Project Based Authorization

Pre-requisites

• Ensure PostgreSQL has been installed.

• Ensure Open Policy Agent authorization is enabled, along with project-based auth.

Setup

• Set the policies in the seldon-deploy-policy ConfigMap as shown here:

cat << EOF | kubectl apply -n seldon-system -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: seldon-deploy-policies
data:
  data: '{
  "role_grants": {
    "data-scientist": [
      {
        "resource": "project/iris",
        "action": "read"
      }
    ]
  },
  "user_grants": {
    "*": [
      {
        "resource": "namespace/seldon",
        "action": "read"
      },
      {
        "resource": "project/default",
        "action": "read"
      },
    ],
    "alice": [
      {
        "resource":"namespace/seldon",
        "action":"write"
      },
      {
        "resource": "project/default",
        "action": "write"
      }
      {
        "resource": "project/income",
        "action": "write"
      },
      {
        "resource": "project/income",
        "action": "read"
      },
      {
        "resource": "project/movie",
        "action": "read"
      },
      {
        "resource": "project/movie",
        "action": "write"
      }
    ]
  }
}'
EOF

Note how all users (*) will have access to the seldon namespace and default project. Seldon Deploy should automatically pick up the changes in the ConfigMap after a few seconds, but if you want to reload it immediately you can restart the Seldon Deploy pod.

• Create two users. If you’re using the reference installation with Keycloak, then you can create a user as described in the official documentation ,and you can assign them to a group as described there as well.

  If using Keycloak as shown in the reference installation documentation, the admin panel can be found at http://$DEPLOY_IP/auth/.

  Note that you might have to create the data-scientist group first.

  The two users must be:

  1. alice with no groups associated with her. According to the policies above, she will have read/write access to 3 projects - default, movie, and income.

  2. bob in the data-scientist group. According to the policies above, he will only have read access in projects default and iris and namespace seldon.

Confirm Policies Are Working

1. Log in as alice.

   

2. Go to the Model Catalog page and create the following models:

	URI	Project	Artifact type
1	gs://seldon-models/scv2/samples/rolling/iris/v1	default	SciKit Learn
2	gs://seldon-models/scv2/examples/mlserver_1.3.0/income/classifier	income	SciKit Learn
3	gs://seldon-models/scv2/examples/moviesentiment/classifierr	movie	SciKit Learn
4	gs://seldon-models/v1.15.0/sklearn/moviesentiment	default	SciKit Learn

1. Create a pipeline for the first 3 models using the Deploy functionality from the Model Catalog. Make sure to change from the default deployment type to Seldon ML Pipeline. Confirm all both deployments are shown in the Overview tab.

   The pipeline names could be:

   • iris-default

   • income-income

   • movie-movie

1. Log out from the alice profile and log in as bob.

   As you can see bob can only see the pipeline in the default project.

   

2. Confirm bob only sees models in the default project and not in income and movie

   

3. Confirm that bob can not edit model metadata

1. Confirm that bob can not delete a model