Managing Model Endpoint Permissions using API

You can manage Fine-grained Access Control for model endpoints using the Cloudera AI Inference service API.

Listing Permissions

To retrieve the current permission set for a specific model endpoint, use the listPermissions endpoint.

curl -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${CDP_TOKEN}" \
        "https://${DOMAIN}/api/v1alpha1/listPermissions" \
        -d '{"resource":{"namespace": "serving-default","endpoint": "ranger-demo-embedding"}}'

The following is a sample output:

{
  "resource": {
    "namespace":"serving-default",
    "endpoint":"ranger-demo-embedding",
    "application":"","model":""
  },
  "permissions":[
    {"access_type":"manage",
     "users":["{OWNER}"],
     "groups":["{ML_ADMIN}"]
    },
    {"access_type":"view",
     "users":[],
     "groups":["{ML_USER}"]
    },
    {"access_type":"access",
     "users":["csso_zoram"],
     "groups":[]}
  ]
}

The API utilizes specific placeholders to represent environment-wide roles and ownership:

  • {OWNER}: The creator/owner of the model endpoint.
  • {ML_ADMIN}: Users assigned the MLAdmin resource role in the Cloudera Environment.
  • {ML_USER}: Users assigned the MLUser resource role in the Cloudera Environment.

Granting Permissions

To assign an access level to a specific user or group, use the grantPermission endpoint.

curl -H "content-type: application/json" \
     -H "Authorization: Bearer ${CDP_TOKEN}" \
     "https://${DOMAIN}/api/v1alpha1/grantPermission" \
     -d '{
  "resource": {
    "namespace": "serving-default",
    "endpoint": "ranger-demo-embedding"
  },
  "permission": {
    "access_type": "view",
    "subject": {
      "group": "example_group"
    }
  }
}'

Revoking Permissions

To remove a previously granted permission, use the revokePermission endpoint. The request body must match the specific permission/subject pair you wish to remove.

curl -H "content-type: application/json" \
     -H "Authorization: Bearer ${CDP_TOKEN}" \
     "https://${DOMAIN}/api/v1alpha1/revokePermission" \
     -d '{
  "resource": {
    "namespace": "serving-default",
    "endpoint": "ranger-demo-embedding"
  },
  "permission": {
    "access_type": "view",
    "subject": {
      "group": "example_group"
    }
  }
}'
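
The following is an added example, not part of the Cloudera documentation: it audits a listPermissions response against an expected group policy, reports users who were granted access by name, and builds the matching revokePermission request bodies for groups outside the policy. The ALLOWED_GROUPS policy and the extra example_group entry in the sample are assumptions constructed for illustration; bodies are built for group subjects only, since that is the subject form shown on this page.

```python
import json

# Placeholders the API uses for environment-wide roles and ownership (from the page).
PLACEHOLDERS = {"{OWNER}", "{ML_ADMIN}", "{ML_USER}"}

# Constructed sample: a listPermissions response shaped like the sample output above,
# with one extra group grant (example_group) added for illustration.
SAMPLE = json.loads("""
{"resource": {"namespace": "serving-default", "endpoint": "ranger-demo-embedding",
              "application": "", "model": ""},
 "permissions": [
   {"access_type": "manage", "users": ["{OWNER}"], "groups": ["{ML_ADMIN}"]},
   {"access_type": "view", "users": [], "groups": ["{ML_USER}", "example_group"]},
   {"access_type": "access", "users": ["csso_zoram"], "groups": []}]}
""")

# Hypothetical policy: groups allowed per access type (an assumption for this example).
ALLOWED_GROUPS = {"manage": {"{ML_ADMIN}"}, "view": {"{ML_USER}"}, "access": set()}


def audit(response, allowed_groups):
    """Return (direct_user_grants, revoke_bodies) for one listPermissions response."""
    res = response["resource"]
    # The revoke request on this page carries only namespace and endpoint in "resource".
    resource = {"namespace": res["namespace"], "endpoint": res["endpoint"]}
    direct_users, revoke_bodies = [], []
    for perm in response.get("permissions", []):
        access = perm["access_type"]
        # Individually named users are not covered by the group policy; report them.
        for user in perm.get("users") or []:
            if user not in PLACEHOLDERS:
                direct_users.append((access, user))
        # Groups outside the policy get a body matching the exact permission/subject pair.
        for group in perm.get("groups") or []:
            if group not in allowed_groups.get(access, set()):
                revoke_bodies.append({
                    "resource": resource,
                    "permission": {"access_type": access, "subject": {"group": group}},
                })
    return direct_users, revoke_bodies


if __name__ == "__main__":
    users, bodies = audit(SAMPLE, ALLOWED_GROUPS)
    for access, user in users:
        print(f"direct user grant: {user} has {access}")
    for body in bodies:
        print(json.dumps(body))  # usable as the -d payload of revokePermission
```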