https://flyte.org logo
Join SlackCommunities
Powered by
Hi all. Any advice where to add authorization pol...
# flyte-support
s
Hi all. Any advice where to add authorization policy? I can't find much information about internal authorization server. I have implemented Google as IdP and I was hoping to authorize based on email domain. I'm using flyte-core. Many thanks.
t
@average-finland-92144
s
Perhaps alternatively, is there any documentation about 
proxyCommand
in 
~/.flyte/config.yaml
? We also have an existing authentication/authorization setup made of Keycloak/oauth2-proxy and Istio. I can add authentication to flyte simply by adding the url to my Gateway's authorizationpolicy as follows 
apiVersion: <http://security.istio.io/v1beta1|security.istio.io/v1beta1>
kind: AuthorizationPolicy
metadata:
name: jwt-authz
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
action: CUSTOM
provider:
name: oauth2-proxy
rules:
- to:
- operation:
hosts: ["<http://flyteadmin.foo.com|flyteadmin.foo.com>"]
Now I am automatically prompted for authentication when I navigate to 
<http://flyteadmin.foo.com|flyteadmin.foo.com>
with my browser. However, flytectl/pyflyte don't work and give 
Error: Connection Info: [Endpoint: dns:///flyteadmin.foo.com, InsecureConnection?: false, AuthMode: Pkce]: rpc error: code = Unknown desc ={"json":{},"level":"error","msg":"Connection Info: [Endpoint: dns:///flyteadmin.foo.com, InsecureConnection?: false, AuthMode: Pkce]: rpc error: code = Unknown desc = ","ts":"2024-01-06T19:18:13+02:00"}
Any chance that 
proxyCommand
comes to my rescue?
a
I was hoping to authorize based on email domain
I don't think the internal auth server support this. In the alternative you mention, you should be able to follow the steps in the docs, depending on the Helm chart you used to install Flyte. By default, the 
authType
in 
config.yaml
is 
Pkce
which should work for the CLI clients
s
Thanks @average-finland-92144. I kept getting the same error so I switched back to port-forwarding via a shell script that opens the two port-forwards at once. The good thing about this is that I don't need to update config.yaml when I switch between dev, staging and production clusters.
3 Views
Open in Slack
PreviousNext
Powered by