
Configure Downstream Access to Shared Models

Overview

Configure the upstream model owner to share models with other organizations having Istari installations.

Steps

  1. Collaborate with the upstream model owner to securely obtain the necessary information to configure your Istari installation for remote sharing.
  • NOTE: This information is sensitive and should be exchanged via secure mechanisms and policies.
  2. Confirm Istari Configuration Settings
  • The upstream sharing organization (the owner of the models that will be shared) will provide you with the following information, which will be used to configure environment variables in your Istari installation:
    • The URL of the upstream organization's control plane API endpoint
    • An access token (or 'PAT') that will be used by your control plane to make API calls to the upstream control plane
    • An object store (e.g. AWS S3 bucket) to be configured as a read-through cache for models shared by the upstream organization.
  3. Confirm appropriate network and storage access
  • Work with your network administrator(s) to ensure that:
    • Your Istari installation can communicate directly with the upstream organization's Istari instance over secure HTTP.
    • Your Istari installation, and the end users in your organization who need access to view models shared by the upstream organization, can view the upstream's shared cache object store.
  4. Configure your Istari installation environment variables to enable remote sharing
  • Ensure that the Istari Kubernetes cluster is configured with the environment variables described below.

Environment Variables for Remote Sharing

In the examples below, the upstream model organization is referred to as 'ACME' and this should be replaced with the organization name or organization-project name for the sharing relationship.

End users will have the ability to synchronize models from the upstream owners via a dropdown in Istari that allows them to select one or all of the upstream sharing partners to pull models into the downstream's cache.

  • Models shared in this manner will be available for read only access in the downstream organization.
  • Downstream users with access to shared models from upstream organizations can re-share those models with other users in their (downstream) Istari installation.

Control Plane to Control Plane Communications Configuration

  • FILE_SERVICE_UPSTREAM_REMOTES__ACME__REGISTRY_URL=https://ACME.istari.app
  • FILE_SERVICE_UPSTREAM_REMOTES__ACME__REGISTRY_SECRET_KEY= ****

Downstream ownership of models in the shared cache

Downstream read-through cache object store configuration

  • FILE_SERVICE_UPSTREAM_REMOTES__ACME__TENANT_NAME=remotes-as-downstream-for-ACME
  • FILE_SERVICE_TENANTS_REMOTES-AS-DOWNSTREAM-FOR-ACME__OBJECT_STORE=remotes-as-downstream-for-ACME
  • FILE_SERVICE_OBJECT_STORES_REMOTES-AS-DOWNSTREAM-FOR-ACME__NAME=istari-file-service-auth-ACME-remotes-as-downstream-for-ACME

NOTE: For information on configuring an object store, the upstream installation administrator would refer to this section. The object store should be provisioned by the upstream model owner, in a region or shared subnet that is accessible to:

  • All end users in the downstream organization who will view models shared from the upstream.
  • Your control plane's registry service
  • The upstream control plane's registry service
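
A preflight check for the variables listed above, as an added example that is not part of Istari's documentation or product. It assumes, from the sample values on this page, that the tenant and object store names are upper-cased to form the variable keys; the helper name `check_remote`, `SAMPLE_ENV` and the dummy token are constructed for illustration.

```python
from urllib.parse import urlparse

PREFIX = "FILE_SERVICE_UPSTREAM_REMOTES__"

def check_remote(env, remote):
    """Return the problems found in the settings for one upstream remote."""
    problems = []
    base = f"{PREFIX}{remote}__"

    # Control plane to control plane calls carry the access token: require TLS.
    url = urlparse(env.get(base + "REGISTRY_URL", ""))
    if url.scheme != "https" or not url.hostname:
        problems.append("REGISTRY_URL must be an https:// URL")
    if url.username or url.password:
        problems.append("REGISTRY_URL must not embed credentials")

    # The page masks the token as ****; catch it being pasted in literally.
    secret = env.get(base + "REGISTRY_SECRET_KEY", "").strip()
    if not secret or set(secret) == {"*"}:
        problems.append("REGISTRY_SECRET_KEY is empty or still masked")

    # Assumption (inferred from the page's sample values): TENANT_NAME selects
    # a FILE_SERVICE_TENANTS_<TENANT>__OBJECT_STORE entry, which selects a
    # FILE_SERVICE_OBJECT_STORES_<STORE>__NAME entry, names upper-cased in keys.
    tenant = env.get(base + "TENANT_NAME", "")
    if not tenant:
        problems.append("TENANT_NAME is not set")
        return problems
    store = env.get(f"FILE_SERVICE_TENANTS_{tenant.upper()}__OBJECT_STORE", "")
    if not store:
        problems.append(f"tenant {tenant} has no OBJECT_STORE")
    elif not env.get(f"FILE_SERVICE_OBJECT_STORES_{store.upper()}__NAME"):
        problems.append(f"object store {store} has no NAME")
    return problems

# Constructed sample mirroring the page's ACME values; the token is a dummy.
SAMPLE_ENV = {
    PREFIX + "ACME__REGISTRY_URL": "https://ACME.istari.app",
    PREFIX + "ACME__REGISTRY_SECRET_KEY": "constructed-dummy-token",
    PREFIX + "ACME__TENANT_NAME": "remotes-as-downstream-for-ACME",
    "FILE_SERVICE_TENANTS_REMOTES-AS-DOWNSTREAM-FOR-ACME__OBJECT_STORE":
        "remotes-as-downstream-for-ACME",
    "FILE_SERVICE_OBJECT_STORES_REMOTES-AS-DOWNSTREAM-FOR-ACME__NAME":
        "istari-file-service-auth-ACME-remotes-as-downstream-for-ACME",
}

if __name__ == "__main__":
    import os
    for problem in check_remote(dict(os.environ), "ACME"):
        print("FAIL:", problem)
```

Run it in the same environment the Istari pods receive, replacing `ACME` with the name used for the sharing relationship.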

Considerations

  • For any upstreams configured on a downstream installation, the downstream owners of models shared in the read-through cache (defined in configuration settings) will have the ability to synchronize models and metadata by pulling them into the read-through cache. Those individuals are treated as the read-only model owners on the local copies of remotely shared models, and they can re-share those cached models with other users in the downstream installation.
  • If Control Tags are applied on the models owned by the upstream organization, the identity that is provisioned by the upstream organization for the purposes of remotely sharing models must have permissions to view all control tags associated with the model in order for downstream users to pull the model into their read-through cache. This also avoids inadvertently sharing models having sensitive control tags with an identity provisioned for downstream model sharing.

Expected Skills and Authorization

  • Authorization to handle and configure sensitive data, including secrets/tokens
  • Authorization to configure the Istari installation for remote sharing with other internal or external Istari installations
  • Knowledge of your Istari installation's network configuration, including VPC and firewall configuration, and the ability to set and modify environment variables in the Istari installation by modifying the Istari Kubernetes environment.