feat: add agent authorization in agent callback #303
fix: merge branch 'main' into feat/authz_agent
| f"Checking permission for principal {principal_id} on resource {resource_id} for operation {operation}..." | ||
| ) | ||
| request = volcenginesdkid.CheckPermissionRequest( |
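Review bot: the construction of `volcenginesdkid.CheckPermissionRequest(` is not visibly wrapped in any error handling, so a transport or SDK failure during the check would propagate as an exception instead of producing an explicit deny; wrap the request and the call that sends it, treat any failure as not allowed (fail closed) and log it at warning level. Also make sure the `principal_id`, `resource_id` and `operation` values written in the log line above are the same objects placed into the request, so the audit trail and the decision cannot drift apart.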
The fields of the request here are not quite right:
class CheckPermissionRequest(
namespace_name: Any | None = None,
operation: Any | None = None,
original_callers: Any | None = None,
principal: Any | None = None,
references: Any | None = None,
resource: Any | None = None,
_configuration: Any | None = None
)
| agent_name = callback_context.agent_name | ||
| user_id = callback_context._invocation_context.user_id | ||
| namespace = "default" |
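Review bot: `user_id = callback_context._invocation_context.user_id` reaches into a private attribute of the callback context, which can break silently on a framework upgrade; prefer a public accessor if the context exposes one, and deny (fail closed) when `user_id` is empty rather than running the permission check with a blank principal. The hard-coded `namespace = "default"` should also come from one place (a parameter or settings) so the namespace used for the check cannot diverge from the one used elsewhere.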
This duplicates the method's default parameter.
| workload_id = role_id if role_id else agent_name | ||
| allowed = identity_client.check_permission( | ||
| principal_id=user_id, |
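Review bot: `workload_id = role_id if role_id else agent_name` silently substitutes the unauthenticated `agent_name` for the identity derived from the workload token, so a missing or unparseable token downgrades the check to a caller-chosen string instead of denying; return a deny (or raise) when `role_id` is None and keep `agent_name` out of the authorization decision. The `identity_client.check_permission(` call then always runs against an identity that was actually attested.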
Here principal, operation and resource are all structs containing a Type and an Id; it may be better to define a data class first and pass that directly. operation can be fixed as type: action, id: invoke.
| callback_context: CallbackContext, | ||
| ) -> Optional[types.Content]: | ||
| """Check if the agent is authorized to run using VeIdentity.""" | ||
| workload_token = await get_workload_token( |
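Review bot: the docstring `"""Check if the agent is authorized to run using VeIdentity."""` does not say what the `Optional[types.Content]` return value means; document which return denies the run and which lets the agent proceed, and state what happens when `get_workload_token(` returns nothing (it should be a deny, not a silent pass).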
Currently, when workload_name is empty, this uses agent_name in the call to identity_client's get_workload_access_token; first change the get_workload_access_token method signature so that the workload_name parameter is optional, and then have token_manager not pass agent_name.
| # Parse role_id from workload_token | ||
| # Format: trn:id:${Region}:${Account}:workloadpool/default/workload/${RoleId} | ||
| role_id = None | ||
| if workload_token: |
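Review bot: the comment `# Format: trn:id:${Region}:${Account}:workloadpool/default/workload/${RoleId}` describes a TRN, while the value being parsed is the token returned by `get_workload_token`; align the comment with the token's actual format and make the parse fail closed: if `workload_token` is absent or the role id cannot be extracted, `role_id` stays None and the callback should deny rather than continue with a fallback identity.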
workload_token is returned in JWT format; refer to https://github.com/volcengine/veadk-python/pull/304/files#diff-3a2ff321505acec9407a08fd5d439d7be6925f1874f8683ba15986068108aa4eR63 to parse it and obtain sub.
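The two review comments above (the Type/Id data class for principal, operation and resource, and reading `sub` from the JWT-shaped workload token) can be combined into one small building block. The example below is added here and is not code from this PR or from veadk-python; the `Entity`/`PermissionCheck` data classes, the entity type names `user` and `workload`, the sample token and the `build_permission_check` helper are all assumptions for illustration. It fails closed: when no role id can be derived from the token, no check is built and the caller must deny instead of falling back to the agent name.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional


def _b64url(data: bytes) -> str:
    """URL-safe base64 without padding, as used by compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_workload_token(sub: str) -> str:
    """Constructed sample: a JWT-shaped token with a placeholder signature.

    It stands in for the real workload token in this example only; nothing
    here is signed or verified.
    """
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "iss": "sample-issuer"}).encode())
    return f"{header}.{payload}.{_b64url(b'placeholder-signature')}"


def jwt_subject(token: str) -> Optional[str]:
    """Return the `sub` claim of a compact JWT, or None if it cannot be read.

    This only base64-decodes the payload; it does not verify the signature.
    That is acceptable only because the token was just handed to this process
    by the identity service, not presented by an untrusted caller.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload_b64 = parts[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    sub = claims.get("sub") if isinstance(claims, dict) else None
    return sub if isinstance(sub, str) and sub else None


@dataclass(frozen=True)
class Entity:
    """Assumed shape of the Type/Id structs the reviewer mentions."""
    type: str
    id: str


@dataclass(frozen=True)
class PermissionCheck:
    """Assumed data class carrying what the permission request needs."""
    namespace_name: str
    principal: Entity
    operation: Entity
    resource: Entity


# The reviewer suggests a fixed operation: type "action", id "invoke".
INVOKE = Entity(type="action", id="invoke")


def build_permission_check(
    user_id: str,
    workload_token: Optional[str],
    namespace_name: str = "default",
) -> Optional[PermissionCheck]:
    """Assemble the check, or return None when it must be denied outright.

    Fail closed: an empty user id or a token without a usable `sub` yields
    None; there is deliberately no fallback to the agent name.
    """
    if not user_id:
        return None
    role_id = jwt_subject(workload_token) if workload_token else None
    if role_id is None:
        return None
    return PermissionCheck(
        namespace_name=namespace_name,
        principal=Entity(type="user", id=user_id),       # assumed type name
        operation=INVOKE,
        resource=Entity(type="workload", id=role_id),    # assumed type name
    )
```

A `None` from `build_permission_check` is the deny path; only a non-`None` value should ever be turned into a `CheckPermissionRequest`.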
| KeyError: If required environment variables are not set. | ||
| """ | ||
| self.region = region | ||
| self._identity_config = identity_config or VeIdentityConfig() |
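Review bot: `self._identity_config = identity_config or VeIdentityConfig()` replaces any falsy config object with a fresh default, which hides a caller bug; use `identity_config if identity_config is not None else VeIdentityConfig()`. The docstring line `KeyError: If required environment variables are not set.` should also say where that KeyError is raised, since nothing in this hunk reads an environment variable directly.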
Here you could simply use the global configuration from settings, similar to https://github.com/volcengine/veadk-python/blob/main/veadk/integrations/ve_identity/auth_config.py#L30; it probably does not need to be stored on the instance, and the uses of self._identity_config below can all use settings.veidentity directly.
| logger.info( | ||
| f"No session token found, attempting AssumeRole with role: {self._identity_config.role_trn}" | ||
| ) | ||
| sts_credentials = self._assume_role(ak, sk) |
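Review bot: `sts_credentials = self._assume_role(ak, sk)` runs on every call that reaches this branch, so each identity request pays a full AssumeRole round trip; cache the returned credentials keyed by `self._identity_config.role_trn` together with their expiry and refresh shortly before they expire. The log line above correctly includes only the role TRN; keep `ak` and `sk` out of any logging added around the cache.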
I think sts_credentials will need a cache later; having to request AssumeRole on every call to the identity API is a fairly large overhead.
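One way to do the caching the comment asks for, as an added example that is not part of this PR or of veadk-python: credentials are memoised per role TRN and refreshed a fixed margin before expiry, with an injectable clock so the refresh logic is testable offline. The `StsCredentials` shape, the `assume_role` callable and the fake STS stand-in are assumptions; the real `_assume_role(ak, sk)` would be wrapped in a closure and passed in.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class StsCredentials:
    """Assumed shape of what an AssumeRole call returns."""
    access_key_id: str
    secret_access_key: str
    session_token: str
    expires_at: float  # Unix epoch seconds


class AssumeRoleCache:
    """Memoises AssumeRole results per role TRN and refreshes before expiry.

    `assume_role` is the hypothetical callable doing the real STS call;
    `clock` is injectable so the refresh logic can be tested without sleeping.
    """

    def __init__(
        self,
        assume_role: Callable[[str], StsCredentials],
        refresh_margin_s: float = 300.0,
        clock: Callable[[], float] = time.time,
    ) -> None:
        self._assume_role = assume_role
        self._margin = refresh_margin_s
        self._clock = clock
        self._lock = threading.Lock()
        self._cache: Dict[str, StsCredentials] = {}

    def get(self, role_trn: str) -> StsCredentials:
        # The lock makes concurrent callers share one refresh instead of
        # each issuing their own AssumeRole when the entry goes stale.
        with self._lock:
            cached = self._cache.get(role_trn)
            if cached is not None and cached.expires_at - self._clock() > self._margin:
                return cached
            fresh = self._assume_role(role_trn)
            self._cache[role_trn] = fresh
            return fresh


def make_fake_assume_role(clock: Callable[[], float], ttl_s: float = 3600.0):
    """Constructed stand-in for the STS call; counts how often it is hit."""
    calls = {"n": 0}

    def assume_role(role_trn: str) -> StsCredentials:
        calls["n"] += 1
        n = calls["n"]
        return StsCredentials(
            access_key_id=f"AKTS-{n}",          # constructed sample value
            secret_access_key="sample-secret",  # constructed sample value
            session_token=f"session-{n}",
            expires_at=clock() + ttl_s,
        )

    return assume_role, calls


def run_demo() -> Tuple[int, int, int]:
    """Drive the cache with a fake clock; returns AssumeRole call counts
    after two immediate gets, after entering the refresh margin, and after
    one more get on the refreshed entry."""
    now = [1_700_000_000.0]
    clock = lambda: now[0]
    assume_role, calls = make_fake_assume_role(clock, ttl_s=3600.0)
    cache = AssumeRoleCache(assume_role, refresh_margin_s=300.0, clock=clock)
    role = "trn:iam::sample-account:role/agent-runtime"  # constructed TRN

    cache.get(role)
    cache.get(role)
    after_two_gets = calls["n"]          # second get is served from cache

    now[0] += 3600.0 - 299.0             # 299 s left: inside the margin
    cache.get(role)
    after_margin = calls["n"]            # refreshed once

    cache.get(role)
    after_reuse = calls["n"]             # fresh entry reused
    return after_two_gets, after_margin, after_reuse
```

The refresh margin should exceed the longest request the credentials will be used for, so a call that starts just before the cached expiry does not fail mid-flight.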
No description provided.