OIDC Token-based Authentication
This page describes how to configure the OIDC token-based authentication security option for a new deployment.
This security option requires the following additional configuration when deploying H2O MLOps:
- To enable this option, update securityOptions.activated in the values.yaml file (charts/mlops/values.yaml) to include the value AUTHORIZATION_PROTOCOL_OIDC in the list:

securityOptions:
  activated:
    - .......
    - "AUTHORIZATION_PROTOCOL_OIDC"
    - .......

- Set the deployer.config.securityProxy.oidcIssuers (OIDC issuer-related values) in the values.yaml file, including the OIDC issuer URL and TLS credentials.
Import Modules
import time
import httpx
import h2o_mlops
from h2o_authn import TokenProvider
from h2o_mlops.options import SecurityOptions
REFRESH_TOKEN = "<REFRESH_TOKEN>"
CLIENT_ID = "<CLIENT_ID>"
TOKEN_ENDPOINT_URL = "<TOKEN_ENDPOINT_URL>"
GATEWAY_URL = "<GATEWAY_URL>"
DATA_DIR = "<DATA_DIR>"
Connect to H2O MLOps
token_provider = TokenProvider(
    refresh_token=REFRESH_TOKEN,
    client_id=CLIENT_ID,
    token_endpoint_url=TOKEN_ENDPOINT_URL,
)
mlops = h2o_mlops.Client(
    gateway_url=GATEWAY_URL,
    token_provider=token_provider,
)
Create a New Deployment with Security Options
- Prepare everything you need to create a deployment.

project = mlops.projects.create(name="demo")
experiment = project.experiments.create(
    data=f"{DATA_DIR}/mojo.zip",
    name="experiment-from-client"
)
model = project.models.create(name="model-from-client")
model.register(experiment=experiment)
environment = project.environments.list(name="DEV")[0]
scoring_runtime = mlops.runtimes.scoring.list(
    artifact_type="dai_mojo_pipeline",
    uid="dai_mojo_runtime",
)[0]

- Define a SecurityOptions for OIDC token-based authentication.

security_options = SecurityOptions(
    oidc_token_auth=True,
)

- Deploy using the security_options argument.

deployment = environment.deployments.create_single(
    name="deployment-from-client",
    model=model,
    scoring_runtime=scoring_runtime,
    security_options=security_options,
)
while not deployment.is_healthy():
    deployment.raise_for_failure()
    time.sleep(5)
print(deployment.security_options)
Output:
passphrase: None
hashed_passphrase: None
oidc_token_auth: True
Score Against the Newly Created Deployment
You can score against the newly created deployment that is configured with the OIDC token-based authentication security option. However, an access token must be supplied in the Authorization header in the form Authorization: Bearer <token>.
access_token = token_provider()
response = httpx.post(
    url=deployment.url_for_scoring,
    json=deployment.get_sample_request(
        auth_value=access_token,
    ),
    headers={
        "Authorization": f"Bearer {access_token}",
    },
)
response.json()
Output:
{'id': '268b2733-9f51-48f1-9a4f-70b06ba35d08',
'fields': ['default payment next month.0', 'default payment next month.1'],
'score': [['0.7441956', '0.25580445']]}
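As an added example (not part of the H2O MLOps client or this page's original code), the following client-side pre-flight check decodes the access token's claims before scoring and flags an issuer that does not match the one set in deployer.config.securityProxy.oidcIssuers, or a token that is near expiry. It assumes the access token is a JWT and that the proxy compares iss exactly; preflight, decode_jwt_claims and make_constructed_token are hypothetical names, and the signature is deliberately not verified here because that is the proxy's job.

```python
import base64
import json
import time


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (opaque access token?)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def preflight(token, expected_issuer, now=None, min_ttl=30):
    """Return the problems likely to get a scoring request rejected."""
    now = time.time() if now is None else now
    try:
        claims = decode_jwt_claims(token)
    except ValueError as exc:  # also covers bad base64 and bad JSON
        return [f"cannot inspect token: {exc}"]
    problems = []
    iss = claims.get("iss")
    # Assumption: the proxy compares iss exactly, as OIDC validation requires.
    if iss != expected_issuer:
        if isinstance(iss, str) and iss.rstrip("/") == expected_issuer.rstrip("/"):
            problems.append("issuer differs only by a trailing slash")
        else:
            problems.append(f"issuer {iss!r} is not the configured issuer")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("token has no numeric exp claim")
    elif exp - now < min_ttl:
        problems.append("token is expired or about to expire")
    return problems


def make_constructed_token(claims):
    """Build an unsigned sample token (constructed data, not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed-signature"])


if __name__ == "__main__":
    issuer = "https://idp.example.com/realms/demo"  # constructed issuer URL
    token = make_constructed_token({"iss": issuer, "exp": time.time() + 300})
    print(preflight(token, issuer))        # matching issuer, fresh token
    print(preflight(token, issuer + "/"))  # trailing-slash mismatch
```

An empty list means the token passes these client-side checks; a non-empty list usually explains a rejected scoring request before any deployment-side debugging is needed.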
Cleanup
for p in mlops.projects.list(name="demo"):
    p.delete()