# --------------------------------------------------------------------
# Extends OIDC client auth model with an optional `token` field.
# Requires Pydantic v2 (uses `model_validator` and `ConfigDict`).
#
# Accepted credential sets (exactly **one** of):
# 1 pre-issued `token`
# 2 `client_secret` (client-credentials flow)
# 3 `username` + `password` + `client_secret` (ROPG)
# --------------------------------------------------------------------
from __future__ import annotations
from typing import Literal, Optional
from pydantic import ConfigDict, model_validator
from feast.repo_config import FeastConfigBaseModel
class AuthConfig(FeastConfigBaseModel):
    """Base class for every auth configuration; ``type`` names the scheme.

    ``type`` defaults to ``"no_auth"`` when the field is omitted, so a scheme
    that authenticates has to be selected explicitly.
    """

    type: Literal["oidc", "kubernetes", "no_auth"] = "no_auth"
class OidcAuthConfig(AuthConfig):
    """OIDC settings shared by all OIDC configurations: discovery URL and client id."""

    # NOTE(review): declared as a plain ``str``; this class does not check the
    # URL scheme or host, so any such check has to happen where it is used.
    auth_discovery_url: str
    client_id: str
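class OidcClientAuthConfig(OidcAuthConfig):
    """Client-side OIDC settings carrying the credentials used to obtain a token.

    Exactly one credential set must be configured:

    1. ``token`` alone (a pre-issued token),
    2. ``client_secret`` alone (client-credentials flow),
    3. ``username`` + ``password`` + ``client_secret`` (ROPG).

    A field counts as set only when it is non-empty. Validation raises
    ``ValueError`` when the fields match none of the sets above, including a
    ``username`` given without ``password`` or the reverse.
    """

    # No single field is sufficient in every case: which fields may appear
    # together is decided by `_validate_credentials` below.
    # NOTE(review): these are plain ``str`` fields, so their values are part of
    # the model's default repr() and dumps; keep instances out of logs.
    username: Optional[str] = None
    password: Optional[str] = None
    client_secret: Optional[str] = None
    token: Optional[str] = None  # pre-issued `token`

    @model_validator(mode="after")
    def _validate_credentials(self):
        """Enforce exactly one valid credential set."""
        has_username = bool(self.username)
        has_password = bool(self.password)
        has_user_pass = has_username and has_password
        has_secret = bool(self.client_secret)
        has_token = bool(self.token)

        # A lone username or password is an incomplete ROPG set. Without this
        # check it would be ignored and the config accepted as `token` or
        # `client_secret` only, i.e. under a different identity than the one
        # the half-written user credentials point to.
        if has_username != has_password:
            raise ValueError(
                "Invalid OIDC client auth combination: "
                "username and password must be provided together"
            )

        # 1 static token
        if has_token and not (has_user_pass or has_secret):
            return self

        # 2 client_credentials
        if has_secret and not has_user_pass and not has_token:
            return self

        # 3 ROPG
        if has_user_pass and has_secret and not has_token:
            return self

        raise ValueError(
            "Invalid OIDC client auth combination: "
            "provide either\n"
            " • token\n"
            " • client_secret (without username/password)\n"
            " • username + password + client_secret"
        )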
class NoAuthConfig(AuthConfig):
    """Auth configuration that adds no fields to ``AuthConfig``."""
class KubernetesAuthConfig(AuthConfig):
    """Auth configuration for the Kubernetes scheme, with an optional user token."""

    # extra="allow" keeps keys that are not declared on the model instead of
    # rejecting them, so a misspelled option name is not reported by validation.
    model_config = ConfigDict(arbitrary_types_allowed=True, extra="allow")

    # Optional user token for users (not service accounts)
    user_token: Optional[str] = None