Gml 1660 support jwt token auth in py tiger graph #224
Conversation
|
Yes, just switch to getVer() to get the version dynamically. |
pyTigerGraph/pyTigerGraphBase.py
Outdated
| @@ -124,6 +126,14 @@ def __init__(self, host: str = "http://127.0.0.1", graphname: str = "MyGraph", | |||
| else: | |||
| self.authHeader = {"Authorization": "Basic {0}".format(self.base64_credential)} | |||
|
|
|||
| # If JWT token is provided, set authMode to "token", and overwrite authMode = "pwd" for GSQL authentication as well if version is newer than 4.1.0 | |||
| if jwtToken: | |||
| dbVersion = self.getVer() | |||
There was a problem hiding this comment.
This version check will fail since version relies on token auth, and the auth header has not yet been defined.
pyTigerGraph/pyTigerGraphBase.py
Outdated
| if jwtToken: | ||
| dbVersion = self.getVer() | ||
| if StrictVersion(dbVersion) >= StrictVersion("4.1.0"): | ||
| self.authMode = "token" |
There was a problem hiding this comment.
This self.authMode variable isn't used anywhere, why are we setting it?
|
Thanks Parker for the comments. I will modify the PR and test it today. |
|
tests/test_jwt.py
Outdated
There was a problem hiding this comment.
This needs to be disabled such that our other tests don't fail... @billshitg, do you have thoughts on how to support this test in the future?
| @@ -42,6 +43,7 @@ def make_connection(graphname: str = None): | |||
| certPath=server_config["certPath"], | |||
| sslPort=server_config["sslPort"], | |||
| gcp=server_config["gcp"], | |||
| jwtToken=server_config["jwtToken"] | |||
There was a problem hiding this comment.
Can we support this in our current testing pipeline?
There was a problem hiding this comment.
Yeah, we need to modify the config file to add the jwtToken field but set it to empty str to avoid actually using it now.
Meanwhile, we need to figure out with QE team how to config the DB to use jwtToken
There was a problem hiding this comment.
Just double check here: does server_config contains this key "jwtToken"? I don't see the config file modified.
There was a problem hiding this comment.
Sure. I just add the jwtToken to the config file and set it to empty.
Just double check here: does server_config contains this key "jwtToken"? I don't see the config file modified.
pyTigerGraph/pyTigerGraphBase.py
Outdated
|
|
||
| # TODO Remove apiToken parameter | ||
| # if apiToken: | ||
| # warnings.warn( |
There was a problem hiding this comment.
Why do we remove this deprecation warning but keep the apiToken parameter
There was a problem hiding this comment.
was trying to clean up the code. There are several deprecation warnings other than "apiToken" parameter. I can add the deprecation warning back.
There was a problem hiding this comment.
The apiToken parameter is used for CoPilot
pyTigerGraph/pyTigerGraphBase.py
Outdated
| try: | ||
| logger.debug(f"Attempting to get schema with URL: {self.gsUrl + '/gsqlserver/gsql/schema?graph=' + self.graphname}") | ||
| logger.debug(f"Using auth header: {self.authHeader}") | ||
| self._get(self.gsUrl + "/gsqlserver/gsql/schema?graph=" + self.graphname, authMode="token") |
There was a problem hiding this comment.
Do we have to use graphname here? Might cause issue when there is no graph in the database
There was a problem hiding this comment.
The graphname is a required field accoroding to https://docs.tigergraph.com/tigergraph-server/current/api/built-in-endpoints#_show_graph_schema_metadata. We don't have a package to test on the GSQL auth yet. So if there no graph in the database, it could cause issue. might need to change to another function for validation after testing on.
| self.authHeader = {'Authorization': 'Basic {0}'.format(self.base64_credential)} | ||
| _headers = self.authHeader | ||
| authMode = 'pwd' | ||
| # If JWT token is provided, always use jwtToken as token |
There was a problem hiding this comment.
Is jwtToken also used when authMode is pwd?
There was a problem hiding this comment.
currently no, still use pwd. in the init, if the db doesn't support jwt, it will raise an error asking users to use username and password.
tests/test_jwt.py
Outdated
There was a problem hiding this comment.
Not sure how we can test this file in our CICD pipeline. Will need to talk to our QE team to find out how we can configure the DB to use the JWT token auth.
|
We need to keep the apiToken parameter, I don’t know why we were deprecating it in the first place.
Get Outlook for iOS<https://aka.ms/o0ukef>
________________________________
From: billshitg ***@***.***>
Sent: Friday, May 24, 2024 2:08:25 PM
To: tigergraph/pyTigerGraph ***@***.***>
Cc: Subscribed ***@***.***>
Subject: Re: [tigergraph/pyTigerGraph] Gml 1660 support jwt token auth in py tiger graph (PR #224)
@billshitg commented on this pull request.
________________________________
In pyTigerGraph/pyTigerGraphBase.py<#224 (comment)>:
self.apiToken = apiToken
+ self.base64_credential = base64.b64encode(
+ "{0}:{1}".format(self.username, self.password).encode("utf-8")).decode("utf-8")
+
+ self.authHeader = self._set_auth_header()
+
+ # TODO Remove apiToken parameter
+ # if apiToken:
+ # warnings.warn(
Why do we remove this deprecation warning but keep the apiToken parameter
________________________________
In pyTigerGraph/pyTigerGraphBase.py<#224 (comment)>:
+ if e.response.status_code == 403:
+ logger.error(f"Unauthorized error: {e}. The JWT token might be invalid or expired.")
+ else:
+ logger.error(f"HTTP error occurred: {e}")
+ # logger.error("The DB version using doesn't support JWT token for RestPP. Please switch to API token or username/password.")
+ raise
+ except Exception as e:
+ logger.error(f"Error occurred: {e}. The DB version using doesn't support JWT token for RestPP.")
+ logger.error("Please switch to API token or username/password.")
+ raise
+
+ # Check JWT support for GSQL server
+ try:
+ logger.debug(f"Attempting to get schema with URL: {self.gsUrl + '/gsqlserver/gsql/schema?graph=' + self.graphname}")
+ logger.debug(f"Using auth header: {self.authHeader}")
+ self._get(self.gsUrl + "/gsqlserver/gsql/schema?graph=" + self.graphname, authMode="token")
Do we have to use graphname here? Might cause issue when there is no graph in the database
________________________________
In pyTigerGraph/pyTigerGraphBase.py<#224 (comment)>:
@@ -257,20 +317,27 @@ def _req(self, method: str, url: str, authMode: str = "token", headers: dict = N
if logger.level == logging.DEBUG:
logger.debug("params: " + self._locals(locals()))
- if authMode == "token" and str(self.apiToken) != "":
- if isinstance(self.apiToken, tuple):
- self.apiToken = self.apiToken[0]
- self.authHeader = {'Authorization': "Bearer " + self.apiToken}
- _headers = self.authHeader
- else:
- self.authHeader = {'Authorization': 'Basic {0}'.format(self.base64_credential)}
- _headers = self.authHeader
- authMode = 'pwd'
+ # If JWT token is provided, always use jwtToken as token
Is jwtToken also used when authMode is pwd?
…________________________________
On tests/test_jwt.py<#224 (comment)>:
Not sure how we can test this file in our CICD pipeline. Will need to talk to our QE team to find out how we can configure the DB to use the JWT token auth.
—
Reply to this email directly, view it on GitHub<#224 (review)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACJLWK7L2H24UZCF7CGVOPDZD6T4TAVCNFSM6AAAAABHRIYCC6VHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDANZXHE4TSNJUGM>.
You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>
|
There was a problem hiding this comment.
Unit Test: FAILURE, Jenkins_job:http://192.168.99.101:30080/job/mlwb_build/1062/
There was a problem hiding this comment.
Unit Test: FAILURE, Jenkins_job:http://192.168.99.101:30080/job/mlwb_build/1063/
There was a problem hiding this comment.
Unit Test: FAILURE, Jenkins_job:http://192.168.99.101:30080/job/mlwb_build/1066/
There was a problem hiding this comment.
Unit Test: FAILURE, Jenkins_job:http://192.168.99.101:30080/job/mlwb_build/1067/
There was a problem hiding this comment.
Unit Test: FAILURE, Jenkins_job:http://192.168.99.101:30080/job/mlwb_build/1068/
There was a problem hiding this comment.
Unit Test: FAILURE, Jenkins_job:http://192.168.99.101:30080/job/mlwb_build/1070/
There was a problem hiding this comment.
Unit Test: FAILURE, Jenkins_job:http://192.168.99.101:30080/job/mlwb_build/1072/
There was a problem hiding this comment.
Unit Test: FAILURE, Jenkins_job:http://192.168.99.101:30080/job/mlwb_build/1075/
There was a problem hiding this comment.
Unit Test: FAILURE, Jenkins_job:http://192.168.99.101:30080/job/mlwb_build/1076/
There was a problem hiding this comment.
Unit Test: FAILURE, Jenkins_job:http://192.168.99.101:30080/job/mlwb_build/1077/
There was a problem hiding this comment.
Unit Test: FAILURE, Jenkins_job:http://192.168.99.101:30080/job/mlwb_build/1078/
There was a problem hiding this comment.
Unit Test: FAILURE, Jenkins_job:http://192.168.99.101:30080/job/mlwb_build/1079/
There was a problem hiding this comment.
Unit Test: FAILURE, Jenkins_job:http://192.168.99.101:30080/job/mlwb_build/1080/
There was a problem hiding this comment.
Unit Test: SUCCESS, e2e Test: SKIPPED, Jenkins_job:http://192.168.99.101:30080/job/mlwb_build/1081/
|
|
||
| def _requestJWTToken(self): | ||
| # Define the URL | ||
| url = f"{self.conn.host}:{self.conn.gsPort}/gsqlserver/requestjwttoken" |
There was a problem hiding this comment.
Should we make the jwt request endpoint as a utility function?
There was a problem hiding this comment.
Good point. Maybe we should add it to the GSQL integration plan?
There was a problem hiding this comment.
That is a good idea. I will create another PR for this.
| @@ -42,6 +43,7 @@ def make_connection(graphname: str = None): | |||
| certPath=server_config["certPath"], | |||
| sslPort=server_config["sslPort"], | |||
| gcp=server_config["gcp"], | |||
| jwtToken=server_config["jwtToken"] | |||
There was a problem hiding this comment.
Just double check here: does server_config contains this key "jwtToken"? I don't see the config file modified.
No description provided.