From eb2a5b89613c417c6b1b063fc1f66debcbe639b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com>
Date: Mon, 19 Aug 2024 18:24:09 -0600
Subject: [PATCH] Use a more fine-grained SAR for Authorino
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In created AuthConfigs, instead of checking for GET over Kubernetes Services, do a more fine-grained check over InferenceServices: test that the user can GET the specific InferenceServices. This will allow protecting models individually.

Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
---
 controllers/resources/authconfig.go | 7 ++++---
 controllers/resources/template/authconfig_userdefined.yaml | 6 +++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/controllers/resources/authconfig.go b/controllers/resources/authconfig.go
index 6ebad418..71d1f9d8 100644
--- a/controllers/resources/authconfig.go
+++ b/controllers/resources/authconfig.go
@@ -84,9 +84,10 @@ func (s *staticTemplateLoader) Load(ctx context.Context, authType AuthType, key
 }
 templateData := map[string]interface{}{
- "Namespace": key.Namespace,
- "Audiences": getAuthAudience(),
- "AuthorinoLabel": authKey + ": " + authVal,
+ "Namespace": key.Namespace,
+ "Audiences": getAuthAudience(),
+ "AuthorinoLabel": authKey + ": " + authVal,
+ "InferenceServiceName": key.Name,
 }
 template := authConfigTemplateAnonymous
 if authType == UserDefined {
diff --git a/controllers/resources/template/authconfig_userdefined.yaml b/controllers/resources/template/authconfig_userdefined.yaml
index 79a62cba..46634787 100644
--- a/controllers/resources/template/authconfig_userdefined.yaml
+++ b/controllers/resources/template/authconfig_userdefined.yaml
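Review bot: `key.Name` is now interpolated unescaped into a YAML document that is itself an authorization policy (the Authorino AuthConfig), and the added line says nothing about why that is safe; presumably it relies on the API server having already validated the name as a DNS-1123 subdomain, which cannot break out of the quoted scalar the template wraps it in, but that assumption deserves a comment next to the new map entry: `// key.Name is an API-server-validated object name; safe to place unescaped in the quoted YAML scalar of the template.` If the loader can ever be called with an empty Name, the rendered SubjectAccessReview would check access to the whole inferenceservices collection in the namespace instead of one object, so either a guard or a doc note on the non-empty precondition would help. `Load` starts and ends outside this hunk.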
@@ -22,14 +22,14 @@ spec:
 verb:
 value: get
 group:
- value: ""
+ value: "serving.kserve.io"
 resource:
- value: services
+ value: inferenceservices
 namespace:
 value: {{ .Namespace }}
 subresource:
 value: ""
 name:
- value: ""
+ value: "{{ .InferenceServiceName }}"
 user:
 selector: auth.identity.user.username
\ No newline at end of file
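Review bot: The SubjectAccessReview now makes `get` on the named InferenceService the permission that grants inference access, which ties model invocation to read visibility: any principal whose roles grant `get` on `inferenceservices.serving.kserve.io` (for example an aggregated view-style ClusterRole, if the cluster uses one) can call the model, and nothing in the template states that this is intended. A comment above the `verb`/`group`/`resource` block would let operators reason about the RBAC they grant: `# Callers must be allowed to GET this specific InferenceService (serving.kserve.io); read access to the object is treated as permission to invoke it.` The `name` value is a quoted template scalar, so if `.InferenceServiceName` were ever empty the check would silently degrade to a namespace-wide collection check rather than fail; the Go side should guarantee a non-empty name. The enclosing `spec` block starts before this hunk.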