Authorization
Configure authorization for Seldon Enterprise Platform and Seldon Core
Authorization is a recommended but optional feature. It can be enabled later on, should you choose not to use it initially.
To enable OPA authorization in Seldon Enterprise Platform, set the following values in the install-values.yaml file:
Seldon Enterprise Platform uses the OPA policies in the given ConfigMap to authorize requests to its API endpoints.
For a detailed explanation of the policy schema and how to set up the ConfigMap, follow the .
Access to Seldon Core deployments can be configured to require authorization. Seldon Enterprise Platform does this by managing Istio AuthorizationPolicy resources on your behalf. It is assumed that you are running Istio with sidecar injection disabled.
To enable Seldon Enterprise Platform to manage Istio authorization policies, set the Helm parameter rbac.opa.istioPolicySyncInterval to a strictly positive duration; this is the interval at which the platform synchronises the AuthorizationPolicy resources it owns. The suggested interval is 5 minutes, written 5m.
You first need to add a RequestAuthentication resource so that Istio authenticates incoming requests. The resource looks like this:
REPLACE_ME_URI_FOR_TOKEN_ISSUER_JWKS is the URI from which Istio fetches the issuer's JWKS in order to verify the signatures of incoming tokens. Alternatively, you can embed the key set directly by using jwks instead of jwksUri in the jwtRules section of the resource, as described in the .
REPLACE_ME_TOKEN_ISSUER must be identical to the issuer (iss) claim of the tokens used to access Seldon Enterprise Platform. Istio compares the issuer string exactly, so include the scheme and any trailing path exactly as they appear in the token.
Then you can add a couple of AuthorizationPolicy resources to allow token-less access to the rest of the platform, but forbid requests with no token to Seldon Core deployments. This second policy is required because a RequestAuthentication on its own only rejects requests that carry an invalid token; requests that carry no token at all pass through unless an AuthorizationPolicy denies them. The policies can be modified to better fit your platform's needs.
If you run Keycloak in the same cluster as Seldon Enterprise Platform, the configuration is slightly different, so that Keycloak remains reachable for authentication and user management. The RequestAuthentication resource then has two issuer rules: one for Seldon, as before, and another for Keycloak administrative access. There is also an additional AuthorizationPolicy for access to Keycloak. In the following content, REPLACE_ME_KEYCLOAK_ADDRESS is the IP address or the URI of Keycloak. Further information on this parameter can be found in the .