feat: Feature/azure service principal #5765
base: develop
web/libs/datamanager/src/components/MainView/GridView/GridView.js
Could you also add pytest for this storage? There should be examples in tests/ folder for aws/gcs storages.
14e0ca5 to de5ad0d
Can you help me on this part?
Sorry for the long delay, tests are located here:
Thanks, I updated the get_import_export_storage_types test case to match the new syntax. I saw the other things for GCP and S3, but in my case I have a strong validation that the connection is valid and can be consumed, so I can't use a dummy client_id/client_secret/tenant_id.
/jira create
PR fulfills these requirements
[fix|feat|ci|chore|doc]: TICKET-ID: Short description of change made
ex.fix: DEV-XXXX: Removed inconsistent code usage causing intermittent errors
Change has impacts in these area(s)
Describe the reason for change
For the moment, there is only authentication to Azure through an account key.
The problem is that the account key gives a lot of rights on the storage that may not be necessary in order to perform read-only operations.
What does this fix?
Now it is possible to have an Azure integration that is based on a service principal.
What is the new behavior?
We have to create an app registration in Azure:
We give this registration specific rights depending on what we want to do in Label Studio:
In the UI, we create a new storage integration:
Under the hood:
What is the current behavior?
There is no impact on the previous behavior, it's just a new one.
What libraries were added/updated?
Azure Identity
Does this change affect performance?
Getting a delegation key is quite slow, that's why there is:
There is a second minor change:
(Today there is a buggy behavior).
Does this change affect security?
It should improve the security for people who just need specific rights on the container.
For the moment, the "write" behavior has not been tested / developed on the container.
What alternative approaches were there?
We can use an enterprise application and SSO in order to be linked to a user's rights and act on the user's behalf.
What feature flags were used to cover this change?
None
Does this PR introduce a breaking change?
(check only one)
What level of testing was included in the change?
Which logical domain(s) does this change affect?