Authorization

User Authorization

Once a user is authenticated, their requests can be authorized based on their permissions. The user information from the OIDC token identifies the user by their ID and by the groups they belong to. Permissions can be defined both at user level and at group level.

Resources in Deploy are grouped into two categories:

  • Namespace based resources - resources that belong to a specific Kubernetes namespace. This includes all Seldon Deployments and Inference Services running in Deploy. Every endpoint and UI action that reads or modifies a namespaced resource can be authorized based on the user's permissions for that namespace.

  • Project based resources - the models stored in the Model Catalog and the deployments that use these models.

Currently, there are two ways of defining permissions on the various resources served by Seldon Deploy.

Kubernetes Namespace Labels

As described on the namespace visibility page, a Kubernetes namespace can be labelled to denote who has access to it. Before serving a request for a namespaced resource, Seldon Deploy checks that the namespace labels grant the requesting user the required permissions.

Namespace labels authorize only requests to namespace based resources. For a more complete authorization solution, see the Open Policy Agent policies.

Open Policy Agent policies

Seldon Deploy can use Open Policy Agent (OPA) policies to determine whether a user has access to a resource. OPA is a popular open-source technology for defining flexible cloud-native policies. To enable it, follow the installation guide. This is an experimental feature.

OPA policies can be used to authorize both namespace based resources and project based resources.
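The following is an added illustration of the two authorization sources described above (namespace labels and OPA policies); it is not Seldon Deploy's own code. The label keys `access-users` and `access-groups`, the rule shape, and the sample users and namespaces are assumptions constructed for the example; the real label keys are documented on the namespace visibility page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    """Identity taken from the OIDC token: user ID plus group membership."""
    id: str
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Rule:
    """One OPA-style allow rule (shape assumed for this example)."""
    subject: str   # "user:<id>" or "group:<name>"
    kind: str      # "namespace" or "project"
    scope: str     # namespace name, project name, or "*" for any

def _csv(labels, key):
    """Split a comma-separated label value into a set of names."""
    return {v.strip() for v in labels.get(key, "").split(",") if v.strip()}

def namespace_allows(user, labels):
    """Namespace-label check: the user is named directly or via a group.
    Label keys are hypothetical placeholders, not Deploy's real keys."""
    return (user.id in _csv(labels, "access-users")
            or bool(user.groups & _csv(labels, "access-groups")))

def policy_allows(user, rules, kind, scope):
    """OPA-style check: any rule matching the user (or a group) and the resource."""
    subjects = {f"user:{user.id}"} | {f"group:{g}" for g in user.groups}
    return any(r.subject in subjects and r.kind == kind and r.scope in (scope, "*")
               for r in rules)

def authorize(user, kind, scope, namespaces, rules):
    """Deny by default. Namespace labels cover only namespace based resources;
    a project based resource can be granted only by a policy rule."""
    if kind == "namespace" and namespace_allows(user, namespaces.get(scope, {})):
        return True
    return policy_allows(user, rules, kind, scope)

# Constructed sample data: one labelled namespace and one policy rule.
NAMESPACES = {"team-a": {"access-groups": "ml-team", "access-users": "dave"}}
RULES = [Rule("group:ml-team", "project", "fraud-model"),
         Rule("user:carol", "namespace", "*")]
ALICE = User("alice", frozenset({"ml-team"}))
BOB = User("bob")
CAROL = User("carol")
```

Alice reaches `team-a` through the group label, but her access to the `fraud-model` project comes only from the policy rule, which is the distinction the text draws between the two mechanisms.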

OPA policies will become the primary means of authorization in future releases. We are working on improving the support and functionality around IAM. If you have any feedback, please reach out to your Seldon representative.