Project Based Authorization

Pre-requisites

Ensure PostgreSQL has been installed.
Ensure Open Policy Agent authorization is enabled, along with project-based auth.

Setup

Set the policies in the seldon-deploy-policy ConfigMap as shown here:

cat << EOF | kubectl apply -n seldon-system -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: seldon-deploy-policies
data:
  data: '{
      "role_grants": {
        "data-scientist": [
          {
            "resource": "project/iris",
            "action": "read"
          }
        ]
      },
      "user_grants": {
        "*": [
          {
            "resource": "namespace/seldon",
            "action": "read"
          },
          {
            "resource": "namespace/seldon",
            "action": "write"
          },
          {
            "resource": "project/default",
            "action": "read"
          },
          {
            "resource": "project/default",
            "action": "write"
          }
        ],
        "alice": [
          {
            "resource": "project/income",
            "action": "write"
          },
          {
            "resource": "project/income",
            "action": "read"
          },
          {
            "resource": "project/iris",
            "action": "read"
          },
          {
            "resource": "project/iris",
            "action": "write"
          }
        ]
      }
    }'
EOF

Note how all users (*) will have access to the seldon namespace and default project.

Seldon Deploy should automatically pick up the changes in the ConfigMap after a few seconds, but if you want to reload it immediately you can restart the Seldon Deploy pod.

Create two users. If using the reference installation with Keycloak, you can create a user as described in the official documentation and you can assign them to a group as described there as well.

If using Keycloak as shown in the reference installation documentation, the admin panel can be found at http://$DEPLOY_IP/auth/. Note that you might have to create the data-scientist group first.

The two users must be:

  alice, with no groups associated with her. According to the policies above, she will have read/write access to 3 projects: default, iris, and income.

  bob, in the data-scientist group. According to the policies above, he will have read/write access only to the default project, and read-only access to the iris project.
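
The access stated above for alice and bob can be checked offline against the policy document before it is applied. This is an added example, not Seldon Deploy's own code: the function names are hypothetical, and it assumes grants are additive (the * entry, the user's own entry, and the role_grants entry for each of the user's groups are unioned), which matches the outcomes described on this page.

```python
import json

# Policy document copied from the ConfigMap shown on this page.
POLICY = json.loads("""
{
  "role_grants": {"data-scientist": [{"resource": "project/iris", "action": "read"}]},
  "user_grants": {
    "*": [
      {"resource": "namespace/seldon", "action": "read"},
      {"resource": "namespace/seldon", "action": "write"},
      {"resource": "project/default", "action": "read"},
      {"resource": "project/default", "action": "write"}
    ],
    "alice": [
      {"resource": "project/income", "action": "write"},
      {"resource": "project/income", "action": "read"},
      {"resource": "project/iris", "action": "read"},
      {"resource": "project/iris", "action": "write"}
    ]
  }
}
""")

def effective(policy, user, groups=()):
    """Assumed model: union of '*' grants, the user's grants and each group's role grants."""
    users = policy.get("user_grants", {})
    roles = policy.get("role_grants", {})
    grants = users.get("*", []) + users.get(user, [])
    for group in groups:
        grants = grants + roles.get(group, [])
    access = {}
    for g in grants:
        access.setdefault(g["resource"], set()).add(g["action"])
    return access

def wildcard_writes(policy):
    """Resources that every authenticated user can write to via the '*' entry."""
    return sorted(g["resource"] for g in policy.get("user_grants", {}).get("*", []) if g["action"] == "write")

if __name__ == "__main__":
    for user, groups in (("alice", ()), ("bob", ("data-scientist",))):
        for resource, actions in sorted(effective(POLICY, user, groups).items()):
            print(user, resource, sorted(actions))
    print("writable by every user:", wildcard_writes(POLICY))
```

Reviewing the wildcard_writes output before applying a policy makes it easy to spot write access that was granted to all users unintentionally.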

Confirm Policies Are Working

Log in as alice.

Go to the Model Catalog page and create the following models:

  URI: gs://seldon-models/v1.16.0/sklearn/iris
  Project: default
  Artifact Type: SciKit Learn

  URI: gs://seldon-models/v1.16.0/sklearn/iris
  Project: iris
  Artifact Type: SciKit Learn

  URI: gs://seldon-models/sklearn/income/model-0.23.2
  Project: income
  Artifact Type: SciKit Learn

Create a deployment from each of these models using the Deploy functionality from the Model Catalog. Confirm all three deployments are shown in the Overview tab. The deployment names could be:

  iris-default
  iris-iris
  income

Log out from the alice profile and log in as bob.

Confirm you only see the deployments in the default and iris projects, but not the income project.

Confirm you only see the models in the default and iris projects in the model catalog, but not the income one.

Confirm that you cannot delete or modify the iris model in the model catalog, since bob has only read permissions on the iris project.