How to use permissions
How are managed access
What is the URN of a resource ?
Hint
Usage of URN is not required anymore as it is possible to use the resource ID or fullName instead of the URN.
The following explanation can be useful to understand how Toolkit works behind the scenes.
The EAI toolkit provides an API to manage access to resources. In addition to their ID, each resource is assigned an explicit URN that indicates its type and ownership. For example, a user is a kind of resource owned by an organization. Assuming you are already logged in, you can get the URN of your user with this:
$ eai user get --field urn
491e3474-8382-4437-a68b-18414701dec3:user:3c0e93a5-4174-4487-bbaa-59138ba24833
Here:
491e3474-8382-4437-a68b-18414701dec2
is the organization and3c0e93a5-4174-4487-bbaa-59138ba24833
is the user.
How URN are used to build policy expression ?
URNs are useful to express access rules.
An access rule simply defines actions allowed on a URN expression.
Using the wildcard *
character, a rule can refers to a set of resources.
For example:
491e3474-8382-4437-a68b-18414701dec2
refers to the organization491e3474-8382-4437-a68b-18414701dec2:*
refers to all resources of the organization491e3474-8382-4437-a68b-18414701dec2:user:*
refers to all users of the organization
Each client access is validated against a set of access rules. You can list your access rules:
$ eai user policy ls --recursive
action expression
*:get 491e3474-8382-4437-a68b-18414701dec2
*:get 491e3474-8382-4437-a68b-18414701dec2:user:*
*:get 491e3474-8382-4437-a68b-18414701dec2:team:*
user:set 491e3474-8382-4437-a68b-18414701dec2:user:e44ce0fe-446d-4838-946b-9a61f886297b
data:get 491e3474-8382-4437-a68b-18414701dec2:account:3f0905b0-516c-4ac5-8b1f-f606770fc1cb:data:fe731f85-5d20-4bcf-986d-f458180b5000
data:read 491e3474-8382-4437-a68b-18414701dec2:account:3f0905b0-516c-4ac5-8b1f-f606770fc1cb:data:fe731f85-5d20-4bcf-986d-f458180b5000
data:write 491e3474-8382-4437-a68b-18414701dec2:account:3f0905b0-516c-4ac5-8b1f-f606770fc1cb:data:fe731f85-5d20-4bcf-986d-f458180b5000
Let’s go over those.
The first rule explicitly allows the user:set
action on yourself.
This action correspond to updating user details:
$ eai user set --name joe
The next 3 rules are inherited from the user
role attached to your organization.
When your user was created, it was authorized to assume the user
role for your organization.
This enables you to get details about your organization, its users and its teams.
This correspond to a number of commands:
$ eai organization get
$ eai user ls
$ eai team ls
How the expression based on URN is replaced ?
Expressions based on the URN are now replaced by 2 input fields to build the expression: - the resource used to build the expression - the cascade boolean to define if the expression is for the resource itself or all its children
Example of generated expression:
Resource |
Cascade |
Expression Generated |
---|---|---|
491e3474-8382-4437-a68b-18414701dec2 |
true |
491e3474-8382-4437-a68b-18414701dec2:* |
491e3474-8382-4437-a68b-18414701dec2 |
false |
491e3474-8382-4437-a68b-18414701dec2 |
3c0e93a5-4174-4487-bbaa-59138ba24833 |
false |
491e3474-8382-4437-a68b-18414701dec2:user:3c0e93a5-4174-4487-bbaa-59138ba24833 |
By doing that, it is now to return the fullName of the resource instead of the expression based on the URN.
The previous example with eai user policy ls --recursive
is now:
$ eai user policy ls --recursive
id source target action resource cascades shareable expiration
1b14b003-5986-410a-afe5-856639ec4c14 direct snow.guillaume_smaha *:get snow false false -
64d24c13-a9bb-46eb-af31-9ae9b3b71e61 direct snow.guillaume_smaha user:get snow true false -
5b07426b-6fca-4ff1-9d51-e569fb78d263 direct snow.guillaume_smaha team:get snow true false -
eb6a64e3-b817-4b3d-b0e7-dc25bf07ba60 direct snow.guillaume_smaha user:set snow.guillaume_smaha false false -
d5091fec-aa57-4faf-9d50-5e411c18e8f0 direct snow.guillaume_smaha data:get snow.home.guillaume_smaha false false -
be113ba2-93a8-44a8-b297-e16d8b87b3f7 direct snow.guillaume_smaha data:read snow.home.guillaume_smaha false false -
be113ba2-93a8-44a8-b297-e16d8b87b3f7 direct snow.guillaume_smaha data:write snow.home.guillaume_smaha false false -
Policies
Note
Previously, multiple access rules could be stored in one policy.
Now, rules are merged in policies and one policy is always one rule.
A policy is one statement that allow actions on resources, using syntax <action>@<resource>
.
Multiple actions and resources can still be defined with the syntaw <action>[+<action>...]@<resource>[+<resource>...]
,
in this case, multiple policies will be created.
It can be attached to clients of the API i.e. users, teams and roles. For example, this explicitely gives root access to the cluster to a single user:
$ eai user policy new 3c0e93a5-4174-4487-bbaa-59138ba24833 '*@*'
Users inherit policies from:
policies attached to them
policies attached to a team they are a member of directly or indirectly
policies attached to a role they can assume
Thus, there is 3 ways to create policies:
$ eai user policy new
$ eai team policy new
$ eai role policy new
Note that adding policies to a user, a team or a role requires access to that resource.
Roles
While it is possible to manage access with policies attached directly to users and teams, the most common way is to use roles. If a user or a team is allowed to assume a role, it inherits the role’s policies. There are a number of roles that are predefined. Since they can be attached to organizations, teams and accounts, they can be listed using:
$ eai organization role ls
$ eai team role ls
$ eai account role ls
For example:
$ eai organization role ls --fields id,name
id name
c53444c6-206e-4ae7-bab7-baacdab5a0a7 admin
e11bb1f4-b85a-4734-a5a4-f52cadd50ca6 user
To assume a role, a user or a team needs to be a member of that role. Thus, the following can be used to list members:
$ eai organization role member ls c53444c6-206e-4ae7-bab7-baacdab5a0a7
id name type
80db146b-1c79-4ed0-bb8b-db1698fddd58 jerome user
94731f2a-aa48-443a-b013-c00ea9507d0f guillaume user
0eb96759-aef0-4acc-91a7-202cac71c472 eric user
Simply use the add
or rm
commands to manager members:
$ eai organization role member rm c53444c6-206e-4ae7-bab7-baacdab5a0a7 --user 94731f2a-aa48-443a-b013-c00ea9507d0f
id name type
80db146b-1c79-4ed0-bb8b-db1698fddd58 jerome user
0eb96759-aef0-4acc-91a7-202cac71c472 eric user
$ eai organization role member add c53444c6-206e-4ae7-bab7-baacdab5a0a7 --user 94731f2a-aa48-443a-b013-c00ea9507d0f
id name type
80db146b-1c79-4ed0-bb8b-db1698fddd58 jerome user
94731f2a-aa48-443a-b013-c00ea9507d0f guillaume user
0eb96759-aef0-4acc-91a7-202cac71c472 eric user
How to access a python server in toolkit from a CICD
Use a Python framework like FastAPI, Django or Flask to write a small API that does what you want
Build a Docker image that expects to have the model data mounted and that runs the API. Example docker image can be found here
Submit a Toolkit job in the account, with the image and the model data mounted. If you want a long running server (more than 48hrs), use restartable with high bid.
Create a new role, policy and a key (token)
# create a new role $ eai role new account_fullname.job_access # attach a policy which gives access to the python server $ eai role policy new account_fullname.job_access "job:get@$JOB_ID # create a long lived token to access the python server $ eai role key new account_fullname.job_access
Use the token to call the API from anywhere (you can find the job’s accessUrl with the eai job info command)
How to tell who has specific rights over a resource?
eai rule who-is-allowed <action>@<resource urn>
Who can write to a specific data object:
eai rule who-is-allowed "data:set@$(eai data get <data id> --field urn)"
How to tell if you have specific rights over a resource?
eai rule allowed <action>@<resource urn>
Whether you can write to a specific data object:
eai rule allowed "data:set@$(eai data get <data id> --field urn)"