Member

@moranbental moranbental commented Aug 21, 2025

📝 Description

This PR introduces support for revoking user offline tokens in the Iguazio client. Revoked tokens can no longer be used to obtain access tokens. The feature includes both SDK and API support for deleting tokens and automatically deleting the associated Kubernetes secret.


🛠️ Changes Made

  1. Added SDK method: revoke_secret_token to revoke a user token.
  2. Added API endpoint: DELETE /user-secrets/tokens/{name} for token revocation.
  3. Integrated token revocation with Iguazio backend.
  4. Retrieves and deletes the corresponding Kubernetes secret after revocation.
  5. Updated create_secret and update_secret methods to accept encoded values.

✅ Checklist

  • I updated the documentation (if applicable)
  • I have tested the changes in this PR

🧪 Testing


🔗 References


🚨 Breaking Changes?

  • Yes (explain below)
  • No

@moranbental moranbental marked this pull request as ready for review August 21, 2025 13:44
@moranbental moranbental requested review from a team, liranbg and quaark as code owners August 21, 2025 13:44
@moranbental moranbental changed the title [User secrets] Implement revoke user token secrets] [feature/ig4-authentication] [User secrets] Implement revoke user token secret [feature/ig4-authentication] Aug 21, 2025
Member

@quaark quaark left a comment

LGTM!
one minor thing - with how we're supposed to use iguazio sdk

Member

@rokatyy rokatyy left a comment

Initial review, have a general question regarding the abstractions

# TODO: Implement this method once it is available in the Iguazio package
pass

def revoke_offline_token(self, token: str) -> None:
Member

why not passing options here?

Member Author

Why options? The only input we get from the user is the token to delete, and then we build the options

Member

@moranbental I agree that for user-side it might be just token. But if we pass options here we 1. align with approach in orca, 2. if we have some additional options in the future, we won't need to modify this function

Member Author

I spoke with @rokatyy offline, and we decided to leave it as is.

# Conflicts:
#	mlrun/common/secrets.py
#	mlrun/db/base.py
#	mlrun/db/httpdb.py
#	mlrun/db/nopdb.py
#	server/py/framework/rundb/sqldb.py
#	server/py/framework/utils/singletons/k8s.py
#	server/py/services/api/api/endpoints/user_secrets.py
#	server/py/services/api/crud/secrets.py
#	server/py/services/api/tests/unit/crud/test_secrets.py
#	server/py/services/api/tests/unit/utils/singletons/test_k8s_utils.py
#	tests/rundb/test_unit_httpdb.py
Member

@rokatyy rokatyy left a comment

🚀

@moranbental moranbental merged commit 59a17d7 into mlrun:feature/ig4-authentication Sep 17, 2025
13 checks passed
@moranbental moranbental deleted the revoke-secrert branch September 17, 2025 09:07
moranbental added a commit to moranbental/mlrun that referenced this pull request Oct 15, 2025
…tication] (mlrun#8514)

### 📝 Description

This PR introduces support for revoking user offline tokens in the
Iguazio client. Revoked tokens can no longer be used to obtain access
tokens. The feature includes both SDK and API support for deleting
tokens and automatically deleting the associated Kubernetes secret.

---

### 🛠️ Changes Made


1. Added SDK method: `revoke_secret_token` to revoke a user token.
2. Added API endpoint: `DELETE /user-secrets/tokens/{name}` for token
revocation.
3. Integrated token revocation with Iguazio backend.
4. Retrieves and deletes the corresponding Kubernetes secret after
revocation.
5. Updated `create_secret` and `update_secret` methods to accept encoded
values.

---

### ✅ Checklist
- [x] I updated the documentation (if applicable)
- [x] I have tested the changes in this PR

---

### 🧪 Testing

---

### 🔗 References
- Ticket link: https://iguazio.atlassian.net/browse/ML-10499,
https://iguazio.atlassian.net/browse/ML-10498
- Design docs links:
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/404521061/BE+Secret+Token+Support+HLD#2.2.6-Token-Revocation-Flow
- External links:
https://iguazio.atlassian.net/wiki/spaces/ARC/pages/361103361/MLRun+Secret+Tokens+in+IG4

---

### 🚨 Breaking Changes?

- [ ] Yes (explain below)
- [x] No


---
liranbg pushed a commit that referenced this pull request Nov 3, 2025
### 📝 Description
This PR introduces support for MLRun authentication with IG4.
It rebases the `feature/ig4-authentication` branch onto `development`

This PR includes the following PRs:

1. #8345
2. #8370
3. #8366
4. #8388
5. #8440
6. #8408
7. #8466
8. #8471
9. #8443
10. #8484
11. #8498
12. #8574
13. #8529
14. #8584
15. #8588
16. #8589
17. #8567
18. #8623
19. #8612
20. #8514
21. #8626
22. #8632
23. #8633
24. #8667
25. #8668
26. #8674
27. #8780
28. #8754
29. #8796
30. #8811
---

### 🛠️ Changes Made
To enable IG4 project authorization, set the following configs in mlrun
api:

```
MLRUN_HTTPDB__AUTHENTICATION__MODE: iguazio-v4
MLRUN_HTTPDB__AUTHENTICATION__IGUAZIO__SESSION_VERIFICATION_ENDPOINT: v1/identity/self
MLRUN_IGUAZIO_API_URL: http://igz-api:8000
```

Before importing MLRun, you must set:
```
MLRUN_AUTH_WITH_OAUTH_TOKEN__ENABLED=true
MLRUN_AUTH_TOKEN_ENDPOINT="https://igz-api.<namespace>.<system-domain>/api/v1/refresh-access-token"
```

---

### ✅ Checklist
- [x] I updated the documentation (if applicable)
- [x] I have tested the changes in this PR
- [ ] If I introduced a deprecation:
  - [ ] I followed the [Deprecation Guidelines](./DEPRECATION.md)
  - [ ] I updated the relevant Jira ticket for documentation

---

### 🧪 Testing
Tested on IG4 system + unit tests

---

### 🔗 References
- Ticket link: https://iguazio.atlassian.net/browse/ML-9683,
https://iguazio.atlassian.net/browse/ML-9870,
https://iguazio.atlassian.net/browse/ML-9998
- Design docs links:
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/399179866/Support+IG4+Authentication+in+MLRun+AuthVerifier+HLD,
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/411960071/Support+sdk-side+IG4+authentication+-+token+usage+and+management+HLD,
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/404521061/BE+Secret+Token+Support+HLD,
- External links:
https://iguazio.atlassian.net/wiki/spaces/ARC/pages/361103361/MLRun+Secret+Tokens+in+IG4

---

### 🚨 Breaking Changes?

- [x] Yes (explain below)
- [ ] No

Removed the unused API endpoint `POST /api/v1/user-secrets`, which was not
in use

---

### 🔍️ Additional Notes


How to enable IG4 authentication -
https://iguazio.atlassian.net/wiki/spaces/PLAT/pages/457671097/Enable+IG4+Authentication+in+MLRun

---------

Co-authored-by: Katerina Molchanova <[email protected]>
Co-authored-by: Amit Elbaz <[email protected]>