deephaven_enterprise.client.auth¶

class AuthClient(host=None, port=None, rpc_timeout_seconds=120, channel=None, channel_options=None)[source]¶

Bases: object

AuthClient authenticates to a Deephaven authentication server and produces tokens for use with other Deephaven services.

Presently, password and private key authentication are provided.

Create an AuthClient and connect to the server.

You may either specify the host and port to connect to, or provide your own grpc channel. The simplest case is to simply provide the host and port, but if you need advanced channel configuration or want to share the channel for several clients, then you can create it and pass it in.

Parameters:

host (Optional[str]) – the host to connect to, requires port
port (Optional[int]) – the port to connect to, requires host
rpc_timeout_seconds (int) – the rpc timeout period to use, defaults to 120 seconds if not provided
channel (Optional[Channel]) – a pre-created channel to use for the gRPC messages
channel_options – a list of options for channel creation (not used if the channel is provided)

close()[source]¶

Logout from the authentication server. No further tokens may be requested by this client.

Return type:: None

static generate_keypair(user)[source]¶

Generate a new keypair in Deephaven format.

The private key can be stored as a file and used to authenticate using the private_key method. The public key contains a username followed by the public key. The public key should be uploaded to the Deephaven ACL write server.

Parameters:: user – the username to write into the key
Returns:: a tuple containing the private key text and the public key text in Deephaven format

get_token(service, timeout=None)[source]¶

Get an authentication token to present to another Deephaven service. This token may only be used one time, as it is consumed by the authentication server during the verification process.

Parameters:

service (str) – the service that will verify the token (e.g., “PersistentQueryController”)
timeout (Optional[float]) – how long to wait for the gRPC call to complete

Return type:

Token

Returns:

the token

password(user, password, effective_user=None)[source]¶

Authenticates to the server using a username and password.

Parameters:

user (str) – the user to authenticate
password (str) – the user’s password
effective_user (Optional[str]) – the user to operate as, defaults to the user to authenticate

Return type:

None

ping()[source]¶: Pings the server, refreshing our cookie. :returns: True if a ping was sent, False if there is no active cookie.

private_key(file)[source]¶

Authenticate to the server using a Deephaven format private key file.

https://deephaven.io/enterprise/docs/resources/how-to/connect-from-java/#instructions-for-setting-up-private-keys :rtype: None

Parameters:: file (Union[str | io.StringIO]) – a string file name containing the private key produced by generate-iris-keys, or alternatively an

io.StringIO instance (which may be closed after it is read)

saml(login_uri)[source]¶

Authenticate using SAML, which must be configured on the server.

Parameters:: login_uri (str) – the URI for the Deephaven SAML plugin. Often “https://deephaven-auth-server:9032/dh-saml/”, but is dependent on configuration.
Return type:: None

upload_key(pubtext, url, delete=False)[source]¶

Upload a public key to the ACL write server.

Parameters:

pubtext (str) – text of the public key, in Deephaven format
url (str) – URL of the ACL write server (e.g., https://foo.bar.company.com:9044/acl/)
delete (bool) – True to delete the key instead of add the key

exception AuthenticationFailedException[source]¶

Bases: Exception

This Exception is raised when the server responds to our authentication request with a failure (e.g. bad password or bad key). Other errors, like the server not responding at all are not covered by this Exception.

with_traceback()¶: Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

class RefreshThread(auth_client, slack_seconds=120)[source]¶

Bases: Thread

Create a thread to refresh the authentication cookie. If the cookie is not refreshed within the deadline, then we will become unauthenticated and not be able to generate any more tokens. :type auth_client: AuthClient :param auth_client: auth client to refresh :type slack_seconds: int :param slack_seconds: how long before the cookie’s expiration, in seconds, should we begin the refresh. Defaults to two minutes.

property daemon¶

A boolean value indicating whether this thread is a daemon thread.

This must be set before start() is called, otherwise RuntimeError is raised. Its initial value is inherited from the creating thread; the main thread is not a daemon thread and therefore all threads created in the main thread default to daemon = False.

The entire Python program exits when only daemon threads are left.

property ident¶

Thread identifier of this thread or None if it has not been started.

This is a nonzero integer. See the get_ident() function. Thread identifiers may be recycled when a thread exits and another thread is created. The identifier is available even after the thread has exited.

is_alive()¶

Return whether the thread is alive.

This method returns True just before the run() method starts until just after the run() method terminates. See also the module function enumerate().

join(timeout=None)¶

Wait until the thread terminates.

This blocks the calling thread until the thread whose join() method is called terminates – either normally or through an unhandled exception or until the optional timeout occurs.

When the timeout argument is present and not None, it should be a floating point number specifying a timeout for the operation in seconds (or fractions thereof). As join() always returns None, you must call is_alive() after join() to decide whether a timeout happened – if the thread is still alive, the join() call timed out.

When the timeout argument is not present or None, the operation will block until the thread terminates.

A thread can be join()ed many times.

join() raises a RuntimeError if an attempt is made to join the current thread as that would cause a deadlock. It is also an error to join() a thread before it has been started and attempts to do so raises the same exception.

property name¶

A string used for identification purposes only.

It has no semantics. Multiple threads may be given the same name. The initial name is set by the constructor.

property native_id¶

Native integral thread ID of this thread, or None if it has not been started.

This is a non-negative integer. See the get_native_id() function. This represents the Thread ID as reported by the kernel.

run()[source]¶

Method representing the thread’s activity.

You may override this method in a subclass. The standard run() method invokes the callable object passed to the object’s constructor as the target argument, if any, with sequential and keyword arguments taken from the args and kwargs arguments, respectively.

start()¶

Start the thread’s activity.

It must be called at most once per thread object. It arranges for the object’s run() method to be invoked in a separate thread of control.

This method will raise a RuntimeError if called more than once on the same thread object.