Project-based Authentication

In large enterprises with multiple teams and departments, it's often necessary to restrict resources to specific users or groups, ensuring that the right people have access to the appropriate resources. In Seldon Enterprise Platform, this can be achieved by defining namespace or project-based access controls within an OPA policy ConfigMap called seldon-deploy-policies. This setup allows granting users or groups access to specific deployments or models within a namespace or project. For example, a data science team may have access to all models within a specific project, while a DevOps team may have access across all namespaces.

Prerequisites

Install PostgreSQL.
Configure Authentication .
Enable Open Policy Agent authorization, along with project-based auth.

Policies Setup

In this demo, you can use an OIDC provider for authentication, with two pre-configured users, alice and bob, who both belong to the data-scientist group. You need to set up the following permissions:

Members of the data-scientist group should have read-write access to all namespaces.
All users should have read-write access to the default project.
User alice should have read-write access to the iris and income projects.
User bob should have read-only access to the income project.

These permissions are reflected in the following seldon-deploy-policies ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: seldon-deploy-policies
  namespace: seldon-system
data:
  data: |-
    {
      "role_grants": {
        "data-scientist": [
          {
            "action": "read",
            "resource": "namespace/*"
          },
          {
            "action": "write",
            "resource": "namespace/*"
          }
        ],
        "system-admin": [
          {
            "resource": "system/iam",
            "action": "write"
          },
          {
            "resource": "system/iam",
            "action": "read"
          }
        ]
      },
      "user_grants": {
        "*": [
          {
            "action": "read",
            "resource": "project/default"
          },
          {
            "action": "write",
            "resource": "project/default"
          }
        ],
        "service-account-sd-api": [
          {
            "resource": "namespace/*",
            "action": "write"
          },
          {
            "resource": "namespace/*",
            "action": "read"
          },
          {
            "action": "read",
            "resource": "project/*"
          },
          {
            "action": "write",
            "resource": "project/*"
          }
        ],
        "alice": [
          {
            "action": "read",
            "resource": "project/iris"
          },
          {
            "action": "write",
            "resource": "project/iris"
          },
          {
            "action": "read",
            "resource": "project/income"
          },
          {
            "action": "write",
            "resource": "project/income"
          }
        ],
        "bob": [
          {
            "action": "read",
            "resource": "project/income"
          }
        ],
        "admin": [
          {
            "action": "read",
            "resource": "project/*"
          },
          {
            "action": "write",
            "resource": "project/*"
          },
          {
            "resource": "namespace/*",
            "action": "write"
          },
          {
            "resource": "namespace/*",
            "action": "read"
          },
          {
            "resource": "system/iam",
            "action": "write"
          },
          {
            "resource": "system/iam",
            "action": "read"
          }
        ]
      }
    }

Confirm Policies Are Working

Log in as alice.
Go to the Model Catalog page and create the following models. For more details, see Model Catalog:
Name
URI
Project
Artifact type
1
Iris
gs://seldon-models/scv2/samples/mlserver_1.6.0/iris-sklearn
default
SciKit Learn
2
Iris
gs://seldon-models/scv2/samples/mlserver_1.6.0/iris-sklearn
iris
SciKit Learn
2
Income
gs://seldon-models/scv2/samples/mlserver_1.6.0/income-sklearn/classifier
income
SciKit Learn
Your Model Catalog page should look similar to the following:
Model Catalog page showing all three newly created models
Create a Seldon ML Pipeline from each of these models using the Deploy option in the Model Catalog page. Make sure to set the deployment type as Seldon ML Pipeline in the Deployment Creation Wizard.
The pipeline names could be:
- iris-default
- iris-iris
- income
Your Overview page should look similar to the following now:
Overview page showing all three newly created Seldon Deployments
Log out from the alice profile and log in as bob.
Confirm you only see the deployments income and iris-default, because bob does not have any access to the iris project,
Overview page showing only the deployments using models in the default and income projects
Navigate to the Model Catalog page and verify that you only see the models in the default and income projects, but not the iris project.
Model Catalog page showing only the models in the default and income projects
Verify that you cannot delete or modify the income model in the Model Catalog, because bob has only read permissions on the income project.
Bob cannot delete the model that is part of the income project due to lack of permissions
Bob cannot modify the model that is part of the income project due to lack of permissions
In the Overview page, click the income deployment, and in the Dashboard page, confirm that you cannot delete or modify the deployment.

PreviousModel Catalog NextSeldon Core 2

Last updated 8 months ago

Was this helpful?