Incorporating code review comments to parse the auth block from the f… (feast-dev#36)

lokeshrangineni · tmihalac · commit ca5fe9cb884d · 2024-08-06T12:17:13.000-04:00
* Incorporating code review comments to parse the auth block from the feature_store.yaml file.

Signed-off-by: Lokesh Rangineni &lt;lokeshforjava@gmail.com&gt;

* Incorporating code review comments - renaming type from k8 to kubernetes.

Signed-off-by: Lokesh Rangineni &lt;lokeshforjava@gmail.com&gt;

---------

Signed-off-by: Lokesh Rangineni &lt;lokeshforjava@gmail.com&gt;
Signed-off-by: Abdul Hameed &lt;ahameed@redhat.com&gt;
diff --git a/sdk/python/feast/errors.py b/sdk/python/feast/errors.py
@@ -223,6 +223,13 @@ def __init__(self, online_store_class_name: str):
         )
 
 
+class FeastInvalidAuthConfigClass(Exception):
+    def __init__(self, auth_config_class_name: str):
+        super().__init__(
+            f"Auth Config Class '{auth_config_class_name}' should end with the string `AuthConfig`.'"
+        )
+
+
 class FeastInvalidBaseClass(Exception):
     def __init__(self, class_name: str, class_type: str):
         super().__init__(
diff --git a/sdk/python/feast/permissions/auth_model.py b/sdk/python/feast/permissions/auth_model.py
@@ -0,0 +1,24 @@
+from typing import Literal
+
+from feast.repo_config import FeastConfigBaseModel
+
+
+class AuthConfig(FeastConfigBaseModel):
+    type: Literal["oidc", "kubernetes", "no_auth"] = "no_auth"
+
+
+class OidcAuthConfig(AuthConfig):
+    auth_server_url: str
+    client_id: str
+    client_secret: str
+    username: str
+    password: str
+    realm: str = "master"
+
+
+class NoAuthConfig(AuthConfig):
+    pass
+
+
+class K8AuthConfig(AuthConfig):
+    pass
diff --git a/sdk/python/feast/repo_config.py b/sdk/python/feast/repo_config.py
@@ -19,6 +19,7 @@
 
 from feast.errors import (
     FeastFeatureServerTypeInvalidError,
+    FeastInvalidAuthConfigClass,
     FeastOfflineStoreInvalidName,
     FeastOnlineStoreInvalidName,
     FeastRegistryNotSetError,
@@ -86,6 +87,12 @@
     "local": "feast.infra.feature_servers.local_process.config.LocalFeatureServerConfig",
 }
 
+AUTH_CONFIGS_CLASS_FOR_TYPE = {
+    "no_auth": "feast.permissions.auth_model.NoAuthConfig",
+    "kubernetes": "feast.permissions.auth_model.K8AuthConfig",
+    "oidc": "feast.permissions.auth_model.OidcAuthConfig",
+}
+
 
 class FeastBaseModel(BaseModel):
     """Feast Pydantic Configuration Class"""
@@ -167,6 +174,9 @@ class RepoConfig(FeastBaseModel):
     online_config: Any = Field(None, alias="online_store")
     """ OnlineStoreConfig: Online store configuration (optional depending on provider) """
 
+    auth: Any = Field(None, alias="auth")
+    """ auth: Optional if the services needs the authentication against IDPs (optional depending on provider) """
+
     offline_config: Any = Field(None, alias="offline_store")
     """ OfflineStoreConfig: Offline store configuration (optional depending on provider) """
 
@@ -211,6 +221,13 @@ def __init__(self, **data: Any):
         self._online_store = None
         self.online_config = data.get("online_store", "sqlite")
 
+        self._auth = None
+        if "auth" not in data:
+            self.auth = dict()
+            self.auth["type"] = "no_auth"
+        else:
+            self.auth = data.get("auth")
+
         self._batch_engine = None
         if "batch_engine" in data:
             self.batch_engine_config = data["batch_engine"]
@@ -270,6 +287,20 @@ def offline_store(self):
                 self._offline_store = self.offline_config
         return self._offline_store
 
+    @property
+    def auth_config(self):
+        if not self._auth:
+            if isinstance(self.auth, Dict):
+                self._auth = get_auth_config_from_type(self.auth.get("type"))(
+                    **self.auth
+                )
+            elif isinstance(self.auth, str):
+                self._auth = get_auth_config_from_type(self.auth.get("type"))()
+            elif self.auth:
+                self._auth = self.auth
+
+        return self._auth
+
     @property
     def online_store(self):
         if not self._online_store:
@@ -300,6 +331,21 @@ def batch_engine(self):
 
         return self._batch_engine
 
+    @model_validator(mode="before")
+    def _validate_auth_config(cls, values: Any) -> Any:
+        if "auth" in values:
+            allowed_auth_types = AUTH_CONFIGS_CLASS_FOR_TYPE.keys()
+            if values["auth"].get("type") is None:
+                raise ValueError(
+                    f"auth configuration is not having authentication type. Possible values={allowed_auth_types}"
+                )
+            elif values["auth"]["type"] not in allowed_auth_types:
+                raise ValueError(
+                    f'auth configuration is having invalid authentication type={values["auth"]["type"]}. Possible '
+                    f'values={allowed_auth_types}'
+                )
+        return values
+
     @model_validator(mode="before")
     def _validate_online_store_config(cls, values: Any) -> Any:
         # This method will validate whether the online store configurations are set correctly. This explicit validation
@@ -480,6 +526,17 @@ def get_online_config_from_type(online_store_type: str):
     return import_class(module_name, config_class_name, config_class_name)
 
 
+def get_auth_config_from_type(auth_config_type: str):
+    if auth_config_type in AUTH_CONFIGS_CLASS_FOR_TYPE:
+        auth_config_type = AUTH_CONFIGS_CLASS_FOR_TYPE[auth_config_type]
+    elif not auth_config_type.endswith("AuthConfig"):
+        raise FeastInvalidAuthConfigClass(auth_config_type)
+    module_name, online_store_class_type = auth_config_type.rsplit(".", 1)
+    config_class_name = f"{online_store_class_type}"
+
+    return import_class(module_name, config_class_name, config_class_name)
+
+
 def get_offline_config_from_type(offline_store_type: str):
     if offline_store_type in OFFLINE_STORE_CLASS_FOR_TYPE:
         offline_store_type = OFFLINE_STORE_CLASS_FOR_TYPE[offline_store_type]
diff --git a/sdk/python/tests/unit/infra/scaffolding/test_repo_config.py b/sdk/python/tests/unit/infra/scaffolding/test_repo_config.py
@@ -4,6 +4,7 @@
 from typing import Optional
 
 from feast.infra.online_stores.sqlite import SqliteOnlineStoreConfig
+from feast.permissions.auth_model import K8AuthConfig, NoAuthConfig, OidcAuthConfig
 from feast.repo_config import FeastConfigError, load_repo_config
 
 
@@ -195,3 +196,112 @@ def test_no_provider():
         ),
         expect_error=None,
     )
+
+
+def test_auth_config():
+    _test_config(
+        dedent(
+            """
+        project: foo
+        auth:
+            client_id: test_client_id
+            client_secret: test_client_secret
+            username: test_user_name
+            password: test_password
+            realm: master
+            auth_server_url: http://localhost:8712
+        registry: "registry.db"
+        provider: local
+        online_store:
+            path: foo
+        entity_key_serialization_version: 2
+        """
+        ),
+        expect_error="not having authentication type",
+    )
+
+    _test_config(
+        dedent(
+            """
+        project: foo
+        auth:
+            type: not_valid_auth_type
+            client_id: test_client_id
+            client_secret: test_client_secret
+            username: test_user_name
+            password: test_password
+            realm: master
+            auth_server_url: http://localhost:8712
+        registry: "registry.db"
+        provider: local
+        online_store:
+            path: foo
+        entity_key_serialization_version: 2
+        """
+        ),
+        expect_error="invalid authentication type=not_valid_auth_type",
+    )
+
+    oidc_repo_config = _test_config(
+        dedent(
+            """
+        project: foo
+        auth:
+            type: oidc
+            client_id: test_client_id
+            client_secret: test_client_secret
+            username: test_user_name
+            password: test_password
+            realm: master
+            auth_server_url: http://localhost:8712
+        registry: "registry.db"
+        provider: local
+        online_store:
+            path: foo
+        entity_key_serialization_version: 2
+        """
+        ),
+        expect_error=None,
+    )
+    assert oidc_repo_config.auth["type"] == "oidc"
+    assert isinstance(oidc_repo_config.auth_config, OidcAuthConfig)
+    assert oidc_repo_config.auth_config.client_id == "test_client_id"
+    assert oidc_repo_config.auth_config.client_secret == "test_client_secret"
+    assert oidc_repo_config.auth_config.username == "test_user_name"
+    assert oidc_repo_config.auth_config.password == "test_password"
+    assert oidc_repo_config.auth_config.realm == "master"
+    assert oidc_repo_config.auth_config.auth_server_url == "http://localhost:8712"
+
+    no_auth_repo_config = _test_config(
+        dedent(
+            """
+        project: foo
+        registry: "registry.db"
+        provider: local
+        online_store:
+            path: foo
+        entity_key_serialization_version: 2
+        """
+        ),
+        expect_error=None,
+    )
+    assert no_auth_repo_config.auth.get("type") == "no_auth"
+    assert isinstance(no_auth_repo_config.auth_config, NoAuthConfig)
+
+    k8_repo_config = _test_config(
+        dedent(
+            """
+        auth:
+            type: kubernetes
+        project: foo
+        registry: "registry.db"
+        provider: local
+        online_store:
+            path: foo
+        entity_key_serialization_version: 2
+        """
+        ),
+        expect_error=None,
+    )
+    assert k8_repo_config.auth.get("type") == "kubernetes"
+    assert isinstance(k8_repo_config.auth_config, K8AuthConfig)
