Skip to content

[Client spec] Add authentication mode [feature/ig4-authentication] #8589

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
moranbental merged 3 commits into from
Sep 9, 2025
Merged

[Client spec] Add authentication mode [feature/ig4-authentication] #8589

moranbental merged 3 commits into from
Sep 9, 2025

Conversation

@moranbental
Copy link
Member

@moranbental moranbental commented Sep 9, 2025
edited
Loading

📝 Description

The SDK needs to be aware when authentication is set to Iguazio v4 in order to enable certain SDK methods (e.g., storing secrets, listing secrets, revoking, and syncing).
To support this, we now pass the authentication mode value, configured on the server, to the client.

🛠️ Changes Made

Added httpdb_authentication_mode to the client spec schema.

✅ Checklist

  • I updated the documentation (if applicable)
  • I have tested the changes in this PR

🧪 Testing

Verified changes on an IG4 system

🔗 References

🚨 Breaking Changes?

  • Yes (explain below)
  • No

🔍️ Additional Notes

@moranbental moranbental requested review from a team and quaark as code owners September 9, 2025 09:22
TomerShor
TomerShor requested changes Sep 9, 2025
View reviewed changes
@moranbental moranbental merged commit f7f19ee into mlrun:feature/ig4-authentication Sep 9, 2025
13 checks passed
@moranbental moranbental deleted the client-spec branch September 9, 2025 11:29
moranbental added a commit to moranbental/mlrun that referenced this pull request Oct 15, 2025
@moranbental
[Client spec] Add authentication mode [feature/ig4-authentication] (m…
438361d 
…lrun#8589)

### 📝 Description
<!-- A short summary of what this PR does. -->
<!-- Include any relevant context or background information. -->
The SDK needs to be aware when authentication is set to Iguazio v4 in
order to enable certain SDK methods (e.g., storing secrets, listing
secrets, revoking, and syncing).
To support this, we now pass the authentication mode value, configured
on the server, to the client.

---

### 🛠️ Changes Made
<!-- - Key changes (e.g., added feature X, refactored Y, fixed Z) -->
Added `httpdb_authentication_mode` to the client spec schema.

---

### ✅ Checklist
- [ ] I updated the documentation (if applicable)
- [x] I have tested the changes in this PR

---

### 🧪 Testing
<!-- - How it was tested (unit tests, manual, integration) -->  
<!-- - Any special cases covered. -->  
Verified changes on an IG4 system

---

### 🔗 References
- Ticket link: https://iguazio.atlassian.net/browse/ML-10494
- Design docs links:
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/404521061/BE+Secret+Token+Support+HLD#2.1.9-Configurable-Authentication-Mode

---

### 🚨 Breaking Changes?

- [ ] Yes (explain below)
- [x] No

<!-- If yes, describe what needs to be changed downstream: -->

---

### 🔍️ Additional Notes
<!-- Anything else reviewers should know (follow-up tasks, known issues,
affected areas etc.). -->
<!-- ### 📸 Screenshots / Logs -->
@moranbental moranbental mentioned this pull request Oct 16, 2025
Merged
6 tasks
liranbg pushed a commit that referenced this pull request Nov 3, 2025
@moranbental @rokatyy @elbamit
[Authentication] Allow authentication against IG4 (#8724)
aca1350 
### 📝 Description
<!-- A short summary of what this PR does. -->
<!-- Include any relevant context or background information. -->
This PR introduces support for MLRun authentication with IG4.
It rebases the `feature/ig4-authentication` branch onto `development`

This PR includes the following PRs:

1. #8345
2. #8370
3.  #8366
4. #8388
5. #8440
6. #8408
7. #8466
8. #8471
9. #8443
10. #8484
11. #8498
12. #8574
13. #8529
14. #8584
15. #8588
16. #8589
17. #8567
18. #8623
19. #8612
20. #8514
21. #8626
22. #8632
23. #8633
24. #8667
25. #8668
26. #8674
27. #8780
28. #8754
29. #8796
30. #8811
---

### 🛠️ Changes Made
<!-- - Key changes (e.g., added feature X, refactored Y, fixed Z) -->
To enable IG4 project authorization, set the following configs in mlrun
api:

```
MLRUN_HTTPDB__AUTHENTICATION__MODE: iguazio-v4
MLRUN_HTTPDB__AUTHENTICATION__IGUAZIO__SESSION_VERIFICATION_ENDPOINT: v1/identity/self
MLRUN_IGUAZIO_API_URL: http://igz-api:8000
```

Before importing MLRun, you must set:
```
MLRUN_AUTH_WITH_OAUTH_TOKEN__ENABLED=true
MLRUN_AUTH_TOKEN_ENDPOINT="https://igz-api.<namespace>.<system-domain>/api/v1/refresh-access-token"
```

---

### ✅ Checklist
- [x] I updated the documentation (if applicable)
- [x] I have tested the changes in this PR
- [ ] If I introduced a deprecation:
  - [ ] I followed the [Deprecation Guidelines](./DEPRECATION.md)
  - [ ] I updated the relevant Jira ticket for documentation

---

### 🧪 Testing
<!-- - How it was tested (unit tests, manual, integration) -->  
<!-- - Any special cases covered. -->  
Tested on IG4 system + unit tests

---

### 🔗 References
- Ticket link: https://iguazio.atlassian.net/browse/ML-9683,
https://iguazio.atlassian.net/browse/ML-9870,
https://iguazio.atlassian.net/browse/ML-9998
- Design docs links:
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/399179866/Support+IG4+Authentication+in+MLRun+AuthVerifier+HLD,
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/411960071/Support+sdk-side+IG4+authentication+-+token+usage+and+management+HLD,
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/404521061/BE+Secret+Token+Support+HLD,
- External links:
https://iguazio.atlassian.net/wiki/spaces/ARC/pages/361103361/MLRun+Secret+Tokens+in+IG4

---

### 🚨 Breaking Changes?

- [x] Yes (explain below)
- [] No

Removed unused API endpoints `- POST /api/v1/user-secrets` which was not
in used

---

### 🔍️ Additional Notes


How to enable IG4 authentication -
https://iguazio.atlassian.net/wiki/spaces/PLAT/pages/457671097/Enable+IG4+Authentication+in+MLRun

---------

Co-authored-by: Katerina Molchanova <[email protected]>
Co-authored-by: Amit Elbaz <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TomerShor TomerShor TomerShor approved these changes

@quaark quaark Awaiting requested review from quaark

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@moranbental @TomerShor