examples/rbac-local/01.3-setup-feast.ipynb
Create a sample rbac project with local storage.
!rm -rf rbac
!feast init rbac
Update the feature_store.yaml with an auth section derived from the Keycloak setup file .env
!cat .env
Update the server YAML to use OIDC authorization
from dotenv import load_dotenv
import os
import yaml
def load_config_file(path):
    """Load the YAML document at *path* into a dict, after reading ``.env`` into the environment.

    The ``load_dotenv()`` call is what makes ``OIDC_SERVER_URL``, ``REALM``,
    ``CLIENT_ID`` and ``CLIENT_SECRET`` visible to ``os.getenv`` in the
    functions that follow.  Because ``.env`` carries the Keycloak client
    secret, keep it out of version control and out of shared notebook output.

    Args:
        path: path of the YAML configuration file to read.

    Returns:
        The parsed document, or an empty dict when the file is empty.
    """
    load_dotenv()
    with open(path, 'r') as source:
        document = yaml.safe_load(source)
    return document if document else {}
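def _require_env(name):
    """Return the value of environment variable *name*, raising ValueError if it is unset.

    ``os.getenv`` yields ``None`` for a missing variable and an f-string renders
    that as the text ``None``; the discovery URL would then read
    ``None/realms/None/.well-known/openid-configuration`` and the mistake would
    surface only at the first authenticated call.  Failing here points at the
    missing ``.env`` entry instead.  An empty string counts as a value.
    """
    value = os.getenv(name)
    if value is None:
        raise ValueError(f"environment variable {name} is not set (expected in .env)")
    return value


def update_config_with_auth(config, is_client=False):
    """Replace ``config['auth']`` with an OIDC section built from the environment.

    Reads ``OIDC_SERVER_URL``, ``REALM`` and ``CLIENT_ID`` (plus
    ``CLIENT_SECRET`` for a client configuration) as loaded from ``.env`` and
    writes the ``auth`` mapping in place; any existing ``auth`` section is
    discarded.

    Args:
        config: parsed ``feature_store.yaml`` dict, modified in place.
        is_client: when True, also add the credentials the client logs in
            with: ``client_secret`` from the environment, an empty
            ``username`` and the literal password ``'password'`` (presumably
            placeholders for this local demo — set real values before reuse).
            The server configuration (the default) carries no credentials.

    Raises:
        ValueError: if one of the required environment variables is unset.

    With ``is_client=True`` the dict — and the YAML file it is later written
    to — holds the Keycloak client secret and a password in clear text, so
    treat that file as a credential file.
    """
    server_url = _require_env('OIDC_SERVER_URL')
    realm = _require_env('REALM')
    auth = {
        'type': 'oidc',
        'auth_discovery_url': f"{server_url}/realms/{realm}/.well-known/openid-configuration",
        'client_id': _require_env('CLIENT_ID'),
    }
    if is_client:
        auth['client_secret'] = _require_env('CLIENT_SECRET')
        auth['username'] = ''
        auth['password'] = 'password'
    config['auth'] = auth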
def update_config_file(path):
    """Serialize the module-level ``config`` dict to *path* as block-style YAML.

    This writes the global ``config`` produced by ``load_config_file`` and
    ``update_config_with_auth``, not a parameter.  For the client
    configuration that dict holds ``client_secret`` and ``password`` in clear
    text, so the resulting file should be handled as a credential file
    (restrictive permissions, not committed, not echoed into shared output).

    Args:
        path: destination YAML file; overwritten if it already exists.
    """
    with open(path, 'w') as sink:
        yaml.safe_dump(config, sink, default_flow_style=False)
# Server-side store: OIDC discovery settings only, no client credentials
# (is_client left at its default).
server_config_path = 'rbac/feature_repo/feature_store.yaml'
config = load_config_file(server_config_path)
update_config_with_auth(config)
update_config_file(server_config_path)
!cat rbac/feature_repo/feature_store.yaml
Update the client YAML to use OIDC authorization
# Client-side store: is_client=True also writes client_secret, username and
# password into the file, so it must be kept private.
client_config_path = 'client/feature_store.yaml'
config = load_config_file(client_config_path)
update_config_with_auth(config, is_client=True)
update_config_file(client_config_path)
!cat client/feature_store.yaml
!feast -c rbac/feature_repo apply
There are no permissions after applying the example:
!feast -c rbac/feature_repo permissions list
The permissions check command identifies the resources that have no permissions matching their type, name or tags.
!feast -c rbac/feature_repo permissions check
Let's create some Permissions to cover basic scenarios.
First a simple permission to read the status of all the objects.
from feast import FeatureStore
from feast.feast_object import ALL_RESOURCE_TYPES
from feast.permissions.action import CRUD, AuthzedAction, ALL_ACTIONS
from feast.permissions.permission import Permission
from feast.permissions.policy import RoleBasedPolicy
# Store handle for the local repo; permissions are registered through its registry.
store = FeatureStore("rbac/feature_repo")

# Holders of the "reader" role may DESCRIBE every resource type.
reader_policy = RoleBasedPolicy(roles=["reader"])
read_permission = Permission(
    name="read_permission",
    policy=reader_policy,
    types=ALL_RESOURCE_TYPES,
    actions=AuthzedAction.DESCRIBE,
)
store.registry.apply_permission(read_permission, store.project)
Now a specific permission to write online data (e.g. materialize) to the FeatureViews whose name ends with `_fresh`.
from feast.feature_view import FeatureView
# Holders of "fresh_writer" may WRITE_ONLINE, but only to FeatureViews whose
# name matches the pattern below.
fresh_writer_policy = RoleBasedPolicy(roles=["fresh_writer"])
write_fresh_permission = Permission(
    name="write_fresh_permission",
    policy=fresh_writer_policy,
    types=FeatureView,
    name_patterns=".*_fresh",
    actions=AuthzedAction.WRITE_ONLINE,
)
store.registry.apply_permission(write_fresh_permission, store.project)
Another one to allow access to OFFLINE functions.
from feast.feature_view import FeatureView
from feast.feature_service import FeatureService
from feast.on_demand_feature_view import OnDemandFeatureView
# Holders of "batch_admin" get the CRUD actions plus both offline actions on
# the three resource types that back offline retrieval.
offline_types = [FeatureView, OnDemandFeatureView, FeatureService]
offline_actions = CRUD + [AuthzedAction.WRITE_OFFLINE, AuthzedAction.READ_OFFLINE]
offline_permission = Permission(
    name="offline_permission",
    policy=RoleBasedPolicy(roles=["batch_admin"]),
    types=offline_types,
    actions=offline_actions,
)
store.registry.apply_permission(offline_permission, store.project)
Finally, an admin permission to manage all the resources.
# Holders of "store_admin" get every action on every resource type; this is
# the broadest grant in the example, so keep that role tightly assigned.
admin_policy = RoleBasedPolicy(roles=["store_admin"])
admin_permission = Permission(
    name="admin_permission",
    policy=admin_policy,
    types=ALL_RESOURCE_TYPES,
    actions=ALL_ACTIONS,
)
store.registry.apply_permission(admin_permission, store.project)
List all the permissions.
!feast -c rbac/feature_repo permissions list
List all the resources matching each configured permission.
!feast -c rbac/feature_repo permissions list -v
Describe one of the permissions.
!feast -c rbac/feature_repo permissions describe admin_permission
List the roles specified by these permissions.
!feast -c rbac/feature_repo permissions list-roles
For each configured role, list all the resources and operations that are allowed to a user impersonating this role.
!feast -c rbac/feature_repo permissions list-roles -v