feat(sdk): Add credentials to authenticate with ServiceAccountTokens. Part of #5138

sdk/python/kfp/__init__.py

@@ -21,8 +21,8 @@
 from . import components
 from . import containers
 from . import dsl
+from . import auth
 from ._client import Client
 from ._config import *
 from ._local_client import LocalClient
 from ._runners import *
-from ._credentials import *

sdk/python/kfp/_client.py

@@ -23,6 +23,7 @@
 import yaml
 import zipfile
 import datetime
+import copy
 from typing import Mapping, Callable, Optional
 
 import kfp_server_api
@@ -219,7 +220,8 @@ def _load_config(self, host, client_id, namespace, other_client_id, other_client
       token = get_gcp_access_token()
       self._is_refresh_token = False
     elif credentials:
-      token = credentials.get_token()
+      config.api_key['authorization'] = 'placeholder'
+      config.api_key_prefix['authorization'] = 'Bearer'
       config.refresh_api_key_hook = credentials.refresh_api_key_hook
 
     if token:
@@ -241,6 +243,7 @@ def _load_config(self, host, client_id, namespace, other_client_id, other_client
 
     if in_cluster:
       config.host = Client.IN_CLUSTER_DNS_NAME.format(namespace)
+      config = self._get_config_with_default_credentials(config)
       return config
 
     try:
@@ -302,6 +305,33 @@ def _refresh_api_client_token(self):
     new_token = get_gcp_access_token()
     self._existing_config.api_key['authorization'] = new_token
 
+  def _get_config_with_default_credentials(self, config):
+    """Apply default credentials to the configuration object.
+
+    This method accepts a Configuration object and extends it with some default
+    credentials interface.
+    """
+    # XXX: The default credentials are audience-based service account tokens
+    # projected by the kubelet (ServiceAccountTokenVolumeCredentials). As we
+    # implement more and more credentials, we can have some heuristic and
+    # choose from a number of options.
+    # See https://github.com/kubeflow/pipelines/pull/5287#issuecomment-805654121
+    from kfp import auth
+    credentials = auth.ServiceAccountTokenVolumeCredentials()
+    config_copy = copy.deepcopy(config)
+
+    try:
+        credentials.refresh_api_key_hook(config_copy)
+    except Exception:
+        logging.warning("Failed to set up default credentials. Proceeding"
+                        " without credentials...")
+        return config
+
+    config.refresh_api_key_hook = credentials.refresh_api_key_hook
+    config.api_key_prefix['authorization'] = 'Bearer'
+    config.refresh_api_key_hook(config)
+    return config
+
   def set_user_namespace(self, namespace):
     """Set user namespace into local context setting file.
 

sdk/python/kfp/auth/__init__.py

@@ -0,0 +1,19 @@
+# Copyright 2021 Arrikto Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from ._tokencredentialsbase import TokenCredentialsBase, read_token_from_file
+from ._satvolumecredentials import ServiceAccountTokenVolumeCredentials
+
+KF_PIPELINES_SA_TOKEN_ENV = "KF_PIPELINES_SA_TOKEN_PATH"
+KF_PIPELINES_SA_TOKEN_PATH = "/var/run/secrets/kubeflow/pipelines/token"

sdk/python/kfp/auth/_satvolumecredentials.py

@@ -0,0 +1,69 @@
+# Copyright 2021 Arrikto Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import logging
+
+from kubernetes.client import configuration
+
+from kfp import auth
+
+
+class ServiceAccountTokenVolumeCredentials(auth.TokenCredentialsBase):
+    """Audience-bound ServiceAccountToken in the local filesystem.
+
+    This is a credentials interface for audience-bound ServiceAccountTokens
+    found in the local filesystem, that get refreshed by the kubelet.
+
+    The constructor of the class expects a filesystem path.
+    If not provided, it uses the path stored in the environment variable
+    defined in ``auth.KF_PIPELINES_SA_TOKEN_ENV``.
+    If the environment variable is also empty, it falls back to the path
+    specified in ``auth.KF_PIPELINES_SA_TOKEN_PATH``.
+
+    This method of authentication is meant for use inside a Kubernetes cluster.
+
+    Relevant documentation:
+    https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection
+    """
+
+    def __init__(self, path=None):
+        self._token_path = (path
+                            or os.getenv(auth.KF_PIPELINES_SA_TOKEN_ENV)
+                            or auth.KF_PIPELINES_SA_TOKEN_PATH)
+
+    def _get_token(self):
+        token = None
+        try:
+            token = auth.read_token_from_file(self._token_path)
+        except OSError as e:
+            logging.error("Failed to read a token from file '%s' (%s).",
+                          self._token_path, str(e))
+            raise
+        return token
+
+    def refresh_api_key_hook(self, config: configuration.Configuration):
+        """Refresh the api key.
+
+        This is a helper function for registering token refresh with swagger
+        generated clients.
+
+        Args:
+            config (kubernetes.client.configuration.Configuration):
+                The configuration object that the client uses.
+
+                The Configuration object of the kubernetes client's is the same
+                with kfp_server_api.configuration.Configuration.
+        """
+        config.api_key["authorization"] = self._get_token()

sdk/python/kfp/_credentials.py → sdk/python/kfp/auth/_tokencredentialsbase.py

@@ -14,31 +14,34 @@
 
 import abc
 
-from kubernetes.client.configuration import Configuration
-
-
-__all__ = [
-    "TokenCredentialsBase",
-]
+from kubernetes.client import configuration
 
 
 class TokenCredentialsBase(abc.ABC):
 
-    def refresh_api_key_hook(self, config: Configuration):
+    @abc.abstractmethod
+    def refresh_api_key_hook(self, config: configuration.Configuration):
         """Refresh the api key.
 
         This is a helper function for registering token refresh with swagger
         generated clients.
 
+        All classes that inherit from TokenCredentialsBase must implement this
+        method to refresh the credentials.
+
         Args:
             config (kubernetes.client.configuration.Configuration):
                 The configuration object that the client uses.
 
                 The Configuration object of the kubernetes client's is the same
                 with kfp_server_api.configuration.Configuration.
         """
-        config.api_key["authorization"] = self.get_token()
-
-    @abc.abstractmethod
-    def get_token(self):
         raise NotImplementedError()
+
+
+def read_token_from_file(path=None):
+    """Read a token found in some file."""
+    token = None
+    with open(path, "r") as f:
+        token = f.read().strip()
+    return token

sdk/python/setup.py

@@ -87,6 +87,7 @@ def find_version(*file_path_parts):
     tests_require=TESTS_REQUIRE,
     packages=[
         'kfp',
+        'kfp.auth',
         'kfp.cli',
         'kfp.cli.diagnose_me',
         'kfp.compiler',