Permissions
Permissions determine the level of access that a user has to various components of the Feature Store. For example, depending on the level of permission granted, a user may be authorized to edit feature sets, while another user with limited view-only permission can only observe the feature set.
Levels of permission
Feature Store has five levels of permission:
Additionally, Feature Store also has the concept of an admin account. An admin is any user with the admin role specified in their identity provider. Admin users can perform additional management tasks.
The name of the claim storing the roles and name of admin role is configurable during Feature Store deployment.
Owner
- Owner permission for a project
- Owner permission for feature sets
You become the owner by creating a project. As the owner, you can remove the project and assign the owner, editor, consumer, sensitive consumer or viewer permission levels to other users. If you are the project owner, you are automatically granted owner permissions to all the feature sets within that project.
You become the owner by creating a feature set. As the owner, you can remove the feature set and assign the owner, editor, consumer, sensitive consumer or viewer permission levels to other users.
As the owner, you have all the other permissions.
- Editor
- Sensitive consumer
- Consumer
- Viewer
Editor
- Editor permission for a project
- Editor permission for feature sets
If you have editor permission for a project in the Feature Store, you are authorized to update the project's metadata and register new feature sets within the project. As the editor of the project, you are automatically granted owner permission for all feature sets associated with the project.
If you have editor permission for a feature set, you are authorized to update the feature set's metadata and call ingest
on the feature set.
As an editor, you also have the following permissions,
- Sensitive consumer
- Consumer
- Viewer
Sensitive consumer
- Sensitive consumer permission for a project
- Sensitive consumer permission for feature sets
If you have sensitive consumer permission for a project in the Feature Store, you are authorized to list or obtain a feature set from the project. As the sensitive consumer of the project, you are automatically granted sensitive consumer permission for all feature sets associated with the project.
If you have sensitive consumer permission for a feature set, you are authorized to call retrieve
on
the feature set. The retrieved data contains data in its original,
unmasked variant (raw data).
As an sensitive consumer, you also have the following permissions,
- Consumer
- Viewer
Consumer
- Consumer permission for a project
- Consumer permission for feature sets
If you have consumer permission for a project in the Feature Store, you are authorized to list or obtain a feature set from the project. In other words, as a consumer of a project, you can retrieve data from all feature sets. As the consumer of the project, you are automatically granted consumer permission for all feature sets associated with the project.
If you have consumer permission for a feature set, you are authorized to call retrieve
on
the feature set. Among retrieved features, only masked features will be displayed as
hashed values.
As an consumer, you also have the following permission,
- Viewer
Viewer
- Viewer permission for a project
- Viewer permission for feature sets
If you have viewer permission for a project in the Feature Store, you are authorized to see what feature sets are available when the project is locked. If you do not have viewer permission and the project is locked, you are not allowed to list and obtain feature sets in a project. If the project is unlocked, you can view feature sets of the project without any permission.
For feature sets, the viewer permission has same effect as having no permission on a feature set.
Secret project and secret feature set
Projects and feature sets can be marked as secret, which means that when secret=True
, the project or feature set can be seen only by its owner.
Create a secret project
To create a secret project:
- Python
- Scala
Projects can also be marked as secret by passing secret=True
to the
client.projects.create
call. In this case, only project owners can see
the project in client.projects.list
and can obtain the project via
client.projects.get
method.
Projects can also be marked as secret by passing secret=true
to the
client.projects.create
call. In this case, only project owners can see
the project in client.projects.list
and can obtain the project via
client.projects.get
method.
Create a secret feature set
To create a secret feature set:
- Python
- Scala
Feature sets can also be marked as secret by passing secret=True
to
the project.feature_sets.register
call. In this case, only feature set
owners (which are also all owners of the project where this feature set
is located) can see the feature set in project.feature_sets.list
and
can obtain the feature set via the project.feature_sets.get
method.
Feature sets can also be marked as secret by passing secret=true
to
the project.featureSets.register
call. In this case, only feature set
owners (which are also all owners of the project where this feature set
is located) can see the feature set in project.featureSets.list
and
can obtain the feature set via the project.featureSets.get
method.
Locked project
Only projects can be marked as locked, which means when Locked=True
, only users with viewer and higher permissions(owner, editor, sensitive consumer, consumer) are allowed to access and list feature sets within the project. Users without viewer permission cannot list and obtain feature sets from the project.
Project permission API
Add permissions to the project
To add additional owners to the project, call:
- Python
- Scala
project.add_owners(["bob@h2o.ai", "alice@h2o.ai"])
project.addOwners(Array("bob@h2o.ai", "alice@h2o.ai"))
To add additional editors to the project, call:
- Python
- Scala
project.add_editors(["bob@h2o.ai", "alice@h2o.ai"])
project.addEditors(Array("bob@h2o.ai", "alice@h2o.ai"))
To add additional consumers to the project, call:
- Python
- Scala
project.add_consumers(["bob@h2o.ai", "alice@h2o.ai"])
project.addConsumers(Array("bob@h2o.ai", "alice@h2o.ai"))
To add additional sensitive consumers to the project, call:
- Python
- Scala
project.add_sensitive_consumers(["bob@h2o.ai", "alice@h2o.ai"])
project.addSensitiveConsumers(Array("bob@h2o.ai", "alice@h2o.ai"))
To add additional viewers to the project, call:
- Python
- Scala
project.add_viewers(["bob@h2o.ai", "alice@h2o.ai"])
project.addViewers(Array("bob@h2o.ai", "alice@h2o.ai"))
Remove permissions from the project
To remove owners from the project, call:
- Python
- Scala
project.remove_owners(["bob@h2o.ai", "alice@h2o.ai"])
project.removeOwners(Array("bob@h2o.ai", "alice@h2o.ai"))
To remove editors from the project, call:
- Python
- Scala
project.remove_editors(["bob@h2o.ai", "alice@h2o.ai"])
project.removeEditors(Array("bob@h2o.ai", "alice@h2o.ai"))
To remove consumers from the project, call:
- Python
- Scala
project.remove_consumers(["bob@h2o.ai", "alice@h2o.ai"])
project.removeConsumers(Array("bob@h2o.ai", "alice@h2o.ai"))
To remove sensitive consumers from the project, call:
- Python
- Scala
project.remove_sensitive_consumers(["bob@h2o.ai", "alice@h2o.ai"])
project.removeSensitiveConsumers(Array("bob@h2o.ai", "alice@h2o.ai"))
To remove viewers from the project, call:
- Python
- Scala
project.remove_viewers(["bob@h2o.ai", "alice@h2o.ai"])
project.removeViewers(Array("bob@h2o.ai", "alice@h2o.ai"))
Request permissions to a project
When cooperating with several users on a project, you may not have a specific permission (i.e., owner/editor/consumer/sensitive consumer) for that project. You can request a specific permission from the project owner.
To begin, check your current access rights:
- Python
- Scala
from featurestore.core.access_type import AccessType
my_access_type = project.current_permission()
# returns None in case the user has no access to the project
import ai.h2o.featurestore.core.AccessType
val myAccessType = project.currentPermission()
// returns None in case the user has no access to the project
If your level of permission is not sufficient for your needs, you can request the project owner for access rights:
- Python
- Scala
my_request_id = project.request_access(AccessType.CONSUMER, "Preparing the best model")
val myRequestId = project.requestAccess(AccessType.Consumer, "Preparing the best model")
You can track your pending permission requests from the clients API:
- Python
- Scala
my_requests = client.acl.requests.projects.list()
val myRequests = client.acl.requests.projects.list()
When you can no longer see your request, this means it has been processed. To view the result of your request, call:
- Python
- Scala
my_permissions = client.acl.permissions.projects.list(filters)
val myPermissions = client.acl.permissions.projects.list(filters)
The filters
argument is optional and specifies which permissions
state(s) you are interested in. Its default value is
PermissionState.GRANTED (which is the most common case). If you do
not find your original request granted, it was most likely either
rejected or was granted and then revoked.
To verify the status of your request, specify using the corresponding filters. For example:
- Python
- Scala
filters = [PermissionState.REJECTED]
val filters = Seq(PermissionState.REJECTED)
Manage permission requests from other users
As a project owner, a user can request access to that project from you.
To list the requests pending for you to handle, call:
- Python
- Scala
manageable_requests = client.acl.requests.projects.list_manageable()
val manageableRequests = client.acl.requests.projects.listManageable()
You can then take an item from the returned list and either approve it:
- Python
- Scala
manageable_requests = client.acl.requests.projects.list_manageable()
oldest_request = # select an item from manageable_requests
oldest_request.approve("it will be fun")
val manageableRequest = ... // select an item from manageableRequests
manageableRequest.approve("it will be fun")
or reject it:
- Python
- Scala
manageable_requests = client.acl.requests.projects.list_manageable()
oldest_request = # select an item from manageable_requests
oldest_request.reject("it's not ready yet")
val manageableRequest = ... // select an item from manageableRequests
manageableRequest.reject("it's not ready yet")
You can also revoke previously granted access to a project.
First, list the existing permissions that you handle:
- Python
- Scala
manageable_permissions = client.acl.permissions.projects.list_manageable()
val manageablePermissions = client.acl.permissions.projects.listManageable()
Then, select the permission you want to revoke from the returned list:
- Python
- Scala
manageable_permission = ... # select an item from manageable_permissions
manageable_permission.revoke("user left the project")
val manageablePermission = ... // select an item from manageablePermissions
manageablePermission.revoke("user left the project")
The returned request and permission objects from the list()
and
list_manageable()
method calls contain convenient methods for
accessing the internal state (the following code is not exhaustive):
- Python
- Scala
manageable_requests = client.acl.requests.projects.list_manageable()
manageable_request = # select an item from manageable_requests
manageable_request.requestor() # only on manageable objects
manageable_request.access_type()
manageable_request.status()
manageable_request.reason()
manageable_request.created_on()
manageable_request.resource_type() # requested resource type, PROJECT or FEATURE_SET
manageable_request.get_resource() # returns corresponding feature set/project
val manageableRequests = client.acl.requests.projects.listManageable()
val manageableRequest = ... // select an item from manageableRequests
manageableRequest.requestor // only on manageable objects
manageableRequest.accessType
manageableRequest.status
manageableRequest.reason
manageableRequest.createdOn
manageableRequest.resourceType // requested resource type, PROJECT or FEATURE_SET
manageableRequest.getResource // returns corresponding project/feature set
Feature set permissions API
Add permissions to the feature set
In order to add feature set permissions (owner
/ editor
/ consumer
/ sensitive consumer
), those users should already have the project
consumer permission.
For the following examples, "bob@h2o.ai" and "alice@h2o.ai" should already have consumer permissions to the project which consists of the respective feature set.
To add additional owners to the feature set, call:
- Python
- Scala
fs.add_owners(["bob@h2o.ai", "alice@h2o.ai"])
fs.addOwners(Array("bob@h2o.ai", "alice@h2o.ai"))
To add additional editors to the feature set, call:
- Python
- Scala
fs.add_editors(["bob@h2o.ai", "alice@h2o.ai"])
fs.addEditors(Array("bob@h2o.ai", "alice@h2o.ai"))
To add additional consumers to the feature set, call:
- Python
- Scala
fs.add_consumers(["bob@h2o.ai", "alice@h2o.ai"])
fs.addConsumers(Array("bob@h2o.ai", "alice@h2o.ai"))
To add additional sensitive consumers to the feature set, call:
- Python
- Scala
fs.add_sensitive_consumers(["bob@h2o.ai", "alice@h2o.ai"])
fs.addSensitiveConsumers(Array("bob@h2o.ai", "alice@h2o.ai"))
To add additional viewers to the feature set, call:
- Python
- Scala
fs.add_viewers(["bob@h2o.ai", "alice@h2o.ai"])
fs.addViewers(Array("bob@h2o.ai", "alice@h2o.ai"))
Remove permissions from the feature set
To remove owners from the feature set, call:
- Python
- Scala
fs.remove_owners(["bob@h2o.ai", "alice@h2o.ai"])
fs.removeOwners(Array("bob@h2o.ai", "alice@h2o.ai"))
To remove editors from the feature set, call:
- Python
- Scala
fs.remove_editors(["bob@h2o.ai", "alice@h2o.ai"])
fs.removeEditors(Array("bob@h2o.ai", "alice@h2o.ai"))
To remove consumers from the feature set, call:
- Python
- Scala
fs.remove_consumers(["bob@h2o.ai", "alice@h2o.ai"])
fs.removeConsumers(Array("bob@h2o.ai", "alice@h2o.ai"))
To remove sensitive consumers from the feature set, call:
- Python
- Scala
fs.remove_sensitive_consumers(["bob@h2o.ai", "alice@h2o.ai"])
fs.removeSensitiveConsumers(Array("bob@h2o.ai", "alice@h2o.ai"))
To remove viewers from the feature set, call:
- Python
- Scala
fs.remove_viewers(["bob@h2o.ai", "alice@h2o.ai"])
fs.removeViewers(Array("bob@h2o.ai", "alice@h2o.ai"))
Request permissions to a feature set
Feature set permissions follow the same structure and reasoning as project permissions. The following is a short list of available methods.
To list current feature set permissions, call:
- Python
- Scala
from featurestore.core.access_type import AccessType
my_access_type = fs.current_permission()
# returns None in case the user does not have access to the project
import ai.h2o.featurestore.core.AccessType
val myAccessType = fs.currentPermission()
// returns None in case the user does not have access to the project
To request feature set permissions, call:
- Python
- Scala
my_request_id = fs.request_access(AccessType.CONSUMER, "Preparing the best model")
val myRequestId = fs.requestAccess(AccessType.Consumer, "Preparing the best model")
To list pending requests, call:
- Python
- Scala
my_requests = client.acl.requests.feature_sets.list()
val myRequests = client.acl.requests.featureSets.list()
To list granted (without passing an argument) or
rejected/revoked (with provided corresponding filters
argument)
permissions, call:
- Python
- Scala
filters = [PermissionState.REJECTED]
my_permissions = client.acl.permissions.feature_sets.list(filters)
filters = Seq(PermissionState.REJECTED)
val myPermissions = client.acl.permissions.featureSets.list(filters)
Manage feature set permissions
Feature set permissions follow the same structure and reasoning as project permissions. The following is a short list of available methods.
To list and approve/reject a pending feature set permission request, call:
- Python
- Scala
manageable_requests = client.acl.requests.feature_sets.list_manageable()
manageable_request = # select an item from manageable_requests
manageable_request.approve("it will be fun")
# or
manageable_request.reject("not yet ready")
val manageableRequests = client.acl.requests.featureSets.listManageable()
val manageableRequest = ... // select an item from manageableRequests
manageableRequest.approve("it will be fun")
// or
manageableRequest.reject("not yet ready")
To list and revoke an existing feature set permission, call:
- Python
- Scala
manageable_permissions = client.acl.requests.feature_sets.list_manageable()
manageable_permission = ... # select an item from manageable_permissions
manageable_permission.revoke("user left project")
val manageablePermissions = client.acl.requests.featureSets.listManageable()
val manageablePermission = ... // select an item from manageablePermissions
manageablePermission.revoke("user left project")
- Submit and view feedback for this page
- Send feedback about H2O Feature Store to cloud-feedback@h2o.ai