Title: feat: Provision minimal TokenReview RBAC for OIDC auth and add SSL error logging in token parser by aniketpalu · Pull Request #6240 · feast-dev/feast · GitHub
Open Graph Title: feat: Provision minimal TokenReview RBAC for OIDC auth and add SSL error logging in token parser by aniketpalu · Pull Request #6240 · feast-dev/feast
X Title: feat: Provision minimal TokenReview RBAC for OIDC auth and add SSL error logging in token parser by aniketpalu · Pull Request #6240 · feast-dev/feast
Description: What this PR does / why we need it: When `authz: oidc` is configured, the Feast server delegates Kubernetes service account (SA) tokens to a lightweight TokenReview for validation and namespace extraction. This requires the server SA to have `tokenreviews/create` permission. Previously, this RBAC was not provisioned automatically by the operator for OIDC deployments (only for `authz: kubernetes`), requiring manual ClusterRole creation. Operator: OIDC TokenReview RBAC The operator now provisions a dedicated feast-oidc-token-review ClusterRole and ClusterRoleBinding when authz: oidc is configured. The ClusterRole contains exactly one rule: authentication.k8s.io/tokenreviews/create This is the minimum permission needed for the SA token delegation path. No additional RBAC queries (rolebindings, clusterroles, namespaces) are granted, unlike the authz: kubernetes path which needs broader permissions for KubernetesTokenParser. Cleanup is handled automatically when switching auth types: OIDC to kubernetes: OIDC ClusterRole + ClusterRoleBinding deleted OIDC to no_auth: OIDC ClusterRole + ClusterRoleBinding deleted kubernetes/no_auth to OIDC: OIDC ClusterRole + ClusterRoleBinding created SDK: SSL Error Logging When verify_ssl: true is set but the OIDC provider uses self-signed certificates without a configured ca_cert_path, the server fails to reach the JWKS/discovery endpoints. Previously, this produced a generic "Invalid token" log with no indication of the root cause. The token parser now detects SSL errors in the exception chain and logs a clear, actionable message: OIDC provider SSL certificate verification failed. If using a self-signed certificate, set verify_ssl: false or provide a CA certificate via ca_cert_path. This applies to both the discovery endpoint (_validate_token) and the JWKS endpoint (_decode_token) error paths. Which issue(s) this PR fixes: Follow up to #6089 Checks I've made sure the tests are passing. My commits are signed off (git commit -s) My PR title follows conventional commits format Testing Strategy Unit tests Integration tests Manual tests Testing is not required for this change Misc
Open Graph Description: What this PR does / why we need it: When `authz: oidc` is configured, the Feast server delegates Kubernetes service account (SA) tokens to a lightweight TokenReview for validation and namespace ext...
X Description: What this PR does / why we need it: When `authz: oidc` is configured, the Feast server delegates Kubernetes service account (SA) tokens to a lightweight TokenReview for validation and namespace ext...
Opengraph URL: https://github.com/feast-dev/feast/pull/6240
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:c8317793-879c-0bec-bdad-24ffae7fdcab |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | CCE6:4FAAE:2DD747C:4112101:6A5004C4 |
| html-safe-nonce | 89bfaea795ff42df0a96d063c1392da7ac444c90c2d3f244c0c12383f4f9cff0 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJDQ0U2OjRGQUFFOjJERDc0N0M6NDExMjEwMTo2QTUwMDRDNCIsInZpc2l0b3JfaWQiOiIxMDkwODA1NjUzNTQxMjI1NjY5IiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | 9e7d874dae7794944b01ae6355d44d241d0ba3b86369b328edee8a99e8cae0f6 |
| hovercard-subject-tag | pull_request:3503906595 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/feast-dev/feast/pull/6240/files |
| twitter:image | https://avatars.githubusercontent.com/u/64416568?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/64416568?s=400&v=4 |
| og:image:alt | What this PR does / why we need it: When `authz: oidc` is configured, the Feast server delegates Kubernetes service account (SA) tokens to a lightweight TokenReview for validation and namespace ext... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 56eec25a3430492dd6ec2a480eb33256a0da5192d5714b0db4f5ab5f33203d94 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/feast-dev/feast git https://github.com/feast-dev/feast.git |
| octolytics-dimension-user_id | 57027613 |
| octolytics-dimension-user_login | feast-dev |
| octolytics-dimension-repository_id | 161133770 |
| octolytics-dimension-repository_nwo | feast-dev/feast |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 161133770 |
| octolytics-dimension-repository_network_root_nwo | feast-dev/feast |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | e155b8a71f9284454f73118dfe5e634e74f7afb3 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width