diff --git a/auth/src/main/java/feast/auth/config/SecurityConfig.java b/auth/src/main/java/feast/auth/config/SecurityConfig.java
index 8229702b3e..f377c76a87 100644
--- a/auth/src/main/java/feast/auth/config/SecurityConfig.java
+++ b/auth/src/main/java/feast/auth/config/SecurityConfig.java
@@ -83,13 +83,13 @@ GrpcAuthenticationReader authenticationReader() {
 }
 /**
- * Creates an AccessDecisionManager if authentication is enabled. This object determines the
- * policy used to make authentication decisions.
+ * Creates an AccessDecisionManager if authorization is enabled. This object determines the policy
+ * used to make authorization decisions.
 *
 * @return AccessDecisionManager
 */
 @Bean
- @ConditionalOnProperty(prefix = "feast.security.authentication", name = "enabled")
+ @ConditionalOnProperty(prefix = "feast.security.authorization", name = "enabled")
 AccessDecisionManager accessDecisionManager() {
 final List> voters = new ArrayList<>();
 voters.add(new AccessPredicateVoter());
diff --git a/core/src/main/java/feast/core/config/CoreSecurityConfig.java b/core/src/main/java/feast/core/config/CoreSecurityConfig.java
index 3e4c2baa9e..ead6bcb18b 100644
--- a/core/src/main/java/feast/core/config/CoreSecurityConfig.java
+++ b/core/src/main/java/feast/core/config/CoreSecurityConfig.java
@@ -17,6 +17,7 @@ package feast.core.config;
 import feast.proto.core.CoreServiceGrpc;
+import io.grpc.health.v1.HealthGrpc;
 import lombok.extern.slf4j.Slf4j;
 import net.devh.boot.grpc.server.security.check.AccessPredicate;
 import net.devh.boot.grpc.server.security.check.GrpcSecurityMetadataSource;
@@ -48,6 +49,7 @@ GrpcSecurityMetadataSource grpcSecurityMetadataSource() {
 // The following endpoints allow unauthenticated access
 source.set(CoreServiceGrpc.getGetFeastCoreVersionMethod(), AccessPredicate.permitAll());
 source.set(CoreServiceGrpc.getUpdateStoreMethod(), AccessPredicate.permitAll());
+ source.set(HealthGrpc.getCheckMethod(), AccessPredicate.permitAll());
 return source;
 }
 }
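Review bot: With the bean in SecurityConfig now conditional on `feast.security.authorization.enabled`, a deployment that turns on only `feast.security.authentication` gets no AccessDecisionManager, and the `AccessPredicate.authenticated()` rules in the metadata sources are then probably not enforced, since the gRPC starter's authorization-checking interceptor appears to depend on this bean. The Javadoc on `accessDecisionManager()` should state that consequence, for example `* When authorization is disabled no access predicates are checked, so unauthenticated calls are accepted even if authentication is enabled (confirm against the starter's auto-configuration).` A startup warning for the authentication-on, authorization-off combination would make the weaker mode visible to operators. The method body continues outside the hunk.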
diff --git a/serving/src/main/java/feast/serving/config/ServingSecurityConfig.java b/serving/src/main/java/feast/serving/config/ServingSecurityConfig.java
index 2d0a46763a..839c133387 100644
--- a/serving/src/main/java/feast/serving/config/ServingSecurityConfig.java
+++ b/serving/src/main/java/feast/serving/config/ServingSecurityConfig.java
@@ -18,7 +18,9 @@ import feast.auth.credentials.GoogleAuthCredentials;
 import feast.auth.credentials.OAuthCredentials;
+import feast.proto.serving.ServingServiceGrpc;
 import io.grpc.CallCredentials;
+import io.grpc.health.v1.HealthGrpc;
 import java.io.IOException;
 import net.devh.boot.grpc.server.security.check.AccessPredicate;
 import net.devh.boot.grpc.server.security.check.GrpcSecurityMetadataSource;
@@ -67,6 +69,10 @@ GrpcSecurityMetadataSource grpcSecurityMetadataSource() {
 // Authentication is enabled for all gRPC endpoints
 source.setDefault(AccessPredicate.authenticated());
+
+ // The following endpoints allow unauthenticated access
+ source.set(ServingServiceGrpc.getGetFeastServingInfoMethod(), AccessPredicate.permitAll());
+ source.set(HealthGrpc.getCheckMethod(), AccessPredicate.permitAll());
 return source;
 }
diff --git a/serving/src/test/java/feast/serving/it/ServingServiceOauthAuthenticationIT.java b/serving/src/test/java/feast/serving/it/ServingServiceOauthAuthenticationIT.java
index edd16c24a8..f1289adc73 100644
--- a/serving/src/test/java/feast/serving/it/ServingServiceOauthAuthenticationIT.java
+++ b/serving/src/test/java/feast/serving/it/ServingServiceOauthAuthenticationIT.java
@@ -17,7 +17,6 @@ package feast.serving.it;
 import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.testcontainers.containers.wait.strategy.Wait.forHttp;
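Review bot: In ServingSecurityConfig's `grpcSecurityMetadataSource()`, `ServingServiceGrpc.getGetFeastServingInfoMethod()` is opened with `AccessPredicate.permitAll()`, but the fields of its response are not visible here; if it returns more than a version string (deployment type, storage or staging locations), that data becomes readable without credentials and should be confirmed as intended. The new comment would be more useful if it gave the reason, e.g. `// Info and health probes are called without credentials; nothing else may be added here without review`. The `HealthGrpc.getCheckMethod()` entry, here and in CoreSecurityConfig, covers only `Check`, so `Watch` stays under the default predicate, which looks deliberate but is worth stating in the same comment. The method starts outside the hunk.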
@@ -26,7 +25,6 @@ import feast.proto.serving.ServingServiceGrpc.ServingServiceBlockingStub;
 import feast.proto.types.ValueProto.Value;
 import io.grpc.ManagedChannel;
-import io.grpc.StatusRuntimeException;
 import java.io.File;
 import java.io.IOException;
 import java.time.Duration;
@@ -87,21 +85,21 @@ static void globalSetup() throws IOException, InitializationError, InterruptedEx
 }
 @Test
- public void shouldNotAllowUnauthenticatedGetOnlineFeatures() {
+ public void shouldAllowUnauthenticatedGetOnlineFeatures() {
+ // apply feature set
+ CoreSimpleAPIClient coreClient =
+ AuthTestUtils.getSecureApiClientForCore(FEAST_CORE_PORT, options);
+ AuthTestUtils.applyFeatureSet(coreClient, PROJECT_NAME, ENTITY_ID, FEATURE_NAME);
 ServingServiceBlockingStub servingStub = AuthTestUtils.getServingServiceStub(false, FEAST_SERVING_PORT, null);
 GetOnlineFeaturesRequest onlineFeatureRequest = AuthTestUtils.createOnlineFeatureRequest(PROJECT_NAME, FEATURE_NAME, ENTITY_ID, 1);
- Exception exception =
- assertThrows(
- StatusRuntimeException.class,
- () -> {
- servingStub.getOnlineFeatures(onlineFeatureRequest);
- });
-
- String expectedMessage = "UNAUTHENTICATED: Authentication failed";
- String actualMessage = exception.getMessage();
- assertEquals(actualMessage, expectedMessage);
+ GetOnlineFeaturesResponse featureResponse = servingStub.getOnlineFeatures(onlineFeatureRequest);
+ assertEquals(1, featureResponse.getFieldValuesCount());
+ Map fieldsMap = featureResponse.getFieldValues(0).getFieldsMap();
+ assertTrue(fieldsMap.containsKey(ENTITY_ID));
+ assertTrue(fieldsMap.containsKey(FEATURE_NAME));
+ ((ManagedChannel) servingStub.getChannel()).shutdown();
 }
 @Test
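Review bot: Renaming the test to `shouldAllowUnauthenticatedGetOnlineFeatures` removes the only visible assertion that an unauthenticated `getOnlineFeatures` call fails with `UNAUTHENTICATED`, and the `assertThrows` import is dropped with it. If an authorization-enabled integration test does not already assert that rejection, the old case should move there rather than disappear. A comment at the top of the method, such as `// authorization is disabled in this suite, so access predicates are not enforced and the call succeeds`, would explain why success is expected, assuming that is how the suite is configured. `((ManagedChannel) servingStub.getChannel()).shutdown();` runs only when every assertion passes, so putting the assertions in a `try` with the shutdown in `finally` would release the channel on failure too. The hunk ends at the next `@Test`, whose method lies outside it.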