Authentication and Authorization #793

Merged
merged 18 commits into from
Jun 23, 2020

dr3s
Collaborator

@dr3s dr3s commented Jun 11, 2020

What this PR does / why we need it:

First implementation of auth for Feast (related to #504 minimal implementation).

  1. Adds authentication to Feast Core (with support for different implementations). Currently any JWT bearer token through gRPC metadata.
  2. Adds authorization to Feast Core (with support for different implementations). Currently only supports Ory Keto. A follow-up PR will add an HTTP authorization adapter.
  3. Adds authentication to Python SDK/CLI. Two implementations included: users can enable authentication client side and Feast will send their Google Open ID credentials as gRPC metadata to Core, or they can provide client credentials and OAuth2 provider and the JWT will be fetched for them.
  4. Refactored the Python SDK/CLI SSL/TLS handling.
  5. Prevents unauthorized creation or modification of feature sets in projects that a user does not have membership in.

Limitations

Does not handle user or role management in authorization provider (creating projects, adding members, removing members, listing members).

Which issue(s) this PR fixes:

Related to #504, but doesn't close the card. This is a minimal implementation. Replaces #554

Does this PR introduce a user-facing change?:

Yes, documentation will be needed:

  • The Python Client SDK has a constructor now to pass authentication configuration.
  • The Core Service API requires gRPC metadata when authentication is enabled.
  • Configuration for Core has been extended to enable authentication and authorization.
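
The flow in items 1 and 5 of the description, as an added example that is not part of the PR or of Feast's code: a bearer JWT is read from gRPC metadata, verified, and the caller's project membership is checked before a change is allowed. Assumptions: the metadata key `authorization`, an HS256 shared key standing in for verification against the OAuth2 provider's keys, an `email` claim as the caller's identity, and the in-memory `MEMBERS` map standing in for the Ory Keto policy lookup.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed; stands in for the provider's signing key
MEMBERS = {"fraud": {"alice@example.com"}}  # constructed; stands in for the policy store

def _b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes = KEY, alg: str = "HS256") -> str:
    """Build a constructed test token (what the OAuth2 provider would issue)."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_jwt(token: str, key: bytes = KEY) -> dict:
    """Return the claims, or raise ValueError if the token must be rejected."""
    try:
        head, body, sig = token.split(".")
        alg = json.loads(_b64d(head))["alg"]
        claims = json.loads(_b64d(body))
        exp, given = claims["exp"], _b64d(sig)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if alg != "HS256":  # pin the algorithm; never let the token header choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    if not isinstance(exp, (int, float)) or exp <= time.time():
        raise ValueError("expired")
    return claims

def check_request(metadata, project: str) -> str:
    """Map one call's metadata and target project to a gRPC-style status name."""
    values = [v for k, v in metadata if k.lower() == "authorization"]
    if len(values) != 1 or not values[0].startswith("Bearer "):
        return "UNAUTHENTICATED"
    try:
        claims = verify_jwt(values[0][len("Bearer "):])
    except ValueError:
        return "UNAUTHENTICATED"
    if claims.get("email") not in MEMBERS.get(project, set()):
        return "PERMISSION_DENIED"  # authenticated, but not a member of the project
    return "OK"
```

Authentication failures and membership failures are kept as separate outcomes so that logs can distinguish a missing or invalid token from a valid caller acting outside their projects.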

@dr3s
Collaborator Author

dr3s commented Jun 11, 2020

/retest

@dr3s dr3s changed the title from "WIP: Authentication and Authorization" to "[WIP] Authentication and Authorization" Jun 11, 2020
@dr3s dr3s changed the title from "[WIP] Authentication and Authorization" to "Authentication and Authorization" Jun 15, 2020
@dr3s dr3s self-assigned this Jun 15, 2020
@woop
Member

woop commented Jun 23, 2020

/test test-end-to-end-auth

@woop
Member

woop commented Jun 23, 2020

/test test-end-to-end-auth

@pyalex
Collaborator

pyalex commented Jun 23, 2020

/lgtm

@feast-ci-bot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dr3s, pyalex

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@pyalex pyalex merged commit 74bcd3f into feast-dev:master Jun 23, 2020
@feast-ci-bot
Collaborator

@dr3s: Updated the config configmap in namespace default at cluster default using the following files:

  • key config.yaml using file .prow/config.yaml

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
