Project Based Authorization

Pre-requisites

Setup

  • Set the policies in the seldon-deploy-policies ConfigMap as shown here:

cat << EOF | kubectl apply -n seldon-system -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: seldon-deploy-policies
data:
  data: '{
  "role_grants": {
    "data-scientist": [
      {
        "resource": "project/iris",
        "action": "read"
      }
    ]
  },
  "user_grants": {
    "*": [
      {
        "resource": "namespace/seldon",
        "action": "read"
      },
      {
        "resource": "namespace/seldon",
        "action": "write"
      },
      {
        "resource": "project/default",
        "action": "read"
      },
      {
        "resource": "project/default",
        "action": "write"
      }
    ],
    "alice": [
      {
        "resource": "project/income",
        "action": "write"
      },
      {
        "resource": "project/income",
        "action": "read"
      },
      {
        "resource": "project/iris",
        "action": "read"
      },
      {
        "resource": "project/iris",
        "action": "write"
      }
    ]
  }
}'
EOF

Note that the wildcard entry (*) under user_grants gives every user read and write access to the seldon namespace and the default project. Seldon Deploy should pick up changes to the ConfigMap automatically after a few seconds; to reload the policies immediately, restart the Seldon Deploy pod.

Confirm Policies Are Working

  1. Log in as alice.


  2. Go to the Model Catalog page and create the following models:

    1. URI: gs://seldon-models/scv2/samples/rolling/iris/v1

      Project: default

      Artifact Type: SciKit Learn

    2. URI: gs://seldon-models/scv2/samples/rolling/iris/v1

      Project: iris

      Artifact Type: SciKit Learn

    3. URI: gs://seldon-models/scv2/examples/mlserver_1.2.3/income/classifier

      Project: income

      Artifact Type: SciKit Learn


  3. Create a pipeline from each of these models using the Deploy functionality from the Model Catalog. Make sure to change from the default deployment type to Seldon ML Pipeline. Confirm all three deployments are shown in the Overview tab.

    The pipeline names could be:

    • iris-default

    • iris-iris

    • income


  4. Log out from the alice profile and log in as bob.


  5. Confirm you only see the pipelines in the default and iris projects, but not the income project.


  6. Confirm you only see the models in the default and iris projects in the model catalog, but not the income one.


  7. Confirm that you cannot delete or modify the iris model in the model catalog, since bob has only read permissions on the iris project.

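To review the policy before applying it, the sketch below computes each user's effective access from the JSON above and lists what the wildcard entry lets every user modify. It is an added example, not Seldon Deploy code. It assumes that grants are the union of the "*" entry, the user's own entry and the entries for the user's roles, and that bob holds the data-scientist role (the page does not state either, but both match the results in steps 5 to 7).

```python
import json

# Policy JSON from the ConfigMap above, compacted (same grants).
POLICY = json.loads("""
{"role_grants": {"data-scientist": [
   {"resource": "project/iris", "action": "read"}]},
 "user_grants": {
   "*": [{"resource": "namespace/seldon", "action": "read"},
         {"resource": "namespace/seldon", "action": "write"},
         {"resource": "project/default", "action": "read"},
         {"resource": "project/default", "action": "write"}],
   "alice": [{"resource": "project/income", "action": "write"},
             {"resource": "project/income", "action": "read"},
             {"resource": "project/iris", "action": "read"},
             {"resource": "project/iris", "action": "write"}]}}
""")

def effective_grants(policy, user, roles=()):
    """Union of wildcard, per-user and per-role grants (assumed semantics)."""
    users = policy.get("user_grants", {})
    by_role = policy.get("role_grants", {})
    grants = users.get("*", []) + users.get(user, [])  # new list, policy untouched
    for role in roles:
        grants += by_role.get(role, [])
    return {(g["resource"], g["action"]) for g in grants}

def is_allowed(policy, user, roles, resource, action):
    """True if the (resource, action) pair is among the user's effective grants."""
    return (resource, action) in effective_grants(policy, user, roles)

def wildcard_writes(policy):
    """Resources that the '*' entry lets every user modify."""
    grants = policy.get("user_grants", {}).get("*", [])
    return sorted(g["resource"] for g in grants if g["action"] == "write")

if __name__ == "__main__":
    # bob's role membership is an assumption; the page does not list it.
    for user, roles in (("alice", []), ("bob", ["data-scientist"])):
        for project in ("default", "iris", "income"):
            acts = [a for a in ("read", "write")
                    if is_allowed(POLICY, user, roles, f"project/{project}", a)]
            print(f"{user:6} project/{project:8} {'+'.join(acts) or 'none'}")
    print("writable by every user:", wildcard_writes(POLICY))
```

Running it prints an access matrix to compare against what bob and alice see in the UI. Any resource listed as writable by every user deserves a deliberate decision before the ConfigMap is applied.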