Release 1.28.13 (#1191)

* Stable/1.28.x - Allianz - Celery DB authentication with Azure Service Principal (#1190)

* Stable/1.28.x - Allianz - Celery DB authentication with Azure Service Principal   (#1186)

* Update postgres.docker-compose.yml

spa env vars updated for celery and worker

* Update requirements-worker.in

azure identity packaged added to worker requirement

* Update requirements-worker.txt

* Update celeryconf.py

Service Principal Logic added

* Create celery_db_backend.py

custom backend for celery

* Create test.md

* Add files via upload

workflow file uploaded

* Update test.md

* Create celery_readme.md

* Update celery_readme.md

* Update celery_readme.md

* Update celeryconf.py

removed password/token masking

* Update celeryconf.py

* Update celeryconf.py

* Update celery_readme.md

* Update celery_db_backend.py

* Update celery_readme.md

* Update celery_db_backend.py

removed unwanted - methods   get_connection  + get_db_engine

* Update celery_readme.md

* Update and rename celery_db_backend.py to utils.py

utils.py introduced instead of celery_db_backend.py

* Update and rename celery_readme.md to readme.md

* Update readme.md

readme.md updated

* Adjust PR

* update

---------

Co-authored-by: Saseem75 <[email protected]>

* Set version 1.28.13

Set version 1.28.13

* Update changelog

---------

Co-authored-by: Saseem75 <[email protected]>
Co-authored-by: awsbuild <[email protected]>

Author: 3 people

CHANGELOG.rst

@@ -1,6 +1,9 @@
 OasisPlatform Changelog
 =======================
 
+* [#1190](https://github.com/OasisLMF/OasisPlatform/pull/1190) - Stable/1.28.x - Allianz - Celery DB authentication with Azure Service Principal
+.. _`1.28.13`:  https://github.com/OasisLMF/OasisPlatform/compare/1.28.12...1.28.13
+
 .. _`1.28.12`:  https://github.com/OasisLMF/OasisPlatform/compare/1.28.11...1.28.12
 
 `1.28.11`_

VERSION

@@ -1 +1 @@
-1.28.12
+1.28.13

compose/postgres.docker-compose.yml

@@ -65,6 +65,10 @@ services:
      - OASIS_CELERY_DB_USER=celery
      - OASIS_CELERY_DB_NAME=celery
      - OASIS_CELERY_DB_PORT=5432
+     - OASIS_AZURE_CLIENT_ID=spa-client
+     - OASIS_AZURE_TENANT_ID=spa-tenant
+     - OASIS_AZURE_CLIENT_SECRET=spa-client-secret
+     - OASIS_AZURE_SERVICE_PRINCIPAL_USER=spa-name
    volumes:
      - ${OASIS_MEDIA_ROOT:-./docker-shared-fs}:/shared-fs:rw
   worker:
@@ -91,6 +95,10 @@ services:
      - OASIS_CELERY_DB_NAME=celery
      - OASIS_CELERY_DB_PORT=5432
      - OASIS_MODEL_DATA_DIRECTORY=/home/worker/model
+     - OASIS_AZURE_CLIENT_ID=spa-client
+     - OASIS_AZURE_TENANT_ID=spa-tenant
+     - OASIS_AZURE_CLIENT_SECRET=spa-client-secret
+     - OASIS_AZURE_SERVICE_PRINCIPAL_USER=spa-name
     volumes:
      - ${OASIS_MODEL_DATA_DIR:-./data/static}:/home/worker/model:rw
      - ${OASIS_MEDIA_ROOT:-./docker-shared-fs}:/shared-fs:rw

requirements-worker.in

@@ -11,3 +11,4 @@ psycopg2-binary
 sqlalchemy
 pytest
 numba
+azure-identity

requirements-worker.txt

@@ -17,7 +17,10 @@ attrs==22.2.0
 azure-core==1.26.3
     # via
     #   -r requirements-worker.in
+    #   azure-identity
     #   azure-storage-blob
+azure-identity==1.17.1
+    # via -r requirements-worker.in
 azure-storage-blob==12.15.0
     # via -r requirements-worker.in
 billiard==3.6.4.0
@@ -62,7 +65,11 @@ configparser==5.3.0
 cramjam==2.6.2
     # via fastparquet
 cryptography==42.0.4
-    # via azure-storage-blob
+    # via
+    #   azure-identity
+    #   azure-storage-blob
+    #   msal
+    #   pyjwt
 exceptiongroup==1.1.1
     # via pytest
 fasteners==0.18
@@ -97,6 +104,12 @@ kombu==5.2.4
     # via celery
 llvmlite==0.39.1
     # via numba
+msal==1.32.0
+    # via
+    #   azure-identity
+    #   msal-extensions
+msal-extensions==1.3.1
+    # via azure-identity
 msgpack==1.0.5
     # via oasislmf
 numba==0.56.4
@@ -119,7 +132,7 @@ numpy==1.22.4
     #   scikit-learn
     #   scipy
     #   shapely
-oasislmf[extra]==1.28.12
+oasislmf[extra]==1.28.13
     # via -r requirements-worker.in
 ods-tools==3.1.5
     # via oasislmf
@@ -148,6 +161,10 @@ pyarrow==14.0.1
     # via oasislmf
 pycparser==2.21
     # via cffi
+pyjwt[crypto]==2.10.1
+    # via
+    #   msal
+    #   pyjwt
 pymysql==1.1.1
     # via -r requirements-worker.in
 pyogrio==0.10.0
@@ -171,6 +188,7 @@ requests==2.31.0
     # via
     #   azure-core
     #   forex-python
+    #   msal
     #   oasislmf
     #   requests-toolbelt
 requests-toolbelt==0.10.1
@@ -216,6 +234,7 @@ tqdm==4.65.0
 typing-extensions==4.5.0
     # via
     #   azure-core
+    #   azure-identity
     #   azure-storage-blob
     #   sqlalchemy
 urllib3==1.26.18

requirements.txt

@@ -33,7 +33,9 @@ azure-core==1.26.3
     #   azure-identity
     #   azure-storage-blob
 azure-identity==1.17.1
-    # via -r /home/runner/work/OasisPlatform/OasisPlatform/requirements-server.in
+    # via
+    #   -r /home/runner/work/OasisPlatform/OasisPlatform/requirements-server.in
+    #   -r /home/runner/work/OasisPlatform/OasisPlatform/requirements-worker.in
 azure-storage-blob==12.15.0
     # via
     #   -r /home/runner/work/OasisPlatform/OasisPlatform/requirements-worker.in
@@ -279,7 +281,7 @@ numpy==1.22.4
     #   scikit-learn
     #   scipy
     #   shapely
-oasislmf[extra]==1.28.12
+oasislmf[extra]==1.28.13
     # via -r /home/runner/work/OasisPlatform/OasisPlatform/requirements-worker.in
 ods-tools==3.1.5
     # via

src/conf/azure_auth_SP_readme.md

@@ -0,0 +1,48 @@
+# Celery Configuration with Azure Service Principal for PostgreSQL Backend
+
+## Overview
+This setup enables Celery to store task results in Azure PostgreSQL while authenticating securely using Azure Active Directory Service Principal (SP). This eliminates the need for database passwords, enhances security, and ensures seamless authentication with Azure PostgreSQL using Service Principal tokens
+
+- Instead of a static username/password, it retrieves an Azure AD access token dynamically.
+
+### Configuration Breakdown
+
+
+```/var/www/oasis/
+│── src/
+│   ├── conf/
+│   │   ├── celeryconf.py
+│   │   ├── utils.py  # Configures celery backend logic for Service Principal authentication
+│   ├── server
+│   │   ├── oasisapi
+│   │   │   ├── settings.py  # where we Configures server database backend
+```
+
+
+##### utils.py - Handling Azure AD Token Authentication
+This module is responsible for fetching Azure Active Directory access tokens and managing the PostgreSQL connection for Celery.
+
+<details>
+  <summary>Environment Variables Required (Click to expand)</summary>
+
+| Variable Name                       | Description                                    |
+|--------------------------------------|------------------------------------------------|
+| `AZURE_TENANT_ID`                    | Azure AD Tenant ID                             |
+| `AZURE_CLIENT_ID`                    | Azure Service Principal Client ID             |
+| `AZURE_CLIENT_SECRET`                | Azure Service Principal Client Secret         |
+| `AZURE_SERVICE_PRINCIPAL_USER`        | Username for PostgreSQL (e.g., `sp_user@db`)  |
+| `CELERY_RESULTS_DB_BACKEND`           | Database backend (e.g., `db+postgresql`)      |
+| `DB_HOST`                             | PostgreSQL database host                      |
+| `DB_PORT`                             | PostgreSQL database port                      |
+| `DB_NAME`                             | Celery result backend database name           |
+
+</details>
+
+
+#### Troubleshooting
+- Error: Azure AD credentials are missing for Celery DB
+- Ensure AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET are set correctly.
+- Celery fails to connect to PostgreSQL
+- Verify that the Service Principal is assigned the correct roles (db_owner or db_reader).
+- Expired Token Error
+- Restart the worker to refresh the token.

src/conf/celeryconf.py

@@ -20,14 +20,34 @@
         DB_NAME=settings.get('celery', 'db_name', fallback='celery.db.sqlite'),
     )
 else:
-    CELERY_RESULT_BACKEND = '{DB_ENGINE}://{DB_USER}:{DB_PASS}@{DB_HOST}:{DB_PORT}/{DB_NAME}'.format(
-        DB_ENGINE=settings.get('celery', 'db_engine'),
-        DB_USER=urllib.parse.quote(settings.get('celery', 'db_user')),
-        DB_PASS=urllib.parse.quote(settings.get('celery', 'db_pass')),
-        DB_HOST=settings.get('celery', 'db_host'),
-        DB_PORT=settings.get('celery', 'db_port'),
-        DB_NAME=settings.get('celery', 'db_name', fallback='celery'),
-    )
+    #: Attempt to retrieve Service Principal credentials
+    service_principal_user = settings.get("celery", "AZURE_SERVICE_PRINCIPAL_USER", fallback=None)
+    if service_principal_user:
+        #: Initialize Celery Database Backend
+        from src.conf.utils import CeleryAzureServicePrincipal
+        azure_token_client = CeleryAzureServicePrincipal(settings)
+
+        #: Use Service Principal Authentication
+        azure_token = azure_token_client.get_access_token()
+        CELERY_RESULT_BACKEND = "{DB_ENGINE}://{SP_USER}:{DB_PASS}@{DB_HOST}:{DB_PORT}/{DB_NAME}".format(
+            DB_ENGINE=settings.get('celery', 'db_engine'),
+            SP_USER=urllib.parse.quote(service_principal_user),
+            DB_PASS=urllib.parse.quote(azure_token),
+            DB_HOST=settings.get('celery', 'db_host'),
+            DB_PORT=settings.get("celery", "db_port", fallback="5432"),
+            DB_NAME=settings.get("celery", "db_name", fallback="celery"),
+        )
+    else:
+        #: Fallback to Username/Password Authentication
+        CELERY_RESULT_BACKEND = "{DB_ENGINE}://{DB_USER}:{DB_PASS}@{DB_HOST}:{DB_PORT}/{DB_NAME}".format(
+            DB_ENGINE=settings.get('celery', 'db_engine'),
+            DB_USER=urllib.parse.quote(settings.get('celery', 'db_user')),
+            DB_PASS=urllib.parse.quote(settings.get('celery', 'db_pass')),
+            DB_HOST=settings.get('celery', 'db_host'),
+            DB_PORT=settings.get('celery', 'db_port'),
+            DB_NAME=settings.get('celery', 'db_name', fallback='celery'),
+        )
+
 
 #: Celery config - AMQP task result expiration time
 CELERY_AMQP_TASK_RESULT_EXPIRES = 1000

src/conf/utils.py

@@ -0,0 +1,33 @@
+from azure.identity import ClientSecretCredential
+import time  # To track token expiration
+
+
+class CeleryAzureServicePrincipal:
+    def __init__(self, settings):
+        self.settings = settings
+        self.credential = None
+        self.token = None
+        self.token_expiry = 0  # Stores expiry timestamp
+
+    def get_access_token(self):
+        """
+        Fetches and caches a fresh access token using Azure Service Principal credentials.
+        """
+        tenant_id = self.settings.get('celery', 'AZURE_TENANT_ID')
+        client_id = self.settings.get('celery', 'AZURE_CLIENT_ID')
+        client_secret = self.settings.get('celery', 'AZURE_CLIENT_SECRET')
+
+        if not all([tenant_id, client_id, client_secret]):
+            raise ValueError("Azure AD credentials are missing for Celery DB.")
+
+        if self.credential is None:
+            self.credential = ClientSecretCredential(tenant_id, client_id, client_secret)
+
+        # Refresh token if expired or close to expiration
+        current_time = time.time()
+        if self.token is None or current_time >= self.token_expiry - 300:  # Refresh 5 min before expiry
+            token_response = self.credential.get_token("https://ossrdbms-aad.database.windows.net/.default")
+            self.token = token_response.token
+            self.token_expiry = current_time + 3600  # Azure tokens last ~60 min
+
+        return self.token