diff --git a/.secrets.baseline b/.secrets.baseline index 4059b5219fb..96bf780809c 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -934,7 +934,7 @@ "filename": "infra/feast-operator/api/v1/featurestore_types.go", "hashed_secret": "44e17306b837162269a410204daaa5ecee4ec22c", "is_verified": false, - "line_number": 734 + "line_number": 761 } ], "infra/feast-operator/api/v1/zz_generated.deepcopy.go": [ @@ -950,14 +950,14 @@ "filename": "infra/feast-operator/api/v1/zz_generated.deepcopy.go", "hashed_secret": "44e17306b837162269a410204daaa5ecee4ec22c", "is_verified": false, - "line_number": 1261 + "line_number": 754 }, { "type": "Secret Keyword", "filename": "infra/feast-operator/api/v1/zz_generated.deepcopy.go", "hashed_secret": "c2028031c154bbe86fd69bef740855c74b927dcf", "is_verified": false, - "line_number": 1266 + "line_number": 1300 } ], "infra/feast-operator/api/v1alpha1/featurestore_types.go": [ @@ -1140,14 +1140,14 @@ "filename": "infra/feast-operator/internal/controller/services/repo_config.go", "hashed_secret": "44e17306b837162269a410204daaa5ecee4ec22c", "is_verified": false, - "line_number": 109 + "line_number": 114 }, { "type": "Secret Keyword", "filename": "infra/feast-operator/internal/controller/services/repo_config.go", "hashed_secret": "e2fb052132fd6a07a56af2013e0b62a1f510572c", "is_verified": false, - "line_number": 148 + "line_number": 205 } ], "infra/feast-operator/internal/controller/services/services.go": [ @@ -1539,5 +1539,5 @@ } ] }, - "generated_at": "2026-04-04T12:08:20Z" + "generated_at": "2026-04-07T15:56:56Z" } diff --git a/docs/getting-started/components/authz_manager.md b/docs/getting-started/components/authz_manager.md index e5aa0661619..eae3fece50b 100644 --- a/docs/getting-started/components/authz_manager.md +++ b/docs/getting-started/components/authz_manager.md @@ -40,52 +40,87 @@ auth: With OIDC authorization, the Feast client proxies retrieve the JWT token from an OIDC server (or [Identity Provider](https://openid.net/developers/how-connect-works/)) and append it in every request to a Feast server, using an [Authorization Bearer Token](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#bearer). -The server, in turn, uses the same OIDC server to validate the token and extract the user roles from the token itself. +The server, in turn, uses the same OIDC server to validate the token and extract user details — including username, roles, and groups — from the token itself. Some assumptions are made in the OIDC server configuration: * The OIDC token refers to a client with roles matching the RBAC roles of the configured `Permission`s (*) -* The roles are exposed in the access token that is passed to the server +* The roles are exposed in the access token under `resource_access..roles` * The JWT token is expected to have a verified signature and not be expired. The Feast OIDC token parser logic validates for `verify_signature` and `verify_exp` so make sure that the given OIDC provider is configured to meet these requirements. -* The preferred_username should be part of the JWT token claim. - +* The `preferred_username` should be part of the JWT token claim. +* For `GroupBasedPolicy` support, the `groups` claim should be present in the access token (requires a "Group Membership" protocol mapper in Keycloak). (*) Please note that **the role match is case-sensitive**, e.g. the name of the role in the OIDC server and in the `Permission` configuration must be exactly the same. -For example, the access token for a client `app` of a user with `reader` role should have the following `resource_access` section: +For example, the access token for a client `app` of a user with `reader` role and membership in the `data-team` group should have the following claims: ```json { + "preferred_username": "alice", "resource_access": { "app": { "roles": [ "reader" ] } - } + }, + "groups": [ + "data-team" + ] } ``` -An example of feast OIDC authorization configuration on the server side is the following: +#### Server-Side Configuration + +The server requires `auth_discovery_url` and `client_id` to validate incoming JWT tokens via JWKS: ```yaml project: my-project auth: type: oidc - client_id: _CLIENT_ID__ + client_id: _CLIENT_ID_ auth_discovery_url: _OIDC_SERVER_URL_/realms/master/.well-known/openid-configuration ... ``` -In case of client configuration, the following settings username, password and client_secret must be added to specify the current user: +When the OIDC provider uses a self-signed or untrusted TLS certificate (e.g. internal Keycloak on OpenShift), set `verify_ssl` to `false` to disable certificate verification: +```yaml +auth: + type: oidc + client_id: _CLIENT_ID_ + auth_discovery_url: https://keycloak.internal/realms/master/.well-known/openid-configuration + verify_ssl: false +``` + +{% hint style="warning" %} +Setting `verify_ssl: false` disables TLS certificate verification for all OIDC provider communication (discovery, JWKS, token endpoint). Only use this in development or internal environments where you accept the security risk. +{% endhint %} + +#### Client-Side Configuration + +The client supports multiple token source modes. The SDK resolves tokens in the following priority order: + +1. **Intra-communication token** — internal server-to-server calls (via `INTRA_COMMUNICATION_BASE64` env var) +2. **`token`** — a static JWT string provided directly in the configuration +3. **`token_env_var`** — the name of an environment variable containing the JWT +4. **`client_secret`** — fetches a token from the OIDC provider using client credentials or ROPC flow (requires `auth_discovery_url` and `client_id`) +5. **`FEAST_OIDC_TOKEN`** — default fallback environment variable +6. **Kubernetes service account token** — read from `/var/run/secrets/kubernetes.io/serviceaccount/token` when running inside a pod + +**Token passthrough** (for use with external token providers like [kube-authkit](https://github.com/opendatahub-io/kube-authkit)): +```yaml +project: my-project +auth: + type: oidc + token_env_var: FEAST_OIDC_TOKEN +``` + +Or with a bare `type: oidc` (no other fields) — the SDK falls back to the `FEAST_OIDC_TOKEN` environment variable or a mounted Kubernetes service account token: ```yaml +project: my-project auth: type: oidc - ... - username: _USERNAME_ - password: _PASSWORD_ - client_secret: _CLIENT_SECRET__ ``` -Below is an example of feast full OIDC client auth configuration: +**Client credentials / ROPC flow** (existing behavior, unchanged): ```yaml project: my-project auth: @@ -97,6 +132,12 @@ auth: auth_discovery_url: http://localhost:8080/realms/master/.well-known/openid-configuration ``` +When using client credentials or ROPC flows, the `verify_ssl` setting also applies to the discovery and token endpoint requests. + +#### Multi-Token Support (OIDC + Kubernetes Service Account) + +When the Feast server is configured with OIDC auth and deployed on Kubernetes, the `OidcTokenParser` can handle both Keycloak JWT tokens and Kubernetes service account tokens. Incoming tokens that contain a `kubernetes.io` claim are validated via the Kubernetes Token Access Review API and the namespace is extracted from the authenticated identity — no RBAC queries are performed, so the server service account only needs `tokenreviews/create` permission. All other tokens follow the standard OIDC/Keycloak JWKS validation path. This enables `NamespaceBasedPolicy` enforcement for service account tokens while using `GroupBasedPolicy` and `RoleBasedPolicy` for OIDC user tokens. + ### Kubernetes RBAC Authorization With Kubernetes RBAC Authorization, the client uses the service account token as the authorizarion bearer token, and the server fetches the associated roles from the Kubernetes RBAC resources. Feast supports advanced authorization by extracting user groups and namespaces from Kubernetes tokens, enabling fine-grained access control beyond simple role matching. This is achieved by leveraging Kubernetes Token Access Review, which allows Feast to determine the groups and namespaces associated with a user or service account. diff --git a/infra/feast-operator/api/v1/featurestore_types.go b/infra/feast-operator/api/v1/featurestore_types.go index 11a975b2c67..95d8130ab99 100644 --- a/infra/feast-operator/api/v1/featurestore_types.go +++ b/infra/feast-operator/api/v1/featurestore_types.go @@ -713,7 +713,34 @@ type KubernetesAuthz struct { // OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider. // https://auth0.com/docs/authenticate/protocols/openid-connect-protocol type OidcAuthz struct { - SecretRef corev1.LocalObjectReference `json:"secretRef"` + // OIDC issuer URL. The operator appends /.well-known/openid-configuration to derive the discovery endpoint. + // +optional + // +kubebuilder:validation:Pattern=`^https://\S+$` + IssuerUrl string `json:"issuerUrl,omitempty"` + // Secret with OIDC properties (auth_discovery_url, client_id, client_secret). issuerUrl takes precedence. + // +optional + SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"` + // Key in the Secret containing all OIDC properties as a YAML value. If unset, each key is a property. + // +optional + SecretKeyName string `json:"secretKeyName,omitempty"` + // Env var name for client pods to read an OIDC token from. Sets token_env_var in client config. + // +optional + TokenEnvVar *string `json:"tokenEnvVar,omitempty"` + // Verify SSL certificates for the OIDC provider. Defaults to true. + // +optional + VerifySSL *bool `json:"verifySSL,omitempty"` + // ConfigMap with the CA certificate for self-signed OIDC providers. Auto-detected on RHOAI/ODH. + // +optional + CACertConfigMap *OidcCACertConfigMap `json:"caCertConfigMap,omitempty"` +} + +// OidcCACertConfigMap references a ConfigMap containing a CA certificate for OIDC provider TLS. +type OidcCACertConfigMap struct { + // ConfigMap name. + Name string `json:"name"` + // Key in the ConfigMap holding the PEM certificate. Defaults to "ca-bundle.crt". + // +optional + Key string `json:"key,omitempty"` } // TlsConfigs configures server TLS for a feast service. in an openshift cluster, this is configured by default using service serving certificates. diff --git a/infra/feast-operator/api/v1/zz_generated.deepcopy.go b/infra/feast-operator/api/v1/zz_generated.deepcopy.go index 8a86c588f9c..8d0e4848f5f 100644 --- a/infra/feast-operator/api/v1/zz_generated.deepcopy.go +++ b/infra/feast-operator/api/v1/zz_generated.deepcopy.go @@ -41,7 +41,7 @@ func (in *AuthzConfig) DeepCopyInto(out *AuthzConfig) { if in.OidcAuthz != nil { in, out := &in.OidcAuthz, &out.OidcAuthz *out = new(OidcAuthz) - **out = **in + (*in).DeepCopyInto(*out) } } @@ -751,7 +751,26 @@ func (in *OfflineStorePersistence) DeepCopy() *OfflineStorePersistence { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OidcAuthz) DeepCopyInto(out *OidcAuthz) { *out = *in - out.SecretRef = in.SecretRef + if in.SecretRef != nil { + in, out := &in.SecretRef, &out.SecretRef + *out = new(corev1.LocalObjectReference) + **out = **in + } + if in.TokenEnvVar != nil { + in, out := &in.TokenEnvVar, &out.TokenEnvVar + *out = new(string) + **out = **in + } + if in.VerifySSL != nil { + in, out := &in.VerifySSL, &out.VerifySSL + *out = new(bool) + **out = **in + } + if in.CACertConfigMap != nil { + in, out := &in.CACertConfigMap, &out.CACertConfigMap + *out = new(OidcCACertConfigMap) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcAuthz. @@ -764,6 +783,21 @@ func (in *OidcAuthz) DeepCopy() *OidcAuthz { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OidcCACertConfigMap) DeepCopyInto(out *OidcCACertConfigMap) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcCACertConfigMap. +func (in *OidcCACertConfigMap) DeepCopy() *OidcCACertConfigMap { + if in == nil { + return nil + } + out := new(OidcCACertConfigMap) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OnlineStore) DeepCopyInto(out *OnlineStore) { *out = *in diff --git a/infra/feast-operator/bundle/manifests/feast-operator.clusterserviceversion.yaml b/infra/feast-operator/bundle/manifests/feast-operator.clusterserviceversion.yaml index 64e6886444f..11b7ceaf425 100644 --- a/infra/feast-operator/bundle/manifests/feast-operator.clusterserviceversion.yaml +++ b/infra/feast-operator/bundle/manifests/feast-operator.clusterserviceversion.yaml @@ -50,7 +50,7 @@ metadata: } ] capabilities: Basic Install - createdAt: "2026-03-10T20:00:10Z" + createdAt: "2026-04-07T13:49:25Z" operators.operatorframework.io/builder: operator-sdk-v1.38.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 name: feast-operator.v0.61.0 @@ -175,6 +175,17 @@ spec: - get - patch - update + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - create + - delete + - get + - list + - patch + - watch - apiGroups: - policy resources: @@ -259,6 +270,7 @@ spec: value: quay.io/feastdev/feature-server:0.61.0 - name: RELATED_IMAGE_CRON_JOB value: quay.io/openshift/origin-cli:4.17 + - name: OIDC_ISSUER_URL image: quay.io/feastdev/feast-operator:0.61.0 livenessProbe: httpGet: diff --git a/infra/feast-operator/bundle/manifests/feast.dev_featurestores.yaml b/infra/feast-operator/bundle/manifests/feast.dev_featurestores.yaml index 6bdfbd830b0..ce1d34b5fca 100644 --- a/infra/feast-operator/bundle/manifests/feast.dev_featurestores.yaml +++ b/infra/feast-operator/bundle/manifests/feast.dev_featurestores.yaml @@ -62,10 +62,32 @@ spec: OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider. https://auth0. properties: + caCertConfigMap: + description: ConfigMap with the CA certificate for self-signed + OIDC providers. Auto-detected on RHOAI/ODH. + properties: + key: + description: Key in the ConfigMap holding the PEM certificate. + Defaults to "ca-bundle.crt". + type: string + name: + description: ConfigMap name. + type: string + required: + - name + type: object + issuerUrl: + description: OIDC issuer URL. The operator appends /.well-known/openid-configuration + to derive the discovery endpoint. + pattern: ^https://\S+$ + type: string + secretKeyName: + description: Key in the Secret containing all OIDC properties + as a YAML value. If unset, each key is a property. + type: string secretRef: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. + description: Secret with OIDC properties (auth_discovery_url, + client_id, client_secret). issuerUrl takes precedence. properties: name: default: "" @@ -76,8 +98,14 @@ spec: type: string type: object x-kubernetes-map-type: atomic - required: - - secretRef + tokenEnvVar: + description: Env var name for client pods to read an OIDC + token from. Sets token_env_var in client config. + type: string + verifySSL: + description: Verify SSL certificates for the OIDC provider. + Defaults to true. + type: boolean type: object type: object x-kubernetes-validations: @@ -3135,6 +3163,10 @@ spec: x-kubernetes-validations: - message: One selection required. rule: '[has(self.local), has(self.remote)].exists_one(c, c)' + runFeastApplyOnInit: + description: Runs feast apply on pod start to populate the registry. + Defaults to true. Ignored when DisableInitContainers is true. + type: boolean scaling: description: Scaling configures horizontal scaling for the FeatureStore deployment (e.g. HPA autoscaling). @@ -5701,7 +5733,6 @@ spec: type: object required: - feastProject - - replicas type: object x-kubernetes-validations: - message: replicas > 1 and services.scaling.autoscaling are mutually @@ -5760,10 +5791,32 @@ spec: OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider. https://auth0. properties: + caCertConfigMap: + description: ConfigMap with the CA certificate for self-signed + OIDC providers. Auto-detected on RHOAI/ODH. + properties: + key: + description: Key in the ConfigMap holding the PEM + certificate. Defaults to "ca-bundle.crt". + type: string + name: + description: ConfigMap name. + type: string + required: + - name + type: object + issuerUrl: + description: OIDC issuer URL. The operator appends /.well-known/openid-configuration + to derive the discovery endpoint. + pattern: ^https://\S+$ + type: string + secretKeyName: + description: Key in the Secret containing all OIDC properties + as a YAML value. If unset, each key is a property. + type: string secretRef: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. + description: Secret with OIDC properties (auth_discovery_url, + client_id, client_secret). issuerUrl takes precedence. properties: name: default: "" @@ -5774,8 +5827,14 @@ spec: type: string type: object x-kubernetes-map-type: atomic - required: - - secretRef + tokenEnvVar: + description: Env var name for client pods to read an OIDC + token from. Sets token_env_var in client config. + type: string + verifySSL: + description: Verify SSL certificates for the OIDC provider. + Defaults to true. + type: boolean type: object type: object x-kubernetes-validations: @@ -8883,6 +8942,11 @@ spec: - message: One selection required. rule: '[has(self.local), has(self.remote)].exists_one(c, c)' + runFeastApplyOnInit: + description: Runs feast apply on pod start to populate the + registry. Defaults to true. Ignored when DisableInitContainers + is true. + type: boolean scaling: description: Scaling configures horizontal scaling for the FeatureStore deployment (e.g. HPA autoscaling). @@ -11470,7 +11534,6 @@ spec: type: object required: - feastProject - - replicas type: object x-kubernetes-validations: - message: replicas > 1 and services.scaling.autoscaling are mutually @@ -13932,6 +13995,10 @@ spec: x-kubernetes-validations: - message: One selection required. rule: '[has(self.local), has(self.remote)].exists_one(c, c)' + runFeastApplyOnInit: + description: Runs feast apply on pod start to populate the registry. + Defaults to true. Ignored when DisableInitContainers is true. + type: boolean securityContext: description: PodSecurityContext holds pod-level security attributes and common container settings. @@ -18175,6 +18242,11 @@ spec: - message: One selection required. rule: '[has(self.local), has(self.remote)].exists_one(c, c)' + runFeastApplyOnInit: + description: Runs feast apply on pod start to populate the + registry. Defaults to true. Ignored when DisableInitContainers + is true. + type: boolean securityContext: description: PodSecurityContext holds pod-level security attributes and common container settings. diff --git a/infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml b/infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml index 5f8c64b8c5d..2631a049fb9 100644 --- a/infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml +++ b/infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml @@ -62,10 +62,32 @@ spec: OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider. https://auth0. properties: + caCertConfigMap: + description: ConfigMap with the CA certificate for self-signed + OIDC providers. Auto-detected on RHOAI/ODH. + properties: + key: + description: Key in the ConfigMap holding the PEM certificate. + Defaults to "ca-bundle.crt". + type: string + name: + description: ConfigMap name. + type: string + required: + - name + type: object + issuerUrl: + description: OIDC issuer URL. The operator appends /.well-known/openid-configuration + to derive the discovery endpoint. + pattern: ^https://\S+$ + type: string + secretKeyName: + description: Key in the Secret containing all OIDC properties + as a YAML value. If unset, each key is a property. + type: string secretRef: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. + description: Secret with OIDC properties (auth_discovery_url, + client_id, client_secret). issuerUrl takes precedence. properties: name: default: "" @@ -76,8 +98,14 @@ spec: type: string type: object x-kubernetes-map-type: atomic - required: - - secretRef + tokenEnvVar: + description: Env var name for client pods to read an OIDC + token from. Sets token_env_var in client config. + type: string + verifySSL: + description: Verify SSL certificates for the OIDC provider. + Defaults to true. + type: boolean type: object type: object x-kubernetes-validations: @@ -5763,10 +5791,32 @@ spec: OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider. https://auth0. properties: + caCertConfigMap: + description: ConfigMap with the CA certificate for self-signed + OIDC providers. Auto-detected on RHOAI/ODH. + properties: + key: + description: Key in the ConfigMap holding the PEM + certificate. Defaults to "ca-bundle.crt". + type: string + name: + description: ConfigMap name. + type: string + required: + - name + type: object + issuerUrl: + description: OIDC issuer URL. The operator appends /.well-known/openid-configuration + to derive the discovery endpoint. + pattern: ^https://\S+$ + type: string + secretKeyName: + description: Key in the Secret containing all OIDC properties + as a YAML value. If unset, each key is a property. + type: string secretRef: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. + description: Secret with OIDC properties (auth_discovery_url, + client_id, client_secret). issuerUrl takes precedence. properties: name: default: "" @@ -5777,8 +5827,14 @@ spec: type: string type: object x-kubernetes-map-type: atomic - required: - - secretRef + tokenEnvVar: + description: Env var name for client pods to read an OIDC + token from. Sets token_env_var in client config. + type: string + verifySSL: + description: Verify SSL certificates for the OIDC provider. + Defaults to true. + type: boolean type: object type: object x-kubernetes-validations: diff --git a/infra/feast-operator/config/manager/manager.yaml b/infra/feast-operator/config/manager/manager.yaml index 8107749fce5..2fddf4725ba 100644 --- a/infra/feast-operator/config/manager/manager.yaml +++ b/infra/feast-operator/config/manager/manager.yaml @@ -77,6 +77,10 @@ spec: value: feast:latest - name: RELATED_IMAGE_CRON_JOB value: origin-cli:latest + # Injected from params.env via kustomize replacements (ODH/RHOAI overlays). + # Open Data Hub operator sets this from GatewayConfig when the cluster uses external OIDC. + - name: OIDC_ISSUER_URL + value: "" livenessProbe: httpGet: path: /healthz diff --git a/infra/feast-operator/config/overlays/odh/kustomization.yaml b/infra/feast-operator/config/overlays/odh/kustomization.yaml index cf751d178bd..044614f01fe 100644 --- a/infra/feast-operator/config/overlays/odh/kustomization.yaml +++ b/infra/feast-operator/config/overlays/odh/kustomization.yaml @@ -52,3 +52,13 @@ replacements: name: controller-manager fieldPaths: - spec.template.spec.containers.[name=manager].env.[name=RELATED_IMAGE_CRON_JOB].value + - source: + kind: ConfigMap + name: feast-operator-parameters + fieldPath: data.OIDC_ISSUER_URL + targets: + - select: + kind: Deployment + name: controller-manager + fieldPaths: + - spec.template.spec.containers.[name=manager].env.[name=OIDC_ISSUER_URL].value diff --git a/infra/feast-operator/config/overlays/odh/params.env b/infra/feast-operator/config/overlays/odh/params.env index d7b0233b998..6add626285c 100644 --- a/infra/feast-operator/config/overlays/odh/params.env +++ b/infra/feast-operator/config/overlays/odh/params.env @@ -1,3 +1,5 @@ RELATED_IMAGE_FEAST_OPERATOR=quay.io/feastdev/feast-operator:0.61.0 RELATED_IMAGE_FEATURE_SERVER=quay.io/feastdev/feature-server:0.61.0 RELATED_IMAGE_CRON_JOB=quay.io/openshift/origin-cli:4.17 +# Set at deploy time by the Open Data Hub operator from GatewayConfig (external OIDC). +OIDC_ISSUER_URL= diff --git a/infra/feast-operator/config/overlays/rhoai/kustomization.yaml b/infra/feast-operator/config/overlays/rhoai/kustomization.yaml index 4917579ef28..b9d075bdf39 100644 --- a/infra/feast-operator/config/overlays/rhoai/kustomization.yaml +++ b/infra/feast-operator/config/overlays/rhoai/kustomization.yaml @@ -52,3 +52,13 @@ replacements: name: controller-manager fieldPaths: - spec.template.spec.containers.[name=manager].env.[name=RELATED_IMAGE_CRON_JOB].value + - source: + kind: ConfigMap + name: feast-operator-parameters + fieldPath: data.OIDC_ISSUER_URL + targets: + - select: + kind: Deployment + name: controller-manager + fieldPaths: + - spec.template.spec.containers.[name=manager].env.[name=OIDC_ISSUER_URL].value diff --git a/infra/feast-operator/config/overlays/rhoai/params.env b/infra/feast-operator/config/overlays/rhoai/params.env index ce50a9f1412..12585765ee5 100644 --- a/infra/feast-operator/config/overlays/rhoai/params.env +++ b/infra/feast-operator/config/overlays/rhoai/params.env @@ -1,3 +1,5 @@ RELATED_IMAGE_FEAST_OPERATOR=quay.io/feastdev/feast-operator:0.61.0 RELATED_IMAGE_FEATURE_SERVER=quay.io/feastdev/feature-server:0.61.0 -RELATED_IMAGE_CRON_JOB=registry.redhat.io/openshift4/ose-cli@sha256:bc35a9fc663baf0d6493cc57e89e77a240a36c43cf38fb78d8e61d3b87cf5cc5 \ No newline at end of file +RELATED_IMAGE_CRON_JOB=registry.redhat.io/openshift4/ose-cli@sha256:bc35a9fc663baf0d6493cc57e89e77a240a36c43cf38fb78d8e61d3b87cf5cc5 +# Set at deploy time by the Open Data Hub operator from GatewayConfig (external OIDC). +OIDC_ISSUER_URL= \ No newline at end of file diff --git a/infra/feast-operator/dist/install.yaml b/infra/feast-operator/dist/install.yaml index f67b0d622f9..ef98baefd62 100644 --- a/infra/feast-operator/dist/install.yaml +++ b/infra/feast-operator/dist/install.yaml @@ -70,10 +70,32 @@ spec: OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider. https://auth0. properties: + caCertConfigMap: + description: ConfigMap with the CA certificate for self-signed + OIDC providers. Auto-detected on RHOAI/ODH. + properties: + key: + description: Key in the ConfigMap holding the PEM certificate. + Defaults to "ca-bundle.crt". + type: string + name: + description: ConfigMap name. + type: string + required: + - name + type: object + issuerUrl: + description: OIDC issuer URL. The operator appends /.well-known/openid-configuration + to derive the discovery endpoint. + pattern: ^https://\S+$ + type: string + secretKeyName: + description: Key in the Secret containing all OIDC properties + as a YAML value. If unset, each key is a property. + type: string secretRef: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. + description: Secret with OIDC properties (auth_discovery_url, + client_id, client_secret). issuerUrl takes precedence. properties: name: default: "" @@ -84,8 +106,14 @@ spec: type: string type: object x-kubernetes-map-type: atomic - required: - - secretRef + tokenEnvVar: + description: Env var name for client pods to read an OIDC + token from. Sets token_env_var in client config. + type: string + verifySSL: + description: Verify SSL certificates for the OIDC provider. + Defaults to true. + type: boolean type: object type: object x-kubernetes-validations: @@ -5771,10 +5799,32 @@ spec: OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider. https://auth0. properties: + caCertConfigMap: + description: ConfigMap with the CA certificate for self-signed + OIDC providers. Auto-detected on RHOAI/ODH. + properties: + key: + description: Key in the ConfigMap holding the PEM + certificate. Defaults to "ca-bundle.crt". + type: string + name: + description: ConfigMap name. + type: string + required: + - name + type: object + issuerUrl: + description: OIDC issuer URL. The operator appends /.well-known/openid-configuration + to derive the discovery endpoint. + pattern: ^https://\S+$ + type: string + secretKeyName: + description: Key in the Secret containing all OIDC properties + as a YAML value. If unset, each key is a property. + type: string secretRef: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. + description: Secret with OIDC properties (auth_discovery_url, + client_id, client_secret). issuerUrl takes precedence. properties: name: default: "" @@ -5785,8 +5835,14 @@ spec: type: string type: object x-kubernetes-map-type: atomic - required: - - secretRef + tokenEnvVar: + description: Env var name for client pods to read an OIDC + token from. Sets token_env_var in client config. + type: string + verifySSL: + description: Verify SSL certificates for the OIDC provider. + Defaults to true. + type: boolean type: object type: object x-kubernetes-validations: @@ -20598,6 +20654,8 @@ spec: value: quay.io/feastdev/feature-server:0.61.0 - name: RELATED_IMAGE_CRON_JOB value: quay.io/openshift/origin-cli:4.17 + - name: OIDC_ISSUER_URL + value: "" image: quay.io/feastdev/feast-operator:0.61.0 livenessProbe: httpGet: diff --git a/infra/feast-operator/docs/api/markdown/ref.md b/infra/feast-operator/docs/api/markdown/ref.md index f964d592adc..df3e3456967 100644 --- a/infra/feast-operator/docs/api/markdown/ref.md +++ b/infra/feast-operator/docs/api/markdown/ref.md @@ -545,7 +545,27 @@ _Appears in:_ | Field | Description | | --- | --- | -| `secretRef` _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#localobjectreference-v1-core)_ | | +| `issuerUrl` _string_ | OIDC issuer URL. The operator appends /.well-known/openid-configuration to derive the discovery endpoint. | +| `secretRef` _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#localobjectreference-v1-core)_ | Secret with OIDC properties (auth_discovery_url, client_id, client_secret). issuerUrl takes precedence. | +| `secretKeyName` _string_ | Key in the Secret containing all OIDC properties as a YAML value. If unset, each key is a property. | +| `tokenEnvVar` _string_ | Env var name for client pods to read an OIDC token from. Sets token_env_var in client config. | +| `verifySSL` _boolean_ | Verify SSL certificates for the OIDC provider. Defaults to true. | +| `caCertConfigMap` _[OidcCACertConfigMap](#oidccacertconfigmap)_ | ConfigMap with the CA certificate for self-signed OIDC providers. Auto-detected on RHOAI/ODH. | + + +#### OidcCACertConfigMap + + + +OidcCACertConfigMap references a ConfigMap containing a CA certificate for OIDC provider TLS. + +_Appears in:_ +- [OidcAuthz](#oidcauthz) + +| Field | Description | +| --- | --- | +| `name` _string_ | ConfigMap name. | +| `key` _string_ | Key in the ConfigMap holding the PEM certificate. Defaults to "ca-bundle.crt". | #### OnlineStore diff --git a/infra/feast-operator/docs/odh-operator-parameters.md b/infra/feast-operator/docs/odh-operator-parameters.md new file mode 100644 index 00000000000..8b29d4d1ca8 --- /dev/null +++ b/infra/feast-operator/docs/odh-operator-parameters.md @@ -0,0 +1,15 @@ +# Open Data Hub / RHOAI operator parameters + +These values are supplied through the Feast operator **`params.env`** files in the **ODH** and **RHOAI** overlays (`config/overlays/odh/params.env`, `config/overlays/rhoai/params.env`). The Open Data Hub operator updates keys in `params.env` before rendering; Kustomize **`replacements`** copy them into the controller Deployment. + +## `OIDC_ISSUER_URL` + +**Purpose:** OIDC issuer URL when the OpenShift cluster uses external OIDC (for example Keycloak). The Feast operator process receives it as the **`OIDC_ISSUER_URL`** environment variable. An empty value means the cluster is not using external OIDC in this integration path (OpenShift OAuth / default behavior). + +**Manifest parameter:** `OIDC_ISSUER_URL` in `params.env`. + +**Injected into:** `controller-manager` Deployment, `manager` container. + +**Set by:** Open Data Hub operator (Feast component reconcile), from `GatewayConfig.spec.oidc.issuerURL` when cluster authentication is OIDC. + +**Consumption:** Operator code should read `os.Getenv("OIDC_ISSUER_URL")` (or equivalent) where JWKS / OIDC discovery is required for managed workloads. diff --git a/infra/feast-operator/internal/controller/authz/authz.go b/infra/feast-operator/internal/controller/authz/authz.go index 9cb5b7c9554..e9811c1c789 100644 --- a/infra/feast-operator/internal/controller/authz/authz.go +++ b/infra/feast-operator/internal/controller/authz/authz.go @@ -25,6 +25,16 @@ func (authz *FeastAuthorization) Deploy() error { _ = authz.Handler.DeleteOwnedFeastObj(authz.initFeastRole()) _ = authz.Handler.DeleteOwnedFeastObj(authz.initFeastRoleBinding()) apimeta.RemoveStatusCondition(&authz.Handler.FeatureStore.Status.Conditions, feastKubernetesAuthConditions[metav1.ConditionTrue].Type) + + if authz.isOidcAuth() { + if err := authz.createFeastClusterRole(); err != nil { + return err + } + if err := authz.createFeastClusterRoleBinding(); err != nil { + return err + } + } + return nil } @@ -33,6 +43,11 @@ func (authz *FeastAuthorization) isKubernetesAuth() bool { return authzConfig != nil && authzConfig.KubernetesAuthz != nil } +func (authz *FeastAuthorization) isOidcAuth() bool { + authzConfig := authz.Handler.FeatureStore.Status.Applied.AuthzConfig + return authzConfig != nil && authzConfig.OidcAuthz != nil +} + func (authz *FeastAuthorization) deployKubernetesAuth() error { if authz.isKubernetesAuth() { authz.removeOrphanedRoles() diff --git a/infra/feast-operator/internal/controller/featurestore_controller_oidc_auth_test.go b/infra/feast-operator/internal/controller/featurestore_controller_oidc_auth_test.go index b8af9484acc..16b57f8d7f5 100644 --- a/infra/feast-operator/internal/controller/featurestore_controller_oidc_auth_test.go +++ b/infra/feast-operator/internal/controller/featurestore_controller_oidc_auth_test.go @@ -77,7 +77,7 @@ var _ = Describe("FeatureStore Controller-OIDC authorization", func() { if err != nil && errors.IsNotFound(err) { resource := createFeatureStoreResource(resourceName, image, pullPolicy, &[]corev1.EnvVar{}, withEnvFrom()) resource.Spec.AuthzConfig = &feastdevv1.AuthzConfig{OidcAuthz: &feastdevv1.OidcAuthz{ - SecretRef: corev1.LocalObjectReference{ + SecretRef: &corev1.LocalObjectReference{ Name: oidcSecretName, }, }} @@ -134,7 +134,7 @@ var _ = Describe("FeatureStore Controller-OIDC authorization", func() { Expect(resource.Status.Applied.FeastProject).To(Equal(resource.Spec.FeastProject)) expectedAuthzConfig := &feastdevv1.AuthzConfig{ OidcAuthz: &feastdevv1.OidcAuthz{ - SecretRef: corev1.LocalObjectReference{ + SecretRef: &corev1.LocalObjectReference{ Name: oidcSecretName, }, }, @@ -476,7 +476,7 @@ var _ = Describe("FeatureStore Controller-OIDC authorization", func() { Expect(cond.Status).To(Equal(metav1.ConditionFalse)) Expect(cond.Reason).To(Equal(feastdevv1.FailedReason)) Expect(cond.Type).To(Equal(feastdevv1.ReadyType)) - Expect(cond.Message).To(ContainSubstring("missing OIDC")) + Expect(cond.Message).To(ContainSubstring("OIDC discovery URL")) }) }) }) @@ -496,12 +496,6 @@ func expectedServerOidcAuthorizConfig() services.AuthzConfig { func expectedClientOidcAuthorizConfig() services.AuthzConfig { return services.AuthzConfig{ Type: services.OidcAuthType, - OidcParameters: map[string]interface{}{ - string(services.OidcClientId): "client-id", - string(services.OidcAuthDiscoveryUrl): "auth-discovery-url", - string(services.OidcClientSecret): "client-secret", - string(services.OidcUsername): "username", - string(services.OidcPassword): "password"}, } } @@ -529,7 +523,7 @@ func createValidOidcSecret(secretName string) *corev1.Secret { func createInvalidOidcSecret(secretName string) *corev1.Secret { oidcProperties := validOidcSecretMap() - delete(oidcProperties, string(services.OidcClientId)) + delete(oidcProperties, string(services.OidcAuthDiscoveryUrl)) secret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: secretName, diff --git a/infra/feast-operator/internal/controller/services/client.go b/infra/feast-operator/internal/controller/services/client.go index fbd972368fb..6ce01ed0cc2 100644 --- a/infra/feast-operator/internal/controller/services/client.go +++ b/infra/feast-operator/internal/controller/services/client.go @@ -47,7 +47,7 @@ func (feast *FeastServices) createClientConfigMap() error { func (feast *FeastServices) setClientConfigMap(cm *corev1.ConfigMap) error { cm.Labels = feast.getFeastTypeLabels(ClientFeastType) - clientYaml, err := feast.getClientFeatureStoreYaml(feast.extractConfigFromSecret) + clientYaml, err := feast.getClientFeatureStoreYaml() if err != nil { return err } diff --git a/infra/feast-operator/internal/controller/services/repo_config.go b/infra/feast-operator/internal/controller/services/repo_config.go index 9b20955f324..b67d948033b 100644 --- a/infra/feast-operator/internal/controller/services/repo_config.go +++ b/infra/feast-operator/internal/controller/services/repo_config.go @@ -19,6 +19,7 @@ package services import ( "encoding/base64" "fmt" + "os" "path" "strings" @@ -26,6 +27,8 @@ import ( "gopkg.in/yaml.v3" ) +const oidcIssuerUrlEnvVar = "OIDC_ISSUER_URL" + // GetServiceFeatureStoreYamlBase64 returns a base64 encoded feature_store.yaml config for the feast service func (feast *FeastServices) GetServiceFeatureStoreYamlBase64() (string, error) { fsYaml, err := feast.getServiceFeatureStoreYaml() @@ -44,14 +47,16 @@ func (feast *FeastServices) getServiceFeatureStoreYaml() ([]byte, error) { } func (feast *FeastServices) getServiceRepoConfig() (RepoConfig, error) { - return getServiceRepoConfig(feast.Handler.FeatureStore, feast.extractConfigFromSecret, feast.extractConfigFromConfigMap) + odhCaBundleExists := feast.GetCustomCertificatesBundle().IsDefined + return getServiceRepoConfig(feast.Handler.FeatureStore, feast.extractConfigFromSecret, feast.extractConfigFromConfigMap, odhCaBundleExists) } func getServiceRepoConfig( featureStore *feastdevv1.FeatureStore, secretExtractionFunc func(storeType string, secretRef string, secretKeyName string) (map[string]interface{}, error), - configMapExtractionFunc func(configMapRef string, configMapKey string) (map[string]interface{}, error)) (RepoConfig, error) { - repoConfig, err := getBaseServiceRepoConfig(featureStore, secretExtractionFunc) + configMapExtractionFunc func(configMapRef string, configMapKey string) (map[string]interface{}, error), + odhCaBundleExists bool) (RepoConfig, error) { + repoConfig, err := getBaseServiceRepoConfig(featureStore, secretExtractionFunc, odhCaBundleExists) if err != nil { return repoConfig, err } @@ -91,39 +96,91 @@ func getServiceRepoConfig( func getBaseServiceRepoConfig( featureStore *feastdevv1.FeatureStore, - secretExtractionFunc func(storeType string, secretRef string, secretKeyName string) (map[string]interface{}, error)) (RepoConfig, error) { + secretExtractionFunc func(storeType string, secretRef string, secretKeyName string) (map[string]interface{}, error), + odhCaBundleExists bool) (RepoConfig, error) { repoConfig := defaultRepoConfig(featureStore) - clientRepoConfig, err := getClientRepoConfig(featureStore, secretExtractionFunc, nil) - if err != nil { - return repoConfig, err - } + clientRepoConfig := getClientRepoConfig(featureStore, nil) if isRemoteRegistry(featureStore) { repoConfig.Registry = clientRepoConfig.Registry } - repoConfig.AuthzConfig = clientRepoConfig.AuthzConfig - appliedSpec := featureStore.Status.Applied if appliedSpec.AuthzConfig != nil && appliedSpec.AuthzConfig.OidcAuthz != nil { - propertiesMap, authSecretErr := secretExtractionFunc("", appliedSpec.AuthzConfig.OidcAuthz.SecretRef.Name, "") - if authSecretErr != nil { - return repoConfig, authSecretErr - } - + repoConfig.AuthzConfig = AuthzConfig{Type: OidcAuthType} + oidcAuthz := appliedSpec.AuthzConfig.OidcAuthz oidcParameters := map[string]interface{}{} - for _, oidcProperty := range OidcProperties { - if val, exists := propertiesMap[string(oidcProperty)]; exists { - oidcParameters[string(oidcProperty)] = val - } else { - return repoConfig, missingOidcSecretProperty(oidcProperty) + + var secretProperties map[string]interface{} + if oidcAuthz.SecretRef != nil { + var err error + secretProperties, err = secretExtractionFunc("", oidcAuthz.SecretRef.Name, oidcAuthz.SecretKeyName) + if err != nil { + return repoConfig, err + } + for _, prop := range OidcOptionalSecretProperties { + if val, exists := secretProperties[string(prop)]; exists { + oidcParameters[string(prop)] = val + } } } + + discoveryUrl, err := resolveAuthDiscoveryUrl(oidcAuthz, secretProperties) + if err != nil { + return repoConfig, err + } + oidcParameters[string(OidcAuthDiscoveryUrl)] = discoveryUrl + + if oidcAuthz.VerifySSL != nil { + oidcParameters[string(OidcVerifySsl)] = *oidcAuthz.VerifySSL + } + if caCertPath := resolveOidcCACertPath(oidcAuthz, odhCaBundleExists); caCertPath != "" { + oidcParameters[string(OidcCaCertPath)] = caCertPath + } repoConfig.AuthzConfig.OidcParameters = oidcParameters + } else { + repoConfig.AuthzConfig = clientRepoConfig.AuthzConfig } return repoConfig, nil } +// resolveAuthDiscoveryUrl determines the OIDC discovery URL from the first available source. +// Priority: CR issuerUrl > Secret auth_discovery_url > OIDC_ISSUER_URL env var. +func resolveAuthDiscoveryUrl(oidcAuthz *feastdevv1.OidcAuthz, secretProperties map[string]interface{}) (string, error) { + if oidcAuthz.IssuerUrl != "" { + return issuerToDiscoveryUrl(oidcAuthz.IssuerUrl), nil + } + + if val, ok := secretProperties[string(OidcAuthDiscoveryUrl)]; ok { + if s, ok := val.(string); ok && s != "" { + return s, nil + } + } + + if envIssuer := os.Getenv(oidcIssuerUrlEnvVar); envIssuer != "" { + return issuerToDiscoveryUrl(envIssuer), nil + } + + return "", fmt.Errorf("no OIDC discovery URL configured: set issuerUrl on the OidcAuthz CR, "+ + "include auth_discovery_url in the referenced Secret, or ensure the %s environment variable is set on the operator pod", oidcIssuerUrlEnvVar) +} + +func issuerToDiscoveryUrl(issuerUrl string) string { + return strings.TrimRight(issuerUrl, "/") + "/.well-known/openid-configuration" +} + +// resolveOidcCACertPath determines the CA cert file path for OIDC provider TLS verification. +// Priority: explicit CRD caCertConfigMap > ODH auto-detected bundle > empty (system CA fallback). +func resolveOidcCACertPath(oidcAuthz *feastdevv1.OidcAuthz, odhCaBundleExists bool) string { + if oidcAuthz.CACertConfigMap != nil { + return tlsPathOidcCA + } + if odhCaBundleExists { + return tlsPathOdhCABundle + } + return "" +} + func setRepoConfigRegistry(services *feastdevv1.FeatureStoreServices, secretExtractionFunc func(storeType string, secretRef string, secretKeyName string) (map[string]interface{}, error), repoConfig *RepoConfig) error { registryPersistence := services.Registry.Local.Persistence @@ -284,24 +341,17 @@ func setRepoConfigBatchEngine( return nil } -func (feast *FeastServices) getClientFeatureStoreYaml(secretExtractionFunc func(storeType string, secretRef string, secretKeyName string) (map[string]interface{}, error)) ([]byte, error) { - clientRepo, err := getClientRepoConfig(feast.Handler.FeatureStore, secretExtractionFunc, feast) - if err != nil { - return []byte{}, err - } +func (feast *FeastServices) getClientFeatureStoreYaml() ([]byte, error) { + clientRepo := getClientRepoConfig(feast.Handler.FeatureStore, feast) return yaml.Marshal(clientRepo) } func getClientRepoConfig( featureStore *feastdevv1.FeatureStore, - secretExtractionFunc func(storeType string, secretRef string, secretKeyName string) (map[string]interface{}, error), - feast *FeastServices) (RepoConfig, error) { + feast *FeastServices) RepoConfig { status := featureStore.Status appliedServices := status.Applied.Services - clientRepoConfig, err := getRepoConfig(featureStore, secretExtractionFunc) - if err != nil { - return clientRepoConfig, err - } + clientRepoConfig := getRepoConfig(featureStore) if len(status.ServiceHostnames.OfflineStore) > 0 { clientRepoConfig.OfflineStore = OfflineStoreConfig{ Type: OfflineRemoteConfigType, @@ -339,12 +389,10 @@ func getClientRepoConfig( } } - return clientRepoConfig, nil + return clientRepoConfig } -func getRepoConfig( - featureStore *feastdevv1.FeatureStore, - secretExtractionFunc func(storeType string, secretRef string, secretKeyName string) (map[string]interface{}, error)) (RepoConfig, error) { +func getRepoConfig(featureStore *feastdevv1.FeatureStore) RepoConfig { status := featureStore.Status repoConfig := initRepoConfig(status.Applied.FeastProject) if status.Applied.AuthzConfig != nil { @@ -356,24 +404,16 @@ func getRepoConfig( repoConfig.AuthzConfig = AuthzConfig{ Type: OidcAuthType, } - - propertiesMap, err := secretExtractionFunc("", status.Applied.AuthzConfig.OidcAuthz.SecretRef.Name, "") - if err != nil { - return repoConfig, err - } - oidcClientProperties := map[string]interface{}{} - for _, oidcProperty := range OidcProperties { - if val, exists := propertiesMap[string(oidcProperty)]; exists { - oidcClientProperties[string(oidcProperty)] = val - } else { - return repoConfig, missingOidcSecretProperty(oidcProperty) - } + if status.Applied.AuthzConfig.OidcAuthz.TokenEnvVar != nil { + oidcClientProperties[string(OidcTokenEnvVar)] = *status.Applied.AuthzConfig.OidcAuthz.TokenEnvVar + } + if len(oidcClientProperties) > 0 { + repoConfig.AuthzConfig.OidcParameters = oidcClientProperties } - repoConfig.AuthzConfig.OidcParameters = oidcClientProperties } } - return repoConfig, nil + return repoConfig } func getActualPath(filePath string, pvcConfig *feastdevv1.PvcConfig) string { diff --git a/infra/feast-operator/internal/controller/services/repo_config_test.go b/infra/feast-operator/internal/controller/services/repo_config_test.go index 70869568dea..20fff934f19 100644 --- a/infra/feast-operator/internal/controller/services/repo_config_test.go +++ b/infra/feast-operator/internal/controller/services/repo_config_test.go @@ -46,7 +46,7 @@ var _ = Describe("Repo Config", func() { Path: EphemeralPath + "/" + DefaultOnlineStorePath, } - repoConfig, err := getServiceRepoConfig(featureStore, emptyMockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap) + repoConfig, err := getServiceRepoConfig(featureStore, emptyMockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap, false) Expect(err).NotTo(HaveOccurred()) Expect(repoConfig.AuthzConfig.Type).To(Equal(NoAuthAuthType)) Expect(repoConfig.OfflineStore).To(Equal(emptyOfflineStoreConfig)) @@ -74,7 +74,7 @@ var _ = Describe("Repo Config", func() { Path: testPath, } - repoConfig, err = getServiceRepoConfig(featureStore, emptyMockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap) + repoConfig, err = getServiceRepoConfig(featureStore, emptyMockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap, false) Expect(err).NotTo(HaveOccurred()) Expect(repoConfig.AuthzConfig.Type).To(Equal(NoAuthAuthType)) Expect(repoConfig.OfflineStore).To(Equal(emptyOfflineStoreConfig)) @@ -96,7 +96,7 @@ var _ = Describe("Repo Config", func() { Expect(appliedServices.OnlineStore).NotTo(BeNil()) Expect(appliedServices.Registry.Local).NotTo(BeNil()) - repoConfig, err = getServiceRepoConfig(featureStore, emptyMockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap) + repoConfig, err = getServiceRepoConfig(featureStore, emptyMockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap, false) Expect(err).NotTo(HaveOccurred()) Expect(repoConfig.OfflineStore).To(Equal(defaultOfflineStoreConfig)) Expect(repoConfig.AuthzConfig.Type).To(Equal(NoAuthAuthType)) @@ -115,7 +115,7 @@ var _ = Describe("Repo Config", func() { }, } ApplyDefaultsToStatus(featureStore) - repoConfig, err = getServiceRepoConfig(featureStore, emptyMockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap) + repoConfig, err = getServiceRepoConfig(featureStore, emptyMockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap, false) Expect(err).NotTo(HaveOccurred()) Expect(repoConfig.AuthzConfig.Type).To(Equal(NoAuthAuthType)) Expect(repoConfig.OfflineStore).To(Equal(emptyOfflineStoreConfig)) @@ -163,7 +163,7 @@ var _ = Describe("Repo Config", func() { Path: "/data/online.db", } - repoConfig, err = getServiceRepoConfig(featureStore, emptyMockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap) + repoConfig, err = getServiceRepoConfig(featureStore, emptyMockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap, false) Expect(err).NotTo(HaveOccurred()) Expect(repoConfig.AuthzConfig.Type).To(Equal(NoAuthAuthType)) Expect(repoConfig.OfflineStore).To(Equal(expectedOfflineConfig)) @@ -188,17 +188,17 @@ var _ = Describe("Repo Config", func() { Type: "dask", } - repoConfig, err = getServiceRepoConfig(featureStore, mockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap) + repoConfig, err = getServiceRepoConfig(featureStore, mockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap, false) Expect(err).NotTo(HaveOccurred()) Expect(repoConfig.AuthzConfig.Type).To(Equal(KubernetesAuthType)) Expect(repoConfig.OfflineStore).To(Equal(expectedOfflineConfig)) Expect(repoConfig.OnlineStore).To(Equal(defaultOnlineStoreConfig(featureStore))) Expect(repoConfig.Registry).To(Equal(defaultRegistryConfig(featureStore))) - By("Having oidc authorization") + By("Having oidc authorization with Secret") featureStore.Spec.AuthzConfig = &feastdevv1.AuthzConfig{ OidcAuthz: &feastdevv1.OidcAuthz{ - SecretRef: corev1.LocalObjectReference{ + SecretRef: &corev1.LocalObjectReference{ Name: "oidc-secret", }, }, @@ -211,7 +211,7 @@ var _ = Describe("Repo Config", func() { string(OidcClientSecret): "client-secret", string(OidcUsername): "username", string(OidcPassword): "password"}) - repoConfig, err = getServiceRepoConfig(featureStore, secretExtractionFunc, emptyMockExtractConfigFromConfigMap) + repoConfig, err = getServiceRepoConfig(featureStore, secretExtractionFunc, emptyMockExtractConfigFromConfigMap, false) Expect(err).NotTo(HaveOccurred()) Expect(repoConfig.AuthzConfig.Type).To(Equal(OidcAuthType)) Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveLen(5)) @@ -224,15 +224,35 @@ var _ = Describe("Repo Config", func() { Expect(repoConfig.OnlineStore).To(Equal(defaultOnlineStoreConfig(featureStore))) Expect(repoConfig.Registry).To(Equal(defaultRegistryConfig(featureStore))) - repoConfig, err = getClientRepoConfig(featureStore, secretExtractionFunc, nil) + repoConfig = getClientRepoConfig(featureStore, nil) + Expect(repoConfig.AuthzConfig.Type).To(Equal(OidcAuthType)) + + By("Having oidc authorization with issuerUrl only (no Secret)") + featureStore.Spec.AuthzConfig = &feastdevv1.AuthzConfig{ + OidcAuthz: &feastdevv1.OidcAuthz{ + IssuerUrl: "https://keycloak.example.com/realms/test", + }, + } + ApplyDefaultsToStatus(featureStore) + repoConfig, err = getServiceRepoConfig(featureStore, emptyMockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap, false) Expect(err).NotTo(HaveOccurred()) Expect(repoConfig.AuthzConfig.Type).To(Equal(OidcAuthType)) - Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveLen(5)) - Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcClientId))) - Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcAuthDiscoveryUrl))) - Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcClientSecret))) - Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcUsername))) - Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcPassword))) + Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveLen(1)) + Expect(repoConfig.AuthzConfig.OidcParameters[string(OidcAuthDiscoveryUrl)]).To(Equal("https://keycloak.example.com/realms/test/.well-known/openid-configuration")) + + By("Having oidc with issuerUrl on CR and auth_discovery_url in Secret — CR wins") + featureStore.Spec.AuthzConfig = &feastdevv1.AuthzConfig{ + OidcAuthz: &feastdevv1.OidcAuthz{ + IssuerUrl: "https://keycloak.example.com/realms/cr-wins", + SecretRef: &corev1.LocalObjectReference{ + Name: "oidc-secret", + }, + }, + } + ApplyDefaultsToStatus(featureStore) + repoConfig, err = getServiceRepoConfig(featureStore, secretExtractionFunc, emptyMockExtractConfigFromConfigMap, false) + Expect(err).NotTo(HaveOccurred()) + Expect(repoConfig.AuthzConfig.OidcParameters[string(OidcAuthDiscoveryUrl)]).To(Equal("https://keycloak.example.com/realms/cr-wins/.well-known/openid-configuration")) By("Having the all the db services") featureStore = minimalFeatureStore() @@ -275,7 +295,7 @@ var _ = Describe("Repo Config", func() { featureStore.Spec.Services.OfflineStore.Persistence.FilePersistence = nil featureStore.Spec.Services.OnlineStore.Persistence.FilePersistence = nil featureStore.Spec.Services.Registry.Local.Persistence.FilePersistence = nil - repoConfig, err = getServiceRepoConfig(featureStore, mockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap) + repoConfig, err = getServiceRepoConfig(featureStore, mockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap, false) Expect(err).NotTo(HaveOccurred()) newMap := CopyMap(parameterMap) port := parameterMap["port"].(int) @@ -301,10 +321,20 @@ var _ = Describe("Repo Config", func() { It("should fail to create the repo configs", func() { featureStore := minimalFeatureStore() - By("Having invalid server oidc authorization") + By("Having oidc with no issuerUrl, no Secret, no env var — should fail") + featureStore.Spec.AuthzConfig = &feastdevv1.AuthzConfig{ + OidcAuthz: &feastdevv1.OidcAuthz{}, + } + ApplyDefaultsToStatus(featureStore) + + _, err := getServiceRepoConfig(featureStore, emptyMockExtractConfigFromSecret, emptyMockExtractConfigFromConfigMap, false) + Expect(err).To(HaveOccurred()) + Expect(err.Error()).To(ContainSubstring("no OIDC discovery URL configured")) + + By("Having oidc with Secret missing auth_discovery_url and no issuerUrl — should fail") featureStore.Spec.AuthzConfig = &feastdevv1.AuthzConfig{ OidcAuthz: &feastdevv1.OidcAuthz{ - SecretRef: corev1.LocalObjectReference{ + SecretRef: &corev1.LocalObjectReference{ Name: "oidc-secret", }, }, @@ -316,17 +346,14 @@ var _ = Describe("Repo Config", func() { string(OidcClientSecret): "client-secret", string(OidcUsername): "username", string(OidcPassword): "password"}) - _, err := getServiceRepoConfig(featureStore, secretExtractionFunc, emptyMockExtractConfigFromConfigMap) - Expect(err).To(HaveOccurred()) - Expect(err.Error()).To(ContainSubstring("missing OIDC secret")) - _, err = getClientRepoConfig(featureStore, secretExtractionFunc, nil) + _, err = getServiceRepoConfig(featureStore, secretExtractionFunc, emptyMockExtractConfigFromConfigMap, false) Expect(err).To(HaveOccurred()) - Expect(err.Error()).To(ContainSubstring("missing OIDC secret")) + Expect(err.Error()).To(ContainSubstring("no OIDC discovery URL configured")) By("Having invalid client oidc authorization") featureStore.Spec.AuthzConfig = &feastdevv1.AuthzConfig{ OidcAuthz: &feastdevv1.OidcAuthz{ - SecretRef: corev1.LocalObjectReference{ + SecretRef: &corev1.LocalObjectReference{ Name: "oidc-secret", }, }, @@ -338,12 +365,9 @@ var _ = Describe("Repo Config", func() { string(OidcClientId): "client-id", string(OidcUsername): "username", string(OidcPassword): "password"}) - _, err = getServiceRepoConfig(featureStore, secretExtractionFunc, emptyMockExtractConfigFromConfigMap) - Expect(err).To(HaveOccurred()) - Expect(err.Error()).To(ContainSubstring("missing OIDC secret")) - _, err = getClientRepoConfig(featureStore, secretExtractionFunc, nil) - Expect(err).To(HaveOccurred()) - Expect(err.Error()).To(ContainSubstring("missing OIDC secret")) + _, err = getServiceRepoConfig(featureStore, secretExtractionFunc, emptyMockExtractConfigFromConfigMap, false) + Expect(err).NotTo(HaveOccurred()) + getClientRepoConfig(featureStore, nil) }) }) @@ -519,8 +543,7 @@ var _ = Describe("TLS Certificate Path Configuration", func() { } // Test with nil feast parameter (no custom CA bundle) - repoConfig, err := getClientRepoConfig(featureStore, emptyMockExtractConfigFromSecret, nil) - Expect(err).NotTo(HaveOccurred()) + repoConfig := getClientRepoConfig(featureStore, nil) // Verify individual service certificate paths are used Expect(repoConfig.OfflineStore.Cert).To(Equal("/tls/offline/tls.crt")) @@ -589,8 +612,7 @@ var _ = Describe("TLS Certificate Path Configuration", func() { } // Test with nil feast parameter (no custom CA bundle available) - repoConfig, err := getClientRepoConfig(featureStore, emptyMockExtractConfigFromSecret, nil) - Expect(err).NotTo(HaveOccurred()) + repoConfig := getClientRepoConfig(featureStore, nil) Expect(repoConfig.OfflineStore.Cert).To(Equal("/tls/offline/tls.crt")) }) }) diff --git a/infra/feast-operator/internal/controller/services/services_types.go b/infra/feast-operator/internal/controller/services/services_types.go index 10ac3538a99..5b4479698f3 100644 --- a/infra/feast-operator/internal/controller/services/services_types.go +++ b/infra/feast-operator/internal/controller/services/services_types.go @@ -50,6 +50,11 @@ const ( caBundleAnnotation = "config.openshift.io/inject-trusted-cabundle" caBundleName = "odh-trusted-ca-bundle" + odhCaBundleKey = "odh-ca-bundle.crt" + tlsPathOdhCABundle = "/etc/pki/tls/custom-certs/odh-ca-bundle.crt" + tlsPathOidcCA = "/etc/pki/tls/oidc-ca/ca.crt" + oidcCaVolumeName = "oidc-ca-cert" + defaultCACertKey = "ca-bundle.crt" DefaultOfflineStorageRequest = "20Gi" DefaultOnlineStorageRequest = "5Gi" @@ -91,6 +96,9 @@ const ( OidcClientSecret OidcPropertyType = "client_secret" OidcUsername OidcPropertyType = "username" OidcPassword OidcPropertyType = "password" + OidcTokenEnvVar OidcPropertyType = "token_env_var" + OidcVerifySsl OidcPropertyType = "verify_ssl" + OidcCaCertPath OidcPropertyType = "ca_cert_path" OidcMissingSecretError string = "missing OIDC secret: %s" ) @@ -208,9 +216,7 @@ var ( }, } - OidcServerProperties = []OidcPropertyType{OidcClientId, OidcAuthDiscoveryUrl} - OidcClientProperties = []OidcPropertyType{OidcClientSecret, OidcUsername, OidcPassword} - OidcProperties = []OidcPropertyType{OidcClientId, OidcAuthDiscoveryUrl, OidcClientSecret, OidcUsername, OidcPassword} + OidcOptionalSecretProperties = []OidcPropertyType{OidcAuthDiscoveryUrl, OidcClientId, OidcClientSecret, OidcUsername, OidcPassword} ) // Feast server types: Reserved only for server types like Online, Offline, and Registry servers. Should not be used for client types like the UI, etc. diff --git a/infra/feast-operator/internal/controller/services/tls.go b/infra/feast-operator/internal/controller/services/tls.go index a2224d923ee..cd1121f770c 100644 --- a/infra/feast-operator/internal/controller/services/tls.go +++ b/infra/feast-operator/internal/controller/services/tls.go @@ -210,6 +210,10 @@ func (feast *FeastServices) mountTlsConfigs(podSpec *corev1.PodSpec) { feast.mountTlsConfig(OnlineFeastType, podSpec) feast.mountTlsConfig(UIFeastType, podSpec) feast.mountCustomCABundle(podSpec) + appliedSpec := feast.Handler.FeatureStore.Status.Applied + if appliedSpec.AuthzConfig != nil && appliedSpec.AuthzConfig.OidcAuthz != nil { + feast.mountOidcCACert(podSpec, appliedSpec.AuthzConfig.OidcAuthz) + } } func (feast *FeastServices) mountTlsConfig(feastType FeastServiceType, podSpec *corev1.PodSpec) { @@ -281,17 +285,58 @@ func (feast *FeastServices) mountCustomCABundle(podSpec *corev1.PodSpec) { ReadOnly: true, SubPath: "ca-bundle.crt", } + odhCaMount := corev1.VolumeMount{ + Name: customCaBundle.VolumeName, + MountPath: tlsPathOdhCABundle, + ReadOnly: true, + SubPath: odhCaBundleKey, + } for i := range podSpec.Containers { - podSpec.Containers[i].VolumeMounts = append(podSpec.Containers[i].VolumeMounts, caMount) + podSpec.Containers[i].VolumeMounts = append(podSpec.Containers[i].VolumeMounts, caMount, odhCaMount) } for i := range podSpec.InitContainers { - podSpec.InitContainers[i].VolumeMounts = append(podSpec.InitContainers[i].VolumeMounts, caMount) + podSpec.InitContainers[i].VolumeMounts = append(podSpec.InitContainers[i].VolumeMounts, caMount, odhCaMount) } log.FromContext(feast.Handler.Context).Info("Mounted custom CA bundle ConfigMap to Feast pods.") } } +func (feast *FeastServices) mountOidcCACert(podSpec *corev1.PodSpec, oidcAuthz *feastdevv1.OidcAuthz) { + if oidcAuthz.CACertConfigMap == nil { + return + } + cmName := oidcAuthz.CACertConfigMap.Name + cmKey := oidcAuthz.CACertConfigMap.Key + if cmKey == "" { + cmKey = defaultCACertKey + } + + podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{ + Name: oidcCaVolumeName, + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{Name: cmName}, + }, + }, + }) + + mount := corev1.VolumeMount{ + Name: oidcCaVolumeName, + MountPath: tlsPathOidcCA, + ReadOnly: true, + SubPath: cmKey, + } + for i := range podSpec.Containers { + podSpec.Containers[i].VolumeMounts = append(podSpec.Containers[i].VolumeMounts, mount) + } + for i := range podSpec.InitContainers { + podSpec.InitContainers[i].VolumeMounts = append(podSpec.InitContainers[i].VolumeMounts, mount) + } + + log.FromContext(feast.Handler.Context).Info("Mounted OIDC CA certificate ConfigMap to Feast pods.", "configMap", cmName, "key", cmKey) +} + // GetCustomCertificatesBundle retrieves the custom CA bundle ConfigMap if it exists when deployed with RHOAI or ODH func (feast *FeastServices) GetCustomCertificatesBundle() CustomCertificatesBundle { var customCertificatesBundle CustomCertificatesBundle diff --git a/infra/feast-operator/internal/controller/services/tls_test.go b/infra/feast-operator/internal/controller/services/tls_test.go index b59ef80181e..0bd3bb82694 100644 --- a/infra/feast-operator/internal/controller/services/tls_test.go +++ b/infra/feast-operator/internal/controller/services/tls_test.go @@ -128,8 +128,7 @@ var _ = Describe("TLS Config", func() { err = feast.ApplyDefaults() Expect(err).ToNot(HaveOccurred()) - repoConfig, err := getClientRepoConfig(feast.Handler.FeatureStore, emptyMockExtractConfigFromSecret, &feast) - Expect(err).NotTo(HaveOccurred()) + repoConfig := getClientRepoConfig(feast.Handler.FeatureStore, &feast) Expect(repoConfig.OfflineStore.Port).To(Equal(HttpsPort)) Expect(repoConfig.OfflineStore.Scheme).To(Equal(HttpsScheme)) Expect(repoConfig.OfflineStore.Cert).To(ContainSubstring(string(OfflineFeastType))) @@ -275,8 +274,7 @@ var _ = Describe("TLS Config", func() { err = feast.ApplyDefaults() Expect(err).ToNot(HaveOccurred()) - repoConfig, err = getClientRepoConfig(feast.Handler.FeatureStore, emptyMockExtractConfigFromSecret, &feast) - Expect(err).NotTo(HaveOccurred()) + repoConfig = getClientRepoConfig(feast.Handler.FeatureStore, &feast) Expect(repoConfig.OfflineStore.Port).To(Equal(HttpsPort)) Expect(repoConfig.OfflineStore.Scheme).To(Equal(HttpsScheme)) Expect(repoConfig.OfflineStore.Cert).To(ContainSubstring(string(OfflineFeastType))) diff --git a/infra/feast-operator/internal/controller/services/util.go b/infra/feast-operator/internal/controller/services/util.go index 3c9fedbe49d..ecf97f2f865 100644 --- a/infra/feast-operator/internal/controller/services/util.go +++ b/infra/feast-operator/internal/controller/services/util.go @@ -407,10 +407,6 @@ func SetIsOpenShift(cfg *rest.Config) { } } -func missingOidcSecretProperty(property OidcPropertyType) error { - return fmt.Errorf(OidcMissingSecretError, property) -} - // getEnvVar returns the position of the EnvVar found by name func getEnvVar(envName string, env []corev1.EnvVar) int { for pos, v := range env { diff --git a/sdk/python/feast/permissions/auth/oidc_token_parser.py b/sdk/python/feast/permissions/auth/oidc_token_parser.py index ffff7e7ad34..7940c9d7525 100644 --- a/sdk/python/feast/permissions/auth/oidc_token_parser.py +++ b/sdk/python/feast/permissions/auth/oidc_token_parser.py @@ -1,5 +1,6 @@ import logging import os +import ssl from typing import Optional from unittest.mock import Mock @@ -21,8 +22,13 @@ class OidcTokenParser(TokenParser): """ - A `TokenParser` to use an OIDC server to retrieve the user details. - Server settings are retrieved from the `auth` configurationof the Feature store. + A ``TokenParser`` to use an OIDC server to retrieve the user details. + Server settings are retrieved from the ``auth`` configuration of the Feature store. + + Incoming tokens that contain a ``kubernetes.io`` claim (i.e. Kubernetes + service-account tokens) are handled via a lightweight TokenReview that + extracts only the namespace — no RBAC queries needed. All other tokens + follow the standard OIDC/Keycloak JWKS validation path. """ _auth_config: OidcAuthConfig @@ -30,8 +36,11 @@ class OidcTokenParser(TokenParser): def __init__(self, auth_config: OidcAuthConfig): self._auth_config = auth_config self.oidc_discovery_service = OIDCDiscoveryService( - self._auth_config.auth_discovery_url + self._auth_config.auth_discovery_url, + verify_ssl=self._auth_config.verify_ssl, + ca_cert_path=self._auth_config.ca_cert_path, ) + self._k8s_auth_api = None async def _validate_token(self, access_token: str): """ @@ -50,79 +59,201 @@ async def _validate_token(self, access_token: str): await oauth_2_scheme(request=request) + @staticmethod + def _extract_username_or_raise_error(data: dict) -> str: + """Extract the username from the decoded JWT. Raises if missing — identity is mandatory. + + Checks ``preferred_username`` first (Keycloak default), then falls back + to ``upn`` (Azure AD / Entra ID). + """ + if "preferred_username" in data: + return data["preferred_username"] + if "upn" in data: + return data["upn"] + raise AuthenticationError( + "Missing preferred_username or upn field in access token." + ) + + @staticmethod + def _extract_claim(data: dict, *keys: str, expected_type: type = list): + """Walk *keys* into *data* and return the leaf value, or ``expected_type()`` if any key is missing or the wrong type.""" + node = data + path = ".".join(keys) + for key in keys: + if not isinstance(node, dict) or key not in node: + logger.debug( + f"Missing {key} in access token claim path '{path}'. Defaulting to {expected_type()}." + ) + return expected_type() + node = node[key] + if not isinstance(node, expected_type): + logger.debug( + f"Expected {expected_type.__name__} at '{path}', got {type(node).__name__}. Defaulting to {expected_type()}." + ) + return expected_type() + return node + + @staticmethod + def _is_ssl_error(exc: BaseException) -> bool: + """Walk the exception chain looking for SSL-related errors.""" + current: Optional[BaseException] = exc + while current is not None: + if isinstance(current, ssl.SSLError): + return True + current = current.__cause__ or current.__context__ + return False + + def _decode_token(self, access_token: str) -> dict: + """Fetch the JWKS signing key and decode + verify the JWT.""" + optional_custom_headers = {"User-agent": "custom-user-agent"} + ssl_ctx = ssl.create_default_context() + if not self._auth_config.verify_ssl: + ssl_ctx.check_hostname = False + ssl_ctx.verify_mode = ssl.CERT_NONE + elif self._auth_config.ca_cert_path and os.path.exists( + self._auth_config.ca_cert_path + ): + ssl_ctx.load_verify_locations(self._auth_config.ca_cert_path) + jwks_client = PyJWKClient( + self.oidc_discovery_service.get_jwks_url(), + headers=optional_custom_headers, + ssl_context=ssl_ctx, + ) + signing_key = jwks_client.get_signing_key_from_jwt(access_token) + return jwt.decode( + access_token, + signing_key.key, + algorithms=["RS256"], + audience="account", + options={ + "verify_aud": False, + "verify_signature": True, + "verify_exp": True, + }, + leeway=10, # accepts tokens generated up to 10 seconds in the past, in case of clock skew + ) + async def user_details_from_access_token(self, access_token: str) -> User: """ - Validate the access token then decode it to extract the user credential and roles. + Validate the access token then decode it to extract the user credentials, + roles, and groups. + + A single unverified decode is performed upfront for lightweight routing: + intra-server communication, Kubernetes SA tokens (identified by the + ``kubernetes.io`` claim), or standard OIDC/Keycloak JWKS validation. Returns: - User: Current user, with associated roles. + User: Current user, with associated roles, groups, or namespaces. Raises: AuthenticationError if any error happens. """ + try: + unverified = jwt.decode(access_token, options={"verify_signature": False}) + except jwt.exceptions.DecodeError as e: + raise AuthenticationError(f"Failed to decode token: {e}") - # check if intra server communication - user = self._get_intra_comm_user(access_token) + user = self._get_intra_comm_user(unverified) if user: return user + if isinstance(unverified.get("kubernetes.io"), dict): + logger.debug("Detected kubernetes.io claim — validating via TokenReview") + try: + return await self._validate_k8s_sa_token_and_extract_namespace( + access_token + ) + except AuthenticationError: + raise + except Exception as e: + logger.error(f"Kubernetes token validation failed: {e}") + raise AuthenticationError(f"Kubernetes token validation failed: {e}") + + # Standard OIDC / Keycloak flow try: await self._validate_token(access_token) logger.debug("Token successfully validated.") except Exception as e: + if self._is_ssl_error(e): + logger.error( + "OIDC provider SSL certificate verification failed. " + "If using a self-signed certificate, set verify_ssl: false " + "or provide a CA certificate via ca_cert_path." + ) logger.error(f"Token validation failed: {e}") raise AuthenticationError(f"Invalid token: {e}") - optional_custom_headers = {"User-agent": "custom-user-agent"} - jwks_client = PyJWKClient( - self.oidc_discovery_service.get_jwks_url(), headers=optional_custom_headers - ) - try: - signing_key = jwks_client.get_signing_key_from_jwt(access_token) - data = jwt.decode( - access_token, - signing_key.key, - algorithms=["RS256"], - audience="account", - options={ - "verify_aud": False, - "verify_signature": True, - "verify_exp": True, - }, - leeway=10, # accepts tokens generated up to 10 seconds in the past, in case of clock skew - ) + data = self._decode_token(access_token) - if "preferred_username" not in data: - raise AuthenticationError( - "Missing preferred_username field in access token." - ) - current_user = data["preferred_username"] - - if "resource_access" not in data: - logger.warning("Missing resource_access field in access token.") - client_id = self._auth_config.client_id - if client_id not in data["resource_access"]: - logger.warning( - f"Missing resource_access.{client_id} field in access token. Defaulting to empty roles." + current_user = self._extract_username_or_raise_error(data) + roles = ( + self._extract_claim( + data, "resource_access", self._auth_config.client_id, "roles" ) - roles = [] - else: - roles = data["resource_access"][client_id]["roles"] + if self._auth_config.client_id + else [] + ) + groups = self._extract_claim(data, "groups") - logger.info(f"Extracted user {current_user} and roles {roles}") - return User(username=current_user, roles=roles) - except jwt.exceptions.InvalidTokenError: + logger.info( + f"Extracted user {current_user} with roles {roles}, groups {groups}" + ) + return User( + username=current_user, + roles=roles, + groups=groups, + ) + except jwt.exceptions.PyJWTError as e: + if self._is_ssl_error(e): + logger.error( + "OIDC JWKS endpoint SSL certificate verification failed. " + "If using a self-signed certificate, set verify_ssl: false " + "or provide a CA certificate via ca_cert_path." + ) logger.exception("Exception while parsing the token:") raise AuthenticationError("Invalid token.") - def _get_intra_comm_user(self, access_token: str) -> Optional[User]: + async def _validate_k8s_sa_token_and_extract_namespace( + self, access_token: str + ) -> User: + """Validate a K8s SA token via TokenReview and extract the namespace. + + Lightweight alternative to full KubernetesTokenParser — only validates + the token and extracts the namespace from the authenticated identity. + No RBAC queries (RoleBindings, ClusterRoleBindings) are performed, + so the server SA needs only ``tokenreviews/create`` permission. + """ + from kubernetes import client, config + + if self._k8s_auth_api is None: + config.load_incluster_config() + self._k8s_auth_api = client.AuthenticationV1Api() + + token_review = client.V1TokenReview( + spec=client.V1TokenReviewSpec(token=access_token) + ) + auth_api: client.AuthenticationV1Api = self._k8s_auth_api + response = auth_api.create_token_review(token_review) + + if not response.status.authenticated: + raise AuthenticationError( + f"Kubernetes token validation failed: {response.status.error}" + ) + + username = getattr(response.status.user, "username", "") or "" + namespaces = [] + if username.startswith("system:serviceaccount:") and username.count(":") >= 3: + namespaces.append(username.split(":")[2]) + + logger.info(f"SA token validated — user: {username}, namespaces: {namespaces}") + return User(username=username, roles=[], groups=[], namespaces=namespaces) + + @staticmethod + def _get_intra_comm_user(decoded_token: dict) -> Optional[User]: intra_communication_base64 = os.getenv("INTRA_COMMUNICATION_BASE64") if intra_communication_base64: - decoded_token = jwt.decode( - access_token, options={"verify_signature": False} - ) if "preferred_username" in decoded_token: preferred_username: str = decoded_token["preferred_username"] if ( diff --git a/sdk/python/feast/permissions/auth_model.py b/sdk/python/feast/permissions/auth_model.py index 3690d62b728..aa38c0d8937 100644 --- a/sdk/python/feast/permissions/auth_model.py +++ b/sdk/python/feast/permissions/auth_model.py @@ -1,63 +1,68 @@ -# -------------------------------------------------------------------- -# Extends OIDC client auth model with an optional `token` field. -# Works on Pydantic v2-only. -# -# Accepted credential sets (exactly **one** of): -# 1 pre-issued `token` -# 2 `client_secret` (client-credentials flow) -# 3 `username` + `password` + `client_secret` (ROPG) -# -------------------------------------------------------------------- from __future__ import annotations -from typing import Literal, Optional +from typing import Literal, Optional, Tuple from pydantic import ConfigDict, model_validator from feast.repo_config import FeastConfigBaseModel +def _check_mutually_exclusive(**groups: Tuple[object, ...]) -> None: + """Validate that at most one named group is configured, and completely. + + Each *group* is a tuple of field values. + A group is **active** only when *all* its values are truthy. + A group is **partial** (error) when *any* but not *all* values are truthy. + At most one active group may exist. + """ + partial = [name for name, vals in groups.items() if any(vals) and not all(vals)] + if partial: + raise ValueError( + f"Incomplete configuration for '{partial[0]}': " + f"configure all of these fields together, or none at all. " + f"Check the documentation for valid credential combinations." + ) + active = [name for name, vals in groups.items() if all(vals)] + if len(active) > 1: + raise ValueError( + f"Only one of [{', '.join(groups)}] may be set, " + f"but got: {', '.join(active)}" + ) + + class AuthConfig(FeastConfigBaseModel): type: Literal["oidc", "kubernetes", "no_auth"] = "no_auth" class OidcAuthConfig(AuthConfig): auth_discovery_url: str - client_id: str + client_id: Optional[str] = None + verify_ssl: bool = True + ca_cert_path: str = "" class OidcClientAuthConfig(OidcAuthConfig): - # any **one** of the four fields below is sufficient + auth_discovery_url: Optional[str] = None # type: ignore[assignment] + client_id: Optional[str] = None + username: Optional[str] = None password: Optional[str] = None client_secret: Optional[str] = None - token: Optional[str] = None # pre-issued `token` + token: Optional[str] = None + token_env_var: Optional[str] = None @model_validator(mode="after") def _validate_credentials(self): - """Enforce exactly one valid credential set.""" - has_user_pass = bool(self.username) and bool(self.password) - has_secret = bool(self.client_secret) - has_token = bool(self.token) - - # 1 static token - if has_token and not (has_user_pass or has_secret): - return self - - # 2 client_credentials - if has_secret and not has_user_pass and not has_token: - return self - - # 3 ROPG - if has_user_pass and has_secret and not has_token: - return self - - raise ValueError( - "Invalid OIDC client auth combination: " - "provide either\n" - " • token\n" - " • client_secret (without username/password)\n" - " • username + password + client_secret" + network = (self.client_secret, self.auth_discovery_url, self.client_id) + if self.username or self.password: + network += (self.username, self.password) + + _check_mutually_exclusive( + token=(self.token,), + token_env_var=(self.token_env_var,), + client_credentials=network, ) + return self class NoAuthConfig(AuthConfig): @@ -65,7 +70,6 @@ class NoAuthConfig(AuthConfig): class KubernetesAuthConfig(AuthConfig): - # Optional user token for users (not service accounts) user_token: Optional[str] = None model_config = ConfigDict(arbitrary_types_allowed=True, extra="allow") diff --git a/sdk/python/feast/permissions/client/oidc_authentication_client_manager.py b/sdk/python/feast/permissions/client/oidc_authentication_client_manager.py index e7db600cab5..84a0c0115c9 100644 --- a/sdk/python/feast/permissions/client/oidc_authentication_client_manager.py +++ b/sdk/python/feast/permissions/client/oidc_authentication_client_manager.py @@ -1,5 +1,6 @@ import logging import os +from typing import Optional import jwt import requests @@ -10,6 +11,8 @@ logger = logging.getLogger(__name__) +SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token" + class OidcAuthClientManager(AuthenticationClientManager): def __init__(self, auth_config: OidcClientAuthConfig): @@ -17,24 +20,66 @@ def __init__(self, auth_config: OidcClientAuthConfig): def get_token(self): intra_communication_base64 = os.getenv("INTRA_COMMUNICATION_BASE64") - # If intra server communication call if intra_communication_base64: payload = { - "preferred_username": f"{intra_communication_base64}", # Subject claim + "preferred_username": f"{intra_communication_base64}", } - return jwt.encode(payload, "") - # Fetch the token endpoint from the discovery URL - token_endpoint = OIDCDiscoveryService( - self.auth_config.auth_discovery_url - ).get_token_url() - - # 1) pre-issued JWT supplied in config - if getattr(self.auth_config, "token", None): + if self.auth_config.token: return self.auth_config.token + elif self.auth_config.token_env_var: + env_token = os.getenv(self.auth_config.token_env_var) + if env_token: + return env_token + else: + raise PermissionError( + f"token_env_var='{self.auth_config.token_env_var}' is configured " + f"but the environment variable is not set or is empty." + ) + elif self.auth_config.client_secret: + return self._fetch_token_from_idp() + else: + env_token = os.getenv("FEAST_OIDC_TOKEN") + if env_token: + return env_token + + sa_token = self._read_sa_token() + if sa_token: + return sa_token + + raise PermissionError( + "No OIDC token source configured. Provide one of: " + "'token', 'token_env_var', 'client_secret' (with " + "'auth_discovery_url' and 'client_id'), set the " + "FEAST_OIDC_TOKEN environment variable, or run inside " + "a Kubernetes pod with a mounted service account token." + ) + + @staticmethod + def _read_sa_token() -> Optional[str]: + """Read the Kubernetes service account token from the standard mount path.""" + if os.path.isfile(SA_TOKEN_PATH): + with open(SA_TOKEN_PATH) as f: + token = f.read().strip() + if token: + return token + return None + + def _fetch_token_from_idp(self) -> str: + """Obtain an access token via client_credentials or ROPG flow.""" + if self.auth_config.auth_discovery_url is None: + raise ValueError( + "auth_discovery_url is required for IDP token fetch " + "(client_credentials or ROPG flow)." + ) + discovery = OIDCDiscoveryService( + self.auth_config.auth_discovery_url, + verify_ssl=self.auth_config.verify_ssl, + ca_cert_path=self.auth_config.ca_cert_path, + ) + token_endpoint = discovery.get_token_url() - # 2) client_credentials if self.auth_config.client_secret and not ( self.auth_config.username and self.auth_config.password ): @@ -43,7 +88,6 @@ def get_token(self): "client_id": self.auth_config.client_id, "client_secret": self.auth_config.client_secret, } - # 3) ROPG (username + password + client_secret) else: token_request_body = { "grant_type": "password", @@ -52,11 +96,15 @@ def get_token(self): "username": self.auth_config.username, "password": self.auth_config.password, } - headers = {"Content-Type": "application/x-www-form-urlencoded"} + headers = {"Content-Type": "application/x-www-form-urlencoded"} token_response = requests.post( - token_endpoint, data=token_request_body, headers=headers + token_endpoint, + data=token_request_body, + headers=headers, + verify=discovery._get_verify(), ) + if token_response.status_code == 200: access_token = token_response.json()["access_token"] if not access_token: diff --git a/sdk/python/feast/permissions/oidc_service.py b/sdk/python/feast/permissions/oidc_service.py index 73d0ec8f1b7..48edccd3d44 100644 --- a/sdk/python/feast/permissions/oidc_service.py +++ b/sdk/python/feast/permissions/oidc_service.py @@ -1,9 +1,15 @@ +import os + import requests class OIDCDiscoveryService: - def __init__(self, discovery_url: str): + def __init__( + self, discovery_url: str, verify_ssl: bool = True, ca_cert_path: str = "" + ): self.discovery_url = discovery_url + self._verify_ssl = verify_ssl + self._ca_cert_path = ca_cert_path self._discovery_data = None # Initialize it lazily. @property @@ -13,9 +19,16 @@ def discovery_data(self): self._discovery_data = self._fetch_discovery_data() return self._discovery_data + def _get_verify(self): + if not self._verify_ssl: + return False + if self._ca_cert_path and os.path.exists(self._ca_cert_path): + return self._ca_cert_path + return True + def _fetch_discovery_data(self) -> dict: try: - response = requests.get(self.discovery_url) + response = requests.get(self.discovery_url, verify=self._get_verify()) response.raise_for_status() return response.json() except requests.RequestException as e: diff --git a/sdk/python/feast/repo_config.py b/sdk/python/feast/repo_config.py index 93fb2070cfd..208307dc5d5 100644 --- a/sdk/python/feast/repo_config.py +++ b/sdk/python/feast/repo_config.py @@ -120,6 +120,24 @@ "oidc_client": "feast.permissions.auth_model.OidcClientAuthConfig", } +_OIDC_CLIENT_KEYS = frozenset( + {"client_secret", "token", "token_env_var", "username", "password"} +) + + +def _is_oidc_client_config(auth_dict: dict) -> bool: + """Decide whether an OIDC auth dict should be routed to OidcClientAuthConfig. + + True when the dict carries any client-credential key, or when it is a bare + ``{"type": "oidc"}`` dict with no server-side keys (auth_discovery_url / + client_id), which signals token-passthrough via FEAST_OIDC_TOKEN. + """ + if auth_dict.get("type") != AuthType.OIDC.value: + return False + has_client_keys = bool(_OIDC_CLIENT_KEYS & auth_dict.keys()) + has_server_keys = "auth_discovery_url" in auth_dict + return has_client_keys or not has_server_keys + class FeastBaseModel(BaseModel): """Feast Pydantic Configuration Class""" @@ -407,26 +425,12 @@ def offline_store(self): def auth_config(self): if not self._auth: if isinstance(self.auth, Dict): - # treat this auth block as *client-side* OIDC when it matches - # 1) ROPG – username + password + client_secret - # 2) client-credentials – client_secret only - # 3) static token – token - is_oidc_client = self.auth.get("type") == AuthType.OIDC.value and ( - ( - "username" in self.auth - and "password" in self.auth - and "client_secret" in self.auth - ) # 1 - or ( - "client_secret" in self.auth - and "username" not in self.auth - and "password" not in self.auth - ) # 2 - or ("token" in self.auth) # 3 + config_type = ( + "oidc_client" + if _is_oidc_client_config(self.auth) + else self.auth.get("type") ) - self._auth = get_auth_config_from_type( - "oidc_client" if is_oidc_client else self.auth.get("type") - )(**self.auth) + self._auth = get_auth_config_from_type(config_type)(**self.auth) elif isinstance(self.auth, str): self._auth = get_auth_config_from_type(self.auth)() elif self.auth: diff --git a/sdk/python/tests/unit/permissions/auth/server/mock_utils.py b/sdk/python/tests/unit/permissions/auth/server/mock_utils.py index 5bde4d4ecbc..4d62bbf4348 100644 --- a/sdk/python/tests/unit/permissions/auth/server/mock_utils.py +++ b/sdk/python/tests/unit/permissions/auth/server/mock_utils.py @@ -32,14 +32,14 @@ async def mock_oath2(self, request): } monkeypatch.setattr( "feast.permissions.client.oidc_authentication_client_manager.requests.get", - lambda url: discovery_response, + lambda url, verify=True: discovery_response, ) token_response = Mock(spec=Response) token_response.status_code = 200 token_response.json.return_value = {"access_token": "my-token"} monkeypatch.setattr( "feast.permissions.client.oidc_authentication_client_manager.requests.post", - lambda url, data, headers: token_response, + lambda url, data, headers, verify=True: token_response, ) monkeypatch.setattr( diff --git a/sdk/python/tests/unit/permissions/auth/test_token_parser.py b/sdk/python/tests/unit/permissions/auth/test_token_parser.py index 8ac0f2b6d5e..fdec71e109a 100644 --- a/sdk/python/tests/unit/permissions/auth/test_token_parser.py +++ b/sdk/python/tests/unit/permissions/auth/test_token_parser.py @@ -50,10 +50,138 @@ def test_oidc_token_validation_success( assertpy.assert_that(user).is_type_of(User) if isinstance(user, User): assertpy.assert_that(user.username).is_equal_to("my-name") - assertpy.assert_that(user.roles.sort()).is_equal_to(["reader", "writer"].sort()) + assertpy.assert_that(sorted(user.roles)).is_equal_to( + sorted(["reader", "writer"]) + ) assertpy.assert_that(user.has_matching_role(["reader"])).is_true() assertpy.assert_that(user.has_matching_role(["writer"])).is_true() assertpy.assert_that(user.has_matching_role(["updater"])).is_false() + assertpy.assert_that(user.groups).is_equal_to([]) + assertpy.assert_that(user.namespaces).is_equal_to([]) + + +@patch( + "feast.permissions.auth.oidc_token_parser.OAuth2AuthorizationCodeBearer.__call__" +) +@patch("feast.permissions.auth.oidc_token_parser.PyJWKClient.get_signing_key_from_jwt") +@patch("feast.permissions.auth.oidc_token_parser.jwt.decode") +@patch("feast.permissions.oidc_service.OIDCDiscoveryService._fetch_discovery_data") +def test_oidc_token_missing_roles_key_returns_empty( + mock_discovery_data, mock_jwt, mock_signing_key, mock_oauth2, oidc_config +): + signing_key = MagicMock() + signing_key.key = "a-key" + mock_signing_key.return_value = signing_key + + mock_discovery_data.return_value = { + "authorization_endpoint": "https://localhost:8080/realms/master/protocol/openid-connect/auth", + "token_endpoint": "https://localhost:8080/realms/master/protocol/openid-connect/token", + "jwks_uri": "https://localhost:8080/realms/master/protocol/openid-connect/certs", + } + + user_data = { + "preferred_username": "my-name", + "resource_access": {_CLIENT_ID: {}}, + } + mock_jwt.return_value = user_data + + access_token = "aaa-bbb-ccc" + token_parser = OidcTokenParser(auth_config=oidc_config) + user = asyncio.run( + token_parser.user_details_from_access_token(access_token=access_token) + ) + + assertpy.assert_that(user).is_type_of(User) + if isinstance(user, User): + assertpy.assert_that(user.username).is_equal_to("my-name") + assertpy.assert_that(user.roles).is_equal_to([]) + + +@patch( + "feast.permissions.auth.oidc_token_parser.OAuth2AuthorizationCodeBearer.__call__" +) +@patch("feast.permissions.auth.oidc_token_parser.PyJWKClient.get_signing_key_from_jwt") +@patch("feast.permissions.auth.oidc_token_parser.jwt.decode") +@patch("feast.permissions.oidc_service.OIDCDiscoveryService._fetch_discovery_data") +def test_oidc_token_extracts_groups( + mock_discovery_data, mock_jwt, mock_signing_key, mock_oauth2, oidc_config +): + signing_key = MagicMock() + signing_key.key = "a-key" + mock_signing_key.return_value = signing_key + + mock_discovery_data.return_value = { + "authorization_endpoint": "https://localhost:8080/realms/master/protocol/openid-connect/auth", + "token_endpoint": "https://localhost:8080/realms/master/protocol/openid-connect/token", + "jwks_uri": "https://localhost:8080/realms/master/protocol/openid-connect/certs", + } + + user_data = { + "preferred_username": "my-name", + "resource_access": {_CLIENT_ID: {"roles": ["reader"]}}, + "groups": ["banking-admin", "data-engineers"], + } + mock_jwt.return_value = user_data + + access_token = "aaa-bbb-ccc" + token_parser = OidcTokenParser(auth_config=oidc_config) + user = asyncio.run( + token_parser.user_details_from_access_token(access_token=access_token) + ) + + assertpy.assert_that(user).is_type_of(User) + if isinstance(user, User): + assertpy.assert_that(user.groups).is_equal_to( + ["banking-admin", "data-engineers"] + ) + assertpy.assert_that(user.has_matching_group(["banking-admin"])).is_true() + assertpy.assert_that(user.has_matching_group(["unknown-group"])).is_false() + assertpy.assert_that(user.namespaces).is_equal_to([]) + + +@patch( + "feast.permissions.auth.oidc_token_parser.OAuth2AuthorizationCodeBearer.__call__" +) +@patch("feast.permissions.auth.oidc_token_parser.PyJWKClient.get_signing_key_from_jwt") +@patch("feast.permissions.auth.oidc_token_parser.jwt.decode") +@patch("feast.permissions.oidc_service.OIDCDiscoveryService._fetch_discovery_data") +def test_oidc_token_extracts_groups_and_roles( + mock_discovery_data, mock_jwt, mock_signing_key, mock_oauth2, oidc_config +): + signing_key = MagicMock() + signing_key.key = "a-key" + mock_signing_key.return_value = signing_key + + mock_discovery_data.return_value = { + "authorization_endpoint": "https://localhost:8080/realms/master/protocol/openid-connect/auth", + "token_endpoint": "https://localhost:8080/realms/master/protocol/openid-connect/token", + "jwks_uri": "https://localhost:8080/realms/master/protocol/openid-connect/certs", + } + + user_data = { + "preferred_username": "my-name", + "resource_access": {_CLIENT_ID: {"roles": ["reader", "writer"]}}, + "groups": ["banking-admin", "data-engineers"], + } + mock_jwt.return_value = user_data + + access_token = "aaa-bbb-ccc" + token_parser = OidcTokenParser(auth_config=oidc_config) + user = asyncio.run( + token_parser.user_details_from_access_token(access_token=access_token) + ) + + assertpy.assert_that(user).is_type_of(User) + if isinstance(user, User): + assertpy.assert_that(user.username).is_equal_to("my-name") + assertpy.assert_that(sorted(user.roles)).is_equal_to( + sorted(["reader", "writer"]) + ) + assertpy.assert_that(user.groups).is_equal_to( + ["banking-admin", "data-engineers"] + ) + assertpy.assert_that(user.has_matching_role(["reader"])).is_true() + assertpy.assert_that(user.has_matching_group(["banking-admin"])).is_true() @patch( @@ -131,8 +259,8 @@ async def mock_oath2(self, request): assertpy.assert_that(user).is_type_of(User) if isinstance(user, User): assertpy.assert_that(user.username).is_equal_to("my-name") - assertpy.assert_that(user.roles.sort()).is_equal_to( - ["reader", "writer"].sort() + assertpy.assert_that(sorted(user.roles)).is_equal_to( + sorted(["reader", "writer"]) ) assertpy.assert_that(user.has_matching_role(["reader"])).is_true() assertpy.assert_that(user.has_matching_role(["writer"])).is_true() @@ -175,7 +303,7 @@ def test_k8s_token_validation_success( assertpy.assert_that(user).is_type_of(User) if isinstance(user, User): assertpy.assert_that(user.username).is_equal_to(f"{sa_namespace}:{sa_name}") - assertpy.assert_that(user.roles.sort()).is_equal_to(roles.sort()) + assertpy.assert_that(sorted(user.roles)).is_equal_to(sorted(roles)) for r in roles: assertpy.assert_that(user.has_matching_role([r])).is_true() assertpy.assert_that(user.has_matching_role(["foo"])).is_false() @@ -259,7 +387,91 @@ def test_k8s_inter_server_comm( assertpy.assert_that(user).is_type_of(User) if isinstance(user, User): assertpy.assert_that(user.username).is_equal_to(f"{sa_namespace}:{sa_name}") - assertpy.assert_that(user.roles.sort()).is_equal_to(roles.sort()) + assertpy.assert_that(sorted(user.roles)).is_equal_to(sorted(roles)) for r in roles: assertpy.assert_that(user.has_matching_role([r])).is_true() assertpy.assert_that(user.has_matching_role(["foo"])).is_false() + + +# --------------------------------------------------------------------------- +# OidcTokenParser — SA token routing +# --------------------------------------------------------------------------- + + +@patch("feast.permissions.auth.oidc_token_parser.jwt.decode") +@patch("feast.permissions.oidc_service.OIDCDiscoveryService._fetch_discovery_data") +def test_oidc_parser_handles_sa_token_via_token_review( + mock_discovery_data, mock_jwt_decode, oidc_config +): + """When a token contains kubernetes.io claim, _handle_sa_token is called (not the OIDC JWKS path).""" + mock_discovery_data.return_value = { + "authorization_endpoint": "https://localhost:8080/auth", + "token_endpoint": "https://localhost:8080/token", + "jwks_uri": "https://localhost:8080/certs", + } + + mock_jwt_decode.return_value = { + "kubernetes.io": {"namespace": "feast"}, + "sub": "system:serviceaccount:feast:feast", + } + + sa_user = User( + username="system:serviceaccount:feast:feast", + roles=[], + groups=[], + namespaces=["feast"], + ) + + token_parser = OidcTokenParser(auth_config=oidc_config) + + with patch.object( + token_parser, + "_validate_k8s_sa_token_and_extract_namespace", + return_value=sa_user, + ) as mock_handle: + user = asyncio.run( + token_parser.user_details_from_access_token(access_token="sa-token") + ) + mock_handle.assert_called_once_with("sa-token") + + assertpy.assert_that(user.username).is_equal_to("system:serviceaccount:feast:feast") + assertpy.assert_that(user.namespaces).is_equal_to(["feast"]) + assertpy.assert_that(user.roles).is_equal_to([]) + assertpy.assert_that(user.groups).is_equal_to([]) + + +@patch( + "feast.permissions.auth.oidc_token_parser.OAuth2AuthorizationCodeBearer.__call__" +) +@patch("feast.permissions.auth.oidc_token_parser.PyJWKClient.get_signing_key_from_jwt") +@patch("feast.permissions.auth.oidc_token_parser.jwt.decode") +@patch("feast.permissions.oidc_service.OIDCDiscoveryService._fetch_discovery_data") +def test_oidc_parser_routes_keycloak_token_normally( + mock_discovery_data, mock_jwt_decode, mock_signing_key, mock_oauth2, oidc_config +): + """When a token does NOT contain kubernetes.io claim, it should follow the OIDC path.""" + signing_key = MagicMock() + signing_key.key = "a-key" + mock_signing_key.return_value = signing_key + + mock_discovery_data.return_value = { + "authorization_endpoint": "https://localhost:8080/auth", + "token_endpoint": "https://localhost:8080/token", + "jwks_uri": "https://localhost:8080/certs", + } + + keycloak_payload = { + "preferred_username": "testuser", + "resource_access": {_CLIENT_ID: {"roles": ["reader"]}}, + "groups": ["data-team"], + } + mock_jwt_decode.return_value = keycloak_payload + + token_parser = OidcTokenParser(auth_config=oidc_config) + user = asyncio.run( + token_parser.user_details_from_access_token(access_token="keycloak-jwt") + ) + + assertpy.assert_that(user.username).is_equal_to("testuser") + assertpy.assert_that(user.roles).is_equal_to(["reader"]) + assertpy.assert_that(user.groups).is_equal_to(["data-team"]) diff --git a/sdk/python/tests/unit/permissions/test_oidc_token_passthrough.py b/sdk/python/tests/unit/permissions/test_oidc_token_passthrough.py new file mode 100644 index 00000000000..e0766ad6b0e --- /dev/null +++ b/sdk/python/tests/unit/permissions/test_oidc_token_passthrough.py @@ -0,0 +1,431 @@ +""" +Tests for OIDC client-side token passthrough feature. + +Covers: + - Config validation (OidcClientAuthConfig) + - Token manager (OidcAuthClientManager.get_token) + - Routing (RepoConfig.auth_config property) +""" + +import os +from unittest.mock import MagicMock, patch + +import pytest + +from feast.permissions.auth_model import OidcClientAuthConfig +from feast.permissions.client.oidc_authentication_client_manager import ( + OidcAuthClientManager, +) +from feast.repo_config import RepoConfig + +# --------------------------------------------------------------------------- +# Config validation +# --------------------------------------------------------------------------- + + +class TestOidcClientAuthConfigValidation: + def test_bare_oidc_valid(self): + cfg = OidcClientAuthConfig(type="oidc") + assert cfg.token_env_var is None + assert cfg.auth_discovery_url is None + assert cfg.client_id is None + + def test_token_alone_valid(self): + cfg = OidcClientAuthConfig(type="oidc", token="eyJhbGciOiJSUzI1NiJ9.test") + assert cfg.token == "eyJhbGciOiJSUzI1NiJ9.test" + + def test_token_env_var_alone_valid(self): + cfg = OidcClientAuthConfig(type="oidc", token_env_var="MY_VAR") + assert cfg.token_env_var == "MY_VAR" + + def test_token_plus_custom_env_var_invalid(self): + with pytest.raises(ValueError, match="Only one of"): + OidcClientAuthConfig( + type="oidc", + token="eyJtoken", + token_env_var="MY_VAR", + ) + + def test_client_secret_without_discovery_url_invalid(self): + with pytest.raises( + ValueError, match="Incomplete configuration for 'client_credentials'" + ): + OidcClientAuthConfig( + type="oidc", + client_secret="my-secret", # pragma: allowlist secret + ) + + def test_full_client_credentials_valid(self): + cfg = OidcClientAuthConfig( + type="oidc", + client_secret="my-secret", # pragma: allowlist secret + auth_discovery_url="https://idp.example.com/.well-known/openid-configuration", + client_id="feast-client", + ) + assert cfg.client_secret == "my-secret" # pragma: allowlist secret + + def test_full_ropg_valid(self): + cfg = OidcClientAuthConfig( + type="oidc", + username="user1", + password="pass1", # pragma: allowlist secret + client_secret="my-secret", # pragma: allowlist secret + auth_discovery_url="https://idp.example.com/.well-known/openid-configuration", + client_id="feast-client", + ) + assert cfg.username == "user1" + + def test_ropg_without_discovery_url_invalid(self): + with pytest.raises( + ValueError, match="Incomplete configuration for 'client_credentials'" + ): + OidcClientAuthConfig( + type="oidc", + username="user1", + password="pass1", # pragma: allowlist secret + client_secret="my-secret", # pragma: allowlist secret + ) + + def test_username_without_client_secret_invalid(self): + with pytest.raises( + ValueError, match="Incomplete configuration for 'client_credentials'" + ): + OidcClientAuthConfig( + type="oidc", + username="user1", + password="pass1", # pragma: allowlist secret + ) + + def test_token_plus_client_secret_invalid(self): + with pytest.raises(ValueError, match="Only one of"): + OidcClientAuthConfig( + type="oidc", + token="jwt", + client_secret="secret", # pragma: allowlist secret + auth_discovery_url="https://idp/.well-known/openid-configuration", + client_id="feast-client", + ) + + def test_token_env_var_with_discovery_url_invalid(self): + with pytest.raises( + ValueError, match="Incomplete configuration for 'client_credentials'" + ): + OidcClientAuthConfig( + type="oidc", + token_env_var="MY_VAR", + auth_discovery_url="https://idp/.well-known/openid-configuration", + client_id="feast-client", + ) + + def test_token_with_discovery_url_invalid(self): + with pytest.raises( + ValueError, match="Incomplete configuration for 'client_credentials'" + ): + OidcClientAuthConfig( + type="oidc", + token="eyJ.test", + auth_discovery_url="https://idp/.well-known/openid-configuration", + client_id="feast-client", + ) + + +# --------------------------------------------------------------------------- +# Token manager +# --------------------------------------------------------------------------- + + +class TestOidcAuthClientManagerGetToken: + def _make_manager(self, **kwargs) -> OidcAuthClientManager: + cfg = OidcClientAuthConfig(type="oidc", **kwargs) + return OidcAuthClientManager(cfg) + + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService" + ) + def test_token_returned_directly(self, mock_discovery_cls): + mgr = self._make_manager(token="my-static-jwt") + assert mgr.get_token() == "my-static-jwt" + mock_discovery_cls.assert_not_called() + + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OidcAuthClientManager._read_sa_token", + return_value=None, + ) + def test_no_token_source_raises(self, _mock_sa): + mgr = self._make_manager() + with pytest.raises(PermissionError, match="No OIDC token source configured"): + mgr.get_token() + + @patch.dict(os.environ, {"FEAST_OIDC_TOKEN": "env-jwt-value"}) + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService" + ) + def test_explicit_feast_env_var(self, mock_discovery_cls): + mgr = self._make_manager(token_env_var="FEAST_OIDC_TOKEN") + assert mgr.get_token() == "env-jwt-value" + mock_discovery_cls.assert_not_called() + + @patch.dict(os.environ, {"FEAST_OIDC_TOKEN": "fallback-jwt"}) + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService" + ) + def test_bare_config_falls_back_to_well_known_env(self, mock_discovery_cls): + mgr = self._make_manager() + assert mgr.get_token() == "fallback-jwt" + mock_discovery_cls.assert_not_called() + + @patch.dict(os.environ, {"FEAST_OIDC_TOKEN": "should-not-win"}, clear=False) + @patch("feast.permissions.client.oidc_authentication_client_manager.requests") + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService" + ) + def test_network_config_not_overridden_by_well_known_env( + self, mock_discovery_cls, mock_requests + ): + mock_discovery_instance = MagicMock() + mock_discovery_instance.get_token_url.return_value = "https://idp/token" + mock_discovery_cls.return_value = mock_discovery_instance + + mock_response = MagicMock() + mock_response.status_code = 200 + mock_response.json.return_value = {"access_token": "idp-token"} + mock_requests.post.return_value = mock_response + + mgr = self._make_manager( + client_secret="secret", # pragma: allowlist secret + auth_discovery_url="https://idp/.well-known/openid-configuration", + client_id="feast-client", + ) + assert mgr.get_token() == "idp-token" + + @patch.dict(os.environ, {"CUSTOM_TOKEN_VAR": "custom-env-jwt"}) + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService" + ) + def test_custom_env_var_read(self, mock_discovery_cls): + mgr = self._make_manager(token_env_var="CUSTOM_TOKEN_VAR") + assert mgr.get_token() == "custom-env-jwt" + mock_discovery_cls.assert_not_called() + + @patch.dict(os.environ, {}, clear=False) + @patch("feast.permissions.client.oidc_authentication_client_manager.requests") + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService" + ) + def test_fallthrough_to_client_credentials(self, mock_discovery_cls, mock_requests): + os.environ.pop("FEAST_OIDC_TOKEN", None) + + mock_discovery_instance = MagicMock() + mock_discovery_instance.get_token_url.return_value = "https://idp/token" + mock_discovery_cls.return_value = mock_discovery_instance + + mock_response = MagicMock() + mock_response.status_code = 200 + mock_response.json.return_value = {"access_token": "network-token"} + mock_requests.post.return_value = mock_response + + mgr = self._make_manager( + client_secret="secret", # pragma: allowlist secret + auth_discovery_url="https://idp/.well-known/openid-configuration", + client_id="feast-client", + ) + assert mgr.get_token() == "network-token" + mock_discovery_cls.assert_called_once() + + @patch.dict(os.environ, {}, clear=False) + @patch("feast.permissions.client.oidc_authentication_client_manager.requests") + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService" + ) + def test_ropg_flow(self, mock_discovery_cls, mock_requests): + os.environ.pop("FEAST_OIDC_TOKEN", None) + + mock_discovery_instance = MagicMock() + mock_discovery_instance.get_token_url.return_value = "https://idp/token" + mock_discovery_cls.return_value = mock_discovery_instance + + mock_response = MagicMock() + mock_response.status_code = 200 + mock_response.json.return_value = {"access_token": "ropg-token"} + mock_requests.post.return_value = mock_response + + mgr = self._make_manager( + username="user1", + password="pass1", # pragma: allowlist secret + client_secret="secret", # pragma: allowlist secret + auth_discovery_url="https://idp/.well-known/openid-configuration", + client_id="feast-client", + ) + assert mgr.get_token() == "ropg-token" + + call_args = mock_requests.post.call_args + assert call_args[1]["data"]["grant_type"] == "password" + assert call_args[1]["data"]["username"] == "user1" + + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService" + ) + def test_token_takes_priority_over_env_var(self, mock_discovery_cls): + with patch.dict(os.environ, {"FEAST_OIDC_TOKEN": "env-token"}): + mgr = self._make_manager(token="config-token") + assert mgr.get_token() == "config-token" + mock_discovery_cls.assert_not_called() + + @patch.dict(os.environ, {}, clear=False) + def test_configured_env_var_missing_raises(self): + os.environ.pop("MY_CUSTOM_VAR", None) + mgr = self._make_manager(token_env_var="MY_CUSTOM_VAR") + with pytest.raises(PermissionError, match="token_env_var='MY_CUSTOM_VAR'"): + mgr.get_token() + + @patch.dict(os.environ, {"FEAST_OIDC_TOKEN": "stale-token"}, clear=False) + def test_configured_env_var_missing_does_not_fall_through(self): + os.environ.pop("MY_CUSTOM_VAR", None) + mgr = self._make_manager(token_env_var="MY_CUSTOM_VAR") + with pytest.raises(PermissionError, match="token_env_var='MY_CUSTOM_VAR'"): + mgr.get_token() + + # --- SA token file fallback tests --- + + @patch.dict(os.environ, {}, clear=False) + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OidcAuthClientManager._read_sa_token", + return_value="sa-jwt-from-file", + ) + def test_sa_token_file_read(self, _mock_sa): + os.environ.pop("FEAST_OIDC_TOKEN", None) + mgr = self._make_manager() + assert mgr.get_token() == "sa-jwt-from-file" + + @patch.dict(os.environ, {}, clear=False) + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OidcAuthClientManager._read_sa_token", + return_value=None, + ) + def test_sa_token_file_missing_raises(self, _mock_sa): + os.environ.pop("FEAST_OIDC_TOKEN", None) + mgr = self._make_manager() + with pytest.raises(PermissionError, match="No OIDC token source configured"): + mgr.get_token() + + @patch.dict(os.environ, {"FEAST_OIDC_TOKEN": "env-token"}, clear=False) + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OidcAuthClientManager._read_sa_token", + return_value="sa-jwt-from-file", + ) + def test_feast_env_takes_priority_over_sa_token(self, _mock_sa): + mgr = self._make_manager() + assert mgr.get_token() == "env-token" + _mock_sa.assert_not_called() + + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OidcAuthClientManager._read_sa_token", + return_value="sa-jwt-from-file", + ) + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService" + ) + def test_explicit_token_skips_sa_file(self, mock_discovery_cls, _mock_sa): + mgr = self._make_manager(token="my-explicit-token") + assert mgr.get_token() == "my-explicit-token" + _mock_sa.assert_not_called() + + @patch.dict(os.environ, {}, clear=False) + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OidcAuthClientManager._read_sa_token", + return_value="sa-jwt-from-file", + ) + @patch("feast.permissions.client.oidc_authentication_client_manager.requests") + @patch( + "feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService" + ) + def test_client_secret_skips_sa_file( + self, mock_discovery_cls, mock_requests, _mock_sa + ): + os.environ.pop("FEAST_OIDC_TOKEN", None) + + mock_discovery_instance = MagicMock() + mock_discovery_instance.get_token_url.return_value = "https://idp/token" + mock_discovery_cls.return_value = mock_discovery_instance + + mock_response = MagicMock() + mock_response.status_code = 200 + mock_response.json.return_value = {"access_token": "network-token"} + mock_requests.post.return_value = mock_response + + mgr = self._make_manager( + client_secret="secret", # pragma: allowlist secret + auth_discovery_url="https://idp/.well-known/openid-configuration", + client_id="feast-client", + ) + assert mgr.get_token() == "network-token" + _mock_sa.assert_not_called() + + +# --------------------------------------------------------------------------- +# Routing (RepoConfig.auth_config property) +# --------------------------------------------------------------------------- + + +class TestOidcClientRouting: + def _make_repo_config(self, auth_dict: dict) -> RepoConfig: + return RepoConfig( + project="test_project", + registry="data/registry.db", + provider="local", + auth=auth_dict, + ) + + def test_bare_oidc_routes_to_client(self): + rc = self._make_repo_config({"type": "oidc"}) + assert isinstance(rc.auth_config, OidcClientAuthConfig) + + def test_token_routes_to_client(self): + rc = self._make_repo_config({"type": "oidc", "token": "x"}) + assert isinstance(rc.auth_config, OidcClientAuthConfig) + assert rc.auth_config.token == "x" + + def test_token_env_var_routes_to_client(self): + rc = self._make_repo_config({"type": "oidc", "token_env_var": "MY_VAR"}) + assert isinstance(rc.auth_config, OidcClientAuthConfig) + assert rc.auth_config.token_env_var == "MY_VAR" + + def test_server_config_routes_to_oidc_auth_config(self): + from feast.permissions.auth_model import OidcAuthConfig + + rc = self._make_repo_config( + { + "type": "oidc", + "auth_discovery_url": "https://idp/.well-known/openid-configuration", + "client_id": "feast-server", + } + ) + assert isinstance(rc.auth_config, OidcAuthConfig) + assert type(rc.auth_config) is OidcAuthConfig + + def test_ropg_routes_to_client(self): + rc = self._make_repo_config( + { + "type": "oidc", + "auth_discovery_url": "https://idp/.well-known/openid-configuration", + "client_id": "feast-client", + "client_secret": "secret", # pragma: allowlist secret + "username": "user1", + "password": "pass1", # pragma: allowlist secret + } + ) + assert isinstance(rc.auth_config, OidcClientAuthConfig) + + def test_incomplete_ropg_routes_to_client_with_actionable_error(self): + with pytest.raises( + ValueError, match="Incomplete configuration for 'client_credentials'" + ): + self._make_repo_config( + { + "type": "oidc", + "auth_discovery_url": "https://idp/.well-known/openid-configuration", + "client_id": "feast-client", + "username": "user1", + "password": "pass1", # pragma: allowlist secret + } + ).auth_config