addressed the review comments

redhatHameed · redhatHameed · commit 4541f3528a4b · 2025-03-06T09:55:36.000-05:00
Signed-off-by: Abdul Hameed &lt;ahameed@redhat.com&gt;
diff --git a/examples/operator-rbac/1-setup-operator-rbac.ipynb b/examples/operator-rbac/1-setup-operator-rbac.ipynb
@@ -28,7 +28,10 @@
     "* `Online Store Server`: Uses the `Registry Server` to query metadata and is responsible for low-latency serving of features.\n",
     "* `Offline Store Server`: Uses the `Registry Server` to query metadata and provides access to batch data for historical feature retrieval.\n",
     "* `Kubernetes` Authentication types for RBAC Configuration for Feast resources.\n",
-    "* Setting update Feast RBAC based on roles assigned then validating with client example.\n"
+    "\n",
+    "\n",
+    "Additionally, we will cover:\n",
+    "* RBAC Configuration with Kubernetes Authentication for Feast resources."
    ]
   },
   {
@@ -298,14 +301,14 @@
    "cell_type": "markdown",
    "source": [
     "## Configure the RBAC Permissions\n",
-    "we have defined permission in `permissions_apply.py`."
+    " As we have created Kubernetes roles in **FeatureStore CR** to manage access control feast objects, they python script permissions_apply.py will add into feature_repo and applied to registered the permission in registry. \n"
    ]
   },
   {
    "metadata": {
     "ExecuteTime": {
-     "end_time": "2025-03-05T18:49:43.015317Z",
-     "start_time": "2025-03-05T18:49:42.826986Z"
+     "end_time": "2025-03-06T14:04:10.725890Z",
+     "start_time": "2025-03-06T14:04:10.571089Z"
     }
    },
    "cell_type": "code",
@@ -318,31 +321,37 @@
      "name": "stdout",
      "output_type": "stream",
      "text": [
+      "# Necessary modules for permissions and policies in Feast for RBAC\r\n",
       "from feast.feast_object import ALL_RESOURCE_TYPES\r\n",
       "from feast.permissions.action import READ, AuthzedAction, ALL_ACTIONS\r\n",
       "from feast.permissions.permission import Permission\r\n",
       "from feast.permissions.policy import RoleBasedPolicy\r\n",
       "\r\n",
-      "admin_roles = [\"feast-writer\"]\r\n",
-      "user_roles = [\"feast-reader\"]\r\n",
+      "# Define roles\r\n",
+      "admin_roles = [\"feast-writer\"]  # Full access (can create, update, delete ) Feast Resources\r\n",
+      "user_roles = [\"feast-reader\"]   # Read-only access on Feast Resources\r\n",
       "\r\n",
+      "# User permissions (feast_user_permission)\r\n",
+      "# - Grants read and describing Feast objects access\r\n",
       "user_perm = Permission(\r\n",
       "    name=\"feast_user_permission\",\r\n",
       "    types=ALL_RESOURCE_TYPES,\r\n",
       "    policy=RoleBasedPolicy(roles=user_roles),\r\n",
-      "    actions=[AuthzedAction.DESCRIBE] + READ\r\n",
+      "    actions=[AuthzedAction.DESCRIBE] + READ  # Read access (READ_ONLINE, READ_OFFLINE) + describe other Feast Resources.\r\n",
       ")\r\n",
       "\r\n",
+      "# Admin permissions (feast_admin_permission)\r\n",
+      "# - Grants full control over all resources\r\n",
       "admin_perm = Permission(\r\n",
       "    name=\"feast_admin_permission\",\r\n",
       "    types=ALL_RESOURCE_TYPES,\r\n",
       "    policy=RoleBasedPolicy(roles=admin_roles),\r\n",
-      "    actions=ALL_ACTIONS\r\n",
+      "    actions=ALL_ACTIONS  # Full permissions: CREATE, UPDATE, DELETE, READ, WRITE\r\n",
       ")\r\n"
      ]
     }
    ],
-   "execution_count": 159
+   "execution_count": 167
   },
   {
    "metadata": {
@@ -726,7 +735,7 @@
   {
    "metadata": {},
    "cell_type": "markdown",
-   "source": "## Next Run Client notebook -> 2-client.ipynb"
+   "source": "[Next Run Client notebook](./2-client.ipynb)"
   }
  ],
  "metadata": {
diff --git a/examples/operator-rbac/2-client.ipynb b/examples/operator-rbac/2-client.ipynb
@@ -5,8 +5,13 @@
    "cell_type": "markdown",
    "source": [
     "## Feast Client with RBAC\n",
-    "### RBAC Kubernetes Authentication\n",
-    "Feast **Role-Based Access Control (RBAC)** in Kubernetes supports authentication  **inside a Kubernetes pod** and **outside a pod** when running a local script.\n",
+    "### Kubernetes RBAC Authorization\n",
+    "\n",
+    "## Feast Role-Based Access Control (RBAC) in Kubernetes  \n",
+    "\n",
+    "Feast **Role-Based Access Control (RBAC)** in Kubernetes supports authentication both **inside a Kubernetes pod** and for **external clients** using the `LOCAL_K8S_TOKEN` environment variable.  \n",
+    "\n",
+    "\n",
     "### Inside a Kubernetes Pod\n",
     "Feast automatically retrieves the Kubernetes ServiceAccount token from:\n",
     "```\n",
@@ -18,17 +23,16 @@
     "- Developer just need create the binding with role and service account accordingly.\n",
     "- Code Reference:  \n",
     "[Feast Kubernetes Auth Client Manager (Pod Token Usage)](https://github.com/feast-dev/feast/blob/master/sdk/python/feast/permissions/client/kubernetes_auth_client_manager.py#L15) \n",
-    "- See the example will use service account from pod [Example](https://github.com/feast-dev/feast/blob/master/examples/rbac-remote/client/k8s/)\n",
+    "-  Using a service account from a pod   [Example](https://github.com/feast-dev/feast/blob/master/examples/rbac-remote/client/k8s/)\n",
     "\n",
-    "### Outside a Kubernetes Pod (Local Machine)\n",
-    "If running Feast outside of Kubernetes, authentication requires setting the token manually:\n",
+    "### Outside a Kubernetes Pod (External Clients & Local Testing)\n",
+    " \n",
+    "If running Feast outside of Kubernetes, authentication requires setting the token manually to the environment variable `LOCAL_K8S_TOKEN` :\n",
     "```sh\n",
     "export LOCAL_K8S_TOKEN=\"your-service-account-token\"\n",
     "```\n",
-    "Feast will use this token for authentication.\n",
     "\n",
-    "Reference:  \n",
-    "[Feast Authentication via `LOCAL_K8S_TOKEN`](https://github.com/feast-dev/feast/blob/master/sdk/python/feast/permissions/client/kubernetes_auth_client_manager.py#L50)"
+    "For more details, refer the user guide:  [Kubernetes RBAC Authorization](https://docs.feast.dev/master/getting-started/components/authz_manager#kubernetes-rbac-authorization)  \n"
    ],
    "id": "bb0145c9c1f6ebcc"
   },
@@ -89,7 +93,7 @@
   {
    "metadata": {},
    "cell_type": "markdown",
-   "source": "**The Operator creates the client ConfigMap containing the feature_store.yaml. We can retrieve it and port froward to local**",
+   "source": "**The Operator client feature store ConfigMap** containing the feature_store.yaml settings. We can retrieve it and port froward to local as we are testing locally.",
    "id": "84f73e09711bff9f"
   },
   {
@@ -224,8 +228,8 @@
    "metadata": {},
    "cell_type": "markdown",
    "source": [
-    "**Generating training data. The following test functions were copied from the `test_workflow.py` template but we added `try` blocks to print only \n",
-    "the relevant error messages, since we expect to receive errors from the permission enforcement modules.**"
+    "**Generating training data**. The following test functions were copied from the `test_workflow.py` template but we added `try` blocks to print only \n",
+    "the relevant error messages, since we expect to receive errors from the permission enforcement modules."
    ],
    "id": "8c9e27ec4ed8ca2c"
   },
@@ -890,7 +894,7 @@
   {
    "metadata": {},
    "cell_type": "markdown",
-   "source": "Next :  Uninstall the Operator and all Feast objects -> 03-uninstall.ipynb",
+   "source": "[Next: Uninstall the Operator and all Feast objects](./03-uninstall.ipynb)",
    "id": "38c54e92643e0bda"
   }
  ],
diff --git a/examples/operator-rbac/permissions_apply.py b/examples/operator-rbac/permissions_apply.py
@@ -1,21 +1,27 @@
+# Necessary modules for permissions and policies in Feast for RBAC
 from feast.feast_object import ALL_RESOURCE_TYPES
 from feast.permissions.action import READ, AuthzedAction, ALL_ACTIONS
 from feast.permissions.permission import Permission
 from feast.permissions.policy import RoleBasedPolicy
 
-admin_roles = ["feast-writer"]
-user_roles = ["feast-reader"]
+# Define K8s roles same as created with FeatureStore CR
+admin_roles = ["feast-writer"]  # Full access (can create, update, delete ) Feast Resources
+user_roles = ["feast-reader"]   # Read-only access on Feast Resources
 
+# User permissions (feast_user_permission)
+# - Grants read and describing Feast objects access
 user_perm = Permission(
     name="feast_user_permission",
     types=ALL_RESOURCE_TYPES,
     policy=RoleBasedPolicy(roles=user_roles),
-    actions=[AuthzedAction.DESCRIBE] + READ
+    actions=[AuthzedAction.DESCRIBE] + READ  # Read access (READ_ONLINE, READ_OFFLINE) + describe other Feast Resources.
 )
 
+# Admin permissions (feast_admin_permission)
+# - Grants full control over all resources
 admin_perm = Permission(
     name="feast_admin_permission",
     types=ALL_RESOURCE_TYPES,
     policy=RoleBasedPolicy(roles=admin_roles),
-    actions=ALL_ACTIONS
+    actions=ALL_ACTIONS  # Full permissions: CREATE, UPDATE, DELETE, READ, WRITE
 )
