How to setup remote authenticator that can have th...
# help
o
How to set up a remote authenticator that can have the lakeFS client pass in additional values in headers and body?
config.yaml
auth:
  remote_authenticator:
    enabled: true
    endpoint: https://testendpoint.com
    default_user_group: "Developers"
  ui_config:
    logout_url: /logout
    login_cookie_names:
      - Authorization
i
Hey @Ocean Chang, nice to meet you. That's not possible (see available config options). The only thing it accepts is the endpoint. The cookies under ui_config are related to the logout / login operation in the UI itself.
o
Thank you for your response. Do you know how else I can pass parameters from the LakeFS client to the remote authenticator I set up?
a
Hi @Ocean Chang, I'm not aware of any such option. You might be able to get by with path parameters on the endpoint URL. Currently we are focusing our efforts on the core of OSS lakeFS - data versioning - and therefore reducing our efforts on auth. We would probably be able to accept a small self-contained feature that adds this to lakeFS. The key point would be maintainability.
o
Thanks for the help @Ariel Shaqed (Scolnicov). I'm also trying to do the auth outside of LakeFS. Is there a way to auto-populate the access key id and secret access key by passing the path parameter in the URL? Background: Streamlit app that plans to incorporate the LakeFS UI either as an iframe or a navigable URL. Task: The LakeFS UI will be navigated to from my Streamlit client. I want to do the authentication there with our AWS Cognito server wrapped behind an API Gateway. I tried the remote authenticator, but it seems the parameter passing is too limiting for the use case. Once the user is authenticated in my Streamlit client, they will receive the access key id and secret access key on the client. And I want the UI to be able to populate the retrieved access key id and secret access key to the Login Page below. Is there a way to auto-populate them? Is it possible to make the auth/login API call from the UI of my Streamlit client, and then when the user navigates to the LakeFS UI, it will still preserve the login tokens, so users don't need to log in manually again?
i
@Ocean Chang there's no trivial way to achieve this since SSO (AWS Cognito) and exchanging more data is OIDC/SAML or anything like that does not exist in the OSS version. SSO auth is an enterprise / cloud feature. The remote auth config is for simple cases; to implement such a flow you'll have to look at the authentication.yaml swagger and implement your own authentication server.
a
I'm not aware of such a facility. It would be hard to justify passing credentials in something as exposed as a URL query parameter. You might look into creating a JWT token on your app; it would need to keep the same security token as lakeFS, and keep it securely. But I imagine that that could work. Note that we cannot provide in-depth support for auth integrations on OSS: doing so securely is a complex enough task when we do it for our customers, on much more controlled environments.