Skip to content

How To Configure External Access To A Model Deployment#

Introduction#

Hopsworks supports role-based access control (RBAC) for project members within a project, where a project ML assets can only be accessed by Hopsworks users that are members of that project (See governance).

However, there are cases where you might want to grant external users with access to specific model deployments without them having to register into Hopsworks or to join the project which will give them access to all project ML assets. For these cases, Hopsworks supports fine-grained access control to model deployments based on user groups managed by an external Identity Provider.

Authentication methods

Hopsworks can be configured to use different types of authentication methods including OAuth2, LDAP and Kerberos. See the Authentication Methods Guide for more information.

GUI (for Hopsworks users)#

Step 1: Navigate to a model deployment#

If you have at least one model deployment already created, navigate to the model deployments page by clicking on the Deployments tab on the navigation menu on the left.

Deployments navigation tab
Deployments navigation tab

Once in the model deployments page, find the model deployment you want to configure external access and click on the name of the deployment to open the model deployment overview page.

Deployment overview
Deployment overview

Step 2: Go to External Access#

You can find the external access configuration by clicking on External access on the navigation menu on the left or scrolling down to the external access section.

Deployment external access
External access configuration

Step 3: Add or remove user groups#

In this section, you can add and remove user groups by clicking on edit external user groups and typing the group name in the text-free input field or selecting one of the existing ones in the dropdown list. After that, click on the save button to persist the changes.

Case sensitivity

Inference requests are authorized using a case-sensitive exact match between the group names of the user making the request and the group names granted access to the model deployment. Therefore, a user assigned to the group lab1 won't have access to a model deployment accessible by group LAB1.

Deployment external access
External access configuration

GUI (for external users)#

Step 1: Login with the external identity provider#

Navigate to Hopsworks, and click on the Login with button to sign in using the configured external identity provider (e.g., Keycloak in this example).

Login external identity provider
Login with External Identity Provider

Step 2: Explore the model deployments you are granted access to#

Once you sign in to Hopsworks, you can see the list of model deployments you are granted access to based on your assigned groups.

Deployments list
Deployments with external access

Step 2: Inspect your current groups#

You can find the current groups you are assigned to at the top of the page.

External user groups
External user groups

Step 3: Get an API key#

Inference requests to model deployments are authenticated and authorized based on your external user and user groups. You can create API keys to authenticate your inference requests by clicking on the Create API Key button.

Authorization header

API keys are set in the Authorization header following the format ApiKey <api-key-value>

Get API key
Get API key

Step 4: Send inference requests#

Depending on the type of model deployment, the URI of the model server can differ (e.g., /chat/completions for LLM deployments or /predict for traditional model deployments). You can find the corresponding URI on every model deployment card.

In addition to the Authorization header containing the API key, the Host header needs to be set according to the model deployment where the inference requests are sent to. This header is used by the ingress to route the inference requests to the corresponding model deployment. You can find the Host header value in the model deployment card.

Code snippets

For clients sending inference requests using libraries similar to curl or OpenAI API-compatible libraries (e.g., LangChain), you can find code snippet examples by clicking on the Curl >_ and LangChain >_ buttons.

Deployment endpoint
Deployment endpoint

Refreshing External User Groups#

Every time an external user signs in to Hopsworks using a pre-configured authentication method, Hopsworks fetches the external user groups and updates the internal state accordingly. Given that groups can be added/removed from users at any time by the Identity Provider, Hopsworks needs to periodically fetch the external user groups to keep the state updated.

Therefore, external users that want to access model deployments are required to login periodically to ensure they are still part of the allowed groups. The timespan between logins is controlled by the configuration parameter requireExternalUserLoginAfterHours available during the Hopsworks installation and upgrade.

The requireExternalUserLoginAfterHours configuration parameter controls the number of hours after which external users are required to sign in to Hopsworks to refresh their external user groups.

Configuring requireExternalUserLoginAfterHours

Allowed values are -1, 0 and greater than 0, where -1 disables the periodic login requirement and 0 disables external access completely for every model deployment.