Configure Upstream Owner for Remote Sharing

Overview

Configure the upstream user that will be used to share models with other organizations that have independent Istari installations.

Steps

  1. Create an isolated Istari tenant for the purposes of controlled model sharing with downstream organizations. See "Optional: Set Up and Manage Multi-Tenancy with Zitadel Dashboard" for instructions.

    • Using an isolated Istari tenant for identities created specifically for remote sharing lets you manage those identities separately from your organization's internal Istari users.
    • In addition, users in your organization wishing to share models with external organizations via Istari Remotes must do so by specifying a designated email address, not another named user in your organization.
  2. Create the identity and access token (or 'PAT') for a downstream consumer in a designated tenant, directly using Zitadel.

    • Istari highly recommends that the names of identities used for remote sharing clearly indicate the identity's role in remote sharing. For example, you might follow a naming convention such as: share-to-<downstream-org-and-project-name>@upstream-org-name.external
  3. Ensure that the identity created for remote sharing with the external organization has permissions for only the control tags required for sharing models with that organization.

    • If appropriate or desired, a specific control tag may be created to designate models not for sharing with the downstream (i.e. an "Internal Use Only" control tag that would not be granted to the identity designated for external sharing). In that case, no models that are not tagged with that specific tag could be pulled into the downstream cache.
  4. Notify designated users in your organization that models shared with the identity created above will be viewable by the downstream organization. Users in your organization wishing to share models remotely must do so by sharing with the specific email address created for this purpose, as described above.

  5. Configure a shared cache for model data that will be shared with the downstream organization (see the next section for more information).

  6. Securely provide the identity and PAT, and the shared cache information, to the downstream organization's Istari administrator.
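
A pre-handoff check for steps 1 to 3, added here as an example and not part of Istari's or Zitadel's tooling: it audits a sharing identity record for the naming convention, tenant isolation and least-privilege control tags. The record format, tenant name, tag names and the lowercase-label rule are assumptions made for illustration.

```python
import re

# Page's convention: share-to-<downstream-org-and-project-name>@upstream-org-name.external
# Assumption: labels are lowercase letters, digits and hyphens.
NAME_RE = re.compile(r"share-to-[a-z0-9]+(-[a-z0-9]+)*@[a-z0-9]+(-[a-z0-9]+)*\.external")


def audit_sharing_identity(identity, sharing_tenant, required_tags, internal_only_tags=()):
    """Return (code, detail) findings; an empty list means the record passes."""
    findings = []
    name = identity.get("name", "")
    if not NAME_RE.fullmatch(name):
        findings.append(("naming", f"{name!r} does not mark the identity as a sharing identity"))
    if identity.get("tenant") != sharing_tenant:
        findings.append(("tenant", f"{name!r} is not in the isolated tenant {sharing_tenant!r}"))
    granted = set(identity.get("control_tags", ()))
    excess = granted - set(required_tags)
    if excess:
        findings.append(("excess-tags", f"not required for this share: {sorted(excess)}"))
    internal = granted & set(internal_only_tags)
    if internal:
        findings.append(("internal-tag", f"internal-only tags granted: {sorted(internal)}"))
    return findings


# Constructed sample records (hypothetical export format, not an Istari or Zitadel schema).
SHARING_TENANT = "remote-sharing"
REQUIRED = {"project-falcon-release"}
INTERNAL_ONLY = {"Internal Use Only"}
GOOD = {"name": "share-to-acme-falcon@upstream-co.external",
        "tenant": "remote-sharing",
        "control_tags": ["project-falcon-release"]}
BAD = {"name": "jane.doe@upstream-co.example",
       "tenant": "corp-internal",
       "control_tags": ["project-falcon-release", "Internal Use Only"]}

if __name__ == "__main__":
    for record in (GOOD, BAD):
        result = audit_sharing_identity(record, SHARING_TENANT, REQUIRED, INTERNAL_ONLY)
        print(record["name"], "->", "OK" if not result else result)
```

Run it against every sharing identity before the PAT is handed to the downstream administrator; any finding means the record should be corrected first.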

Considerations

  • As the upstream owner of models to be shared externally via a shared read-through cache, you are the owner of that shared cache, and it will contain images of your model data.
  • The cache must be provisioned in a network location that is accessible by downstream end users, the downstream control plane's registry service, and your own control plane's registry service.
  • There are multiple options for cache configuration; these require careful consideration and network design. See the next section for more information.

Assumptions

This assumes you wish to share model data externally with other organizations having an Istari installation.

Expected Skills and Authorization

  • Authorization to handle and configure sensitive data, including secrets/tokens
  • Authorization to configure the Istari installation for remote sharing with other internal or external Istari installations
  • Knowledge of your Istari installation's network configuration, including VPC and firewall configuration