Project Based Authorization

Pre-requisites

Policies Setup

This demo assumes the existence of two users in your OIDC provider: alice and bob.

  • Both alice and bob belong to the data-scientist group.

  • From the role grants, they both get read-write access to all namespaces and the default project.

In addition:

  • alice has read-write access to the iris and income projects.

  • bob has read-only access to the income project.

These permissions are reflected in the following seldon-deploy-policies ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: seldon-deploy-policies
  namespace: seldon-system
data:
  data: |-
    {
      "role_grants": {
        "data-scientist": [
          {
            "action": "read",
            "resource": "namespace/*"
          },
          {
            "action": "write",
            "resource": "namespace/*"
          },
          {
            "action": "read",
            "resource": "project/default"
          },
          {
            "action": "write",
            "resource": "project/default"
          }
        ]
      },
      "user_grants": {
        "alice": [
          {
            "action": "read",
            "resource": "project/iris"
          },
          {
            "action": "write",
            "resource": "project/iris"
          },
          {
            "action": "read",
            "resource": "project/income"
          },
          {
            "action": "write",
            "resource": "project/income"
          }
        ],
        "bob": [
          {
            "action": "read",
            "resource": "project/income"
          }
        ]
      }
    }

Confirm Policies Are Working

  1. Log in as alice.

  2. Go to the Model Catalog page and create the following models (see Model Catalog demo for detailed instructions):

    Name

    URI

    Project

    Artifact type

    1

    Iris

    gs://seldon-models/v1.18.2/sklearn/iris

    default

    SciKit Learn

    2

    Iris

    gs://seldon-models/v1.18.2/sklearn/iris

    iris

    SciKit Learn

    3

    Income

    gs://seldon-models/sklearn/income/model-0.23.2

    income

    SciKit Learn

    Your Model Catalog page should look similar to the following now:

    models in catalog

  3. Create a deployment from each of these models using the Deploy functionality from the Model Catalog. The deployment names could be:

    • iris-default

    • iris-iris

    • income

    Your Overview page should look similar to the following now:

    models in overview

  4. Log out from the alice profile and log in as bob.

  5. Confirm you only see the deployments in the default and income projects, but not the iris project.

    models in overview

  6. Confirm you only see the models in the default and income projects in the Model Catalog, but not the iris one.

    models in catalog

  7. Confirm that you cannot delete or modify the income model in the Model Catalog, since bob has only read permissions on the income project.

    bob_write_fail

  8. Confirm that you cannot delete or modify the income Seldon Deployment in the Overview page.