Allow unauthenticated access when Authorization is disabled and to He…

…alth Probe (#927) * Config Core/Serving authentication to allow unauthenticated access to health probe. * Allow unauthenticated requests when only authentication but not authorization is enabled. * Fix ServingServiceOauthAuthenticationIT * Add missing applyFeatureSet call to ServingServiceOauthAuthenticationIT
feast-dev · Aug 5, 2020 · 7422618 · 7422618
1 parent f814dc1
commit 7422618
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 16 deletions.
diff --git a/auth/src/main/java/feast/auth/config/SecurityConfig.java b/auth/src/main/java/feast/auth/config/SecurityConfig.java
@@ -83,13 +83,13 @@ GrpcAuthenticationReader authenticationReader() {
   }
 
   /**
-   * Creates an AccessDecisionManager if authentication is enabled. This object determines the
-   * policy used to make authentication decisions.
+   * Creates an AccessDecisionManager if authorization is enabled. This object determines the policy
+   * used to make authorization decisions.
    *
    * @return AccessDecisionManager
    */
   @Bean
-  @ConditionalOnProperty(prefix = "feast.security.authentication", name = "enabled")
+  @ConditionalOnProperty(prefix = "feast.security.authorization", name = "enabled")
   AccessDecisionManager accessDecisionManager() {
     final List<AccessDecisionVoter<?>> voters = new ArrayList<>();
     voters.add(new AccessPredicateVoter());

diff --git a/core/src/main/java/feast/core/config/CoreSecurityConfig.java b/core/src/main/java/feast/core/config/CoreSecurityConfig.java
@@ -17,6 +17,7 @@
 package feast.core.config;
 
 import feast.proto.core.CoreServiceGrpc;
+import io.grpc.health.v1.HealthGrpc;
 import lombok.extern.slf4j.Slf4j;
 import net.devh.boot.grpc.server.security.check.AccessPredicate;
 import net.devh.boot.grpc.server.security.check.GrpcSecurityMetadataSource;
@@ -48,6 +49,7 @@ GrpcSecurityMetadataSource grpcSecurityMetadataSource() {
     // The following endpoints allow unauthenticated access
     source.set(CoreServiceGrpc.getGetFeastCoreVersionMethod(), AccessPredicate.permitAll());
     source.set(CoreServiceGrpc.getUpdateStoreMethod(), AccessPredicate.permitAll());
+    source.set(HealthGrpc.getCheckMethod(), AccessPredicate.permitAll());
     return source;
   }
 }
diff --git a/serving/src/main/java/feast/serving/config/ServingSecurityConfig.java b/serving/src/main/java/feast/serving/config/ServingSecurityConfig.java
@@ -18,7 +18,9 @@
 
 import feast.auth.credentials.GoogleAuthCredentials;
 import feast.auth.credentials.OAuthCredentials;
+import feast.proto.serving.ServingServiceGrpc;
 import io.grpc.CallCredentials;
+import io.grpc.health.v1.HealthGrpc;
 import java.io.IOException;
 import net.devh.boot.grpc.server.security.check.AccessPredicate;
 import net.devh.boot.grpc.server.security.check.GrpcSecurityMetadataSource;
@@ -67,6 +69,10 @@ GrpcSecurityMetadataSource grpcSecurityMetadataSource() {
 
     // Authentication is enabled for all gRPC endpoints
     source.setDefault(AccessPredicate.authenticated());
+
+    // The following endpoints allow unauthenticated access
+    source.set(ServingServiceGrpc.getGetFeastServingInfoMethod(), AccessPredicate.permitAll());
+    source.set(HealthGrpc.getCheckMethod(), AccessPredicate.permitAll());
     return source;
   }
 

diff --git a/serving/src/test/java/feast/serving/it/ServingServiceOauthAuthenticationIT.java b/serving/src/test/java/feast/serving/it/ServingServiceOauthAuthenticationIT.java
@@ -17,7 +17,6 @@
 package feast.serving.it;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.testcontainers.containers.wait.strategy.Wait.forHttp;
 
@@ -26,7 +25,6 @@
 import feast.proto.serving.ServingServiceGrpc.ServingServiceBlockingStub;
 import feast.proto.types.ValueProto.Value;
 import io.grpc.ManagedChannel;
-import io.grpc.StatusRuntimeException;
 import java.io.File;
 import java.io.IOException;
 import java.time.Duration;
@@ -87,21 +85,21 @@ static void globalSetup() throws IOException, InitializationError, InterruptedEx
   }
 
   @Test
-  public void shouldNotAllowUnauthenticatedGetOnlineFeatures() {
+  public void shouldAllowUnauthenticatedGetOnlineFeatures() {
+    // apply feature set
+    CoreSimpleAPIClient coreClient =
+        AuthTestUtils.getSecureApiClientForCore(FEAST_CORE_PORT, options);
+    AuthTestUtils.applyFeatureSet(coreClient, PROJECT_NAME, ENTITY_ID, FEATURE_NAME);
     ServingServiceBlockingStub servingStub =
         AuthTestUtils.getServingServiceStub(false, FEAST_SERVING_PORT, null);
     GetOnlineFeaturesRequest onlineFeatureRequest =
         AuthTestUtils.createOnlineFeatureRequest(PROJECT_NAME, FEATURE_NAME, ENTITY_ID, 1);
-    Exception exception =
-        assertThrows(
-            StatusRuntimeException.class,
-            () -> {
-              servingStub.getOnlineFeatures(onlineFeatureRequest);
-            });
-
-    String expectedMessage = "UNAUTHENTICATED: Authentication failed";
-    String actualMessage = exception.getMessage();
-    assertEquals(actualMessage, expectedMessage);
+    GetOnlineFeaturesResponse featureResponse = servingStub.getOnlineFeatures(onlineFeatureRequest);
+    assertEquals(1, featureResponse.getFieldValuesCount());
+    Map<String, Value> fieldsMap = featureResponse.getFieldValues(0).getFieldsMap();
+    assertTrue(fieldsMap.containsKey(ENTITY_ID));
+    assertTrue(fieldsMap.containsKey(FEATURE_NAME));
+    ((ManagedChannel) servingStub.getChannel()).shutdown();
   }
 
   @Test