LogoLogo
v0.11-branch
v0.11-branch
  • Introduction
  • Quickstart
  • Getting started
    • Install Feast
    • Create a feature repository
    • Deploy a feature store
    • Build a training dataset
    • Load data into the online store
    • Read features from the online store
  • Community
  • Roadmap
  • Changelog
  • Concepts
    • Overview
    • Feature view
    • Data model
    • Online store
    • Offline store
    • Provider
    • Architecture
  • Reference
    • Data sources
      • BigQuery
      • File
    • Offline stores
      • File
      • BigQuery
    • Online stores
      • SQLite
      • Redis
      • Datastore
    • Providers
      • Local
      • Google Cloud Platform
    • Feature repository
      • feature_store.yaml
      • .feastignore
    • Feast CLI reference
    • Python API reference
    • Usage
  • Feast on Kubernetes
    • Getting started
      • Install Feast
        • Docker Compose
        • Kubernetes (with Helm)
        • Amazon EKS (with Terraform)
        • Azure AKS (with Helm)
        • Azure AKS (with Terraform)
        • Google Cloud GKE (with Terraform)
        • IBM Cloud Kubernetes Service (IKS) and Red Hat OpenShift (with Kustomize)
      • Connect to Feast
        • Python SDK
        • Feast CLI
      • Learn Feast
    • Concepts
      • Overview
      • Architecture
      • Entities
      • Sources
      • Feature Tables
      • Stores
    • Tutorials
      • Minimal Ride Hailing Example
    • User guide
      • Overview
      • Getting online features
      • Getting training features
      • Define and ingest features
      • Extending Feast
    • Reference
      • Configuration Reference
      • Feast and Spark
      • Metrics Reference
      • Limitations
      • API Reference
        • Go SDK
        • Java SDK
        • Core gRPC API
        • Python SDK
        • Serving gRPC API
        • gRPC Types
    • Advanced
      • Troubleshooting
      • Metrics
      • Audit Logging
      • Security
      • Upgrading Feast
  • Contributing
    • Contribution process
    • Development guide
    • Versioning policy
    • Release process
Powered by GitBook
On this page
  • Overview
  • SSL/TLS
  • Configuring SSL/TLS on Feast Core and Feast Serving
  • Configuring SSL/TLS on Python SDK/CLI
  • Configuring SSL/TLS on Go SDK
  • Configuring SSL/TLS on Java SDK
  • Authentication
  • Configuring Authentication in Feast Core and Feast Online Serving
  • Authenticating Serving with Feast Core
  • Enabling Authentication in Python SDK/CLI
  • Enabling Authentication in Go SDK
  • Enabling Authentication in Java SDK
  • Authorization
  • Authorization API/Server
  • Authentication & Authorization

Was this helpful?

Edit on Git
Export as PDF
  1. Feast on Kubernetes
  2. Advanced

Security

Secure Feast with SSL/TLS, Authentication and Authorization.

PreviousAudit LoggingNextUpgrading Feast

Last updated 3 years ago

Was this helpful?

This page applies to Feast 0.7. The content may be out of date for Feast 0.8+

Overview

Feast supports the following security methods:

SSL/TLS

Feast supports SSL/TLS encrypted inter-service communication among Feast Core, Feast Online Serving, and Feast SDKs.

Configuring SSL/TLS on Feast Core and Feast Serving

The following properties configure SSL/TLS. These properties are located in their corresponding application.ymlfiles:

Configuration Property

Description

grpc.server.security.enabled

Enables SSL/TLS functionality if true

grpc.server.security.certificateChain

Provide the path to certificate chain.

grpc.server.security.privateKey

Provide the to private key.

Configuring SSL/TLS on Python SDK/CLI

Configuration Option

Description

core_enable_ssl

Enables SSL/TLS functionality on connections to Feast core if true

serving_enable_ssl

Enables SSL/TLS functionality on connections to Feast Online Serving if true

core_server_ssl_cert

Optional. Specifies the path of the root certificate used to verify Core Service's identity. If omitted, uses system certificates.

serving_server_ssl_cert

Optional. Specifies the path of the root certificate used to verify Serving Service's identity. If omitted, uses system certificates.

The Python SDK automatically uses SSL/TLS when connecting to Feast Core and Feast Online Serving via port 443.

Configuring SSL/TLS on Go SDK

cli, err := feast.NewSecureGrpcClient("localhost", 6566, feast.SecurityConfig{
    EnableTLS: true,
         TLSCertPath: "/path/to/cert.pem",
})Option

Config Option

Description

EnableTLS

Enables SSL/TLS functionality when connecting to Feast if true

TLSCertPath

Optional. Provides the path of the root certificate used to verify Feast Service's identity. If omitted, uses system certificates.

Configuring SSL/TLS on Java SDK

FeastClient client = FeastClient.createSecure("localhost", 6566, 
    SecurityConfig.newBuilder()
      .setTLSEnabled(true)
      .setCertificatePath(Optional.of("/path/to/cert.pem"))
      .build());

Config Option

Description

setTLSEnabled()

Enables SSL/TLS functionality when connecting to Feast if true

setCertificatesPath()

Optional. Set the path of the root certificate used to verify Feast Service's identity. If omitted, uses system certificates.

Authentication

To prevent man in the middle attacks, we recommend that SSL/TLS be implemented prior to authentication.

Configuring Authentication in Feast Core and Feast Online Serving

Authentication can be configured for Feast Core and Feast Online Serving via properties in their corresponding application.yml files:

Configuration Property

Description

feast.security.authentication.enabled

Enables Authentication functionality if true

feast.security.authentication.provider

Authentication Provider type. Currently only supports jwt

feast.security.authentication.option.jwkEndpointURI

jwkEndpointURIis set to retrieve Google's OIDC JWK by default, allowing OIDC ID tokens issued by Google to be used for authentication.

Behind the scenes, Feast Core and Feast Online Serving authenticate by:

  • Extracting the OIDC ID token TOKENfrom gRPC metadata submitted with request:

('authorization', 'Bearer: TOKEN')
  • Validates token's authenticity using the JWK retrieved from the jwkEndpointURI

Authenticating Serving with Feast Core

Feast Online Serving communicates with Feast Core during normal operation. When both authentication and authorization are enabled on Feast Core, Feast Online Serving is forced to authenticate its requests to Feast Core. Otherwise, Feast Online Serving produces an Authentication failure error when connecting to Feast Core.

Properties used to configure Serving authentication via application.yml:

Configuration Property

Description

feast.core-authentication.enabled

Requires Feast Online Serving to authenticate when communicating with Feast Core.

feast.core-authentication.provider

Selects provider Feast Online Serving uses to retrieve credentials then used to authenticate requests to Feast Core. Valid providers are google and oauth.

Google Provider automatically extracts the credential from the credential JSON file.

Configuration Property

Description

oauth_url

Target URL receiving the client-credentials request.

grant_type

OAuth grant type. Set as client_credentials

client_id

Client Id used in the client-credentials request.

client_secret

Client secret used in the client-credentials request.

audience

Target audience of the credential. Set to host URL of Feast Core.

(i.e. https://localhost if Feast Core listens on localhost).

jwkEndpointURI

HTTPS URL used to retrieve a JWK that can be used to decode the credential.

Enabling Authentication in Python SDK/CLI

$ feast config set enable_auth true

Configuration Option

Description

enable_auth

Enables authentication functionality if set to true.

auth_provider

Use an authentication provider to obtain a credential for authentication. Currently supports google and oauth.

auth_token

Manually specify a static token for use in authentication. Overrules auth_provider if both are set.

Google Provider automatically finds and uses Google Credentials to authenticate requests:

  • Google Provider automatically uses established credentials for authenticating requests if you are already authenticated with the gcloud CLI via:

$ gcloud auth application-default login
$ export GOOGLE_APPLICATION_CREDENTIALS="path/to/key.json"

Configuration Property

Description

oauth_token_request_url

Target URL receiving the client-credentials request.

oauth_grant_type

OAuth grant type. Set as client_credentials

oauth_client_id

Client Id used in the client-credentials request.

oauth_client_secret

Client secret used in the client-credentials request.

oauth_audience

Target audience of the credential. Set to host URL of target Service.

(https://localhost if Service listens on localhost).

Enabling Authentication in Go SDK

// error handling omitted.
// Use Google Credential as provider.
cred, _ := feast.NewGoogleCredential("localhost:6566")
cli, _ := feast.NewSecureGrpcClient("localhost", 6566, feast.SecurityConfig{
  // Specify the credential to provide tokens for Feast Authentication.  
    Credential: cred, 
})
  • Exporting GOOGLE_APPLICATION_CREDENTIALS

$ export GOOGLE_APPLICATION_CREDENTIALS="path/to/key.json"
  • Create a Google Credential with target audience.

cred, _ := feast.NewGoogleCredential("localhost:6566")

Target audience of the credential should be set to host URL of target Service. (ie https://localhost if Service listens on localhost):

  • Create OAuth Credential with parameters:

cred := feast.NewOAuthCredential("localhost:6566", "client_id", "secret", "https://oauth.endpoint/auth")

Parameter

Description

audience

Target audience of the credential. Set to host URL of target Service.

( https://localhost if Service listens on localhost).

clientId

Client Id used in the client-credentials request.

clientSecret

Client secret used in the client-credentials request.

endpointURL

Target URL to make the client-credentials request to.

Enabling Authentication in Java SDK

// Use GoogleAuthCredential as provider.
CallCredentials credentials = new GoogleAuthCredentials(
    Map.of("audience", "localhost:6566"));

FeastClient client = FeastClient.createSecure("localhost", 6566, 
    SecurityConfig.newBuilder()
      // Specify the credentials to provide tokens for Feast Authentication.  
      .setCredentials(Optional.of(creds))
      .build());
  • Exporting GOOGLE_APPLICATION_CREDENTIALS

$ export GOOGLE_APPLICATION_CREDENTIALS="path/to/key.json"
  • Create a Google Credential with target audience.

CallCredentials credentials = new GoogleAuthCredentials(
    Map.of("audience", "localhost:6566"));

Target audience of the credentials should be set to host URL of target Service. (ie https://localhost if Service listens on localhost):

  • Create OAuthCredentials with parameters:

CallCredentials credentials = new OAuthCredentials(Map.of(
  "audience": "localhost:6566",
  "grant_type", "client_credentials",
  "client_id", "some_id",
  "client_id", "secret",
  "oauth_url", "https://oauth.endpoint/auth",
  "jwkEndpointURI", "https://jwk.endpoint/jwk"));

Parameter

Description

audience

Target audience of the credential. Set to host URL of target Service.

( https://localhost if Service listens on localhost).

grant_type

OAuth grant type. Set as client_credentials

client_id

Client Id used in the client-credentials request.

client_secret

Client secret used in the client-credentials request.

oauth_url

Target URL to make the client-credentials request to obtain credential.

jwkEndpointURI

HTTPS URL used to retrieve a JWK that can be used to decode the credential.

Authorization

Authorization requires that authentication be configured to obtain a user identity for use in authorizing requests.

Authorization provides access control to FeatureTables and/or Features based on project membership. Users who are members of a project are authorized to:

  • Create and/or Update a Feature Table in the Project.

  • Retrieve Feature Values for Features in that Project.

Authorization API/Server

  • Feast checks whether a user is authorized to make a request by making a checkAccessRequest to the Authorization Server.

  • The Authorization Server should return a AuthorizationResult with whether the user is allowed to make the request.

Authorization can be configured for Feast Core and Feast Online Serving via properties in their corresponding application.yml

Configuration Property

Description

feast.security.authorization.enabled

Enables authorization functionality if true.

feast.security.authorization.provider

Authentication Provider type. Currently only supports http

feast.security.authorization.option.authorizationUrl

URL endpoint of Authorization Server to make check access requests to.

feast.security.authorization.option.subjectClaim

Optional. Name of the claim of the to extract from the ID Token to include in the check access request as Subject.

Authentication & Authorization

When using Authentication & Authorization, consider:

  • Enabling Authentication without Authorization makes authentication optional. You can still send unauthenticated requests.

  • Enabling Authorization forces all requests to be authenticated. Requests that are not authenticated are dropped.

.

Read more on enabling SSL/TLS in the

To enable SSL/TLS in the or , set the config options via feast config:

Configure SSL/TLS on the by passing configuration via SecurityConfig:

Configure SSL/TLS on the by passing configuration via SecurityConfig:

Authentication can be implemented to identify and validate client requests to Feast Core and Feast Online Serving. Currently, Feast uses ID tokens (i.e. ) to authenticate client requests.

HTTPS URL used by Feast to retrieved the used to verify OIDC ID tokens.

Set to the path of the credential in the JSON file.

OAuth Provider makes an OAuth request to obtain the credential. OAuth requires the following options to be set at feast.security.core-authentication.options.:

Configure the and to use authentication via feast config:

Alternatively Google Provider can be configured to use the credentials in the JSON file viaGOOGLE_APPLICATION_CREDENTIALS environmental variable ():

OAuth Provider makes an OAuth request to obtain the credential/token used to authenticate Feast requests. The OAuth provider requires the following config options to be set via feast config:

Configure the to use authentication by specifying the credential via SecurityConfig:

Google Credential uses Service Account credentials JSON file set viaGOOGLE_APPLICATION_CREDENTIALS environmental variable () to obtain tokens for Authenticating Feast requests:

OAuth Credential makes an OAuth request to obtain the credential/token used to authenticate Feast requests:

Configure the to use authentication by setting credentials via SecurityConfig:

GoogleAuthCredentials uses Service Account credentials JSON file set viaGOOGLE_APPLICATION_CREDENTIALS environmental variable () to obtain tokens for Authenticating Feast requests:

OAuthCredentials makes an OAuth request to obtain the credential/token used to authenticate Feast requests:

Feast delegates Authorization grants to an external Authorization Server that implements the .

This example of the can be used as a reference implementation for implementing an Authorization Server that Feast supports.

gRPC starter docs.
Feast Python SDK
Feast CLI
Go SDK
Feast Java SDK
Open ID Connect (OIDC)
Google Open ID Connect
GOOGLE_APPLICATION_CREDENTIALS environment variable
client credentials
Feast Python SDK
Feast CLI
Google Cloud Authentication documentation
client credentials
Feast Java SDK
Google Cloud Authentication documentation
client credentials
Feast Java SDK
Google Cloud authentication documentation
client credentials
Authorization Open API specification
Authorization Server with Keto
SSL/TLS on messaging between Feast Core, Feast Online Serving and Feast SDKs.
Authentication to Feast Core and Serving based on Open ID Connect ID tokens.
Authorization based on project membership and delegating authorization grants to external Authorization Server.
Important considerations when integrating Authentication/Authorization
JWK
Overview of Feast's Security Methods.
Feast Authorization Flow