Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 5 additions & 2 deletions mlflow_kubernetes_plugins/auth/authorizer.py
Original file line number Diff line number Diff line change
Expand Up @@ -242,8 +242,11 @@ def _build_api_client_with_token(self, token: str) -> client.ApiClient:
configuration.username = None
configuration.password = None
configuration.refresh_api_key_hook = None
configuration.api_key = {"authorization": token}
configuration.api_key_prefix = {"authorization": "Bearer"}
# Set both legacy ('authorization') and v36+ ('BearerToken') keys.
# kubernetes-client/python still has a compatibility gap across v35-v36
# for manually constructed Configuration objects; see issues #2592 and PR #2618.
configuration.api_key = {"BearerToken": token, "authorization": token}
configuration.api_key_prefix = {"BearerToken": "Bearer", "authorization": "Bearer"}
Comment on lines +245 to +249
return client.ApiClient(configuration)

def _submit_self_subject_access_review(
Expand Down
34 changes: 34 additions & 0 deletions tests/test_auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -4216,6 +4216,40 @@ def test_subject_access_review_authorizer_close_is_idempotent(monkeypatch):
fake_client.close.assert_called_once()


def test_build_api_client_with_token_sets_both_bearer_keys():
"""Verify _build_api_client_with_token sets both 'BearerToken' and 'authorization'
api_key entries for compatibility across kubernetes client v35-v36+.

See https://github.com/kubernetes-client/python/issues/2592
"""
from kubernetes import client

base_conf = client.Configuration()
base_conf.host = "https://localhost:6443"
base_conf.ssl_ca_cert = None
base_conf.verify_ssl = False

authorizer = KubernetesAuthorizer(
KubernetesAuthConfig(authorization_mode=AuthorizationMode.SELF_SUBJECT_ACCESS_REVIEW)
)
authorizer._base_configuration = base_conf

token = "test-token-value"
api_client = authorizer._build_api_client_with_token(token)
conf = api_client.configuration

assert "BearerToken" in conf.api_key, "missing BearerToken api_key (needed for k8s client v36+)"
assert "authorization" in conf.api_key, "missing authorization api_key (needed for k8s client v35)"
assert conf.api_key["BearerToken"] == token
assert conf.api_key["authorization"] == token
assert conf.api_key_prefix["BearerToken"] == "Bearer"
assert conf.api_key_prefix["authorization"] == "Bearer"

auth = conf.auth_settings()
assert "BearerToken" in auth, "auth_settings() must resolve a BearerToken entry"
assert auth["BearerToken"]["value"] == f"Bearer {token}"


def test_normalize_rules_single_rule():
rule = AuthorizationRule("get", resource=RESOURCE_EXPERIMENTS)
assert _normalize_rules(rule) == [rule]
Expand Down
Loading