Security

Secure Feast with SSL/TLS, Authentication and Authorization.

1. Overview

Overview of Feast's Security Methods.

Feast supports the following security methods:

  • SSL/TLS

  • Authentication

  • Authorization

Section 5 lists important notes to take note of when using Authentication and Authorization together.

2. SSL/TLS

Feast supports SSL/TLS encryption of inter-service communication between Core, Serving and the SDKs.

Configuring SSL/TLS on Core/Serving

SSL/TLS can be configured via the following properties in their corresponding application.yml files:

Configuration Property                   Description
grpc.server.security.enabled             Enables SSL/TLS functionality if true.
grpc.server.security.certificateChain    Path to the certificate chain.
grpc.server.security.privateKey          Path to the private key.

Read more on enabling SSL/TLS in the gRPC starter docs.

Configuring SSL/TLS on Python SDK/CLI

To enable SSL/TLS in the Feast Python SDK/CLI, the config options should be set via feast config:

Configuration Option       Description
core_enable_ssl            Enables SSL/TLS on connections to Feast Core if true.
serving_enable_ssl         Enables SSL/TLS on connections to Feast Serving if true.
core_server_ssl_cert       Optional. Path of the root certificate used to verify Core's identity. If omitted, the system certificates are used.
serving_server_ssl_cert    Optional. Path of the root certificate used to verify Serving's identity. If omitted, the system certificates are used.

The Python SDK automatically uses SSL/TLS when connecting to Feast Core/Serving via port 443.

Configuring SSL/TLS on Go SDK

Configure SSL/TLS on the Go SDK by passing configuration via SecurityConfig:

cli, err := feast.NewSecureGrpcClient("localhost", 6566, feast.SecurityConfig{
	EnableTLS:   true,
	TLSCertPath: "/path/to/cert.pem", // root certificate used to verify the server's identity
})
if err != nil {
	// handle the connection/configuration error before using cli
}

Config Option    Description
EnableTLS        Enables SSL/TLS when connecting to Feast if true.
TLSCertPath      Optional. Path of the root certificate used to verify the Feast Service's identity. If omitted, the system certificates are used.

Configuring SSL/TLS on Java SDK

Configure SSL/TLS on the Java SDK by passing configuration via SecurityConfig:

FeastClient client = FeastClient.createSecure("localhost", 6566,
SecurityConfig.newBuilder()
.setTLSEnabled(true)
.setCertificatePath(Optional.of("/path/to/cert.pem"))
.build());

Config Option           Description
setTLSEnabled()         Enables SSL/TLS when connecting to Feast if true.
setCertificatePath()    Optional. Sets the path of the root certificate used to verify the Feast Service's identity. If omitted, the system certificates are used.

3. Authentication

It is recommended that SSL/TLS be enabled before enabling authentication, to prevent man-in-the-middle attacks.

Authentication can be enabled to authenticate and identify client requests to Feast Core/Serving. Currently, Feast uses OpenID Connect (OIDC) ID tokens (e.g. Google OpenID Connect) to authenticate client requests.

Configuring Authentication in Core/Serving

Authentication can be configured for Core/Serving via properties in their corresponding application.yml:

Configuration Property                                 Description
feast.security.authentication.enabled                  Enables authentication functionality if true.
feast.security.authentication.provider                 Authentication Provider type. Currently only supports jwt.
feast.security.authentication.option.jwkEndpointURI    HTTPS URL used by Feast to retrieve the JWK used to verify OIDC ID tokens.

By default, jwkEndpointURI is set to retrieve Google's OIDC JWK, allowing OIDC ID tokens issued by Google to be used for authentication.

Behind the scenes, Feast Core/Serving authenticates a request by:

  • Extracting the OIDC ID token TOKEN from the gRPC metadata submitted with the request:

('authorization', 'Bearer: TOKEN')

  • Validating the token's signature using the JWK retrieved from the jwkEndpointURI, to ensure the token is authentic and was produced by the Authentication Provider.

Authenticating Serving with Core

Feast Serving needs to communicate with Core during normal operation. When both authentication and authorization are enabled on Core, Serving must authenticate its requests to Core. Otherwise, Serving fails to start with an authentication failure error when connecting to Core.

Properties used to configure Serving authentication via application.yml:

Configuration Property                 Description
feast.core-authentication.enabled      Indicates to Serving that it must authenticate when communicating with Feast Core.
feast.core-authentication.provider     Selects the provider that Serving uses to retrieve the credentials it authenticates to Core with. Valid providers are google and oauth.

Google Provider

Google Provider automatically extracts the credential from the credential JSON file.

OAuth Provider

OAuth Provider makes an OAuth client credentials request to obtain the credential. It requires the following options to be set under feast.security.core-authentication.options:

Configuration Property    Description
oauth_url                 Target URL to make the client credentials request to.
grant_type                OAuth grant type. Should be set to client_credentials.
client_id                 Client ID used in the client credentials request.
client_secret             Client secret used in the client credentials request.
audience                  Target audience of the credential. Should be set to the host URL of Core (e.g. https://localhost if Core listens on localhost).
jwkEndpointURI            HTTPS URL used to retrieve a JWK that can be used to decode the credential.

Enabling Authentication in Python SDK/CLI

Configure the Feast Python SDK/CLI to use authentication via feast config:

$ feast config set enable_auth true

Configuration Option    Description
enable_auth             Enables authentication functionality if set to true.
auth_provider           Use an authentication provider to obtain a credential for authentication. Currently supports google and oauth.
auth_token              Manually specify a static token for use in authentication. Overrules auth_provider if both are set.

Google Provider

Google Provider automatically finds and uses Google Credentials for authenticating requests:

  • Google Provider automatically uses the user's credentials for authenticating requests if the user has authenticated with the gcloud CLI via:

$ gcloud auth application-default login

  • Alternatively, the Google Provider can be configured to use a credentials JSON file via the GOOGLE_APPLICATION_CREDENTIALS environment variable:

$ export GOOGLE_APPLICATION_CREDENTIALS="path/to/key.json"

OAuth Provider

OAuth Provider makes an OAuth client credentials request to obtain the credential/token used to authenticate Feast requests. The OAuth provider requires the following config options to be set via feast config:

Configuration Property       Description
oauth_token_request_url      Target URL to make the client credentials request to.
oauth_grant_type             OAuth grant type. Should be set to client_credentials.
oauth_client_id              Client ID used in the client credentials request.
oauth_client_secret          Client secret used in the client credentials request.
oauth_audience               Target audience of the credential. Should be set to the host URL of the target Service (e.g. https://localhost if the Service listens on localhost).

Enabling Authentication in Go SDK

Configure the Feast Go SDK to use authentication by specifying a credential via SecurityConfig:

// error handling omitted.
// Use Google Credential as provider.
cred, _ := feast.NewGoogleCredential("localhost:6566")
cli, _ := feast.NewSecureGrpcClient("localhost", 6566, feast.SecurityConfig{
// Specify the credential to provide tokens for Feast Authentication.
Credential: cred,
})
Google Credential

Google Credential uses the Service Account credentials JSON file set via the GOOGLE_APPLICATION_CREDENTIALS environment variable to obtain tokens for authenticating Feast requests:

  • Export GOOGLE_APPLICATION_CREDENTIALS:

$ export GOOGLE_APPLICATION_CREDENTIALS="path/to/key.json"

  • Create the Google Credential with the target audience:

cred, _ := feast.NewGoogleCredential("localhost:6566")

The target audience of the credential should be set to the host URL of the target Service (e.g. https://localhost if the Service listens on localhost).

OAuth Credential

OAuth Credential makes an OAuth client credentials request to obtain the credential/token used to authenticate Feast requests:

  • Create the OAuth Credential with parameters:

cred := feast.NewOAuthCredential("localhost:6566", "client_id", "secret", "https://oauth.endpoint/auth")

Parameter       Description
audience        Target audience of the credential. Should be set to the host URL of the target Service (e.g. https://localhost if the Service listens on localhost).
clientId        Client ID used in the client credentials request.
clientSecret    Client secret used in the client credentials request.
endpointURL     Target URL to make the client credentials request to.

Enabling Authentication in Java SDK

Configure the Feast Java SDK to use authentication by setting credentials via SecurityConfig:

// Use GoogleAuthCredentials as the provider.
CallCredentials credentials = new GoogleAuthCredentials(
    Map.of("audience", "localhost:6566"));
FeastClient client = FeastClient.createSecure("localhost", 6566,
    SecurityConfig.newBuilder()
        // Specify the credentials that provide tokens for Feast Authentication.
        .setCredentials(Optional.of(credentials))
        .build());
GoogleAuthCredentials

GoogleAuthCredentials uses the Service Account credentials JSON file set via the GOOGLE_APPLICATION_CREDENTIALS environment variable to obtain tokens for authenticating Feast requests:

  • Export GOOGLE_APPLICATION_CREDENTIALS:

$ export GOOGLE_APPLICATION_CREDENTIALS="path/to/key.json"

  • Create the GoogleAuthCredentials with the target audience:

CallCredentials credentials = new GoogleAuthCredentials(
    Map.of("audience", "localhost:6566"));

The target audience of the credentials should be set to the host URL of the target Service (e.g. https://localhost if the Service listens on localhost).

OAuthCredentials

OAuthCredentials makes an OAuth client credentials request to obtain the credential/token used to authenticate Feast requests:

  • Create the OAuthCredentials with parameters:

CallCredentials credentials = new OAuthCredentials(Map.of(
    "audience", "localhost:6566",
    "grant_type", "client_credentials",
    "client_id", "some_id",
    "client_secret", "secret",
    "oauth_url", "https://oauth.endpoint/auth",
    "jwkEndpointURI", "https://jwk.endpoint/jwk"));

Parameter         Description
audience          Target audience of the credential. Should be set to the host URL of the target Service (e.g. https://localhost if the Service listens on localhost).
grant_type        OAuth grant type. Should be set to client_credentials.
client_id         Client ID used in the client credentials request.
client_secret     Client secret used in the client credentials request.
oauth_url         Target URL to make the client credentials request to in order to obtain the credential.
jwkEndpointURI    HTTPS URL used to retrieve a JWK that can be used to decode the credential.

4. Authorization

Authorization requires authentication to be configured, since it needs the authenticated user identity to authorize requests.

Authorization provides access control to FeatureSets/Features based on project membership. Users that are members of a project are authorized to:

  • Create/Update a Feature Set in the Project.

  • Retrieve Feature Values for Features in that Project.

Authorization API/Server

Feast Authorization Flow

Feast delegates authorization decisions to an external Authorization Server that implements the Authorization Open API specification.

  • Feast checks whether a user is authorized to make a request by sending a checkAccessRequest to the Authorization Server.

  • The Authorization Server should return an AuthorizationResult stating whether the user is allowed to make the request.

Authorization can be configured for Core/Serving via properties in their corresponding application.yml:

Configuration Property                                Description
feast.security.authorization.enabled                  Enables authorization functionality if true.
feast.security.authorization.provider                 Authorization Provider type. Currently only supports http.
feast.security.authorization.option.authorizationUrl  URL endpoint of the Authorization Server to send check access requests to.
feast.security.authorization.option.subjectClaim      Optional. Name of the claim to extract from the ID token and include in the check access request as the Subject.

The example Authorization Server built with Keto can be used as a reference implementation of an Authorization Server that Feast supports.

5. Authentication & Authorization

Things to note when using Authentication & Authorization:

  • Enabling Authentication without Authorization makes authentication optional. Users can still make requests unauthenticated.

  • Enabling Authorization forces all requests made to be authenticated. Requests that are not authenticated are dropped.