◐ Shell
reader mode source ↗
Skip to content

feat: Provision minimal TokenReview RBAC for OIDC auth and add SSL error logging in token parser#6240

Merged
ntkathole merged 4 commits into
feast-dev:masterfrom
aniketpalu:oidc-rbac-ssl-logging
May 1, 2026
Merged

feat: Provision minimal TokenReview RBAC for OIDC auth and add SSL error logging in token parser#6240
ntkathole merged 4 commits into
feast-dev:masterfrom
aniketpalu:oidc-rbac-ssl-logging

Conversation

@aniketpalu

@aniketpalu aniketpalu commented Apr 8, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

What this PR does / why we need it:

When `authz: oidc` is configured, the Feast server delegates Kubernetes service account (SA) tokens to a lightweight TokenReview for validation and namespace extraction. This requires the server SA to have `tokenreviews/create` permission. Previously, this RBAC was not provisioned automatically by the operator for OIDC deployments (only for `authz: kubernetes`), requiring manual ClusterRole creation.

Operator: OIDC TokenReview RBAC

The operator now provisions a dedicated feast-oidc-token-review ClusterRole and ClusterRoleBinding when authz: oidc is configured. The ClusterRole contains exactly one rule:

  • authentication.k8s.io/tokenreviews/create

This is the minimum permission needed for the SA token delegation path. No additional RBAC queries (rolebindings, clusterroles, namespaces) are granted, unlike the authz: kubernetes path which needs broader permissions for KubernetesTokenParser.

Cleanup is handled automatically when switching auth types:

  • OIDC to kubernetes: OIDC ClusterRole + ClusterRoleBinding deleted
  • OIDC to no_auth: OIDC ClusterRole + ClusterRoleBinding deleted
  • kubernetes/no_auth to OIDC: OIDC ClusterRole + ClusterRoleBinding created

SDK: SSL Error Logging

When verify_ssl: true is set but the OIDC provider uses self-signed certificates without a configured ca_cert_path, the server fails to reach the JWKS/discovery endpoints. Previously, this produced a generic "Invalid token" log with no indication of the root cause. The token parser now detects SSL errors in the exception chain and logs a clear, actionable message:

OIDC provider SSL certificate verification failed. If using a self-signed certificate,
set verify_ssl: false or provide a CA certificate via ca_cert_path.

This applies to both the discovery endpoint (_validate_token) and the JWKS endpoint (_decode_token) error paths.

Which issue(s) this PR fixes:

Follow up to #6089

Checks

  • I've made sure the tests are passing.
  • My commits are signed off (git commit -s)
  • My PR title follows conventional commits format

Testing Strategy

  • Unit tests
  • Integration tests
  • Manual tests
  • Testing is not required for this change

Misc

Open with Devin

@aniketpalu aniketpalu requested a review from a team as a code owner April 8, 2026 15:11
devin-ai-integration[bot]

This comment was marked as resolved.

Sign in to view

jyejare
jyejare reviewed Apr 9, 2026
View reviewed changes

@jyejare jyejare left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hide comment

  1. The Kubernetes auth path sets a status condition (AuthorizationReadyType) to indicate RBAC provisioning success/failure. The OIDC path does not. This means operators have no visibility into whether the OIDC RBAC was actually created.

  2. The existing OIDC test (featurestore_controller_oidc_auth_test.go) verifies that the Kubernetes-auth Role/RoleBinding are absent, but it does not verify that the new feast-oidc-token-review ClusterRole and per-instance ClusterRoleBinding are created with the correct rules. It also doesn't test the cleanup path (switching from OIDC to no-auth should delete the CRB).

devin-ai-integration[bot]

This comment was marked as resolved.

Sign in to view

devin-ai-integration[bot]

This comment was marked as resolved.

Sign in to view

@aniketpalu aniketpalu force-pushed the oidc-rbac-ssl-logging branch from 4da984f to 15c8ec5 Compare April 27, 2026 16:06
jyejare
jyejare reviewed Apr 28, 2026
View reviewed changes

@jyejare jyejare left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hide comment

LGTM, small comment.

@aniketpalu aniketpalu requested a review from jyejare April 30, 2026 08:58
@aniketpalu aniketpalu force-pushed the oidc-rbac-ssl-logging branch from 557427c to 57a1824 Compare April 30, 2026 20:49
devin-ai-integration[bot]

This comment was marked as resolved.

Sign in to view

aniketpalu added 4 commits May 1, 2026 10:11
@aniketpalu @ntkathole
feat(operator): Provision minimal TokenReview RBAC for OIDC auth
d257265 
When authz: oidc is configured, the operator now provisions a dedicated
feast-oidc-token-review ClusterRole and per-instance ClusterRoleBinding
with tokenreviews/create permission for SA token delegation.
Changes:
- Add OIDC status condition (AuthorizationReadyType) for feature parity
  with Kubernetes auth
- Use instance-independent labels for shared ClusterRole to avoid
  misleading audit trails when multiple FeatureStores use OIDC
- Clean up Kubernetes ClusterRoleBinding when switching auth types
- Add test coverage for OIDC RBAC creation and cleanup

Signed-off-by: Aniket Paluskar <apaluska@redhat.com>
@aniketpalu @ntkathole
fix: Add ManagedByLabelKey to shared OIDC ClusterRole labels
3ed93f1 
Signed-off-by: Aniket Paluskar <apaluska@redhat.com>
@aniketpalu @ntkathole
fix: Add Get-first check to cleanupKubernetesClusterRbac
382e38b 
Signed-off-by: Aniket Paluskar <apaluska@redhat.com>
@aniketpalu @ntkathole
Updated .secret.baseline
efc6d87 
Signed-off-by: Aniket Paluskar <apaluska@redhat.com>
@ntkathole ntkathole force-pushed the oidc-rbac-ssl-logging branch from fa88079 to efc6d87 Compare May 1, 2026 04:41
ntkathole
ntkathole approved these changes May 1, 2026
View reviewed changes

@ntkathole ntkathole left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hide comment

lgtm

Hide details View details @ntkathole ntkathole merged commit dca57e8 into feast-dev:master May 1, 2026
21 of 26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devin-ai-integration devin-ai-integration[bot] devin-ai-integration[bot] left review comments

@ntkathole ntkathole ntkathole approved these changes

+1 more reviewer

@jyejare jyejare jyejare approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

ok-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aniketpalu @jyejare @ntkathole