On-prem Pro tenants: secure enrollment, CSRF tokens and cross-domain authorization flow #3264
base: develop
…in to allow on-prem deployments
…o/zenml into feature/grow-171-cross-site-auth
external_access_token = request.cookies.get( | ||
config.external_cookie_name | ||
) |
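Review bot: `request.cookies.get(config.external_cookie_name)` returns None when the cookie is absent, and the visible lines show no check on `external_access_token` after the read. Please fail closed right where the value is read (reject the request when the token is missing or empty) rather than passing a possibly-None value further down, and add a short comment saying when this cookie is expected to be present, since the name comes from configuration.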
TODO: the dependency on the external cookie can be completely removed here ONLY if the dashboard always uses the tenant authorization flow, even for same-site tenants.
@@ -23,25 +23,31 @@ def upgrade() -> None: | |||
batch_op.add_column(sa.Column("save_type", sa.TEXT(), nullable=True)) | |||
|
|||
# Step 2: Move data from step_run_output_artifact.type to artifact_version.save_type | |||
op.execute(""" | |||
op.execute( |
Is this a new ruff version or what caused all these formatting changes?
expected_type=list, | ||
default=["pipeline", "pipeline_run", "model"], | ||
) | ||
DEFAULT_REPORTABLE_RESOURCES = ["pipeline", "pipeline_run", "model"] |
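Review bot: `DEFAULT_REPORTABLE_RESOURCES` is a module-level list, so any caller that appends to it or otherwise mutates it changes the default for the whole process. A tuple, or handing out a copy at the point of use, would rule that out; a one-line comment on what the constant controls would also help.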
Why was this change necessary? I'm assuming because we don't have any control over this environment variable for enrolled tenants?
) | ||
server_config.external_server_id = server_pro_config.tenant_id | ||
server_config.rbac_implementation_source = ( | ||
"zenml.zen_server.rbac.zenml_cloud_rbac.ZenMLCloudRBAC" |
These files are not available for servers deployed with the OSS Docker image, which might lead to errors if the environment variables are configured.
) | ||
|
||
|
||
class ServerProConfiguration(BaseModel): |
Maybe I'm still missing some details, but all these environment variables need to be set by users when they decide they want to enroll a server? Or what is the actual user flow for enrollment supposed to look like?
Describe changes
This PR packs together several improvements that allow self-hosted zenml servers to be enrolled as ZenML Pro tenants and makes it easier to connect the client to a self-hosted ZenML Pro tenant server and control plane.
Some highlights:
zenml login, zenml logout and zenml server list via a --pro-api-url argument (e.g. zenml login --pro-api-url https://staging.cloudapi.zenml.io).
Pre-requisites
Please ensure you have done the following:
develop and the open PR is targeting develop. If your branch wasn't based on develop read Contribution guide on rebasing branch to develop.
Types of changes