Skip to content

feat: Warn when the registry server starts with authentication disabled #6512

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
AgentGymLeader wants to merge 1 commit into
base: master
Choose a base branch
from
+40 −0
Open

feat: Warn when the registry server starts with authentication disabled #6512

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions sdk/python/feast/registry_server.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,6 +175,25 @@ def _build_any_feature_view_proto(feature_view: BaseFeatureView):
)


def _warn_if_auth_disabled(auth_manager_type: AuthManagerType) -> None:
"""Emit a startup warning when the registry server runs without authentication.

The registry server accepts control-plane writes (e.g. applying feature
views), which materialize user-provided transformation code on this host.
When authentication is disabled it accepts those requests unauthenticated,
so it should only run inside a trusted network boundary.
"""
if auth_manager_type == AuthManagerType.NONE:
logger.warning(
"Registry server is starting with authentication disabled "
"(auth type 'no_auth'). It will accept unauthenticated requests, "
"including feature-view apply operations that load user-provided "
"transformation code on this host. Only run the registry server in "
"this mode inside a trusted network boundary, and enable "
"authentication before exposing it on an untrusted network."
)


class RegistryServer(RegistryServer_pb2_grpc.RegistryServerServicer):
def __init__(self, registry: BaseRegistry) -> None:
super().__init__()
Expand Down Expand Up @@ -1353,6 +1372,7 @@ def start_server(
tls_cert_path: str = "",
):
auth_manager_type = str_to_auth_manager_type(store.config.auth_config.type)
_warn_if_auth_disabled(auth_manager_type)
init_security_manager(auth_type=auth_manager_type, fs=store)
init_auth_manager(
auth_type=auth_manager_type,
Expand Down
20 changes: 20 additions & 0 deletions sdk/python/tests/unit/test_registry_server.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
import logging

import pytest

from feast.permissions.server.utils import AuthManagerType
from feast.registry_server import _warn_if_auth_disabled


def test_warn_if_auth_disabled_emits_warning_for_none(caplog):
with caplog.at_level(logging.WARNING, logger="feast.registry_server"):
_warn_if_auth_disabled(AuthManagerType.NONE)
assert len(caplog.records) == 1
assert caplog.records[0].levelno == logging.WARNING
assert "no_auth" in caplog.records[0].message


def test_warn_if_auth_disabled_no_warning_for_oidc(caplog):
with caplog.at_level(logging.WARNING, logger="feast.registry_server"):
_warn_if_auth_disabled(AuthManagerType.OIDC)
assert len(caplog.records) == 0