Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(EN-115): Deprecate X-BackendAI-SSO header for pipeline service authentication #3353

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat(EN-115): Deprecate X-BackendAI-SSO header for pipeline service authentication #3353

wants to merge 5 commits into from
+9 −30

Conversation

rapsealk
Copy link
Member

@rapsealk rapsealk commented Jan 2, 2025

Follow-up of #1350.

This pull request deprecates the JWT-based X-BackendAI-SSO header to reduce complexity in authentication process for the pipeline service.

Checklist: (if applicable)

  • Milestone metadata specifying the target backport version
  • Mention to the original issue

@rapsealk rapsealk added this to the 24.12 milestone Jan 2, 2025
@github-actions github-actions bot added comp:webserver Related to Web Server component size:M 30~100 LoC labels Jan 2, 2025
@rapsealk @lablup-octodog
docs: Rename the news fragment with the PR number\n\n.feature.md -> 3…
0ef6f44 
…353.feature.md

Co-authored-by: octodog <mu001@lablup.com>
HyeockJinKim
HyeockJinKim reviewed Jan 8, 2025
View reviewed changes
src/ai/backend/web/proxy.py
Comment on lines +211 to +214
if proxy_path == "pipeline" and real_path.rstrip("/") == "login":
api_rqst.headers["X-BackendAI-SessionID"] = request.headers.get(
"X-BackendAI-SessionID", ""
)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I dont' think rqst is a commonly used abbreviation. Would it be possible to rename it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renaming the api_rqst will be a over-scoped task, as the name is used in various modules in this project.
Would you mind if I issue a new ticket for it and proceed in next work?
Thank you.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please create the rename task with priority: low and handle it when you have time. :)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The task will be tracked by BA-469

HyeockJinKim
HyeockJinKim reviewed Jan 8, 2025
View reviewed changes
src/ai/backend/web/proxy.py
Comment on lines -210 to -226
if proxy_path == "pipeline":
session_id = request.headers.get("X-BackendAI-SessionID", "")
if not (sso_token := request.headers.get("X-BackendAI-SSO")):
jwt_secret = config["pipeline"]["jwt"]["secret"]
now = datetime.now().astimezone()
payload = {
# Registered claims
"exp": now + timedelta(seconds=config["session"]["max_age"]),
"iss": "Backend.AI Webserver",
"iat": now,
# Private claims
"aiohttp_session": session_id,
"access_key": api_session.config.access_key, # since 23.03.10
}
sso_token = jwt.encode(payload, key=jwt_secret, algorithm="HS256")
api_rqst.headers["X-BackendAI-SSO"] = sso_token
api_rqst.headers["X-BackendAI-SessionID"] = session_id
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does Fasttrack handle version compatibility?
When making changes this time, is there any risk of breaking functionality for clients using previous versions?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is recommended to use the same version as Backend.AI Core.
To enhance version compatibility, we may adopt a dedicated header (e.g., X-BackendAI-FastTrack-Version).

@rapsealk rapsealk mentioned this pull request Jan 8, 2025
Open
1 task
@rapsealk rapsealk requested a review from HyeockJinKim January 9, 2025 03:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@achimnol achimnol Awaiting requested review from achimnol

@kyujin-cho kyujin-cho Awaiting requested review from kyujin-cho

@HyeockJinKim HyeockJinKim Awaiting requested review from HyeockJinKim

Assignees

@rapsealk rapsealk

Labels
comp:webserver Related to Web Server component size:M 30~100 LoC
Projects
None yet
Milestone
24.12
Development

Successfully merging this pull request may close these issues.
2 participants
@rapsealk @HyeockJinKim