| 95 | |
| 96 | |
| 97 | class RemoteRegistry(BaseRegistry): |
| 98 | def __init__( |
| 99 | self, |
| 100 | registry_config: Union[RegistryConfig, RemoteRegistryConfig], |
| 101 | project: str, |
| 102 | repo_path: Optional[Path], |
| 103 | auth_config: AuthConfig = NoAuthConfig(), |
| 104 | ): |
| 105 | self.auth_config = auth_config |
| 106 | assert isinstance(registry_config, RemoteRegistryConfig) |
| 107 | self.channel = self._create_grpc_channel(registry_config) |
| 108 | weakref.finalize(self, self.channel.close) |
| 109 | |
| 110 | auth_header_interceptor = GrpcClientAuthHeaderInterceptor(auth_config) |
| 111 | self.channel = grpc.intercept_channel(self.channel, auth_header_interceptor) |
| 112 | self.stub = RegistryServer_pb2_grpc.RegistryServerStub(self.channel) |
| 113 | |
| 114 | def _create_grpc_channel(self, registry_config): |
| 115 | assert isinstance(registry_config, RemoteRegistryConfig) |
| 116 | if registry_config.cert or registry_config.is_tls: |
| 117 | cafile = ( |
| 118 | registry_config.cert |
| 119 | or os.getenv("SSL_CERT_FILE") |
| 120 | or os.getenv("REQUESTS_CA_BUNDLE") |
| 121 | ) |
| 122 | if not cafile: |
| 123 | raise EnvironmentError( |
| 124 | "SSL_CERT_FILE or REQUESTS_CA_BUNDLE environment variable must be set to use secure TLS or set the cert parameter in feature_Store.yaml file under remote registry configuration." |
| 125 | ) |
| 126 | if (registry_config.client_cert and not registry_config.client_key) or ( |
| 127 | not registry_config.client_cert and registry_config.client_key |
| 128 | ): |
| 129 | raise ValueError( |
| 130 | "Both client_cert and client_key must be provided for mTLS. " |
| 131 | "Only one was set in the remote registry configuration." |
| 132 | ) |
| 133 | |
| 134 | with open(cafile, "rb") as cert_file: |
| 135 | trusted_certs = cert_file.read() |
| 136 | private_key: Optional[bytes] = None |
| 137 | certificate_chain: Optional[bytes] = None |
| 138 | if registry_config.client_cert and registry_config.client_key: |
| 139 | with open(registry_config.client_key, "rb") as key_file: |
| 140 | private_key = key_file.read() |
| 141 | with open(registry_config.client_cert, "rb") as cert_file: |
| 142 | certificate_chain = cert_file.read() |
| 143 | tls_credentials = grpc.ssl_channel_credentials( |
| 144 | root_certificates=trusted_certs, |
| 145 | private_key=private_key, |
| 146 | certificate_chain=certificate_chain, |
| 147 | ) |
| 148 | |
| 149 | options = [] |
| 150 | if registry_config.authority: |
| 151 | options.append(("grpc.default_authority", registry_config.authority)) |
| 152 | |
| 153 | return grpc.secure_channel( |
| 154 | registry_config.path, tls_credentials, options=options |
no outgoing calls