Version: 0.19.3

Authentication

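Feature Store CLI provides 3 forms of authentication:

  • Access token from external environment
  • Refresh token from identity provider
  • Personal access tokens (PATs)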

All authentication-related methods can be called on the auth object on the client object (e.g., client.auth.logout()).

You can also get the currently logged-in user:

client.auth.get_active_user()

Access token from external environment

If you are running Feature Store in an environment that already takes care of client authentication and makes access tokens available, you need to implement a method that returns the access token from the environment, and pass that method to client.set_obtain_access_token_method. This is the same for H2O Wave.

This ensures that during each call, Feature Store obtains a valid access token from the external environment and uses it for authentication.

Refresh token from identity provider

First, we need to obtain the refresh token by executing the login method.

client.auth.login()

This method tries to open the returned URL in the browser (if this fails, the user has to open it manually) and waits for the refresh token. The returned refresh token is saved into the client's configuration file, which is stored in your home directory under the name .featurestore.config. The format of the file is key=value. If you wish, you can also set the token directly in the configuration file using the key token.

You won't be asked to authenticate again until this token expires.
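Because the refresh token sits in a key=value file in the home directory, it is worth checking who else on the machine can read that file. The following audit script is an added example, not part of the Feature Store client; it assumes POSIX file permissions, treats lines starting with # as comments (an assumption about the file format), and its function names and finding labels are hypothetical.

```python
import os
import stat
from pathlib import Path

CONFIG_NAME = ".featurestore.config"  # file name given in the text above


def parse_config(text):
    """Parse key=value lines; blank lines and '#' comments (assumed) are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        entries[key.strip()] = value.strip()
    return entries


def audit_config(path, fix=False):
    """Return a list of findings (hypothetical labels) for the config file."""
    path = Path(path)
    if not path.exists():
        return ["missing"]
    findings = []
    if path.is_symlink():
        findings.append("symlink")
    st = path.stat()
    # The 'token' key is where the refresh token is stored.
    if parse_config(path.read_text()).get("token"):
        findings.append("token-present")
    # Any group/other permission bit exposes the token to other local users.
    if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group-or-world-accessible")
        if fix:
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # owner read/write only
            findings.append("fixed-to-0600")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("not-owned-by-current-user")
    return findings


if __name__ == "__main__":
    print(audit_config(Path.home() / CONFIG_NAME))
```

Calling audit_config with fix=True tightens the file to owner-only access; the token value itself is never printed or returned.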

Personal access tokens (PATs)

To create a personal access token, you first need to be logged in via one of the previously mentioned methods.

Once logged in, you can create a personal access token:

token_str = client.auth.pats.generate(name="background_jobs", description="some description", expiry_date="<dd/MM/yyyy>", timezone=None)

Explanation of the parameters:

  • expiry_date is optional. When provided, it should be in the format dd/MM/yyyy. Tokens created without an expiry date receive one based on the maximum allowed token duration, a parameter controlled by a Feature Store administrator. To find its current value, call client.auth.pats.maximum_allowed_token_duration.
  • timezone is optional. If provided, it overrides the system timezone of the CLI environment.

This call returns the textual representation of the token. It is not possible to obtain the textual representation of the token again, so save it in a secure location.

You can now use this token for authentication:

client.auth.set_auth_token(token_str)

You can list existing token objects:

client.auth.pats.list()

You can obtain a particular token object:

token = client.auth.pats.get(token_id)
Note: Token id is different from token name.

You can revoke the token:

token.revoke()
Note: The Feature Store admin can configure the max.pat.number.per.user option to limit the number of personal access tokens one user can have at a single time.

