Authentication
Feature Store CLI provides 3 forms of authentication:
- Access token from external environment
- Refresh token from identity provider
- Personal Access Tokens (PATs)
All authentication-related methods can be called on the auth object on
the client object (e.g., client.auth.logout()).
You can also get the currently logged-in user:
- Python
- Scala
client.auth.get_active_user()
client.auth.getActiveUser()
Access token from external environment
If you are running Feature Store in an environment which already takes
care of the client authentication and makes access tokens available, you
need to implement a method which returns the access token from the
environment and passes it to client.set_obtain_access_token_method.
This is the same for H2O Wave.
This ensures that during each call, Feature Store obtains a valid access token from the external environment and uses it for authentication.
Refresh token from identity provider
First, we need to obtain the refresh token. We can achieve this by executing the login method.
- Python
- Scala
client.auth.login()
client.auth.login()
This method will try to open the returned URL in the browser (if this
fails, the user has to do this manually) and wait for the refresh token.
Returned refresh tokens will be saved into the client's configuration
file. The client configuration file is stored in your home directory
under the name .featurestore.config. The format of the file is
key=value. If you wish, you can also set the token in the
configuration file by using key token directly.
You won't be asked for the authentication again until this token expires.
Personal access tokens (PATs)
In order to create a personal access token, you first need to be logged-in via one of the previously mentioned methods.
Once logged-in, you can create a personal access token:
- Python
- Scala
token_str = client.auth.pats.generate(name="background_jobs", description="some description", expiry_date="<dd/MM/yyyy>", timezone=None)
val tokenStr = client.auth.pats.generate(name="background_jobs", description="some description", expiryDate="<dd/MM/yyyy>", timezone="")
Explanation of the parameters:
- Python
- Scala
expiry_dateis optional. When provided, it should be in the format dd/MM/yyyy. Tokens without expiry date will get an expiry date according to maximal allowed token duration which is a parameter controlled by a Feature Store administrator. To find out its actual value, call client.auth.pats.maximum_allowed_token_duration.timezoneis optional. If provided, the provided timezone overrides the system timezone of CLI environment.
expiryDateis optional. When provided, it should be in the format dd/MM/yyyy.Tokens without expiry date will get an expiry date according to maximal allowed token duration which is a parameter controlled by a Feature Store administrator. To find out its actual value, call client.auth.pats.maximumAllowedTokenDuration.timezoneis optional. If provided, the provided timezone overrides the system timezone of CLI environment.
This call returns the textual representation of the token. It is not possible to obtain the textual representation of the token again, so save it in a secure location.
You can now use this token for authentication:
- Python
- Scala
client.auth.set_auth_token(token_str)
client.auth.setAuthToken(tokenStr)
You can list existing token objects:
- Python
- Scala
client.auth.pats.list()
client.auth.pats.list()
You can obtain a particular token object:
- Python
- Scala
token = client.auth.pats.get(token_id)
val token = client.auth.pats.get(tokenId)
Token id is different from token name.
You can revoke the token:
- Python
- Scala
token.revoke()
token.revoke()
The Feature Store admin can configure the max.pat.number.per.user
option to limit the number of personal access tokens one user can have
at a single time.
- Submit and view feedback for this page
- Send feedback about H2O Feature Store to cloud-feedback@h2o.ai