kedro-kubeflow icon indicating copy to clipboard operation
kedro-kubeflow copied to clipboard

Published 20 hours ago verified publisher icon getindata

Kedro kubeflow kfp authentication

Open cpereir1 opened this issue 2 years ago • 7 comments

Hi!

I am wondering how does kedro authenticate to kfp internally. I am using the kedro sample iris project locally and the kedro kubeflow plugin to deploy the iris pipeline to a kubeflow pipelines deployed instance (cloud). All seems to go fine except that I don't see any instructions in the tutorials to authenticate the kfp client? I believe this is a necessary step from the kfp sdk docs, when using the client outside the cluster.

Is this already handled by the kedro kubeflow plugin somehow?

I am not able to kedro kubeflow upload-pipeline. Could the lack of auth be the reason?

Thank you so much!

cpereir1 avatar Feb 08 '23 10:02 cpereir1

Hi, kfp library uses Google's ADC under the hood. If you're running Kubeflow on GCP you, could install google cloud SDK and run gcloud auth application-default login to populate credentials on your local machine.

em-pe avatar Feb 08 '23 10:02 em-pe

If you have custom authorization, one option is to generate context.json file in the KFPs config directory, e.g.

#!/bin/bash
set -e -x
KFP_AUTH_FILE=${2:-"/home/kedro/.config/kfp/context.json"}
mkdir -p $(dirname $KFP_AUTH_FILE)
cat << EOF > $KFP_AUTH_FILE
{
    "namespace": "",
    "client_authentication_header_name": "Authorization",
    "client_authentication_header_value": "Bearer $TOKEN"
}
EOF
kedro $1

marrrcin avatar Feb 08 '23 10:02 marrrcin

Hi, kfp library uses Google's ADC under the hood. If you're running Kubeflow on GCP you, could install google cloud SDK and run gcloud auth application-default login to populate credentials on your local machine.

Hi @em-pe , my Kubeflow instance is running in Azure, with dex configured for authentication

cpereir1 avatar Feb 08 '23 11:02 cpereir1

Hi @marrrcin , what would the token then be? Is it the cookie generated from browser?

cpereir1 avatar Feb 08 '23 11:02 cpereir1

If you're using DEX, then maybe just setting appropriate username and password in environment variables will be sufficient as it's used here https://github.com/getindata/kedro-kubeflow/blob/ab709867507bbe61ee6ae52a9a95986173a344dd/kedro_kubeflow/kfpclient.py#L31 Unfortunately, that piece of code was tested long time ago and it's error prone, so you might as well use the flow with context.json, obtain cookie and set client_authentication_cookie in the JSON instead of client_authentication_header_(...).

marrrcin avatar Feb 08 '23 11:02 marrrcin

@cpereir1 If you're using Dex, then please follow this steps: https://kedro-kubeflow.readthedocs.io/en/0.7.3/source/03_getting_started/05_authentication.html#kfp-behind-dex-with-authservice - they work well, tested in Kubeflow 1.4 and Kubeflow 1.6.

szczeles avatar Feb 08 '23 12:02 szczeles

@cpereir1 - can you confirm the solution suggested by @szczeles works for you?

marrrcin avatar Feb 20 '23 12:02 marrrcin