@ethnzhng ethnzhng commented Jun 10, 2024

This draft PR adds the initial implementation of SageMaker Secure Mode, as well as support for multiple data sources.

I have tested the security control scenarios locally in Docker, and am currently working on adding unit tests and integration tests.

Summary of functionality

Basic support for additional model data sources

  • Install requirements.txts found in trusted additional data sources.
  • Note: Only the serving.properties found in the main model directory /opt/ml/model is applied (same as existing behavior). In the scope of this PR, serving.properties found in other data sources are ignored.

Specify trusted and untrusted data source paths

  • Each additional data source, as well as the main model directory /opt/ml/model can be designated as trusted or untrusted by SM platform.
  • Trusted paths are not subject to security scans, while untrusted are.

Configure individual DLC-level security controls which scan untrusted paths

  • If Secure Mode and required associated variables are set, run the enabled individual security controls for each untrusted path. Upon any security violation, we fast-fail and exit the model server.
    • Disallow requirements.txt – check for requirements.txt file
    • Disallow pickle files – check for files with pickle file extensions
    • Disallow trust_remote_code – check if this option is set via env vars or untrusted serving.properties
    • Disallow custom entryPoint – env vars or untrusted serving.properties can only set entryPoint to built-in modules, e.g. djl_python. Trusted serving.properties can set it to anything.
    • Disallow Jinja chat_template – check if this field is set in tokenizer_config.json file

Example scenarios:

  • If Secure Mode is not enabled, no change from normal LMI flow
  • If Secure Mode is enabled:
    • Trusted base model + trusted draft model --> No additional restrictions
    • Untrusted base model + trusted draft model --> Fast-fail if any security violations
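
A minimal scanner implementing the five Secure Mode controls described above, added here as an example and not the PR's own code: it walks one untrusted data source and returns the violations found, so the caller can fast-fail the model server when the list is non-empty. The pickle extension list, the OPTION_TRUST_REMOTE_CODE / OPTION_ENTRYPOINT environment variable spellings and the option.* property keys are assumptions for illustration; the sample model directory is constructed inline.

```python
import json
import tempfile
from pathlib import Path

# Assumed pickle extensions and built-in entryPoint prefix; illustrative, not the project's list.
PICKLE_EXTS = {".pkl", ".pickle", ".pt", ".pth"}
BUILTIN_ENTRYPOINT_PREFIX = "djl_python"

def read_properties(path: Path) -> dict:
    """Parse key=value lines of a serving.properties file; '#' lines are comments."""
    props = {}
    if path.is_file():
        for line in path.read_text().splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
    return props

def scan_untrusted_path(path: str, env: dict) -> list:
    """Apply the five Secure Mode controls to one untrusted data source; return violations."""
    root = Path(path)
    violations = []
    for f in root.rglob("*"):
        if f.name == "requirements.txt":
            violations.append(f"requirements.txt found: {f.relative_to(root)}")
        elif f.suffix.lower() in PICKLE_EXTS:
            violations.append(f"pickle file found: {f.relative_to(root)}")
    # Env vars (assumed OPTION_* spellings) take precedence over the untrusted serving.properties.
    props = read_properties(root / "serving.properties")
    trc = env.get("OPTION_TRUST_REMOTE_CODE", props.get("option.trust_remote_code", ""))
    if trc.lower() == "true":
        violations.append("trust_remote_code is enabled")
    entry = env.get("OPTION_ENTRYPOINT", props.get("option.entryPoint", ""))
    if entry and not entry.startswith(BUILTIN_ENTRYPOINT_PREFIX):
        violations.append(f"custom entryPoint: {entry}")
    cfg = root / "tokenizer_config.json"
    if cfg.is_file() and json.loads(cfg.read_text()).get("chat_template"):
        violations.append("chat_template set in tokenizer_config.json")
    return violations  # caller fast-fails (exits the model server) if non-empty

def build_sample_untrusted_dir() -> str:
    """Constructed sample data source that trips three of the five controls."""
    d = Path(tempfile.mkdtemp())
    (d / "requirements.txt").write_text("torch\n")
    (d / "weights.pkl").write_bytes(b"\x80\x04.")
    (d / "serving.properties").write_text("option.entryPoint=djl_python.huggingface\n")
    (d / "tokenizer_config.json").write_text(json.dumps({"chat_template": "{{ messages }}"}))
    return str(d)
```

With an empty environment the sample directory yields three violations (requirements.txt, the .pkl file and the chat_template); the built-in entryPoint passes, and setting OPTION_TRUST_REMOTE_CODE=true or a non-djl_python OPTION_ENTRYPOINT adds the corresponding violation.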

ethnzhng added 2 commits June 10, 2024 18:43
- Basic support for Additional Model Data Sources
- Specify trusted and untrusted data source paths
- Configure individual DLC-level security controls which scan untrusted paths
@ethnzhng ethnzhng requested review from a team, frankfliu and zachgk as code owners June 10, 2024 20:44
@ethnzhng ethnzhng marked this pull request as draft June 10, 2024 20:45
@lanking520 lanking520 marked this pull request as ready for review June 12, 2024 21:53
@ethnzhng ethnzhng requested review from frankfliu and lanking520 June 13, 2024 00:36
@sindhuvahinis sindhuvahinis merged commit e6c1b8b into deepjavalibrary:master Jun 13, 2024
sindhuvahinis pushed a commit to sindhuvahinis/djl-serving that referenced this pull request Jun 13, 2024
@ethnzhng ethnzhng deleted the sm-security-controls branch June 25, 2024 18:36