Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(bff): user info endpoint #630

Merged
merged 2 commits into from
Dec 11, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions clients/ui/bff/README.md
Original file line number Diff line number Diff line change
@@ -57,6 +57,7 @@ make docker-build
| URL Pattern | Handler | Action |
|----------------------------------------------------------------------------------------------|----------------------------------------------|-------------------------------------------------------------|
| GET /v1/healthcheck | HealthcheckHandler | Show application information. |
| GET /v1/user | UserHandler | Show "kubeflow-user-id" from header information. |
| GET /v1/model_registry | ModelRegistryHandler | Get all model registries, |
| GET /v1/model_registry/{model_registry_id}/registered_models | GetAllRegisteredModelsHandler | Gets a list of all RegisteredModel entities. |
| POST /v1/model_registry/{model_registry_id}/registered_models | CreateRegisteredModelHandler | Create a RegisteredModel entity. |
@@ -78,6 +79,10 @@ You will need to inject your requests with a kubeflow-userid header for authoriz
curl -i -H "kubeflow-userid: [email protected]" localhost:4000/api/v1/healthcheck
```
```
# GET /v1/user
curl -i -H "kubeflow-userid: [email protected]" localhost:4000/api/v1/user
```
```
# GET /v1/model_registry
curl -i -H "kubeflow-userid: [email protected]" localhost:4000/api/v1/model_registry
```
2 changes: 2 additions & 0 deletions clients/ui/bff/internal/api/app.go
Original file line number Diff line number Diff line change
@@ -21,6 +21,7 @@ const (
ModelVersionId = "model_version_id"
ModelArtifactId = "model_artifact_id"
HealthCheckPath = PathPrefix + "/healthcheck"
UserPath = PathPrefix + "/user"
ModelRegistryListPath = PathPrefix + "/model_registry"
ModelRegistryPath = ModelRegistryListPath + "/:" + ModelRegistryId
RegisteredModelListPath = ModelRegistryPath + "/registered_models"
@@ -103,6 +104,7 @@ func (app *App) Routes() http.Handler {
router.POST(ModelVersionArtifactListPath, app.AttachRESTClient(app.CreateModelArtifactByModelVersionHandler))

// Kubernetes client routes
router.GET(UserPath, app.UserHandler)
router.GET(ModelRegistryListPath, app.ModelRegistryHandler)
router.PATCH(ModelRegistryPath, app.AttachRESTClient(app.UpdateModelVersionHandler))

6 changes: 6 additions & 0 deletions clients/ui/bff/internal/api/middleware.go
Original file line number Diff line number Diff line change
@@ -83,6 +83,12 @@ func (app *App) RequireAccessControl(next http.Handler) http.Handler {
return
}

// Skip SAR for user info
if r.URL.Path == UserPath {
next.ServeHTTP(w, r)
return
}

user := r.Header.Get(kubeflowUserId)
if user == "" {
app.forbiddenResponse(w, r, "missing kubeflow-userid header")
36 changes: 36 additions & 0 deletions clients/ui/bff/internal/api/user_handler.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
package api

import (
"errors"
"github.com/julienschmidt/httprouter"
"github.com/kubeflow/model-registry/ui/bff/internal/models"
"net/http"
)

type UserEnvelope Envelope[*models.User, None]

func (app *App) UserHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {

userHeader := r.Header.Get(kubeflowUserId)
if userHeader == "" {
app.serverErrorResponse(w, r, errors.New("kubeflow-userid not present on header"))
return
}

user, err := app.repositories.User.GetUser(app.kubernetesClient, userHeader)
if err != nil {
app.serverErrorResponse(w, r, err)
return
}

userRes := UserEnvelope{
Data: user,
}

err = app.WriteJSON(w, http.StatusOK, userRes, nil)

if err != nil {
app.serverErrorResponse(w, r, err)
}

}
119 changes: 119 additions & 0 deletions clients/ui/bff/internal/api/user_handler_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,119 @@
package api

import (
"encoding/json"
"io"
"net/http"
"net/http/httptest"

"github.com/kubeflow/model-registry/ui/bff/internal/repositories"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
)

const (
KubeflowUserIDHeaderValue = "[email protected]"
DoraNonAdminUser = "[email protected]"
)

var _ = Describe("TestUserHandler", func() {
Context("fetching user details", Ordered, func() {
var testApp App

BeforeAll(func() {
By("creating the test app")
testApp = App{
kubernetesClient: k8sClient,
repositories: repositories.NewRepositories(mockMRClient),
logger: logger,
}
})

It("should show that KubeflowUserIDHeaderValue ([email protected]) is a cluster-admin", func() {
By("creating the http request")
req, err := http.NewRequest(http.MethodGet, UserPath, nil)
Expect(err).NotTo(HaveOccurred())

req.Header.Set(kubeflowUserId, KubeflowUserIDHeaderValue)

By("creating the http test infrastructure")
rr := httptest.NewRecorder()

By("invoking the UserHandler")
testApp.UserHandler(rr, req, nil)
rs := rr.Result()
defer rs.Body.Close()
body, err := io.ReadAll(rs.Body)
Expect(err).NotTo(HaveOccurred())

By("unmarshalling the user response")
var actual UserEnvelope
err = json.Unmarshal(body, &actual)
Expect(err).NotTo(HaveOccurred())
Expect(rr.Code).To(Equal(http.StatusOK))

By("checking that the user is cluster-admin")
Expect(actual.Data.UserID).To(Equal(KubeflowUserIDHeaderValue))
Expect(actual.Data.ClusterAdmin).To(BeTrue(), "Expected this user to be cluster-admin")
})

It("should show that DoraNonAdminUser ([email protected]) is not a cluster-admin", func() {
By("creating the http request")
req, err := http.NewRequest(http.MethodGet, UserPath, nil)
Expect(err).NotTo(HaveOccurred())

req.Header.Set(kubeflowUserId, DoraNonAdminUser)

By("creating the http test infrastructure")
rr := httptest.NewRecorder()

By("invoking the UserHandler")
testApp.UserHandler(rr, req, nil)
rs := rr.Result()
defer rs.Body.Close()
body, err := io.ReadAll(rs.Body)
Expect(err).NotTo(HaveOccurred())

By("unmarshalling the user response")
var actual UserEnvelope
err = json.Unmarshal(body, &actual)
Expect(err).NotTo(HaveOccurred())
Expect(rr.Code).To(Equal(http.StatusOK))

By("checking that the user is not cluster-admin")
Expect(actual.Data.UserID).To(Equal(DoraNonAdminUser))
Expect(actual.Data.ClusterAdmin).To(BeFalse(), "Expected this user to not be cluster-admin")
})

It("should show that a random non-existent user is not a cluster-admin", func() {
randomUser := "[email protected]"

By("creating the http request")
req, err := http.NewRequest(http.MethodGet, UserPath, nil)
Expect(err).NotTo(HaveOccurred())

req.Header.Set(kubeflowUserId, randomUser)

By("creating the http test infrastructure")
rr := httptest.NewRecorder()

By("invoking the UserHandler")
testApp.UserHandler(rr, req, nil)
rs := rr.Result()
defer rs.Body.Close()
body, err := io.ReadAll(rs.Body)
Expect(err).NotTo(HaveOccurred())

By("unmarshalling the user response")
var actual UserEnvelope
err = json.Unmarshal(body, &actual)
Expect(err).NotTo(HaveOccurred())
Expect(rr.Code).To(Equal(http.StatusOK))

By("checking that the user is not cluster-admin")
Expect(actual.Data.UserID).To(Equal(randomUser))
Expect(actual.Data.ClusterAdmin).To(BeFalse(), "Expected this user to not be cluster-admin")
})
})

})
28 changes: 28 additions & 0 deletions clients/ui/bff/internal/integrations/k8s.go
Original file line number Diff line number Diff line change
@@ -6,6 +6,7 @@ import (
helper "github.com/kubeflow/model-registry/ui/bff/internal/helpers"
authv1 "k8s.io/api/authorization/v1"
corev1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
@@ -27,6 +28,7 @@ type KubernetesClientInterface interface {
Shutdown(ctx context.Context, logger *slog.Logger) error
IsInCluster() bool
PerformSAR(user string) (bool, error)
IsClusterAdmin(user string) (bool, error)
}

type ServiceDetails struct {
@@ -286,3 +288,29 @@ func (kc *KubernetesClient) PerformSAR(user string) (bool, error) {

return true, nil
}

func (kc *KubernetesClient) IsClusterAdmin(user string) (bool, error) {
//using a context here, because checking ClusterRoleBindings could be expensive in large clusters
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()

clusterRoleBindings := &rbacv1.ClusterRoleBindingList{}
err := kc.ControllerRuntimeClient.List(ctx, clusterRoleBindings)
if err != nil {
return false, fmt.Errorf("failed to list ClusterRoleBindings: %w", err)
}

for _, crb := range clusterRoleBindings.Items {
if crb.RoleRef.Name != "cluster-admin" {
continue
}
for _, subject := range crb.Subjects {

if subject.Kind == "User" && subject.Name == user {
return true, nil
}
}
}

return false, nil
}
Loading