Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add authentication headers when proxying pipeline websocket requests #1457

Closed
wants to merge 10 commits into from
Closed

feat: add authentication headers when proxying pipeline websocket requests #1457

wants to merge 10 commits into from

Conversation

rapsealk
Copy link
Member

@rapsealk rapsealk commented Aug 7, 2023

This PR updates the websocket proxy handler for the pipeline service, in the same fashion as #1350, to support WebSocket-based GraphQL subscription.

@rapsealk rapsealk added type:feature Add new features area:security Security issue. platform:enterprise Backend.AI Enterprise support. comp:webserver Related to Web Server component effort:normal Need to understand a few modules / some extent of contextual or historical information. impact:invisible This change is invisible to users (internal changes). size:S 10~30 LoC status:open Waiting for volunteer / assignnee. urgency:3 Must be finished within a certain time frame. labels Aug 7, 2023
@rapsealk rapsealk added this to the 23.03 milestone Aug 7, 2023
@rapsealk rapsealk requested a review from achimnol August 7, 2023 08:20
@rapsealk rapsealk self-assigned this Aug 7, 2023
@rapsealk rapsealk changed the title feat: Issue a signed token for authorizing the pipeline service websocket feat: Attach X-BackendAI-SessionID and X-BackendAI-SSO headers to the pipeline websocket proxy handler Aug 7, 2023
@rapsealk rapsealk changed the title feat: Attach X-BackendAI-SessionID and X-BackendAI-SSO headers to the pipeline websocket proxy handler feat: Add X-BackendAI-SessionID and X-BackendAI-SSO headers to the pipeline websocket proxy handler Aug 7, 2023
fregataa
fregataa reviewed Aug 10, 2023
View reviewed changes
Copy link
Member

@fregataa fregataa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left some comments here

src/ai/backend/web/proxy.py Show resolved Hide resolved
src/ai/backend/web/proxy.py Outdated
aiohttp_session = request.cookies.get("AIOHTTP_SESSION")
if not (sso_token := request.headers.get("X-BackendAI-SSO")):
jwt_secret = request.app["config"]["pipeline"]["jwt"]["secret"]
now = datetime.now(tz=timezone(timedelta(hours=9)))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does that timedelta(hours=9) mean??
Does it mean that this will be expired in 9 hours or something else?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is to set the timezone to KST(UTC+09:00).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

where is the counterpart of this? which component uses this jwt token?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The token is for external services, such as the pipeline service. (https://github.com/lablup/backend.ai-fasttrack/blob/7b3832163a7fe0debd2c5c0c88614aa6b1c3cf28/config/asgi.py#L61-L86)

@rapsealk rapsealk requested a review from fregataa August 10, 2023 23:35
kyujin-cho
kyujin-cho requested changes Aug 16, 2023
View reviewed changes
src/ai/backend/web/proxy.py Show resolved Hide resolved
src/ai/backend/web/proxy.py Outdated
aiohttp_session = request.cookies.get("AIOHTTP_SESSION")
if not (sso_token := request.headers.get("X-BackendAI-SSO")):
jwt_secret = request.app["config"]["pipeline"]["jwt"]["secret"]
now = datetime.now(tz=timezone(timedelta(hours=9)))
Copy link
Member

@kyujin-cho kyujin-cho Aug 16, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As Backend.AI is not only served on countries with KST (yes, we are international!) it is a bad idea to hardcode the timezone like this. When adding .astimezone() to the end of now() call automatically detects time timezone set on host machine and updates the datetime object (ref), let's update this code to adapt these behavior.

@github-actions github-actions bot added comp:manager Related to Manager component size:M 30~100 LoC and removed size:S 10~30 LoC labels Aug 17, 2023
@rapsealk rapsealk requested a review from kyujin-cho August 17, 2023 00:40
kyujin-cho
kyujin-cho requested changes Aug 30, 2023
View reviewed changes
src/ai/backend/web/config.py Outdated
Comment on lines 89 to 94
t.Key("jwt"): t.Dict(
{
t.Key("secret"): t.String,
},
),
},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I am guessing correctly, this jwt directive is for the traffics from FastTrack. FastTrack is a private project and thus only limited number of users who operate Backend.AI webserver will be required to fill out this field. When taking account into this situation I don't think this whole pipeline configuration body should be a required config values. Please refactor the validator to either mark the pipeline configuration as an Optional value or at lease leave jwt as nullable and dynamically check its existence when the request actually comes from the FastTrack side.

@kyujin-cho kyujin-cho modified the milestones: 23.03, 23.09 Aug 30, 2023
@github-actions github-actions bot added size:S 10~30 LoC and removed size:M 30~100 LoC labels Sep 27, 2023
@kyujin-cho kyujin-cho changed the title feat: Add X-BackendAI-SessionID and X-BackendAI-SSO headers to the pipeline websocket proxy handler feat: add authentication headers when proxying pipeline websocket requests Sep 27, 2023
@rapsealk
Copy link
Member Author

Closing as support for WebSocket is not needed yet.

@rapsealk rapsealk closed this Sep 27, 2023
@achimnol achimnol deleted the feature/pipeline-auth-token-ws branch February 4, 2024 06:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kyujin-cho kyujin-cho kyujin-cho requested changes

@achimnol achimnol Awaiting requested review from achimnol

@fregataa fregataa Awaiting requested review from fregataa

Assignees

@rapsealk rapsealk

Labels
area:security Security issue. comp:manager Related to Manager component comp:webserver Related to Web Server component effort:normal Need to understand a few modules / some extent of contextual or historical information. impact:invisible This change is invisible to users (internal changes). platform:enterprise Backend.AI Enterprise support. size:S 10~30 LoC status:open Waiting for volunteer / assignnee. type:feature Add new features urgency:3 Must be finished within a certain time frame.
Projects
None yet
Milestone
23.09
Development

Successfully merging this pull request may close these issues.
3 participants
@rapsealk @kyujin-cho @fregataa