Project-based Authentication

In large enterprises with multiple teams and departments, it is often necessary to restrict resources to specific users or groups so that the right people have access to the appropriate resources. In Seldon Enterprise Platform, this is achieved by defining namespace-based or project-based access controls in an OPA policy ConfigMap called seldon-deploy-policies. This setup lets you grant users or groups access to specific deployments or models within a namespace or project. For example, a data science team may have access to all models within a specific project, while a DevOps team may have access across all namespaces.

Prerequisites

Policies Setup

In this demo, you can use an OIDC provider for authentication, with two pre-configured users, alice and bob, who both belong to the data-scientist group. You need to set up the following permissions:

  • Members of the data-scientist group should have read-write access to all namespaces.

  • All users should have read-write access to the default project.

  • User alice should have read-write access to the iris and income projects.

  • User bob should have read-only access to the income project.

These permissions are reflected in the following seldon-deploy-policies ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: seldon-deploy-policies
  namespace: seldon-system
data:
  data: |-
    {
      "role_grants": {
        "data-scientist": [
          {
            "action": "read",
            "resource": "namespace/*"
          },
          {
            "action": "write",
            "resource": "namespace/*"
          }
        ],
        "system-admin": [
          {
            "resource": "system/iam",
            "action": "write"
          },
          {
            "resource": "system/iam",
            "action": "read"
          }
        ]
      },
      "user_grants": {
        "*": [
          {
            "action": "read",
            "resource": "project/default"
          },
          {
            "action": "write",
            "resource": "project/default"
          }
        ],
        "service-account-sd-api": [
          {
            "resource": "namespace/*",
            "action": "write"
          },
          {
            "resource": "namespace/*",
            "action": "read"
          },
          {
            "action": "read",
            "resource": "project/*"
          },
          {
            "action": "write",
            "resource": "project/*"
          }
        ],
        "alice": [
          {
            "action": "read",
            "resource": "project/iris"
          },
          {
            "action": "write",
            "resource": "project/iris"
          },
          {
            "action": "read",
            "resource": "project/income"
          },
          {
            "action": "write",
            "resource": "project/income"
          }
        ],
        "bob": [
          {
            "action": "read",
            "resource": "project/income"
          }
        ],
        "admin": [
          {
            "action": "read",
            "resource": "project/*"
          },
          {
            "action": "write",
            "resource": "project/*"
          },
          {
            "resource": "namespace/*",
            "action": "write"
          },
          {
            "resource": "namespace/*",
            "action": "read"
          },
          {
            "resource": "system/iam",
            "action": "write"
          },
          {
            "resource": "system/iam",
            "action": "read"
          }
        ]
      }
    }
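The following is an added example, not code from Seldon or from this page, that models how the grants in the ConfigMap above resolve for a given user. It carries the same grants as data.data, condensed with a small rw() helper, and it encodes the behaviour the text describes: grants under the "*" user key apply to everyone, role_grants apply to members of the named group, and a trailing * in a resource (namespace/*, project/*) matches any name. The matching rules, the load_policy validator, and the readable_projects helper are assumptions for illustration; the platform's own OPA (Rego) policy is not shown on this page.

```python
"""Added example: how seldon-deploy-policies grants resolve for a user.

The grant data is the same as the ConfigMap's data.data above. The
resolution rules (union of "*", per-user and per-group grants; shell-style
wildcard on the resource) are an assumption for illustration, not Seldon's
Rego source.
"""
import json
from fnmatch import fnmatchcase

ACTIONS = ("read", "write")


def rw(resource):
    """Read and write grants on one resource pattern."""
    return [{"action": a, "resource": resource} for a in ACTIONS]


# Same grants as the ConfigMap above, condensed with rw().
POLICY = {
    "role_grants": {
        "data-scientist": rw("namespace/*"),
        "system-admin": rw("system/iam"),
    },
    "user_grants": {
        "*": rw("project/default"),
        "service-account-sd-api": rw("namespace/*") + rw("project/*"),
        "alice": rw("project/iris") + rw("project/income"),
        "bob": [{"action": "read", "resource": "project/income"}],
        "admin": rw("project/*") + rw("namespace/*") + rw("system/iam"),
    },
}


def load_policy(configmap_data):
    """Parse the JSON string held in data.data and check its shape.

    Rejects grants that are missing a key or use an action other than
    read/write, so a typo is caught before the ConfigMap is applied.
    """
    policy = json.loads(configmap_data)
    for section in ("role_grants", "user_grants"):
        for principal, grants in policy.get(section, {}).items():
            for grant in grants:
                if set(grant) != {"action", "resource"}:
                    raise ValueError(
                        f"{section}/{principal}: grant needs exactly action and resource"
                    )
                if grant["action"] not in ACTIONS:
                    raise ValueError(
                        f"{section}/{principal}: unknown action {grant['action']!r}"
                    )
    return policy


def applicable_grants(policy, user, groups):
    """Grants for everyone ("*"), for the user, and for each of the user's groups."""
    grants = list(policy["user_grants"].get("*", []))
    grants += policy["user_grants"].get(user, [])
    for group in groups:
        grants += policy["role_grants"].get(group, [])
    return grants


def allowed(policy, user, groups, action, resource):
    """True if any applicable grant covers the action on the resource.

    fnmatchcase gives the shell-style wildcard: "project/*" covers
    "project/income", while "project/income" covers only itself.
    """
    return any(
        g["action"] == action and fnmatchcase(resource, g["resource"])
        for g in applicable_grants(policy, user, groups)
    )


def readable_projects(policy, user, groups, projects):
    """Projects whose models and deployments the user can see."""
    return [
        p for p in projects
        if allowed(policy, user, groups, "read", f"project/{p}")
    ]


if __name__ == "__main__":
    groups = ["data-scientist"]
    print(readable_projects(POLICY, "bob", groups, ["default", "iris", "income"]))
    print(allowed(POLICY, "bob", groups, "write", "project/income"))
```

Run against the walkthrough's users, this predicts what the verification steps below show: bob sees the default and income projects but not iris, can read but not write project/income, and still has read-write access to every namespace through the data-scientist role grant, while alice can write to both iris and income.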

Confirm Policies Are Working

  1. Log in as alice.

  2. Go to the Model Catalog page and create the following models. For more details, see Model Catalog:

    #   Name     URI                                                                        Project   Artifact type
    1   Iris     gs://seldon-models/scv2/samples/mlserver_1.6.0/iris-sklearn                default   SciKit Learn
    2   Iris     gs://seldon-models/scv2/samples/mlserver_1.6.0/iris-sklearn                iris      SciKit Learn
    3   Income   gs://seldon-models/scv2/samples/mlserver_1.6.0/income-sklearn/classifier   income    SciKit Learn

    Your Model Catalog page should look similar to the following:

    Model Catalog page showing all three newly created models
  3. Create a Seldon ML Pipeline from each of these models using the Deploy option in the Model Catalog page. Make sure to set the deployment type as Seldon ML Pipeline in the Deployment Creation Wizard.

    The pipeline names could be:

    • iris-default

    • iris-iris

    • income

    Your Overview page should look similar to the following now:

    Overview page showing all three newly created Seldon Deployments
  4. Log out from the alice profile and log in as bob.

  5. Confirm that you see only the deployments income and iris-default, because bob does not have any access to the iris project.

    Overview page showing only the deployments using models in the default and income projects
  6. Navigate to the Model Catalog page and verify that you only see the models in the default and income projects, but not the iris project.

    Model Catalog page showing only the models in the default and income projects
  7. Verify that you cannot delete or modify the income model in the Model Catalog, because bob has only read permissions on the income project.

    Bob cannot delete the model that is part of the income project due to lack of permissions
    Bob cannot modify the model that is part of the income project due to lack of permissions
  8. In the Overview page, click the income deployment, and in the Dashboard page, confirm that you cannot delete or modify the deployment.

    Bob cannot delete the deployment that is part of the income project due to lack of permissions
