Project-based Authentication

Prerequisites

Install PostgreSQL.
Configure Authentication .
Enable Open Policy Agent authorization, along with project-based auth.

Policies Setup

In this demo, you can use an OIDC provider for authentication, with two pre-configured users, alice and bob, who both belong to the data-scientist group. You need to set up the following permissions:

Members of the data-scientist group should have read-write access to all namespaces.
All users should have read-write access to the default project.
User alice should have read-write access to the iris and income projects.
User bob should have read-only access to the income project.

These permissions are reflected in the following seldon-deploy-policies ConfigMap:

Confirm Policies Are Working

Log in as alice.
Go to the Model Catalog page and create the following models. For more details, see Model Catalog:
Name
URI
Project
Artifact type
1
Iris
gs://seldon-models/scv2/samples/mlserver_1.6.0/iris-sklearn
default
SciKit Learn
2
Iris
gs://seldon-models/scv2/samples/mlserver_1.6.0/iris-sklearn
iris
SciKit Learn
2
Income
gs://seldon-models/scv2/samples/mlserver_1.6.0/income-sklearn/classifier
income
SciKit Learn
Your Model Catalog page should look similar to the following:
Create a Seldon ML Pipeline from each of these models using the Deploy option in the Model Catalog page. Make sure to set the deployment type as Seldon ML Pipeline in the Deployment Creation Wizard.
The pipeline names could be:
- iris-default
- iris-iris
- income
Your Overview page should look similar to the following now:
Log out from the alice profile and log in as bob.
Confirm you only see the deployments income and iris-default, because bob does not have any access to the iris project,
Navigate to the Model Catalog page and verify that you only see the models in the default and income projects, but not the iris project.
Verify that you cannot delete or modify the income model in the Model Catalog, because bob has only read permissions on the income project.
In the Overview page, click the income deployment, and in the Dashboard page, confirm that you cannot delete or modify the deployment.

PreviousModel Catalog NextSeldon Core 2

Last updated 11 days ago

Policies Setup

Members of the data-scientist group should have read-write access to all namespaces.

All users should have read-write access to the default project.

User alice should have read-write access to the iris and income projects.

User bob should have read-only access to the income project.

These permissions are reflected in the following seldon-deploy-policies ConfigMap:

Confirm Policies Are Working

Go to the Model Catalog page and create the following models. For more details, see Model Catalog:

Name

URI

Project

Artifact type

Iris

gs://seldon-models/scv2/samples/mlserver_1.6.0/iris-sklearn

default

SciKit Learn

Iris

gs://seldon-models/scv2/samples/mlserver_1.6.0/iris-sklearn

iris

SciKit Learn

Income

gs://seldon-models/scv2/samples/mlserver_1.6.0/income-sklearn/classifier

income

SciKit Learn

Your Model Catalog page should look similar to the following:

Create a Seldon ML Pipeline from each of these models using the Deploy option in the Model Catalog page. Make sure to set the deployment type as Seldon ML Pipeline in the Deployment Creation Wizard.

The pipeline names could be:

iris-default
iris-iris
income

Your Overview page should look similar to the following now:

Log out from the alice profile and log in as bob.

Confirm you only see the deployments income and iris-default, because bob does not have any access to the iris project,

Navigate to the Model Catalog page and verify that you only see the models in the default and income projects, but not the iris project.

Verify that you cannot delete or modify the income model in the Model Catalog, because bob has only read permissions on the income project.

In the Overview page, click the income deployment, and in the Dashboard page, confirm that you cannot delete or modify the deployment.

apiVersion: v1 kind: ConfigMap metadata: name: seldon-deploy-policies namespace: seldon-system data: data: |- { "role_grants": { "data-scientist": [ { "action": "read", "resource": "namespace/*" }, { "action": "write", "resource": "namespace/*" } ], "system-admin": [ { "resource": "system/iam", "action": "write" }, { "resource": "system/iam", "action": "read" } ] }, "user_grants": { "*": [ { "action": "read", "resource": "project/default" }, { "action": "write", "resource": "project/default" } ], "service-account-sd-api": [ { "resource": "namespace/*", "action": "write" }, { "resource": "namespace/*", "action": "read" }, { "action": "read", "resource": "project/*" }, { "action": "write", "resource": "project/*" } ], "alice": [ { "action": "read", "resource": "project/iris" }, { "action": "write", "resource": "project/iris" }, { "action": "read", "resource": "project/income" }, { "action": "write", "resource": "project/income" } ], "bob": [ { "action": "read", "resource": "project/income" } ], "admin": [ { "action": "read", "resource": "project/*" }, { "action": "write", "resource": "project/*" }, { "resource": "namespace/*", "action": "write" }, { "resource": "namespace/*", "action": "read" }, { "resource": "system/iam", "action": "write" }, { "resource": "system/iam", "action": "read" } ] } }