
-          "enum": ["Argo", "Tekton"],
-          "default": "Argo",
-          "uihints": {
-            "field_type": "dropdown",
-            "category": "Kubeflow Pipelines"
-          }
-        },
         "cos_endpoint": {
           "title": "Cloud Object Storage Endpoint",
           "description": "The Cloud Object Storage endpoint",

diff --git a/elyra/metadata/schemasproviders.py b/elyra/metadata/schemasproviders.py
@@ -33,6 +33,7 @@
 from elyra.metadata.schemaspaces import ComponentRegistries
 from elyra.metadata.schemaspaces import RuntimeImages
 from elyra.metadata.schemaspaces import Runtimes
+from elyra.pipeline.kfp.kfp_authentication import SupportedAuthProviders
 
 
 class ElyraSchemasProvider(SchemasProvider, metaclass=ABCMeta):
@@ -96,6 +97,19 @@ def get_schemas(self) -> List[Dict]:
                         if 'Tekton' in engine_enum:
                             engine_enum.remove('Tekton')
                             schema['properties']['metadata']['properties']['engine']['enum'] = engine_enum
+
+            # For KFP schemas replace placeholders:
+            # - properties.metadata.properties.auth_type.enum ({AUTH_PROVIDER_PLACEHOLDERS})
+            # - properties.metadata.properties.auth_type.default ({DEFAULT_AUTH_PROVIDER_PLACEHOLDER})
+            auth_type_enum = SupportedAuthProviders.get_provider_names()
+            auth_type_default = SupportedAuthProviders.get_default_provider().name
+
+            for schema in runtime_schemas:
+                if schema['name'] == 'kfp':
+                    if schema['properties']['metadata']['properties'].get('auth_type') is not None:
+                        schema['properties']['metadata']['properties']['auth_type']['enum'] = auth_type_enum
+                        schema['properties']['metadata']['properties']['auth_type']['default'] = auth_type_default
+
         return runtime_schemas