1. Keycloak as OAuth2 Provider for ML Model Serving APIs


    In this scenario, we want to set up Keycloak as an OAuth2 Provider for securing Machine Learning (ML) model serving APIs. This would typically involve creating a Keycloak Realm to define the security domain, creating clients that can access the realm, and configuring roles and users to manage access control.

    Below is a Pulumi program in Python that demonstrates how to set up Keycloak using the pulumi_keycloak provider. This program creates a realm, a confidential client (which requires a client secret for access), and defines a user with roles that grant access to the ML model serving APIs.

    To begin with, you'll need to install the pulumi_keycloak provider:

    pip install pulumi_keycloak

    This should be done in a Python virtual environment, on a machine where the Pulumi CLI is installed and logged in to your Pulumi account. The following Pulumi program assumes that the Keycloak server is running and accessible, and that you can authenticate with the admin credentials via environment variables or the Keycloak provider configuration.

    Now, let's see the program:

    import pulumi
    import pulumi_keycloak as keycloak

    # Create a new Keycloak realm
    realm = keycloak.Realm("my-realm",
        realm="example-realm",
        enabled=True,
        display_name="Example Realm")

    # Create a confidential client (typically for server-side apps)
    confidential_client = keycloak.openid.Client("my-client",
        client_id="model-serving-api",
        realm_id=realm.id,
        access_type="CONFIDENTIAL",  # Required by the provider; a confidential client authenticates with a secret
        client_secret=pulumi.Output.secret("your-client-secret"),  # Replace with your desired secret
        direct_access_grants_enabled=True,
        service_accounts_enabled=True,
        standard_flow_enabled=True,
        implicit_flow_enabled=False,
        base_url="http://my-api-server/api",  # Replace with the actual base URL of your model serving API
        admin_url="http://my-api-server/admin",  # The admin URL (if applicable)
        web_origins=["*"],  # Define the allowed web origins or be more restrictive based on your requirements
        valid_redirect_uris=["http://my-api-server/*"],  # The URIs to redirect to after login/logout
        enabled=True)

    # Create a user in the realm
    user = keycloak.User("my-user",
        realm_id=realm.id,
        username="ml-api-user",
        email="user@example.com",
        enabled=True,
        email_verified=True,
        initial_password=keycloak.UserInitialPasswordArgs(
            value="user-password",  # Replace with the user's desired password
            temporary=False))

    # Create a realm role for accessing ML model APIs
    api_access_role = keycloak.Role("api-access-role",
        realm_id=realm.id,
        name="model-api-access")

    # Assign the role to the user
    user_role = keycloak.UserRoles("my-user-role",
        realm_id=realm.id,
        user_id=user.id,
        role_ids=[api_access_role.id])

    # Output the client secret (sensitive information)
    pulumi.export("client_secret", confidential_client.client_secret)

    # Output the realm name
    pulumi.export("realm_name", realm.realm)

    # Output the client ID
    pulumi.export("client_id", confidential_client.client_id)

    Here's what the program does:

    1. Creates a new realm (example-realm) which is a logical grouping that contains the client, roles, and users.
    2. Configures a client (model-serving-api) as a confidential client, typically used for server-side applications that can keep a secret. This client is allowed direct access grants, which is a simple way to obtain an access token.
    3. Creates a user (ml-api-user) with a specified username and email. The user's initial password is set, and it is not marked as temporary.
    4. Defines a role (model-api-access) that will be used to grant access to the model serving API.
    5. Associates the newly created role with the user, effectively granting ml-api-user the permission to access the model serving API.
    6. Exports the client secret, realm name, and client ID as stack outputs.

    The client secret output is marked as a secret, so it will be encrypted and not displayed in plaintext in the console.

    This is a basic setup that could be the starting point for your OAuth2 secured ML model serving API. Depending on your needs, you might need to add more clients, roles, and users to the Keycloak realm, and configure other settings such as token exchange, token lifespan, user federation, etc.

    Please ensure you replace placeholders like your-client-secret, user-password, http://my-api-server/api, http://my-api-server/admin, etc., with the actual values appropriate for your environment.
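
    The realm, client and role above only matter if the model serving API checks them on every request. The following is an added example, not part of the original program: the claim checks the API would run after a JWT library has verified the token's signature against the realm's signing keys. The Keycloak base URL is a placeholder, and the audience check assumes an audience mapper adds model-serving-api to the token's aud claim.

```python
import time

# Assumptions: the Keycloak base URL is a placeholder, and an audience mapper
# adds the client ID to "aud". Realm, client and role names are the page's.
ISSUER = "https://keycloak.example.com/realms/example-realm"
AUDIENCE = "model-serving-api"
REQUIRED_ROLE = "model-api-access"


def authorize(claims, now=None, leeway=30):
    """Return (allowed, reason) for claims of an already-verified token."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return False, "missing exp"
    if now > exp + leeway:
        return False, "token expired"
    aud = claims.get("aud")
    if isinstance(aud, str):  # JWT allows a single string or a list
        aud = [aud]
    if not isinstance(aud, list) or AUDIENCE not in aud:
        return False, "wrong audience"
    # A role created without a client is a realm role; Keycloak lists those
    # under realm_access.roles in the access token.
    realm_access = claims.get("realm_access")
    roles = realm_access.get("roles") if isinstance(realm_access, dict) else None
    if not isinstance(roles, list) or REQUIRED_ROLE not in roles:
        return False, "missing role"
    return True, "ok"


# Constructed sample claims, not captured from a real server.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "exp": 2000,
    "aud": ["model-serving-api", "account"],
    "preferred_username": "ml-api-user",
    "realm_access": {"roles": ["model-api-access", "offline_access"]},
}

if __name__ == "__main__":
    print(authorize(SAMPLE_CLAIMS, now=1000))
```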