Project-based Authentication
In large enterprises with multiple teams and departments, it's often necessary to restrict resources to specific users or groups, ensuring that the right people have access to the appropriate resources. In Seldon Enterprise Platform, this can be achieved by defining namespace or project-based access controls within an OPA policy ConfigMap called seldon-deploy-policies. This setup allows granting users or groups access to specific deployments or models within a namespace or project. For example, a data science team may have access to all models within a specific project, while a DevOps team may have access across all namespaces.
Prerequisites
Install PostgreSQL.
Configure Authentication.
Enable Open Policy Agent authorization, along with project-based auth.
Policies Setup
In this demo, you can use an OIDC provider for authentication, with two pre-configured users, alice and bob, who both belong to the data-scientist group. You need to set up the following permissions:
Members of the data-scientist group should have read-write access to all namespaces.
All users should have read-write access to the default project.
User alice should have read-write access to the iris and income projects.
User bob should have read-only access to the income project.
These permissions are reflected in the following seldon-deploy-policies ConfigMap:
apiVersion: v1
kind: ConfigMap
metadata:
  name: seldon-deploy-policies
  namespace: seldon-system
data:
  data: |-
    {
      "role_grants": {
        "data-scientist": [
          {
            "action": "read",
            "resource": "namespace/*"
          },
          {
            "action": "write",
            "resource": "namespace/*"
          }
        ],
        "system-admin": [
          {
            "resource": "system/iam",
            "action": "write"
          },
          {
            "resource": "system/iam",
            "action": "read"
          }
        ]
      },
      "user_grants": {
        "*": [
          {
            "action": "read",
            "resource": "project/default"
          },
          {
            "action": "write",
            "resource": "project/default"
          }
        ],
        "service-account-sd-api": [
          {
            "resource": "namespace/*",
            "action": "write"
          },
          {
            "resource": "namespace/*",
            "action": "read"
          },
          {
            "action": "read",
            "resource": "project/*"
          },
          {
            "action": "write",
            "resource": "project/*"
          }
        ],
        "alice": [
          {
            "action": "read",
            "resource": "project/iris"
          },
          {
            "action": "write",
            "resource": "project/iris"
          },
          {
            "action": "read",
            "resource": "project/income"
          },
          {
            "action": "write",
            "resource": "project/income"
          }
        ],
        "bob": [
          {
            "action": "read",
            "resource": "project/income"
          }
        ],
        "admin": [
          {
            "action": "read",
            "resource": "project/*"
          },
          {
            "action": "write",
            "resource": "project/*"
          },
          {
            "resource": "namespace/*",
            "action": "write"
          },
          {
            "resource": "namespace/*",
            "action": "read"
          },
          {
            "resource": "system/iam",
            "action": "write"
          },
          {
            "resource": "system/iam",
            "action": "read"
          }
        ]
      }
    }
Confirm Policies Are Working
Log in as alice.
Go to the Model Catalog page and create the following models. For more details, see Model Catalog:
|   | Name | URI | Project | Artifact type |
|---|------|-----|---------|---------------|
| 1 | Iris | gs://seldon-models/scv2/samples/mlserver_1.6.0/iris-sklearn | default | SciKit Learn |
| 2 | Iris | gs://seldon-models/scv2/samples/mlserver_1.6.0/iris-sklearn | iris | SciKit Learn |
| 2 | Income | gs://seldon-models/scv2/samples/mlserver_1.6.0/income-sklearn/classifier | income | SciKit Learn |
Your Model Catalog page should look similar to the following:
[Image: Model Catalog page showing all three newly created models]
Create a Seldon ML Pipeline from each of these models using the Deploy option in the Model Catalog page. Make sure to set the deployment type as Seldon ML Pipeline in the Deployment Creation Wizard. The pipeline names could be:
iris-default
iris-iris
income
Your Overview page should look similar to the following now:
[Image: Overview page showing all three newly created Seldon Deployments]
Log out from the alice profile and log in as bob.
Confirm you only see the deployments income and iris-default, because bob does not have any access to the iris project.
[Image: Overview page showing only the deployments using models in the default and income projects]
Navigate to the Model Catalog page and verify that you only see the models in the default and income projects, but not the iris project.
[Image: Model Catalog page showing only the models in the default and income projects]
Verify that you cannot delete or modify the income model in the Model Catalog, because bob has only read permissions on the income project.
[Image: Bob cannot delete the model that is part of the income project due to lack of permissions]
[Image: Bob cannot modify the model that is part of the income project due to lack of permissions]
In the Overview page, click the income deployment, and in the Dashboard page, confirm that you cannot delete or modify the deployment.
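
The outcomes this walkthrough confirms by hand can also be checked offline against the policy JSON before the ConfigMap is applied, so that a later edit which widens access is caught early. The following is an added example, not Seldon's code or its OPA policy: it assumes grants are additive and that * matches any user or resource name, it checks one resource string at a time (it does not model how the platform combines namespace and project decisions), and is_allowed, policy_drift and the other names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Trimmed, constructed copy of the JSON stored under data.data in the ConfigMap.
POLICY = json.loads("""{
  "role_grants": {"data-scientist": [
    {"action": "read", "resource": "namespace/*"},
    {"action": "write", "resource": "namespace/*"}]},
  "user_grants": {
    "*": [{"action": "read", "resource": "project/default"},
          {"action": "write", "resource": "project/default"}],
    "alice": [{"action": "read", "resource": "project/iris"},
              {"action": "write", "resource": "project/iris"},
              {"action": "read", "resource": "project/income"},
              {"action": "write", "resource": "project/income"}],
    "bob": [{"action": "read", "resource": "project/income"}]}
}""")

GROUPS = ("data-scientist",)  # alice and bob both belong to this group
# Outcomes the walkthrough expects, keyed by (user, action, resource).
EXPECTED = {
    ("alice", "write", "project/iris"): True,
    ("bob", "read", "project/income"): True,
    ("bob", "write", "project/income"): False,  # read-only on income
    ("bob", "read", "project/iris"): False,     # no access to iris
    ("bob", "write", "project/default"): True,  # via the "*" user entry
}


def is_allowed(policy, user, groups, action, resource):
    """Assumed semantics: grants are additive and '*' matches any name."""
    users, roles = policy.get("user_grants", {}), policy.get("role_grants", {})
    grants = users.get("*", []) + users.get(user, [])
    for group in groups:
        grants = grants + roles.get(group, [])
    return any(g["action"] == action and fnmatchcase(resource, g["resource"])
               for g in grants)


def policy_drift(policy, expected, groups=GROUPS):
    """List the checks whose computed result differs from the expected one."""
    return [key for key, want in expected.items()
            if is_allowed(policy, key[0], groups, key[1], key[2]) != want]


if __name__ == "__main__":
    print("mismatches:", policy_drift(POLICY, EXPECTED))
```

An empty list means the policy still produces the access the walkthrough expects; any entry names a user, action and resource whose result changed.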
