Skip to content

[AuthN] Support Using Service Account Tokens For Internal System Requests #9171

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
quaark merged 8 commits into from
Jan 8, 2026
Merged

[AuthN] Support Using Service Account Tokens For Internal System Requests #9171

quaark merged 8 commits into from
Jan 8, 2026

Conversation

@quaark
Copy link
Member

@quaark quaark commented Jan 7, 2026

📝 Description

This pull request introduces enhancements and fixes related to authentication and service account token handling in the MLRun framework.

🛠️ Changes Made

  • Introduced a Claims class for JWT claims constants in mlrun/auth/utils.py.
  • Added is_token_expired and _decode_token_unverified utility functions for JWT token handling.
  • Added a new igz_authenticator_kind header constant in mlrun/common/schemas/constants.py.
  • Introduced a service_account configuration section in mlrun/config.py for Kubernetes service account tokens.
  • Created a new service_account_token.py client for managing service account tokens.
  • Updated Iguazio client logic to use the service account token for escalated requests.
  • Added unit tests for the service_account_token.py client.
  • Enhanced existing tests in test_auth_utils.py to cover token expiration scenarios.
  • Made the delete project alerts functionality escalate to the service account token in case the project permissions are already removed

✅ Checklist

  • I have tested the changes in this PR

🧪 Testing

  • Added unit tests for the service_account_token.py client to validate token caching, expiration handling, and header escalation.
  • Added unit tests in test_auth_utils.py to cover token expiration and missing claims scenarios.
  • Verified changes manually in a Kubernetes environment to ensure proper handling of service account tokens.

🔗 References

🚨 Breaking Changes?

  • Yes (explain below)
  • No

🔍️ Additional Notes

  • Known issue: The create_default_project_policies method currently relies on incoming request auth info. Future updates to the Iguazio API are required to support explicit owner parameters.

@quaark quaark requested review from a team, liranbg and moranbental as code owners January 7, 2026 10:39
liranbg
liranbg approved these changes Jan 7, 2026
View reviewed changes
Copy link
Member

@liranbg liranbg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looking good

TomerShor
TomerShor reviewed Jan 7, 2026
View reviewed changes
@quaark quaark merged commit 0be4ad5 into mlrun:development Jan 8, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@liranbg liranbg liranbg approved these changes

@TomerShor TomerShor TomerShor approved these changes

@moranbental moranbental Awaiting requested review from moranbental moranbental is a code owner

Assignees

No one assigned

Labels

area/api area/framework area/sdk area/server area/tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@quaark @liranbg @TomerShor