[User secrets] Create API Endpoint to Store or Update Secret Tokens [feature/ig4-authentication] #8408
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Conflicts: # server/py/services/api/tests/unit/conftest.py
# Conflicts: # mlrun/common/schemas/constants.py # server/py/framework/utils/clients/iguazio/v3.py # server/py/framework/utils/clients/iguazio/v4.py # server/py/services/api/tests/unit/conftest.py # server/py/services/api/tests/unit/utils/clients/iguazio/test_iguazio_v3.py # tests/system/feature_store/test_feature_store.py
quaark
reviewed
Aug 6, 2025
Member
quaark
left a comment
quaark
left a comment
There was a problem hiding this comment.
Looks good!
Just a minor comment
| # iguazio_client = framework.utils.clients.iguazio.v4.Client() | ||
|
|
||
| # TODO: Enable this once it is implemented in the Iguazio client. | ||
| # iguazio_client.refresh_access_tokens(secret_tokens) |
Member
There was a problem hiding this comment.
this should be before _validate_and_decode_offline_tokens since you use verify_signature=False there, so first try to use it and only if it works - then decode it.
Member
Author
There was a problem hiding this comment.
@quaark The whole point was to perform the check on the mlrun side first and fail fast before sending the request to orca. Then, when decoding, we use verify_signature=False because the signature will be verified on the orca side later.
TomerShor
requested changes
Aug 7, 2025
4 tasks
moranbental
added a commit
that referenced
this pull request
Aug 13, 2025
…-authentication] (#8440) ### 📝 Description <!-- A short summary of what this PR does. --> <!-- Include any relevant context or background information. --> This PR adds new HTTPDB SDK methods to store or update one or more token secrets in MLRun. The new methods allow sending offline token JWTs to the MLRun API, which stores each token as a user secret and returns a structured response indicating whether each token was created, updated, or skipped. --- ### 🛠️ Changes Made <!-- - Key changes (e.g., added feature X, refactored Y, fixed Z) --> Added store_secret_token method to store or update a single token: `db.store_secret_token(secret_token: mlrun.common.schemas.SecretToken, log_warning: bool = True)` Added store_secret_tokens method to store or update multiple tokens: `db.store_secret_tokens(secret_tokens: list[mlrun.common.schemas.SecretToken], log_warning: bool = True)` --- ### ✅ Checklist - [x] I updated the documentation (if applicable) - [x] I have tested the changes in this PR --- ### 🧪 Testing <!-- - How it was tested (unit tests, manual, integration) --> <!-- - Any special cases covered. --> --- ### 🔗 References - Ticket link: https://iguazio.atlassian.net/browse/ML-10501 - Design docs links: https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/404521061/BE+Secret+Token+Support+HLD - External links: https://iguazio.atlassian.net/wiki/spaces/ARC/pages/361103361/MLRun+Secret+Tokens+in+IG4 --- ### 🚨 Breaking Changes? - [ ] Yes (explain below) - [x] No <!-- If yes, describe what needs to be changed downstream: --> --- ### 🔍️ Additional Notes <!-- Anything else reviewers should know (follow-up tasks, known issues, affected areas etc.). --> <!-- ### 📸 Screenshots / Logs --> API side PR - #8408
quaark
requested changes
Aug 13, 2025
Member
quaark
left a comment
quaark
left a comment
There was a problem hiding this comment.
Awesome!
I think you may now add the usage of the iguazio sdk - as the relevant methods are implemented.
Comment on lines
+40
to
+41
| # TODO: Implement this method once it is available in the Iguazio package | ||
| pass |
Member
Author
There was a problem hiding this comment.
I didn’t add it because no release rc has been published yet, so it will be handled in a different story/pr — #8443.
Also, there is an issue in the CI with importing Iguazio, which is why I added it in a separate pr.
Comment on lines
+52
to
+53
| # TODO: Implement this method once it is available in the Iguazio package | ||
| pass |
Member
Author
There was a problem hiding this comment.
no, refresh_access_tokens (for many tokens) was not implemented yet, only the refresh_access_token
| # iguazio_client = framework.utils.clients.iguazio.v4.Client() | ||
|
|
||
| # TODO: Enable this once it is implemented in the Iguazio client. | ||
| # iguazio_client.refresh_access_tokens(secret_tokens) |
quaark
approved these changes
Aug 13, 2025
moranbental
merged commit 1a5a3d4
into
mlrun:feature/ig4-authentication
13 checks passed
moranbental
added a commit
to moranbental/mlrun
that referenced
this pull request
Oct 15, 2025
…-authentication] (mlrun#8440) <!-- A short summary of what this PR does. --> <!-- Include any relevant context or background information. --> This PR adds new HTTPDB SDK methods to store or update one or more token secrets in MLRun. The new methods allow sending offline token JWTs to the MLRun API, which stores each token as a user secret and returns a structured response indicating whether each token was created, updated, or skipped. --- <!-- - Key changes (e.g., added feature X, refactored Y, fixed Z) --> Added store_secret_token method to store or update a single token: `db.store_secret_token(secret_token: mlrun.common.schemas.SecretToken, log_warning: bool = True)` Added store_secret_tokens method to store or update multiple tokens: `db.store_secret_tokens(secret_tokens: list[mlrun.common.schemas.SecretToken], log_warning: bool = True)` --- - [x] I updated the documentation (if applicable) - [x] I have tested the changes in this PR --- <!-- - How it was tested (unit tests, manual, integration) --> <!-- - Any special cases covered. --> --- - Ticket link: https://iguazio.atlassian.net/browse/ML-10501 - Design docs links: https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/404521061/BE+Secret+Token+Support+HLD - External links: https://iguazio.atlassian.net/wiki/spaces/ARC/pages/361103361/MLRun+Secret+Tokens+in+IG4 --- - [ ] Yes (explain below) - [x] No <!-- If yes, describe what needs to be changed downstream: --> --- <!-- Anything else reviewers should know (follow-up tasks, known issues, affected areas etc.). --> <!-- ### 📸 Screenshots / Logs --> API side PR - mlrun#8408
moranbental
added a commit
to moranbental/mlrun
that referenced
this pull request
Oct 15, 2025
…feature/ig4-authentication] (mlrun#8408) This PR introduces a new API endpoint to store or update multiple offline tokens: `PUT /api/v1/user-secrets/tokens` For each token in the request, the following validations and operations are performed: 1. Token Name Validation – Ensure each token has a non-empty and unique name within the request. 2. JWT Decoding – Decode the offline token and verify it contains the required claims: sub (user ID) and exp (expiration). 3. User Ownership Validation – Confirm that the sub in the offline token matches the authenticated user ID 4. Token Verification – Use the Iguazio SDK to validate all tokens via the `refresh_access_tokens` call. This will be enabled in a separate PR (mlrun#8443). 5. Secret Storage – (Not implemented in this PR) Creation and updating of Kubernetes secrets will be handled in a separate PR. Response Structure – Return lists of token names categorized by action: created_tokens, updated_tokens, and skipped_tokens. This functionality has been verified only via unit tests for now Additional Changes 1. Renamed `api/endpoints/secrets.py` → `api/endpoints/project_secrets.py`. 2. Extracting the user_id from Orca’s session verification endpoint and saving it in the AuthInfo https://iguazio.atlassian.net/browse/ML-10487
6 tasks
liranbg
pushed a commit
that referenced
this pull request
Nov 3, 2025
### 📝 Description <!-- A short summary of what this PR does. --> <!-- Include any relevant context or background information. --> This PR introduces support for MLRun authentication with IG4. It rebases the `feature/ig4-authentication` branch onto `development` This PR includes the following PRs: 1. #8345 2. #8370 3. #8366 4. #8388 5. #8440 6. #8408 7. #8466 8. #8471 9. #8443 10. #8484 11. #8498 12. #8574 13. #8529 14. #8584 15. #8588 16. #8589 17. #8567 18. #8623 19. #8612 20. #8514 21. #8626 22. #8632 23. #8633 24. #8667 25. #8668 26. #8674 27. #8780 28. #8754 29. #8796 30. #8811 --- ### 🛠️ Changes Made <!-- - Key changes (e.g., added feature X, refactored Y, fixed Z) --> To enable IG4 project authorization, set the following configs in mlrun api: ``` MLRUN_HTTPDB__AUTHENTICATION__MODE: iguazio-v4 MLRUN_HTTPDB__AUTHENTICATION__IGUAZIO__SESSION_VERIFICATION_ENDPOINT: v1/identity/self MLRUN_IGUAZIO_API_URL: http://igz-api:8000 ``` Before importing MLRun, you must set: ``` MLRUN_AUTH_WITH_OAUTH_TOKEN__ENABLED=true MLRUN_AUTH_TOKEN_ENDPOINT="https://igz-api.<namespace>.<system-domain>/api/v1/refresh-access-token" ``` --- ### ✅ Checklist - [x] I updated the documentation (if applicable) - [x] I have tested the changes in this PR - [ ] If I introduced a deprecation: - [ ] I followed the [Deprecation Guidelines](./DEPRECATION.md) - [ ] I updated the relevant Jira ticket for documentation --- ### 🧪 Testing <!-- - How it was tested (unit tests, manual, integration) --> <!-- - Any special cases covered. --> Tested on IG4 system + unit tests --- ### 🔗 References - Ticket link: https://iguazio.atlassian.net/browse/ML-9683, https://iguazio.atlassian.net/browse/ML-9870, https://iguazio.atlassian.net/browse/ML-9998 - Design docs links: https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/399179866/Support+IG4+Authentication+in+MLRun+AuthVerifier+HLD, https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/411960071/Support+sdk-side+IG4+authentication+-+token+usage+and+management+HLD, https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/404521061/BE+Secret+Token+Support+HLD, - External links: https://iguazio.atlassian.net/wiki/spaces/ARC/pages/361103361/MLRun+Secret+Tokens+in+IG4 --- ### 🚨 Breaking Changes? - [x] Yes (explain below) - [] No Removed unused API endpoints `- POST /api/v1/user-secrets` which was not in used --- ### 🔍️ Additional Notes How to enable IG4 authentication - https://iguazio.atlassian.net/wiki/spaces/PLAT/pages/457671097/Enable+IG4+Authentication+in+MLRun --------- Co-authored-by: Katerina Molchanova <[email protected]> Co-authored-by: Amit Elbaz <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces a new API endpoint to store or update multiple offline tokens:
PUT /api/v1/user-secrets/tokensFor each token in the request, the following validations and operations are performed:
refresh_access_tokenscall. This will be enabled in a separate PR ([Client v4] Implementing refresh_access_token [feature/ig4-authentication] #8443).Response Structure – Return lists of token names categorized by action: created_tokens, updated_tokens, and skipped_tokens.
This functionality has been verified only via unit tests for now
Additional Changes
api/endpoints/secrets.py→api/endpoints/project_secrets.py.https://iguazio.atlassian.net/browse/ML-10487