Document the STS flow #7639
Document the STS flow #7639
Conversation
|
No linked issues found. Please add the corresponding issues in the pull request description. |
|
♻️ PR Preview c877af6 has been successfully destroyed since this PR has been closed.
🤖 By surge-preview |
E2E Test Results - DynamoDB Local - Local Block Adapter |
docs/reference/security/sts-login.md
Outdated
|
|
||
| # STS Login | ||
|
|
||
| Secure Token Service (STS) authentication in lakeFS allows users to authenticate via an Identity Provider (IdP), using a secure and efficient method. |
There was a problem hiding this comment.
| Secure Token Service (STS) authentication in lakeFS allows users to authenticate via an Identity Provider (IdP), using a secure and efficient method. | |
| Secure Token Service (STS) authentication in lakeFS allows users to authenticate via an Identity Provider (IdP), using OIDC Authentication workflow. |
docs/reference/security/sts-login.md
Outdated
| {: .note} | ||
| > The architecture does include the steps to generate the code using the remote authenticator. this should be done prior to the STS login flow. | ||
| > There is a sample implementation to generate the code, redirect_uri and state at the end of this document. |
There was a problem hiding this comment.
This is more relevant as a stand alone section "pre-requisite"
There was a problem hiding this comment.
What would you suggest?
There was a problem hiding this comment.
Adding a pre-requisite section or a title in that same section explaining you must have access to an OIDC provider and literally that text.
just making it more clear what is expected
guy-har
added
exclude-changelog
docs/reference/security/sts-login.md
Outdated
| Secure Token Service (STS) authentication in lakeFS allows users to authenticate via an Identity Provider (IdP), using OIDC Authentication workflow. | ||
| This document outlines the process, from setting up the STS authentication flow to integrating with lakeFS through the [high-level Python SDK](../../integrations/python.md). | ||
|
|
||
| ## Architecture |
There was a problem hiding this comment.
WDYT about moving the architecture section to the end of the page? this way we start with the "how to" and whoever is more interested in the details can continue reading
There was a problem hiding this comment.
How about before the Sample implementation?
docs/reference/security/sts-login.md
Outdated
| ## Architecture | ||
|
|
||
| {: .note} | ||
| > The architecture does include the steps to generate the code using the remote authenticator. this should be done prior to the STS login flow. |
There was a problem hiding this comment.
The architecture does include the steps to generate the code using the remote authenticator.
The context for this sentence is not clear, can you please explain what was the intent?
docs/reference/security/sts-login.md
Outdated
| - lakeFS Client: Initiates the authentication process by providing IdP credentials. | ||
| - lakeFS Server: Facilitates the authentication request between the client and the remote authenticator. | ||
| - Remote Authenticator: Acts as a bridge between lakeFS and the IdP, handling credential validation. | ||
| - IdP (Identity Provider): Validates the provided credentials and returns the authentication status. |
docs/reference/security/sts-login.md
Outdated
|
|
||
| ## Configuration | ||
|
|
||
| To enable STS authentication, configure your lakeFS instance with the appropriate endpoint to the external Authentication Service. |
There was a problem hiding this comment.
| To enable STS authentication, configure your lakeFS instance with the appropriate endpoint to the external Authentication Service. | |
| To enable STS authentication, configure your lakeFS instance with the endpoint of the external Authentication Service. |
|
|
||
|
|
||
| ## Sample implementation to generate the code, redirect_uri and state | ||
| The following code snippet demonstrates how to generate the code, redirect_uri and state values that are required to initiate a new client session using the STS login feature. |
docs/reference/security/sts-login.md
Outdated
| Ensure you replace <url-to-remote-authenticator-endpoint> with the actual URL of your Authentication Service. | ||
|
|
||
|
|
||
| ## STS Login with high level python client |
There was a problem hiding this comment.
IMO the order of actions a user needs to take is not 100% clear.
Can you create a numbered list of steps for configuration to a successful login?
There was a problem hiding this comment.
Sounds like a good idea, I'm not really sure how to do that, Add a previous section with steps and links?
One concern I do have with the steps is that (I'm assuming) the user configuring and the user using the log in with the high level python client are not the same user, also the configuration is a one time thing and the login is not, @talSofer WDYT? is it even a concern?
There was a problem hiding this comment.
One concern I do have with the steps is that (I'm assuming) the user configuring and the user using the log in with the high level python client are not the same user
that's a good point.
If we keep Configuration separate from Usage, how many steps there are before you can run the Python snippet?
There was a problem hiding this comment.
Only the steps for generating the code and state which is up to the client to configure in the way they want. so basically there are three separate independent (almost) steps
- configuration
- generating the
codeandstate- which is up to the client but we have provided a sample code of how to do that - generate client with the python wrapper (two lines of code)
docs/reference/security/sts-login.md
Outdated
|
|
||
| ```python | ||
| import lakefs | ||
| myclient = lakefs.client.from_web_identity(code = '', redirect_uri = '', state = '' , ttl_seconds = 7200) |
There was a problem hiding this comment.
empty strings are confusing here; I should use what I get from the remote authenticator, right?
There was a problem hiding this comment.
No, from the Identity provider. changing
docs/reference/security/sts-login.md
Outdated
| ``` | ||
|
|
||
|
|
||
| ## Sample implementation to generate the code, redirect_uri and state |
There was a problem hiding this comment.
Why do we need to include sample code?
There was a problem hiding this comment.
Because it makes it more obvious what exactly I need to provide and it gives the user something to play with
This example is provided for auth0 but with a slight change it will work for other providers as well (I verified it on entra as well)
Co-authored-by: talSofer <tal.sofer@treeverse.io>
|
@talSofer changed and commented PTAL 🙏 |
Co-authored-by: talSofer <tal.sofer@treeverse.io>
docs/reference/security/sts-login.md
Outdated
|
|
||
| ## STS Login with high level python client | ||
|
|
||
| The Python client simplifies initiating a client session with STS login. Use the following example to start a new session: |
There was a problem hiding this comment.
Maybe can change this sentence to highlight that the high-level Python client is THE way to do STS login ?
docs/reference/security/sts-login.md
Outdated
|
|
||
| {: .note} | ||
| > The architecture documentation begins at the stage following the generation of the code by the remote authenticator. | ||
| > Please be aware that the preliminary steps, including the code generation process that takes place between the user and their identity provider, are not included in this documentation. |
There was a problem hiding this comment.
I think that we should include this step in this guide. even if not with specific instructions. the goal is to understand when I need to take every step.
maybe this should be step 1 in sts login? WDYT?
docs/reference/security/sts-login.md
Outdated
| ## Architecture | ||
|
|
||
| {: .note} | ||
| > The architecture documentation begins at the stage following the generation of the code by the remote authenticator. |
There was a problem hiding this comment.
| > The architecture documentation begins at the stage following the generation of the code by the remote authenticator. | |
| > The architecture documentation begins at the stage after the generation of the code by the remote authenticator. |
| > STS Login is available in lakeFS Cloud and lakeFS Enterprise. currently only tested on lakeFS Enterprise. | ||
|
|
||
| Secure Token Service (STS) authentication in lakeFS enables users to authenticate to lakeFS using temporary credentials obtained from an Identity Provider (IdP) via the OpenID Connect (OIDC) Authentication workflow.. | ||
| This document outlines the process, from setting up the STS authentication flow to using temporary credentials to interact with lakeFS through the [high-level Python SDK](../../integrations/python.md). |
There was a problem hiding this comment.
| This document outlines the process, from setting up the STS authentication flow to using temporary credentials to interact with lakeFS through the [high-level Python SDK](../../integrations/python.md). | |
| This document outlines the process, from enabling STS authentication to using temporary credentials to interact with lakeFS through the [high-level Python SDK](../../integrations/python.md). |
Co-authored-by: talSofer <tal.sofer@treeverse.io>
No description provided.