Authentication and Authorization (RBAC)
Warning
The FEDn RBAC system is an experimental feature and may change in the future.
FEDn supports Role-Based Access Control (RBAC) for controlling access to the FEDn API and gRPC endpoints. The RBAC system is based on JSON Web Tokens (JWT) and is implemented using the jwt package. The JWT tokens are used to authenticate users and to control access to the FEDn API. There are two types of JWT tokens used in the FEDn RBAC system:
- Access tokens: Used to authenticate users and to control access to the FEDn API.
- Refresh tokens: Used to obtain new access tokens when the old ones expire.
Note
Please note that the FEDn RBAC system is not enabled by default and does not issue JWT tokens. It is used to integrate with external authentication and authorization systems such as FEDn Studio.
The FEDn RBAC system is by default configured with four types of roles:
- admin: Has full access to the FEDn API. This role is used to manage the FEDn network using the API client or the FEDn CLI.
- combiner: Has access to the /add_combiner endpoint in the API.
- client: Has access to the /add_client endpoint in the API and various gRPC endpoints to participate in federated learning sessions.
A full list of the “roles to endpoint” mappings for gRPC can be found in fedn/network/grpc/auth.py. For the API, the mappings are defined using custom decorators defined in fedn/network/api/auth.py.
Note
The roles are handled by a custom claim in the JWT token called role. The claim is used to control access to the FEDn API and gRPC endpoints.
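The following added example (not FEDn's own code) shows how a role claim in a verified JWT can gate the endpoints named in the role list above. It assumes HS256 with a shared secret and a required exp claim, neither of which this page specifies; the function names and the "*" wildcard for admin are hypothetical.

```python
import base64, hashlib, hmac, json

# Role-to-endpoint map built from the role list above; "*" models admin's full access.
ROLE_ENDPOINTS = {"admin": {"*"}, "combiner": {"/add_combiner"}, "client": {"/add_client"}}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the external issuer: build an HS256 token for the demo."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def authorize(token: str, endpoint: str, secret: bytes, now: float) -> bool:
    """True only if the signature verifies, the token is unexpired and the role fits."""
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm instead of trusting the header (rejects "alg": "none").
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return False
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return False
        claims = json.loads(b64url_decode(body))
    except (ValueError, TypeError, AttributeError):
        return False
    if not isinstance(claims, dict):
        return False
    exp, role = claims.get("exp"), claims.get("role")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False  # missing or expired "exp"
    if not isinstance(role, str):
        return False  # missing or malformed role claim
    allowed = ROLE_ENDPOINTS.get(role, set())
    return "*" in allowed or endpoint in allowed

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value, not a real key
    token = sign_token({"sub": "client-1", "role": "client", "exp": 2000}, secret)
    for path in ("/add_client", "/add_combiner"):
        print(path, authorize(token, path, secret, now=1000))
```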
To enable the FEDn RBAC system, you need to set the following environment variables in the controller and combiner:
Authentication Environment Variables
Additional Environment Variables
For further flexibility, you can also set the following environment variables:
Client Environment Variables
For the client, you need to set the following environment variables:
You can use the --token flag in the FEDn CLI to set the access token.