
1. Set up multi-tenant subscribers and users (under subscribers)

1.1. Set up a multi-tenant subscriber

1.1.1. Obtain a token for the superadmin user

Use the instructions in the Infinstor Authentication page to obtain an ID token for the superadmin user. Note that the superadmin user was set up when the multi-tenant service was installed, as documented in the Installation of multi-tenant Infinstor MLflow page.

1.1.2. REST API to create a subscriber

Invoke the following REST API to create a new subscriber in the multi-tenant service. An example curl command is provided below; replace the placeholders in angle brackets with the appropriate values:

curl --request POST \
  --url https://mlflow.<your_service_name>/api/2.0/mlflow/infinstor/add_subscriber \
  --header 'authorization: <super_admin_token>' \
  --header 'content-type: application/json' \
  --data '{ "userName":"<subscriber-username>", "password":"<subscriber-password>", "emailId": "<email_for_subscriber>" }'

This call returns a custom token for the newly created subscriber. Save this custom token; it is required for the Cloud Formation step that follows. Note that a password passed inline with --data is recorded in shell history and visible in the process list; on a shared host, put the JSON body in a file and pass it with --data @payload.json instead.

1.1.3. Cloud Formation Template to configure the subscriber

Configure the subscriber using the following Cloud Formation template (CFT). Replace a.b.cc in the URL below with the build number provided to you. Running this CFT requires the custom token returned by the REST API to create a subscriber step above.

https://s3.amazonaws.com/infinstorcft/a.b.cc/infinstor-setup-customer.yaml

1.1.3.1. Encryption at rest for S3 MLFlow artifacts bucket

The MLflow artifacts S3 bucket can be configured with one of the following encryption options:

  • sse-s3 (S3 owned keys)
  • sse-kms with AWS managed key and bucket key
  • sse-kms with Customer managed key and bucket key

If 'sse-kms with Customer managed key and bucket key' is chosen, you also need to:

  • specify the ARN of the Customer Managed Key, and
  • modify the key policy of the Customer Managed Key so that the Infinstor IAM Role can use it. See the Modified KMS Key policy example below.

For details see:

1.1.3.2. Encryption at rest for MLFlow Dynamodb table

DynamoDB tables can be configured with one of the following encryption options:

  • AWS owned key (default)
  • AWS managed key
  • Customer managed key. If this option is chosen, you also need to:
    • specify the ARN of the Customer Managed Key, and
    • modify the key policy of the Customer Managed Key so that the Infinstor IAM Role can use it. See the Modified KMS Key policy example below.

For details see:

1.1.3.3. Modified KMS Key policy example

After the CFT has been installed, open the Resources tab of the stack in the AWS console to get the ARN of the Infinstor IAM Role. The role has a name similar to RoleForInfinStorMlflowService-<subscriber-name>. Use this IAM Role ARN as the principal in the key policy below.

An example of a modified KMS key policy that allows Infinstor's IAM Role to use the key is shown below. Make the same modification to the key policy of the customer managed key used to encrypt the DynamoDB table or the S3 bucket whenever a customer managed key is specified as the encryption option.

Note that the key policy created by KMS already contains the Enable IAM User Permissions statement shown below. Keep it: it is what allows IAM policies in the account to administer the key, and a key policy written without it can leave the key unmanageable. In addition to that statement, two statements (Allow use of the key and Allow attachment of persistent resources) need to be added, as described in the AWS KMS documentation under Allows key users to use the KMS key. The kms:GrantIsForAWSResource condition on the second statement restricts CreateGrant, ListGrants and RevokeGrant to calls made by an AWS service integrated with KMS on the role's behalf, which is how S3 and DynamoDB obtain the key access they need; the role itself cannot create grants directly.

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/RoleForInfinStorMlflowService-tenant-name"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/RoleForInfinStorMlflowService-tenant-name"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
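On a key that is already in use you will be editing an existing policy rather than pasting the document above, and replacing the whole policy is the usual way to lose the root statement or a statement belonging to another consumer of the key. The following helper is an added example, not part of Infinstor's code: it takes the policy JSON as returned by aws kms get-key-policy, checks that the ARN is an Infinstor MLflow service role, appends the two statements only where they are missing, and refuses to emit a policy with no account-root administration statement. The sample policy and account id are constructed placeholders (the same ones the page's example uses).

```python
import json
import re

# Constructed sample input: the default policy the KMS console creates.
# The account id is a placeholder, not a real account.
DEFAULT_KEY_POLICY = json.dumps({
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
})

# Only the service role named on this page may be granted access; a typo
# here would hand the key to some other principal.
ROLE_ARN_RE = re.compile(
    r"^arn:aws:iam::\d{12}:role/RoleForInfinStorMlflowService-[\w.-]+$"
)


def infinstor_statements(role_arn):
    """The two statements from the example policy, bound to role_arn."""
    return [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
            "Resource": "*",
            # Grants may only be created by AWS services (S3, DynamoDB)
            # acting on the role's behalf, never by the role directly.
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        },
    ]


def _is_root_admin(stmt):
    """True for an Allow of kms:* to an account root principal."""
    principal = stmt.get("Principal", {})
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    actions = stmt.get("Action") or []
    if isinstance(actions, str):
        actions = [actions]
    return (stmt.get("Effect") == "Allow"
            and isinstance(aws, str) and aws.endswith(":root")
            and "kms:*" in actions)


def add_infinstor_role(policy_json, role_arn):
    """Return policy_json with the two Infinstor statements merged in.

    Raises ValueError rather than produce a policy that grants the wrong
    principal, duplicates a Sid held by another principal, or lacks the
    account-root statement (without it no IAM policy can manage the key).
    """
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an Infinstor MLflow service role ARN: {role_arn}")
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be a bare object
        statements = [statements]
    if not any(_is_root_admin(s) for s in statements):
        raise ValueError("policy has no account-root kms:* statement; refusing to write it")
    by_sid = {s.get("Sid"): s for s in statements}
    for stmt in infinstor_statements(role_arn):
        existing = by_sid.get(stmt["Sid"])
        if existing is None:
            statements.append(stmt)
        elif existing.get("Principal") != stmt["Principal"]:
            raise ValueError(f"statement {stmt['Sid']!r} already exists for another principal")
        # else: already present for this role, nothing to do (idempotent)
    policy["Statement"] = statements
    return json.dumps(policy, indent=4)


def statement_sids(policy_json):
    """Sids in document order, for a quick look at the result."""
    return [s.get("Sid") for s in json.loads(policy_json)["Statement"]]
```

Feed it the output of aws kms get-key-policy --key-id <key-id> --policy-name default --query Policy --output text, inspect the result, and write it back with aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://merged.json. Running the merge twice yields the same document, so it is safe to re-run after a failed put.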

1.1.4. Update Subscriber REST API

The API below updates the attributes of an existing subscriber, identified by its userName.

curl --request POST \
  --url https://mlflow.<service_dns_name>/api/2.0/mlflow/infinstor/update_subscriber \
  --header 'authorization: <auth_token>' \
  --header 'content-type: application/json' \
  --data '{ "userName":"<user_name>", "password":"<subscriber_password>", "emailId": "<subscriber_email>" }'

1.2. Set up a user under a multi-tenant subscriber

1.2.1. Obtain a token for the subscriber

For the subscriber under which the new user needs to be created, use the instructions in the Infinstor Authentication page to obtain a token for that subscriber. Note that the subscriber itself was set up using the REST API to create a subscriber step above.

1.2.2. REST API to create a user under the subscriber

Invoke the following REST API to create a new user under a specific subscriber in the multi-tenant service. An example curl command is provided below; replace the placeholders in angle brackets with the appropriate values. Note that this call goes to the Infinstor API host, not the MLflow host, sends a form-encoded body, and expects the subscriber token with a Bearer prefix:

curl --request POST \
  --url https://infinstorapi.braindev.brainsaas.net/addsecondaryuser \
  --header 'authorization: Bearer <subscriber_token>' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data newuser=<new_user_name> \
  --data email=<new_user_email> \
  --data password=<new_user_password>

The response will be similar to the following:

HTTP/1.1 200 OK
Date: Fri, 11 Aug 2023 11:56:05 GMT
Content-Type: application/json
Content-Length: 25
Connection: close
x-amzn-RequestId: b82e3cbb-1a42-4a28-ade5-5fff2ba48cae
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: *
x-amz-apigw-id: Jfo4mF4hywMFdaw=
Access-Control-Allow-Methods: *
X-Amzn-Trace-Id: Root=1-64d621d0-33da555254ecebfd2bacdcc6;Sampled=0;lineage=e0ed8f9f:0
Access-Control-Allow-Credentials: *

Successfully created user
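The three calls on this page (add_subscriber, update_subscriber and addsecondaryuser) driven from a script instead of pasted curl lines, as an added example that is not Infinstor's code. The request bodies are built with json.dumps and urlencode, so passwords containing quotes, ampersands or spaces are encoded correctly (the inline --data strings above break on such characters), and tokens are read from environment variables rather than placed on the command line. SUPERADMIN_TOKEN, INFINSTOR_MLFLOW_HOST and the hosts and credentials in the module are assumed names and placeholders, not something the service defines.

```python
import json
import os
import urllib.parse
import urllib.request


def token_from_env(var):
    """Read a token from the environment so it stays out of shell history
    and the process list. `var` is whatever name you choose (assumed)."""
    tok = os.environ.get(var, "").strip()
    if not tok:
        raise RuntimeError(f"set {var} to the token from the Infinstor Authentication page")
    return tok


def _json_post(url, token, payload):
    # json.dumps escapes quotes, backslashes and control characters in the
    # password; the token goes in the authorization header as on the page.
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        url,
        data=body,
        headers={"Authorization": token, "Content-Type": "application/json"},
        method="POST",
    )


def add_subscriber_request(service_host, superadmin_token, username, password, email):
    """POST .../infinstor/add_subscriber (the page's first curl call)."""
    return _json_post(
        f"https://{service_host}/api/2.0/mlflow/infinstor/add_subscriber",
        superadmin_token,
        {"userName": username, "password": password, "emailId": email},
    )


def update_subscriber_request(service_host, auth_token, username, password, email):
    """POST .../infinstor/update_subscriber (the page's second curl call)."""
    return _json_post(
        f"https://{service_host}/api/2.0/mlflow/infinstor/update_subscriber",
        auth_token,
        {"userName": username, "password": password, "emailId": email},
    )


def add_secondary_user_request(api_host, subscriber_token, new_user, email, password):
    """POST /addsecondaryuser: form-encoded body, Bearer token (third call)."""
    body = urllib.parse.urlencode(
        {"newuser": new_user, "email": email, "password": password}
    ).encode("utf-8")
    return urllib.request.Request(
        f"https://{api_host}/addsecondaryuser",
        data=body,
        headers={
            "Authorization": f"Bearer {subscriber_token}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )


def decoded_body(req):
    """Request body as text, to check what will actually be sent."""
    return req.data.decode("utf-8")


def parsed_json_body(req):
    """Request body parsed back from JSON (for the two JSON calls)."""
    return json.loads(decoded_body(req))


def send(req, timeout=30):
    """Send the request; returns (status, body text), raises on HTTP errors."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    # Assumed environment variable names; values are yours, not defaults.
    host = os.environ["INFINSTOR_MLFLOW_HOST"]          # e.g. mlflow.<your_service_name>
    req = add_subscriber_request(host, token_from_env("SUPERADMIN_TOKEN"),
                                 "tenant-name", "correct horse battery staple",
                                 "admin@example.com")
    status, body = send(req)
    print(status, body)   # body carries the custom token needed for the CFT step
```

The response helpers return status and body rather than printing them so a wrapper can stop the procedure if the add_subscriber call does not return the custom token before running the CFT.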