Optimize endpoints that do not require authorization by not validating JWT token

allegroai 2023-11-17 09:45:22 +02:00
parent a03b24d6b6
commit ec14f327c6
2 changed files with 16 additions and 10 deletions


@ -6,7 +6,7 @@ _default {
} }
supported_modes { supported_modes {
authorize: false authorize: null
"2.9" { "2.9" {
description: """ Return supported login modes.""" description: """ Return supported login modes."""
request { request {
@ -95,7 +95,7 @@ supported_modes {
} }
logout { logout {
authorize: false authorize: null
allow_roles = [ "*" ] allow_roles = [ "*" ]
"2.13" { "2.13" {
description: """ Logout (including SSO, if used)) """ description: """ Logout (including SSO, if used)) """
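Review bot: The switch to `authorize: null` on `supported_modes` and `logout` carries no comment explaining the tri-state, so a later reader can easily "normalise" it back to `false`. According to the updated `validate_auth` docstring in this commit, `false` now means the token is never validated, while `null` means validation is tried but does not have to succeed. For `logout`, which also sets `allow_roles = [ "*" ]`, losing the caller identity would presumably change behaviour. I would add above each changed line something like `# null = validate the token if one is sent, but do not require it; false = never validate`. Endpoint definitions elsewhere that remain on `authorize: false` are worth checking for handlers that read the caller identity.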


@ -17,7 +17,7 @@ log = config.logger(__file__)
def validate_data(call: APICall, endpoint: Endpoint): def validate_data(call: APICall, endpoint: Endpoint):
""" Perform all required call/endpoint validation, update call result appropriately """ """ Perform all required call/endpoint validation, update call result appropriately """
try: try:
# todo: remove vaildate_required_fields once all endpoints have json schema # todo: remove validate_required_fields once all endpoints have json schema
validate_required_fields(endpoint, call) validate_required_fields(endpoint, call)
# set models. models will be validated automatically # set models. models will be validated automatically
@ -50,10 +50,17 @@ def validate_role(endpoint, call):
pass pass
def validate_auth(endpoint, call): def validate_auth(endpoint: Endpoint, call: "APICall"):
""" Validate authorization for this endpoint and call.
If authentication has occurred, the call is updated with the authentication results.
""" """
Validate authorization for this endpoint and call.
If authentication has occurred, the call is updated with the authentication results.
For the endpoints with authorize==False the validation is not performed to improve performance
For the endpoints with authorize==True the validation should pass otherwise exception will be thrown
For the endpoints with authorize==None the validation will be tried, but it does not have to succeed
"""
if endpoint.authorize is not None and not endpoint.authorize:
return
if not call.authorization: if not call.authorization:
# No auth data. Invalid if we need to authorize and valid otherwise # No auth data. Invalid if we need to authorize and valid otherwise
if endpoint.authorize: if endpoint.authorize:
@ -63,10 +70,9 @@ def validate_auth(endpoint, call):
# prepare arguments for validation # prepare arguments for validation
service, _, action = endpoint.name.partition(".") service, _, action = endpoint.name.partition(".")
# If we have auth data, we'll try to validate anyway (just so we'll have auth-based permissions whenever possible, # noinspection PyBroadException
# even if endpoint did not require authorization)
try: try:
auth = call.authorization or "" auth = call.authorization
auth_type, _, auth_data = auth.partition(" ") auth_type, _, auth_data = auth.partition(" ")
authorize_func = get_auth_func(auth_type) authorize_func = get_auth_func(auth_type)
call.auth = authorize_func(auth_data, service, action, call) call.auth = authorize_func(auth_data, service, action, call)
@ -78,7 +84,7 @@ def validate_auth(endpoint, call):
def validate_impersonation(endpoint, call): def validate_impersonation(endpoint, call):
""" Validate impersonation headers and set impersonated identity and authorization data accordingly. """ Validate impersonation headers and set impersonated identity and authorization data accordingly.
:returns True if impersonating, False otherwise :return: True if impersonating, False otherwise
""" """
try: try:
act_as = call.act_as act_as = call.act_as
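Review bot: The new early return in `validate_auth` (`if endpoint.authorize is not None and not endpoint.authorize: return`) means that on every `authorize: false` endpoint a supplied token is now ignored and `call.auth` is never populated, whereas the removed comment says validation used to be attempted "whenever possible". Only two endpoints are moved to `null` in this commit, so any other `authorize: false` handler that reads the identity now sees an unauthenticated call, as would `validate_role` and `validate_impersonation` if they run for those endpoints; that is not visible from these hunks and needs checking. The guard also skips validation for any falsy non-None value, so `if endpoint.authorize is False: return` states the intent exactly and sends an unexpected value on to validation instead of skipping it. With `or ""` dropped, `auth.partition(" ")` relies on the `if not call.authorization:` branch returning in every case, and that branch ends outside the hunk.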