Multi-User support for Kubeflow Pipelines #1223
Comments
|
Ideally this should be implemented in a way that get Kubeflow Pipeline closer to support multi-user. E.g. launch workflow in arbitrary namespace |
|
What's the priority of this? How does this align with the broader plans in Kubeflow to support multiple users? |
IronPan
changed the title
|
This is not yet being prioritized, although I think this deserve a high priority. In addition to admin/user isolation, here is a list of items to achieve the full multi-user support for KFP
|
IronPan
added
help wanted
|
Some references for implementing multi-user support on-prem |
vicaire
added
area/backend
area/frontend
area/wide-impact
and removed
area/backend
area/frontend
labels
|
@jessiezcc Any update on this work? Do you think this is something that will get done in Q3 and thus be part of 0.7? |
|
This work is not currently scheduled for Q3. |
|
Some customers express the interests of having ACL for API. e.g. lock down the API for deleting the resource to admin. |
|
/cc @krishnadurai |
|
/cc @songole |
|
Hi @IronPan. I'm assigning this to me, we have made good progress and we should have initial support for multi-user pipelines in v0.7. /assign @yanniszark |
|
Cross posting for clarification #4197 (comment): EDIT: described features below will be released with Kubeflow 1.1. You can use these instructions for preview on GCP. It's NOT RELEASED YET. pipeline runs are already designed to run in user namespaces. For details about which resources and which services support namespace separation, please read this early access user instruction: https://docs.google.com/document/d/1Ws4X1oNlaczhESNuEanZxbF-cnSfO78B1rBHWOkIAzo/. A quick list of things we don't support multi user separation in the upcoming KF 1.1 release:
|
|
If your organization would prefer pipeline resource separated by namespace, please upvote here. We can consider adding the support if there are enough user interest. EDIT: enough reactions collected, the issue is tracked in #4197 with priority |
|
@Bobgy it should be a feature which is enabled - if users want to "promote" their pipeline resource to be public, its allowed. Else int their namespace by default. |
Yes, I agree if we decide to implement, we'll make it configurable. |
|
Will upvote. Thanks!
…On Thu, Jul 9, 2020 at 11:43 PM Yuan (Bob) Gong ***@***.***> wrote:
@Bobgy <https://github.com/Bobgy> it should be a feature which is enabled
- if users want to "promote" their pipeline resource to be public, its
allowed. Else int their namespace by default.
Yes, I agree if we decide to implement, we'll make it configurable.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1223 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AKSGHEYOKQAMX4ODRSHQ4RDR222CXANCNFSM4HIISE7Q>
.
|
|
Just working my way through the documentation, thanks for pointing me in that direction. It seems geared around using |
|
@jackwhelpton Yes, the feature you described is already there. They are not mentioned in the doc just because they work seamlessly. |
|
@Bobgy re minio artifact store not being supported in KF 1.1 release, does that mean that a pipeline running in my namespace still writes to a shared artifact store? For example, anything my pipeline writes implicitly (eg: data written when piping results between steps in a pipeline like |
|
@ca-scribner That's right. Or I think minio supports multi tenant natively: https://docs.min.io/docs/multi-tenant-minio-deployment-guide.html, we'd welcome contribution how that can be integrated with KFP multi user mode. |
|
@Bobgy ok we lose kfp's helpful automatic piping of real data, but the data is still secure. Only meaningful downside I think is that everyone has to teach their components how to talk to their blob storage rather than offloading it to reusable blob-put/blob-get components. That's a fair compromise. You're right about minio multi-tenancy (I work in one atm). I'll ask around for ideas. |
|
@ca-scribner I think the Minio "Multi tenant" is slightly different than what we're doing; I think we're using OPA or Istio magic or something to provide every namespace with a private bucket on a single tenant (We do have minimal v.s. premium tenants, but that's different). I think the term "tenant" is a bit overloaded here |
Hi @Bobgy, we're hoping to get more clarification on multi-tenancy and the expected behavior. When you say "seamlessly", does that mean kubeflow will natively assign new experiments to the user's namespace as long as the headers are passed correctly, or do we need to add more components to our pipeline configuration to get the experiments to run under the user's namespace? The reason I'm asking this is we're currently seeing the following msg in our [ ml-pipeline-scheduledworkflow ] logs: |
|
@RoyerRamirez Yes, experiments will be assigned to user's namespace (the namespace you selected in Kubeflow dashboard). Actions will be authorized by user's header.
Can you open a separate issue describing how you deployed and what problems you met? |
Any plans for MLMD? |
|
@Jeffwan Yes, you understandings are correct. /cc @neuromage @dushyanthsc |
|
@Jeffwan @Bobgy Based on the initial documents that the Karl shared as part of the Model Management group, MLMD was going to support a "Project" context, or at least the ability to create such a context. This project context could be tied to the User's Profile and provide the necessary isolation for metadata. |
|
@maganaluis em. Seems it remove |
|
@maganaluis I think @karlschriek 's doc is just a proposal; so it might change. I think in my discussions with @neuromage we were talking about using labels to group metadata. So "project", "experiment", etc... might just be user defined labels. As such they probably wouldn't be closely tied to multi-user support. |
Hi, we have no current plans to add multi-user support directly in MLMD at this point in time. As you point out, there is no support for users in the MLMD schemas right now unfortunately. It would be worth exploring the use-cases for multi-user MLMD to figure out the right approach as well. |
|
KFP multi-user shipped in KF 1.1. |
|
/close |
|
@jlewi: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
…model container (kubeflow#1223) * Add batcher docker publisher * logger readiness probe * Consolidate loggger to agent * Inject logger to agent * Update to golang 1.14 * Inject agent when logger is specified * Fix port * Add readiness probe when injecting logger * Enable logger test * Fix logger and agent tests * Remove logger build * Consolidate files * Add dispatcher in test * Add cloud event check test * Fix agent image * Add debugging * Use a non-common port number
and others
[April/6/2020]
Latest design is in https://docs.google.com/document/d/1R9bj1uI0As6umCTZ2mv_6_tjgFshIKxkSt00QLYjNV4/edit?ts=5e4d8fbb#heading=h.5s8rbufek1ax
Areas we are working on:
Release
Areas related to integration with Kubeflow
=============== original description
Some users express the interest of an isolation between the cluster admin and cluster user - Cluster admin deploy Kubeflow Pipelines as part of Kubeflow in the cluster;
Cluster user can use Kubeflow Pipelines functionalities, without being able to access the control plane.
Here are the steps to support this functionality.
The text was updated successfully, but these errors were encountered: