Api change #2888
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| # TorchServe token authorization API | ||
|
|
||
| ## Configuration | ||
| 1. Enable token authorization by adding the provided plugin at start using the `--plugin-path` command. | ||
| 2. Torchserve will enable token authorization if the plugin is provided. In the current working directory a file `key_file.json` will be generated. | ||
| 1. Example key file: | ||
|
|
||
| `Management Key: aadJv_R6 --- Expiration time: 2024-01-16T22:23:32.952499Z` | ||
|
|
||
| `Inference Key: poZXAlqe --- Expiration time: 2024-01-16T22:23:50.621298Z` | ||
|
|
||
| `API Key: xryL_Vzs` | ||
| 3. There are 3 keys and each have a different use. | ||
| 1. Management key: Used for management APIs. Example: | ||
| `curl http://localhost:8081/models/densenet161 -H "Authorization: Bearer aadJv_R6"` | ||
| 2. Inference key: Used for inference APIs. Example: | ||
| `curl http://127.0.0.1:8080/predictions/densenet161 -T examples/image_classifier/kitten.jpg -H "Authorization: Bearer poZXAlqe"` | ||
| 3. API key: Used for the token authorization API. Check section 4 for API use. | ||
| 4. 3 tokens allow the owner with the most flexibility in use and enables them to adapt the tokens to their use. Owners of the server can provide users with the inference token if users should not mess with models. The owner can also provide owners with the management key if owners want users to add and remove models. | ||
|
There was a problem hiding this comment. We don't need to sell it here. Its also pretty self-explanatory in my opinion. There was a problem hiding this comment. I think it is better to have the full explanation, does not change anything. There was a problem hiding this comment. In that case it should be part of the leading description as it does not fit into the list of keys. |
||
| 4. The plugin also includes an API in order to generate a new key to replace either the management or inference key. | ||
| 1. Management Example: | ||
| `curl localhost:8081/token?type=management -H "Authorization: Bearer xryL_Vzs"` will replace the current management key in the key_file with a new one and will update the expiration time. | ||
| 2. Inference example: | ||
| `curl localhost:8081/token?type=inference -H "Authorization: Bearer xryL_Vzs"` | ||
|
|
||
| Users will have to use either one of the APIs above. | ||
|
|
||
| 5. When users shut down the server the key_file will be deleted. | ||
|
|
||
|
|
||
| ## Customization | ||
| Torchserve offers various ways to customize the token authorization to allow owners to reach the desired result. | ||
| 1. Time to expiration is set to default at 60 minutes but can be changed in the config.properties by adding `token_expiration_min`. Ex:`token_expiration_min=30` | ||
| 2. The token authorization code is consolidated in the plugin and thus can be changed without impacting the frontend or end result. The only thing the user cannot change is: | ||
| 1. The urlPattern for the plugin must be 'token' and the class name must not change | ||
| 2. The `generateKeyFile`, `checkTokenAuthorization`, and `setTime` functions return type and signature must not change. However, the code in the functions can be modified depending on user necessity. | ||
|
|
||
| ## Notes | ||
| 1. DO NOT MODIFY THE KEY FILE. Modifying the key file might impact reading and writing to the file thus preventing new keys from properly being displayed in the file. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| package org.pytorch.serve.archive.model; | ||
|
|
||
| public class InvalidKeyException extends ModelException { | ||
|
|
||
| private static final long serialVersionUID = 1L; | ||
|
|
||
| /** | ||
| * Constructs an {@code InvalidKeyException} with the specified detail message. | ||
| * | ||
| * @param message The detail message (which is saved for later retrieval by the {@link | ||
| * #getMessage()} method) | ||
| */ | ||
| public InvalidKeyException(String message) { | ||
| super(message); | ||
| } | ||
|
|
||
| /** | ||
| * Constructs an {@code InvalidKeyException} with the specified detail message and cause. | ||
| * | ||
| * <p>Note that the detail message associated with {@code cause} is <i>not</i> automatically | ||
| * incorporated into this exception's detail message. | ||
| * | ||
| * @param message The detail message (which is saved for later retrieval by the {@link | ||
| * #getMessage()} method) | ||
| * @param cause The cause (which is saved for later retrieval by the {@link #getCause()} | ||
| * method). (A null value is permitted, and indicates that the cause is nonexistent or | ||
| * unknown.) | ||
| */ | ||
| public InvalidKeyException(String message, Throwable cause) { | ||
| super(message, cause); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
| package org.pytorch.serve.http; | ||
|
|
||
| import io.netty.channel.ChannelHandlerContext; | ||
| import io.netty.handler.codec.http.FullHttpRequest; | ||
| import io.netty.handler.codec.http.QueryStringDecoder; | ||
| import java.lang.reflect.*; | ||
| import org.pytorch.serve.archive.DownloadArchiveException; | ||
| import org.pytorch.serve.archive.model.InvalidKeyException; | ||
| import org.pytorch.serve.archive.model.ModelException; | ||
| import org.pytorch.serve.archive.workflow.WorkflowException; | ||
| import org.pytorch.serve.util.ConfigManager; | ||
| import org.pytorch.serve.util.TokenType; | ||
| import org.pytorch.serve.wlm.WorkerInitializationException; | ||
| import org.slf4j.Logger; | ||
| import org.slf4j.LoggerFactory; | ||
|
|
||
| /** | ||
| * A class handling token check for all inbound HTTP requests. | ||
| * | ||
| * <p>This class // | ||
| */ | ||
| public class TokenAuthorizationHandler extends HttpRequestHandlerChain { | ||
|
|
||
| private static final Logger logger = LoggerFactory.getLogger(TokenAuthorizationHandler.class); | ||
| private static TokenType tokenType; | ||
| private static Boolean tokenEnabled = false; | ||
| private static Class<?> tokenClass; | ||
| private static Object tokenObject; | ||
| private static Integer timeToExpirationMinutes = 60; | ||
|
|
||
| /** Creates a new {@code InferenceRequestHandler} instance. */ | ||
| public TokenAuthorizationHandler(TokenType type) { | ||
| tokenType = type; | ||
| } | ||
|
|
||
| @Override | ||
| public void handleRequest( | ||
| ChannelHandlerContext ctx, | ||
| FullHttpRequest req, | ||
| QueryStringDecoder decoder, | ||
| String[] segments) | ||
| throws ModelException, DownloadArchiveException, WorkflowException, | ||
| WorkerInitializationException { | ||
| if (tokenEnabled) { | ||
| ConfigManager configManager = ConfigManager.getInstance(); | ||
|
There was a problem hiding this comment. Can you clarify what this line does? There was a problem hiding this comment. No use so removed it. |
||
| if (tokenType == TokenType.MANAGEMENT) { | ||
| if (req.toString().contains("/token")) { | ||
| checkTokenAuthorization(req, "token"); | ||
| } else { | ||
| checkTokenAuthorization(req, "management"); | ||
| } | ||
| } else if (tokenType == TokenType.INFERENCE) { | ||
| checkTokenAuthorization(req, "inference"); | ||
| } | ||
| } | ||
| chain.handleRequest(ctx, req, decoder, segments); | ||
| } | ||
|
|
||
| public static void setupTokenClass() { | ||
| try { | ||
| tokenClass = Class.forName("org.pytorch.serve.plugins.endpoint.Token"); | ||
| tokenObject = tokenClass.getDeclaredConstructor().newInstance(); | ||
| Method method = tokenClass.getMethod("setTime", Integer.class); | ||
| Integer time = ConfigManager.getInstance().getTimeToExpiration(); | ||
| if (time != 0) { | ||
| timeToExpirationMinutes = time; | ||
| } | ||
| method.invoke(tokenObject, timeToExpirationMinutes); | ||
| method = tokenClass.getMethod("generateKeyFile", String.class); | ||
| if ((boolean) method.invoke(tokenObject, "token")) { | ||
| logger.info("TOKEN CLASS IMPORTED SUCCESSFULLY"); | ||
| } | ||
| } catch (ClassNotFoundException e) { | ||
| logger.error("TOKEN CLASS IMPORTED UNSUCCESSFULLY"); | ||
| e.printStackTrace(); | ||
| return; | ||
| } catch (NoSuchMethodException | ||
| | IllegalAccessException | ||
| | InstantiationException | ||
| | InvocationTargetException e) { | ||
| e.printStackTrace(); | ||
| logger.error("TOKEN CLASS IMPORTED UNSUCCESSFULLY"); | ||
| return; | ||
| } | ||
| tokenEnabled = true; | ||
| } | ||
|
|
||
| private void checkTokenAuthorization(FullHttpRequest req, String type) throws ModelException { | ||
|
|
||
| try { | ||
| Method method = | ||
| tokenClass.getMethod( | ||
| "checkTokenAuthorization", | ||
| io.netty.handler.codec.http.FullHttpRequest.class, | ||
| String.class); | ||
| boolean result = (boolean) (method.invoke(tokenObject, req, type)); | ||
| if (!result) { | ||
| throw new InvalidKeyException( | ||
| "Token Authentication failed. Token either incorrect, expired, or not provided correctly"); | ||
| } | ||
| } catch (NoSuchMethodException | IllegalAccessException | InvocationTargetException e) { | ||
| e.printStackTrace(); | ||
| throw new InvalidKeyException( | ||
| "Token Authentication failed. Token either incorrect, expired, or not provided correctly"); | ||
| } | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| package org.pytorch.serve.util; | ||
|
|
||
| public enum TokenType { | ||
| INFERENCE, | ||
| MANAGEMENT, | ||
| TOKEN_API | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Better to make this a json to make is easier machine readable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the key file example still accurate now?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also why use an array to store the keys in the json file? Better to use a more structured approach like a dict:
{"management":{"key":"some_key", "expiration_time":"some_timestamp"},"inference":{}, ...etc}