-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Feature/azure service principal - expedite #5926
base: develop
Are you sure you want to change the base?
Conversation
👷 Deploy request for label-studio-docs-new-theme pending review.Visit the deploys page to approve it
|
👷 Deploy request for heartex-docs pending review.Visit the deploys page to approve it
|
🔍 Existing Issues For ReviewYour pull request is modifying functions with the following pre-existing issues: 📄 File: label_studio/io_storages/base_models.py
Did you find this useful? React with a 👍 or 👎 |
Is it a copy of #5765 ? |
tests are now passing, do you guys want to add this PR to the tests @makseq ? |
Hi ! |
I was having issues with encryption/decryption at the time of testing credentials manually from the UI I also thought not necessary cause the other Azure storage (key auth option) is not encrypting keys and we are also popping secure fields out here |
let me know what you think @FrsECM , we can also add them back |
I understand that testing with the UI may be an issue. To give you some context, at the beggining i didn't implement this but i did a security review within my company and i've been asked to make sure that credentials are not stored "clear" in the database. A account key that is leaking is a risk that an attacker removes the data directly from the bucket what was not acceptable from our side. That's why i implemented this quick fix for SPI, but of course it should be relevant the same way for AzureBlob Account key. Because this credential have to be given to another provider, we can not only hash, we need to encrypt and decrypt, that's why i coded this this way, and in order to do this on the fly, i added this step in the "validation" function. What is your position concerning that ? Maybe it can be included in another PR but it should definitely be in your roadmap in order to improve security of your application. |
I try adding it back but Windows pytest fails for some reason https://github.com/machov/label-studio/actions/runs/9691945908/job/26745179790?pr=10 |
For the current PR, I am not able to successfully create the pre-signed urls, any suggestions?
this test above fails, the endpoint returns "azure-spi://<path/to/file>" instead of "/tasks/\d+/presign/\?fileuri=YX..." |
PR fulfills these requirements
[fix|feat|ci|chore|doc]: TICKET-ID: Short description of change made
ex.fix: DEV-XXXX: Removed inconsistent code usage causing intermittent errors
Change has impacts in these area(s)
Describe the reason for change
For the moment, there is only an authentication through account key to Azure. The problem is that account key give a lot of rights on the storage that may not be necessary in order to perform readonly operations.![](https://private-user-images.githubusercontent.com/26071804/324516511-626a1f83-8dc1-4fd8-a5f3-03d7464b88fe.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTY4NzI2NzIsIm5iZiI6MTcxNjg3MjM3MiwicGF0aCI6Ii8yNjA3MTgwNC8zMjQ1MTY1MTEtNjI2YTFmODMtOGRjMS00ZmQ4LWE1ZjMtMDNkNzQ2NGI4OGZlLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA1MjglMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNTI4VDA0NTkzMlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWY3NzljNTQ5NDIzMDEyMzc4MTE4NjlkYzA3NWExYzJjMGUyM2MyZmYzMzAxYjVhMmRmOWMwMzRiNzk0ZjFiNzkmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.GE7WsJajCX-MVUZPi_JQ6TVj5jiTbtICgPd8-Y-FlAM)
What does this fix?
Now it is possible to have an azure integration that is based on a service principal.
What is the new behavior?
We have to create an app registration in Azure :![](https://private-user-images.githubusercontent.com/26071804/324517405-3150f717-2fa6-4f95-8af8-c28db4537aeb.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTY4NzI2NzIsIm5iZiI6MTcxNjg3MjM3MiwicGF0aCI6Ii8yNjA3MTgwNC8zMjQ1MTc0MDUtMzE1MGY3MTctMmZhNi00Zjk1LThhZjgtYzI4ZGI0NTM3YWViLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA1MjglMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNTI4VDA0NTkzMlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTcyNzg0ZTg0Y2JkMjJlYmY0ZmYwNTU0NzQyMDA0MDE3ZWMxMzQ1NzUyMjNjN2UxOGU2MGQ4NGZlYjRlY2ZjNGQmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.oj1BSHXHoQBbWWvn8cBug6r-uL5xqYe8zcapdXdF5bw)
![](https://private-user-images.githubusercontent.com/26071804/324517744-a488663a-c44e-4b5c-b2d6-15e281c34a45.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTY4NzI2NzIsIm5iZiI6MTcxNjg3MjM3MiwicGF0aCI6Ii8yNjA3MTgwNC8zMjQ1MTc3NDQtYTQ4ODY2M2EtYzQ0ZS00YjVjLWIyZDYtMTVlMjgxYzM0YTQ1LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA1MjglMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNTI4VDA0NTkzMlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWY2N2I4NGQ4YjdlOTY0YjQyNDI0MzZmZGIzNWE4MDhiYmE5YzU3NmUyYmRiZTBiZmMyMjJkYmVkODYwOTM3MDYmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.niR9rIojKEu81C61IhV0lLJaD1zQskoQlBABVlNEXEU)
![](https://private-user-images.githubusercontent.com/26071804/324518274-0da4c174-5623-4594-8118-3dff745eb8fa.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTY4NzI2NzIsIm5iZiI6MTcxNjg3MjM3MiwicGF0aCI6Ii8yNjA3MTgwNC8zMjQ1MTgyNzQtMGRhNGMxNzQtNTYyMy00NTk0LTgxMTgtM2RmZjc0NWViOGZhLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA1MjglMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNTI4VDA0NTkzMlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWNmZDE1MzdmYTVkMGRmODQxNmIzNTBiNzBjZGViOWFlNWMzOGIzNzU3ZjhhOGE1NGQ1YzhmY2VmOWRkMjFiNzgmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.lzf2jH_jOnuSN7jyqAWg_Mnt3ECJNwtsr7Li-tG2Sbk)
We give this registration specific rights depending on what we want to do in labelstudio :
In the UI, we create a new storage integration :
What is the current behavior?
There is no impact on the previous behavior, it's just a new one.
What libraries were added/updated?
Azure Identity
Does this change affect performance?
Get a delegation key is quite slow, that's why there is :
There is a second minor change :
(Today there is a buggy behavior).
Does this change affect security?
It should improve the security for people who just need specific rights on the container. For the moment, the "write" behavior have not been tested / developped on the container.
What alternative approaches were there?
We can use an enterprise application and SSO in order to be linked to a user right and act on behalf of him.
What feature flags were used to cover this change?
None
Does this PR introduce a breaking change?
(check only one)
What level of testing was included in the change?
Which logical domain(s) does this change affect?