buildgrid.server.auth.manager module
- class buildgrid.server.auth.manager.JwtParser(secret: str | None = None, algorithm: AuthMetadataAlgorithm = AuthMetadataAlgorithm.UNSPECIFIED, jwks_urls: List[str] | None = None, audiences: List[str] | None = None, jwks_fetch_minutes: int = 60)
Bases: object
- parse(token: str) → Dict[str, Any]
- identity_from_jwt_payload(payload: Dict[str, Any]) → ClientIdentity
- Extract the relevant claims from the JWT:
“aud” -> workflow, “sub” -> subject, “act” -> actor.
If the “act” field is not set, the subject is considered the actor. The audience for the identity is taken from the config if set. If the “aud” field is an array of strings, its first element is used as the audience.
- Parameters:
payload (Dict[str, Any]) – The decoded payload from the JWT.
- Returns:
A dictionary containing workflow, actor, subject
- identity_from_token(token: str) → ClientIdentity
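The claim-to-identity rule documented for JwtParser, as an added example that is not BuildGrid's own code: a minimal HS256 verifier (the expected algorithm is fixed by the caller rather than trusted from the token header, matching JwtParser's `algorithm` argument) followed by the "aud"/"sub"/"act" mapping. Assumed, since the page does not say: when `audiences` is configured its first entry is used, and "act" is a plain string.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_token(payload: Dict[str, Any], secret: str) -> str:
    """Build a constructed HS256 token (sample input for this example only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def parse_hs256(token: str, secret: str) -> Dict[str, Any]:
    """Verify an HS256 token and return its payload; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    # The algorithm is pinned by the verifier; an 'alg: none' or swapped header is rejected.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(payload_b64))  # claims are only read after verification


def identity_from_payload(payload: Dict[str, Any], audiences: Optional[List[str]] = None) -> Dict[str, Optional[str]]:
    """Map claims to workflow/actor/subject as the JwtParser docs describe."""
    subject = payload.get("sub")
    actor = payload.get("act")
    if actor is None:
        actor = subject  # no "act" claim: the subject is the actor
    aud = payload.get("aud")
    if audiences:
        workflow = audiences[0]  # assumption: configured audience wins, first entry used
    elif isinstance(aud, list):
        workflow = aud[0] if aud else None  # array: first element; empty array: no audience
    else:
        workflow = aud
    return {"workflow": workflow, "actor": actor, "subject": subject}
```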
- class buildgrid.server.auth.manager.AuthManager
Bases: ABC
- abstract authorize(context: ServicerContext, instance_name: str, request_name: str) → bool
Determine whether or not a request is authorized.
This method takes a ServicerContext for an incoming gRPC request, along with the name of the request, and the name of the instance that the request is intended for. Information about the identity of the requester is extracted from the context, for example a JWT token. This identity information is compared to the ACL configuration given to this class at construction time to determine authorization for the request.
- Parameters:
context (ServicerContext) – The context for the gRPC request to check the authz status of.
instance_name (str) – The name of the instance that the gRPC request will be interacting with. This is used for per-instance ACLs.
request_name (str) – The name of the request being authorized, for example Execute.
- Returns:
Whether the request is authorized.
- Return type:
bool
- class buildgrid.server.auth.manager.JWTAuthManager(secret: str | None = None, algorithm: AuthMetadataAlgorithm = AuthMetadataAlgorithm.UNSPECIFIED, jwks_urls: List[str] | None = None, audiences: List[str] | None = None, jwks_fetch_minutes: int = 60, acls: Mapping[str, InstanceAuthorizationConfig] | None = None, allow_unauthorized_instances: Set[str] | None = None)
Bases: AuthManager
- authorize(context: ServicerContext, instance_name: str, request_name: str) → bool
Determine whether or not a request is authorized.
This method takes a ServicerContext for an incoming gRPC request, along with the name of the request, and the name of the instance that the request is intended for. Information about the identity of the requester is extracted from the context, for example a JWT token. This identity information is compared to the ACL configuration given to this class at construction time to determine authorization for the request.
- Parameters:
context (ServicerContext) – The context for the gRPC request to check the authz status of.
instance_name (str) – The name of the instance that the gRPC request will be interacting with. This is used for per-instance ACLs.
request_name (str) – The name of the request being authorized, for example Execute.
- Returns:
Whether the request is authorized.
- Return type:
bool
- class buildgrid.server.auth.manager.HeadersAuthManager(acls: Mapping[str, InstanceAuthorizationConfig] | None = None, allow_unauthorized_instances: Set[str] | None = None)
Bases: AuthManager
- authorize(context: ServicerContext, instance_name: str, request_name: str) → bool
Determine whether or not a request is authorized.
This method takes a ServicerContext for an incoming gRPC request, along with the name of the request, and the name of the instance that the request is intended for. Information about the identity of the requester is extracted from the context, for example a JWT token. This identity information is compared to the ACL configuration given to this class at construction time to determine authorization for the request.
- Parameters:
context (ServicerContext) – The context for the gRPC request to check the authz status of.
instance_name (str) – The name of the instance that the gRPC request will be interacting with. This is used for per-instance ACLs.
request_name (str) – The name of the request being authorized, for example Execute.
- Returns:
Whether the request is authorized.
- Return type:
bool
- buildgrid.server.auth.manager.set_auth_manager(manager: AuthManager | None) → None
- buildgrid.server.auth.manager.get_auth_manager() → AuthManager | None
- buildgrid.server.auth.manager.authorize_request(request_context: ServicerContext, instance_name: str, request_name: str) → None
- buildgrid.server.auth.manager.set_context_client_identity(clientIdentity: ClientIdentity) → None
- buildgrid.server.auth.manager.get_context_client_identity() → ClientIdentity | None