Configuration for API nodes¶
A major use case for audit centralization is to centralize logs of API node queries in order to perform ML Ops activities on these logs (analyzing predictions, performing input data drift, or model performance drift).
Automatic configuration through API deployer¶
The API deployer can automatically configure the audit dispatcher in the API nodes (both static and K8S infrastructures). This allows automatically configuring the API nodes so that they centralize their audit to a central DSS location.
Automatic send to event server¶
At the infrastructure or deployment level, you define the URL of the event server, and its authentication key At the deployment level, you define a routing key for this deployment.
The API node will then dispatch all apinode-query
audit events with this routing key to this event server, which will in turn by default write it into a folder-per-routing key, hence reaching our goal of having clean access to the logs of this API node only.
Sample setup: easy case¶
This sample setup shows you the easiest way to perform centralization of API node logs. Use this for as-simple-as-possible setup, when you don’t need strong security around the logs of a service (i.e. it is not a problem if the engineers of Service1 can see the logs of Service2).
The main advantage of this setup is that no admin intervention is required when new API services are created and deployed. Admin intervention is only required once at install time.
Setup once (as admin)¶
Install a design node, enable the EventServer on it
- Add a “files in connection” target on the event server
Set topics filtering to
apinode-query
Set routing keys filtering to
All
Enable creation of subfolders
Select any compatible file-like connection like S3
In the API deployer infrastructure, enable “auto-configure reporting to event server”, enter just the URL of the event server
For each service (as user)¶
Write your service, publish it to the API deployer
In the API deployer deployment, fill in the “routing key”. Just the deployment id is an appropriate routing key. It just needs to be unique.
Start sending queries
In your MLOps project, create a new dataset on the connection that has been selected by the admin, browse to the
path/apinode-query/your-routing-key
Enable partitioning on this dataset
Voila, you have the partitioned logs of just this service, across all API node instances
Behind the scenes¶
The API node emits audit events with
apinode-query
topic and with the routing key specified in the deployment settingsThe audit log of each API node is configured to send apinode-query/this-routing-key to the eventserver
The eventserver receives them, dispatches on the “files in connection” target which creates subfolders per topic and routing key
Sample setup: high-security API node centralization¶
Use this when you need to have differentiated security for accessing the nodes of individual API services. It also ensures that people who don’t have access to the deployment cannot send “fake” events for this deployment
Setup once (as admin)¶
Install a design node, enable the EventServer on it
Require authentication on events in the EventServer settings
For each service (as admin)¶
Generate a new authentication key (random string)
- Add a “files in connection” target on the event server
Set topics filtering to
apinode-query
Set routing keys filtering to only accept the routing key of the service
Enable creation of subfolders
Select any compatible file-like connection like S3
Add your authentication key to the list of valid authentication key for the events endpoint, and add it as the “required Auth key” for this event server destination
Give this service-specific authentication key to the developer of the service
For each service (as user)¶
Write your service, publish it to the API deployer
In the API deployer deployment settings, enable “override infrastructure settings” and enable “auto-configure reporting to event server”, enter the URL of the event server and the auth key
In the API deployer deployment, fill in the “routing key”. Just the deployment id is an appropriate routing key. It just needs to be unique.
Start sending queries
In your MLOps project, create a new dataset on the connection that has been selected by the admin, browse to the
path/apinode-query/your-routing-key
(you should not be able to browse other folders of course, this should be handled by connection security)Enable partitioning on this dataset
Voila, you have the partitioned logs of just this service, across all API node instances
Manual usage¶
Audit settings can be configured manually in the config/server.json file of the API node.
Here is a sample configuration:
"auditLog": {
"settings": {
"targets": [
{
"type": "EVENT_SERVER",
"url": "http://my-event-server:9999",
"routingKeyMode": "FROM_MESSAGE",
"topicsFiltering": "SELECTED",
"topics": [
"apinode-query"
],
"routingKeysFiltering": "ALL",
"routingKeys": [
"rk-clvs-1"
]
}
]
}
}