Identity and Access Management
As Hazy's use cases often involves confidential data, robust access control management is required to ensure only the rightful party can access specific resources.
Currently, Hazy supports Role-based access control (RBAC), allowing for fine-grained configuration of different roles for its platform users.
User management and access control is configured via Keycloak, our chosen Identity and Access Management (IAM) server running in conjuction with the hub. Keycloak can be installed in both Hazy Single container and Distributed architecture deployments. Please refer to Hazy's Keycloak installation page for more details on setup.
Identity Management¶
Keycloak provides several identify providers, including:
- User federations from LDAP and Active Directory.
- OIDC
- SAML
These can be configured within Keycloak. Please refer to Keycloak documentaion for details on identify management setup.
Access Management¶
Hazy uses the OAuth2.0 to limit user's access to resources.
In the context of OIDC, there are typically 2 clients at play for a normal UI session. The UI context within the web browser acts as one OAuth client, named hazy-hub-frontend. The backend hub web server acts as the second client, named hazy-hub-backend. The OAuth mechanism is used to enable the user to provide, via login through keycloak (and possibly in turn a downstream idP such as Active Directory) a token to the Hazy frontend (SPA) web application which can be used to ensure actions that take place in the backend are authorised.
Moreover, the use of scopes are used to provide access to specific functionality within the context of Hazy. In short, scopes are privileges to resources that the Hazy platform gains on-behalf-of the user who is currently signed in. Please refer to OAuth2.0 Scopes for more details on the scope mechanism.
The Hub backend will verify incoming tokens to ensure the necessary scopes have been issued before handling the request. The required scopes for an operation in Hazy are not configrable but it is possible to adjust the mapping of roles to enabled scopes on a per user and/or client basis within keycloak.
The default hazy realm in the Hazy-provided keycloak image is pre-configured a set of recommended roles and mappings from those roles to client scopes.
The following scopes and roles are preconfigured upon a Hazy install:
| Object | Action | Scope | Role |
|---|---|---|---|
| Project | Create | hazy:Project:Create | hazy:ProjectAuthor |
| Project | Update | hazy:Project:Update | hazy:ProjectAuthor |
| Project | Read | hazy:Project:Read | hazy:ProjectViewer |
| Project | Delete | hazy:Project:Delete | hazy:ProjectAuthor |
| Project | List | hazy:Project:List | hazy:ProjectViewer |
| DataSource | List | hazy:DataSource:List | hazy:ConfigAuthor |
| DataSource | Read | hazyDataSource:Read | hazy:ConfigAuthor |
| Config | Create | hazy:Config:Create | hazy:ConfigAuthor |
| Config | Update | hazy:Config:Update | hazy:ConfigAuthor |
| Config | Read | hazy:Config:Read | hazy:ConfigViewer |
| Config | Delete | hazy:Config:Delete | hazy:ConfigAuthor |
| Config | List | hazy:Config:List | hazy:ConfigViewer |
| SampleData | Read | hazy:SampleData:Read | hazy:SampleDataViewer |
| ModelMetrics | Read | hazy:ModelMetrics:Read | hazy:MetricsViewer |
| QA Report | Create | hazy:QAReport:Create | hazy:QAReportAuthor |
| QA Report | Read | hazy:QAReport:Delete | hazy:QAReportViewer |
| Model | Create | hazy:Model:Create | hazy:ModelAuthor |
| Model | Update | hazy:Model:Update | hazy:ModelAuthor |
| Model | Read | hazy:Model:Read | hazy:ModelViewer |
| Model | Delete | hazy:Model:Delete | hazy:ModelAuthor |
| Model | List | hazy:Model:List | hazy:ModelViewer |
| SourceData | List | hazy:SourceData:List | hazy:ConfigAuthor |
| AnalysisJob | Create | hazy:AnalysisJob:Create | hazy:AnalysisJobAuthor |
| AnalysisJob | Update | hazy:AnalysisJob:Update | hazy:AnalysisJobAuthor |
| AnalysisJob | Read | hazy:AnalysisJob:Read | hazy:AnalysisJobViewer |
| AnalysisJob | Delete | hazy:AnalysisJob:Delete | hazy:AnalysisJobAuthor |
| AnalysisJob | List | hazy:AnalysisJob:List | hazy:AnalysisJobViewer |
| TrainJob | Create | hazy:TrainJob:Create | hazy:TrainJobAuthor |
| TrainJob | Update | hazy:TrainJob:Update | hazy:TrainJobAuthor |
| TrainJob | Read | hazy:TrainJob:Read | hazy:TrainJobViewer |
| TrainJob | Delete | hazy:TrainJob:Delete | hazy:TrainJobAuthor |
| TrainJob | List | hazy:TrainJob:List | hazy:TrainJobViewer |
| GenerateJob | Create | hazy:GenerateJob:Create | hazy:GenerateJobAuthor |
| GenerateJob | Update | hazy:GenerateJob:Update | hazy:GenerateJobAuthor |
| GenerateJob | Read | hazy:GenerateJob:Read | hazy:GenerateJobViewer |
| GenerateJob | Delete | hazy:GenerateJob:Delete | hazy:GenerateJobAuthor |
| GenerateJob | List | hazy:GenerateJob:List | hazy:GenerateJobViewer |
| SyntheticData | List | hazy:SyntheticData:List | hazy:SyntheticDataViewer |
| SyntheticData | Read | hazy:SyntheticData:Read | hazy:SyntheticDataViewer |
Notes:
- As explained above, roles are made up of a list of scopes (e.g. role
hazy:AnalysisJobAuthorcontains scopes[hazy:AnalysisJob:Create,hazy:AnalysisJob:Update, hazy:AnalysisJob:Delete]). - Whenever a user logs in, Keycloak will send two JavaScript Web Tokens (i) identity token - identifying the user and (ii) access token that lists the scopes that are defined under the user's roles. Hazy can then use these scopes on behalf of the user to access resources.
- Scope checking for the access token is done both on the frontend and backend of the hub.
- Hazy system admins can create additional roles, assign these to groups of users/specific users, add any of the scopes listed above through Keycloak, allowing for flexible access control management.
- In addition to these scopes, top level
hazy:DataProducerandhazy:DataConsumerroles, based other roles are available on initial install. These provide an example way to segregate viewers/authors of Generator Models:
| Top Role | Sub-Role |
|---|---|
| hazy:DataConsumer | hazy:ProjectViewer |
| hazy:DataConsumer | hazy:SyntheticDataViewer |
| hazy:DataConsumer | hazy:ModelViewer |
| hazy:DataConsumer | hazy:GenerateJobAuthor |
| hazy:DataConsumer | hazy:GenerateJobViewer |
| hazy:DataProducer | hazy:ProjectViewer |
| hazy:DataProducer | hazy:ProjectAuthor |
| hazy:DataProducer | hazy:ConfigViewer |
| hazy:DataProducer | hazy:ConfigAuthor |
| hazy:DataProducer | hazy:AnalysisJobViewer |
| hazy:DataProducer | hazy:AnalysisJobAuthor |
| hazy:DataProducer | hazy:TrainJobViewer |
| hazy:DataProducer | hazy:TrainJobAuthor |
| hazy:DataProducer | hazy:GenerateJobViewer |
| hazy:DataProducer | hazy:GenerateJobAuthor |
| hazy:DataProducer | hazy:ModelViewer |
| hazy:DataProducer | hazy:ModelAuthor |
| hazy:DataProducer | hazy:QAReportViewer |
| hazy:DataProducer | hazy:QAReportAuthor |
| hazy:DataProducer | hazy:SyntheticDataViewer |
Notes¶
- The
hazy:DataConsumerrole has access to the GeneratorModels and can create synthetic data. - The
hazy:DataProducerrole has a near full access to the Hazy platform. - The additional roles
hazy:SampleDataViewer(that allows for sampling of real data during configuration) andhazy:MetricsViewer(that allows for viewer the model metrics which includes evaluation between real/synthetic data) are both not part of the top-rolehazy:DataProducerandhazy:DataConsumerby default.
For further details on role managment and delegation to Hazy users, please refer to our Keycloak page for more details.
Identity and Access Management