https://flyte.org logo
#ask-the-community
Title
# ask-the-community
a

avesuni

01/05/2024, 8:25 PM
Hi all. Any advice where to add authorization policy? I can't find much information about internal authorization server. I have implemented Google as IdP and I was hoping to authorize based on email domain. I'm using flyte-core. Many thanks.
s

Samhita Alla

01/06/2024, 9:40 AM
@David Espejo (he/him)
a

avesuni

01/06/2024, 5:30 PM
Perhaps alternatively, is there any documentation about
proxyCommand
in
~/.flyte/config.yaml
? We also have an existing authentication/authorization setup made of Keycloak/oauth2-proxy and Istio. I can add authentication to flyte simply by adding the url to my Gateway's authorizationpolicy as follows
apiVersion: <http://security.istio.io/v1beta1|security.istio.io/v1beta1>
kind: AuthorizationPolicy
metadata:
name: jwt-authz
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
action: CUSTOM
provider:
name: oauth2-proxy
rules:
- to:
- operation:
hosts: ["<http://flyteadmin.foo.com|flyteadmin.foo.com>"]
Now I am automatically prompted for authentication when I navigate to
<http://flyteadmin.foo.com|flyteadmin.foo.com>
with my browser. However, flytectl/pyflyte don't work and give
Error: Connection Info: [Endpoint: dns:///flyteadmin.foo.com, InsecureConnection?: false, AuthMode: Pkce]: rpc error: code = Unknown desc ={"json":{},"level":"error","msg":"Connection Info: [Endpoint: dns:///flyteadmin.foo.com, InsecureConnection?: false, AuthMode: Pkce]: rpc error: code = Unknown desc = ","ts":"2024-01-06T19:18:13+02:00"}
Any chance that
proxyCommand
comes to my rescue?
d

David Espejo (he/him)

01/09/2024, 3:22 PM
I was hoping to authorize based on email domain
I don't think the internal auth server support this. In the alternative you mention, you should be able to follow the steps in the docs, depending on the Helm chart you used to install Flyte. By default, the
authType
in
config.yaml
is
Pkce
which should work for the CLI clients
a

avesuni

01/09/2024, 4:19 PM
Thanks @David Espejo (he/him). I kept getting the same error so I switched back to port-forwarding via a shell script that opens the two port-forwards at once. The good thing about this is that I don't need to update config.yaml when I switch between dev, staging and production clusters.
3 Views