Project Based Authorization

Pre-requisites

• Ensure PostgreSQL has been installed.

• Ensure Authentication is enabled.

• Ensure Open Policy Agent authorization is enabled, along with project-based auth.

Policies Setup

This demo assumes the existence of two users in your OIDC provider: alice and bob.

• Both alice and bob belong to the data-scientist group.

• From the role grants, they both get read-write access to all namespaces and the default project.

In addition:

• alice has read-write access to the iris and income projects.

• bob has read-only access to the income project.

These permissions are reflected in the following seldon-deploy-policies ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: seldon-deploy-policies
  namespace: seldon-system
data:
  data: |-
    {
      "role_grants": {
        "data-scientist": [
          {
            "action": "read",
            "resource": "namespace/*"
          },
          {
            "action": "write",
            "resource": "namespace/*"
          },
          {
            "action": "read",
            "resource": "project/default"
          },
          {
            "action": "write",
            "resource": "project/default"
          }
        ]
      },
      "user_grants": {
        "alice": [
          {
            "action": "read",
            "resource": "project/iris"
          },
          {
            "action": "write",
            "resource": "project/iris"
          },
          {
            "action": "read",
            "resource": "project/income"
          },
          {
            "action": "write",
            "resource": "project/income"
          }
        ],
        "bob": [
          {
            "action": "read",
            "resource": "project/income"
          }
        ]
      }
    }

Confirm Policies Are Working

1. Log in as alice.

2. Go to the Model Catalog page and create the following models (see Model Catalog demo for detailed instructions):

   	Name	URI	Project	Artifact type
   1	Iris	gs://seldon-models/scv2/samples/rolling/iris/v1	default	SciKit Learn
   2	Iris	gs://seldon-models/scv2/samples/rolling/iris/v1	iris	SciKit Learn
   2	Income	gs://seldon-models/scv2/examples/mlserver_1.4.0/income/classifier	income	SciKit Learn

   Your Model Catalog page should look similar to the following now:

   

3. Create a pipeline from each of these models using the Deploy functionality from the Model Catalog. Make sure to set the deployment type as Seldon ML Pipeline.

   The pipeline names could be:

   • iris-default

   • iris-iris

   • income

   Your Overview page should look similar to the following now:

   

4. Log out from the alice profile and log in as bob.

5. Confirm you only see the pipelines in the default and income projects, but not the iris project.

   

6. Confirm you only see the models in the default and income projects in the Model Catalog, but not the iris one.

   

7. Confirm that you cannot delete or modify the income model in the Model Catalog, since bob has only read permissions on the income project.

   

8. Confirm that you cannot delete or modify the income Pipeline in the Overview page.