In v0.7, Feast Core no longer accepts names that start with a number (0-9) or that contain a dash for:
Project
Feature Set
Entities
Features
Migrate all project, feature set, entity and feature names:
Recreate any name containing '-' with each '-' replaced by '_'.
Recreate any name that has a number (0-9) as its first character under a name that does not.
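A way to plan this rename before recreating anything, as an added example that is not part of the Feast documentation or code base. The function name and the sample names are constructed; it assumes you run it once per scope (for example, once over the feature set names of a single project), and it also reports the case the rule above can produce silently: two existing names that become identical once '-' is replaced by '_'.

```python
import re

LEADING_DIGIT = re.compile(r"^[0-9]")

# Constructed sample: names as they might exist in a pre-0.7 deployment.
SAMPLE_NAMES = [
    "driver-stats",
    "driver_stats",
    "2020_trips",
    "customer",
    "order-value",
    "7-day-avg",
]


def plan_renames(names):
    """Plan the v0.7 name migration for one scope.

    Returns (renames, manual, collisions):
      renames    {old: new} where replacing '-' with '_' is enough
      manual     names starting with 0-9; a person has to pick the new name
      collisions {new: [old, ...]} where several names map to the same name
    """
    renames, manual, targets = {}, [], {}
    for name in names:
        candidate = name.replace("-", "_")
        if LEADING_DIGIT.match(candidate):
            # The page gives no mechanical rule for these, so do not guess one.
            manual.append(name)
            continue
        targets.setdefault(candidate, []).append(name)
        if candidate != name:
            renames[name] = candidate
    collisions = {new: olds for new, olds in targets.items() if len(olds) > 1}
    # A colliding rename would overwrite or merge with an existing object:
    # take it out of the automatic plan so it is resolved by hand.
    for olds in collisions.values():
        for old in olds:
            renames.pop(old, None)
    return renames, sorted(manual), collisions


if __name__ == "__main__":
    renames, manual, collisions = plan_renames(SAMPLE_NAMES)
    print("rename:", renames)
    print("choose a new name by hand:", manual)
    print("collisions to resolve first:", collisions)
```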
Feast now prevents feature sets from being applied if no store is subscribed to that Feature Set.
Ensure that a store is configured to subscribe to the Feature Set before applying the Feature Set.
In v0.7, Feast Core's Job Coordinator has been decoupled from Feast Core and runs as a separate Feast Job Controller application. See its Configuration reference for how to configure Feast Job Controller.
Ingestion Job API
In v0.7, the following changes are made to the Ingestion Job API:
Changed List Ingestion Job API to return list of FeatureSetReference instead of list of FeatureSet in response.
Moved ListIngestionJobs, StopIngestionJob, RestartIngestionJob calls from CoreService to JobControllerService.
Python SDK/CLI: Added new Job Controller client and jobcontroller_url config option.
Users of the Ingestion Job API via gRPC should migrate by:
Add new client to connect to Job Controller endpoint to call JobControllerService and call ListIngestionJobs, StopIngestionJob, RestartIngestionJob from new client.
Migrate code to accept feature references instead of feature sets returned in ListIngestionJobs response.
Users of Ingestion Job via Python SDK (ie feast ingest-jobs list or client.stop_ingest_job() etc.) should migrate by:
ingest_job() methods only: Create a new separate Job Controller client to connect to the job controller and call ingest_job() methods using the new client.
Configure the Feast Job Controller endpoint url via jobcontroller_url config option.
Rename feast.jobs.consolidate-jobs-per-source property to feast.jobs.controller.consolidate-jobs-per-sources
Rename feast.security.authorization.options.subjectClaim to feast.security.authentication.options.subjectClaim
Rename feast.logging.audit.messageLoggingEnabled to feast.audit.messageLogging.enabled
In Release 0.6 we introduced Flyway to handle schema migrations in PostgreSQL. Flyway is integrated into core, and from now on all migrations will be run automatically on core start. It uses the table flyway_schema_history in the same database (also created automatically) to keep track of already applied migrations, so no specific maintenance should be needed.
If you already have an existing deployment of Feast 0.5, Flyway will detect the existing tables and omit the first baseline migration.
After core has started, flyway_schema_history should look like this:
In this release the following major schema changes were made:
Source is not shared between FeatureSets anymore. It has changed to a 1:1 relation, and the source's primary key is now an auto-incremented number.
Due to the generalization of Source, the sources.topics and sources.bootstrap_servers columns were deprecated. They will be replaced with sources.config. Data migration is handled by code when the respective Source is used. topics and bootstrap_servers will be deleted in the next release.
Job (table jobs) is no longer connected to Source (table sources), since it uses a consolidated source for optimization purposes. All data required by Job is embedded in its table.
New Models (tables):
feature_statistics
Minor changes:
FeatureSet has a new column version (see proto for details).
The connecting table jobs_feature_sets, in the many-to-many relation between jobs and feature sets, now has version and delivery_status.
For all versions earlier than 0.5, seamless migration is not feasible due to earlier breaking changes, and creation of a new database will be required.
Since the database will be empty, the first (baseline) migration will be applied:
This page applies to Feast 0.7. The content may be out of date for Feast 0.8+
Feast Components export metrics that can provide insight into Feast behavior:
See the Metrics Reference for documentation on the metrics exported by Feast.
Feast Job Controller currently does not export any metrics on its own. However, its application.yml is used to configure metrics export for ingestion jobs.
Feast Ingestion Job can be configured to push Ingestion metrics to a StatsD instance. Metrics export to StatsD for Ingestion Job is configured in Job Controller's application.yml under feast.jobs.metrics
If you need Ingestion Metrics in Prometheus or some other metrics backend, use a metrics forwarder to forward Ingestion Metrics from StatsD to the metrics backend of choice. (ie Use prometheus-statsd-exporter to forward metrics to Prometheus).
Feast Core and Serving export metrics to a Prometheus instance via Prometheus scraping their /metrics endpoint. Metrics export to Prometheus for Core and Serving can be configured via their corresponding application.yml
Direct Prometheus to scrape directly from Core and Serving's /metrics endpoint.
Secure Feast with SSL/TLS, Authentication and Authorization.
Feast supports the following security methods:
Important considerations when integrating Authentication/Authorization.
Feast supports SSL/TLS encrypted inter-service communication among Feast Core, Feast Online Serving, and Feast SDKs.
The following properties configure SSL/TLS. These properties are located in their corresponding application.yml files:
Read more on enabling SSL/TLS in the gRPC starter docs.
To enable SSL/TLS in the Feast Python SDK or Feast CLI, set the config options via feast config:
The Python SDK automatically uses SSL/TLS when connecting to Feast Core and Feast Online Serving via port 443.
Configure SSL/TLS on the Go SDK by passing configuration via SecurityConfig:
Configure SSL/TLS on the Feast Java SDK by passing configuration via SecurityConfig:
To prevent man in the middle attacks, we recommend that SSL/TLS be implemented prior to authentication.
Authentication can be implemented to identify and validate client requests to Feast Core and Feast Online Serving. Currently, Feast uses Open ID Connect (OIDC) ID tokens (i.e. Google Open ID Connect) to authenticate client requests.
Authentication can be configured for Feast Core and Feast Online Serving via properties in their corresponding application.yml files:
jwkEndpointURI is set to retrieve Google's OIDC JWK by default, allowing OIDC ID tokens issued by Google to be used for authentication.
Behind the scenes, Feast Core and Feast Online Serving authenticate by:
Extracting the OIDC ID token TOKEN from the gRPC metadata submitted with the request:
Validating the token's authenticity using the JWK retrieved from the jwkEndpointURI
Feast Online Serving communicates with Feast Core during normal operation. When both authentication and authorization are enabled on Feast Core, Feast Online Serving is forced to authenticate its requests to Feast Core. Otherwise, Feast Online Serving produces an Authentication failure error when connecting to Feast Core.
Properties used to configure Serving authentication via application.yml:
Google Provider automatically extracts the credential from the credential JSON file.
Set GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the credential in the JSON file.
OAuth Provider makes an OAuth client credentials request to obtain the credential. OAuth requires the following options to be set under feast.security.core-authentication.options:
Configure the Feast Python SDK and Feast CLI to use authentication via feast config:
Google Provider automatically finds and uses Google Credentials to authenticate requests:
Google Provider automatically uses established credentials for authenticating requests if you are already authenticated with the gcloud CLI via:
Alternatively, Google Provider can be configured to use the credentials in the JSON file via the GOOGLE_APPLICATION_CREDENTIALS environment variable (Google Cloud Authentication documentation):
OAuth Provider makes an OAuth client credentials request to obtain the credential/token used to authenticate Feast requests. The OAuth provider requires the following config options to be set via feast config:
Configure the Feast Java SDK to use authentication by specifying the credential via SecurityConfig:
Google Credential uses the Service Account credentials JSON file set via the GOOGLE_APPLICATION_CREDENTIALS environment variable (Google Cloud Authentication documentation) to obtain tokens for authenticating Feast requests:
Exporting GOOGLE_APPLICATION_CREDENTIALS
Create a Google Credential with target audience.
Target audience of the credential should be set to host URL of target Service. (ie https://localhost if Service listens on localhost):
OAuth Credential makes an OAuth client credentials request to obtain the credential/token used to authenticate Feast requests:
Create OAuth Credential with parameters:
Configure the Feast Java SDK to use authentication by setting credentials via SecurityConfig:
GoogleAuthCredentials uses the Service Account credentials JSON file set via the GOOGLE_APPLICATION_CREDENTIALS environment variable (Google Cloud authentication documentation) to obtain tokens for authenticating Feast requests:
Exporting GOOGLE_APPLICATION_CREDENTIALS
Create a Google Credential with target audience.
Target audience of the credentials should be set to host URL of target Service. (ie https://localhost if Service listens on localhost):
OAuthCredentials makes an OAuth client credentials request to obtain the credential/token used to authenticate Feast requests:
Create OAuthCredentials with parameters:
Authorization requires that authentication be configured to obtain a user identity for use in authorizing requests.
Authorization provides access control to FeatureTables and/or Features based on project membership. Users who are members of a project are authorized to:
Create and/or Update a Feature Table in the Project.
Retrieve Feature Values for Features in that Project.
Feast delegates Authorization grants to an external Authorization Server that implements the Authorization Open API specification.
Feast checks whether a user is authorized to make a request by making a checkAccessRequest to the Authorization Server.
The Authorization Server should return an AuthorizationResult stating whether the user is allowed to make the request.
Authorization can be configured for Feast Core and Feast Online Serving via properties in their corresponding application.yml
This example of the Authorization Server with Keto can be used as a reference implementation for implementing an Authorization Server that Feast supports.
When using Authentication & Authorization, consider:
Enabling Authentication without Authorization makes authentication optional. You can still send unauthenticated requests.
Enabling Authorization forces all requests to be authenticated. Requests that are not authenticated are dropped.
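The considerations above, together with the TLS-before-authentication recommendation and the Serving-to-Core requirement stated earlier, can be checked mechanically before a deployment. The following is an added example, not code from Feast: the function names, finding codes and sample values are constructed, and it assumes each component's application.yml has already been flattened into a dict of dotted property names. The property names are the ones on this page; where the page spells a key two ways, the example accepts both.

```python
def _get(props, *keys, default=None):
    """Return the value of the first key present in props."""
    for key in keys:
        if key in props:
            return props[key]
    return default


def _on(props, *keys):
    """True if the property is the boolean True or the string 'true'."""
    return str(_get(props, *keys, default=False)).lower() == "true"


def audit(core, serving):
    """Return (component, finding) pairs for Core and Online Serving settings."""
    findings = []
    for name, props in (("core", core), ("serving", serving)):
        tls = _on(props, "grpc.server.security.enabled")
        authn = _on(props, "feast.security.authentication.enabled")
        authz = _on(props, "feast.security.authorization.enabled")
        jwk = _get(props,
                   "feast.security.authentication.options.jwkEndpointURI",
                   "feast.security.authentication.option.jwkEndpointURI")
        if authn and not tls:
            # ID tokens would cross the network unencrypted.
            findings.append((name, "TOKEN_WITHOUT_TLS"))
        if authn and not authz:
            # Authentication alone still admits unauthenticated requests.
            findings.append((name, "AUTHN_OPTIONAL"))
        if authz and not authn:
            # Authorization needs a user identity from authentication.
            findings.append((name, "AUTHZ_NEEDS_AUTHN"))
        if jwk is not None and not str(jwk).lower().startswith("https://"):
            findings.append((name, "JWK_NOT_HTTPS"))
    # Core with both checks enabled rejects a Serving that does not authenticate.
    if (_on(core, "feast.security.authentication.enabled")
            and _on(core, "feast.security.authorization.enabled")
            and not _on(serving, "feast.security.core-authentication.enabled",
                        "feast.core-authentication.enabled")):
        findings.append(("serving", "CORE_AUTH_MISSING"))
    return findings


# Constructed sample settings; idp.example.com is a placeholder host.
CORE = {
    "grpc.server.security.enabled": True,
    "feast.security.authentication.enabled": True,
    "feast.security.authorization.enabled": True,
    "feast.security.authentication.options.jwkEndpointURI": "https://idp.example.com/jwks",
}
SERVING = {
    "grpc.server.security.enabled": False,
    "feast.security.authentication.enabled": "true",
    "feast.security.authentication.option.jwkEndpointURI": "http://idp.example.com/jwks",
}

if __name__ == "__main__":
    for component, finding in audit(CORE, SERVING):
        print(component, finding)
```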
If at any point in time you cannot resolve a problem, please see the section for reaching out to the Feast community.
The containers should be in an up state:
All services should either be in a RUNNING state or COMPLETED state:
First locate the host and port of the Feast Services.
You will probably need to connect using the hostnames of services and standard Feast ports:
You will probably need to connect using localhost and standard ports:
You will need to find the external IP of one of the nodes as well as the NodePorts. Please make sure that your firewall is open for these ports:
Use grpc_cli to test connectivity by listing the gRPC methods exposed by Feast services:
Feast will typically have three services that you need to monitor if something goes wrong.
Feast Core
Feast Job Controller
Feast Serving (Online)
Feast Serving (Batch)
In order to print the logs from these services, please run the commands below.
Use docker-compose logs to obtain Feast component logs:
Use kubectl logs to obtain Feast component logs:
Feast provides audit logging functionality in order to debug problems and to trace the lineage of events.
Audit Logs produced by Feast come in three flavors:
Audit Logs produced by Feast are written to the console similar to normal logs but in a structured, machine parsable JSON. Example of a Message Audit Log JSON entry produced:
Fields common to all Audit Log Types:
Fields in Message Audit Log Type
Fields in Action Audit Log Type
Fields in Transition Audit Log Type
Feast currently only supports forwarding Request/Response (Message Audit Log Type) logs to an external Fluentd service with the feast.** Fluentd tag.
The Fluentd Log Forwarder is configured with the following configuration options in application.yml:
When using Fluentd as the Log forwarder, a Feast release_name can be logged instead of the IP address (eg. IP of Kubernetes pod deployment), by setting an environment variable RELEASE_NAME when deploying Feast.
netcat, telnet, or even curl can be used to test whether all services are available and ports are open, but grpc_cli is the most powerful. It can be installed from .
Configuration Property | Description |
grpc.server.security.enabled | Enables SSL/TLS functionality if true |
grpc.server.security.certificateChain | Provide the path to certificate chain. |
grpc.server.security.privateKey | Provide the path to private key. |
Configuration Option | Description |
core_enable_ssl | Enables SSL/TLS functionality on connections to Feast core if true |
serving_enable_ssl | Enables SSL/TLS functionality on connections to Feast Online Serving if true |
core_server_ssl_cert | Optional. Specifies the path of the root certificate used to verify Core Service's identity. If omitted, uses system certificates. |
serving_server_ssl_cert | Optional. Specifies the path of the root certificate used to verify Serving Service's identity. If omitted, uses system certificates. |
Config Option | Description |
EnableTLS | Enables SSL/TLS functionality when connecting to Feast if true |
TLSCertPath | Optional. Provides the path of the root certificate used to verify Feast Service's identity. If omitted, uses system certificates. |
Config Option | Description |
setTLSEnabled() | Enables SSL/TLS functionality when connecting to Feast if true |
setCertificatesPath() | Optional. Set the path of the root certificate used to verify Feast Service's identity. If omitted, uses system certificates. |
Configuration Property | Description |
feast.security.authentication.enabled | Enables Authentication functionality if true |
feast.security.authentication.provider | Authentication Provider type. Currently only supports jwt |
feast.security.authentication.option.jwkEndpointURI | HTTPS URL used by Feast to retrieve the JWK used to verify OIDC ID tokens. |
Configuration Property | Description |
feast.core-authentication.enabled | Requires Feast Online Serving to authenticate when communicating with Feast Core. |
feast.core-authentication.provider | Selects provider Feast Online Serving uses to retrieve credentials then used to authenticate requests to Feast Core. Valid providers are google and oauth. |
Configuration Property | Description |
oauth_url | Target URL receiving the client-credentials request. |
grant_type | OAuth grant type. Set as client_credentials |
client_id | Client Id used in the client-credentials request. |
client_secret | Client secret used in the client-credentials request. |
audience | Target audience of the credential. Set to host URL of Feast Core. (i.e. https://localhost if Feast Core listens on localhost). |
jwkEndpointURI | HTTPS URL used to retrieve a JWK that can be used to decode the credential. |
Configuration Option | Description |
enable_auth | Enables authentication functionality if set to true. |
auth_provider | Use an authentication provider to obtain a credential for authentication. Currently supports google and oauth. |
auth_token | Manually specify a static token for use in authentication. Overrules auth_provider if both are set. |
Configuration Property | Description |
oauth_token_request_url | Target URL receiving the client-credentials request. |
oauth_grant_type | OAuth grant type. Set as client_credentials |
oauth_client_id | Client Id used in the client-credentials request. |
oauth_client_secret | Client secret used in the client-credentials request. |
oauth_audience | Target audience of the credential. Set to host URL of target Service. (https://localhost if Service listens on localhost). |
Parameter | Description |
audience | Target audience of the credential. Set to host URL of target Service. (https://localhost if Service listens on localhost). |
clientId | Client Id used in the client-credentials request. |
clientSecret | Client secret used in the client-credentials request. |
endpointURL | Target URL to make the client-credentials request to. |
Parameter | Description |
audience | Target audience of the credential. Set to host URL of target Service. (https://localhost if Service listens on localhost). |
grant_type | OAuth grant type. Set as client_credentials |
client_id | Client Id used in the client-credentials request. |
client_secret | Client secret used in the client-credentials request. |
oauth_url | Target URL to make the client-credentials request to obtain credential. |
jwkEndpointURI | HTTPS URL used to retrieve a JWK that can be used to decode the credential. |
Configuration Property | Description |
feast.security.authorization.enabled | Enables authorization functionality if true. |
feast.security.authorization.provider | Authentication Provider type. Currently only supports http |
feast.security.authorization.option.authorizationUrl | URL endpoint of Authorization Server to make check access requests to. |
feast.security.authorization.option.subjectClaim | Optional. Name of the claim to extract from the ID Token to include in the check access request as Subject. |
Audit Log Type | Description |
Message Audit Log | Logs service calls that can be used to track Feast request handling. Currently only gRPC request/response is supported. Enabling Message Audit Logs can be resource intensive and significantly increase latency, as such is not recommended on Online Serving. |
Transition Audit Log | Logs transitions in status in resources managed by Feast (ie an Ingestion Job becoming RUNNING). |
Action Audit Log | Logs actions performed on a specific resource managed by Feast (ie an Ingestion Job is aborted). |
Audit Log Type | Description |
Message Audit Log | Enabled when both |
Transition Audit Log | Enabled when |
Action Audit Log | Enabled when |
Field | Description |
| Log Type. Always set to |
| Application. Always set to |
| Feast Component producing the Audit Log. Set to |
| Version of Feast producing this Audit Log. Use to filter Audit Logs by version. |
Field | Description |
| Generated UUID that uniquely identifies the service call. |
| Name of the Service that handled the service call. |
| Name of the Method that handled the service call. Useful for filtering Audit Logs by method (ie |
| Full request submitted by client in the service call as JSON. |
| Full response returned to client by the service after handling the service call as JSON. |
| Identity of the client making the service call as a user Id. Only set when Authentication is enabled. |
| The status code returned by the service handling the service call (ie |
Field | Description |
| Name of the action taken on the resource. |
| Type of resource of which the action was taken on (i.e |
resource.id | Identifier specifying the specific resource of which the action was taken on. |
Field | Description |
| The new status that the resource transitioned to |
| Type of resource of which the transition occurred (i.e |
| Identifier specifying the specific resource of which the transition occurred. |
Settings | Description |
|
|
|
|
|
|