Skip to content

Commit

Permalink
Merge remote-tracking branch 'origin/master' into feature/SK-946
Browse files Browse the repository at this point in the history
  • Loading branch information
viktorvaladi committed Sep 2, 2024
2 parents 756e8de + 3619bb0 commit baf11ec
Show file tree
Hide file tree
Showing 16 changed files with 638 additions and 379 deletions.
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ RUN mkdir -p /app \
# Install FEDn and requirements
&& python -m venv /venv \
&& /venv/bin/pip install --upgrade pip \
&& /venv/bin/pip install --no-cache-dir setuptools>=65 \
&& /venv/bin/pip install --no-cache-dir 'setuptools>=65' \
&& /venv/bin/pip install --no-cache-dir -e . \
&& if [[ ! -z "$REQUIREMENTS" ]]; then \
/venv/bin/pip install --no-cache-dir -r /app/config/requirements.txt; \
Expand Down
88 changes: 64 additions & 24 deletions docs/apiclient.rst
Original file line number Diff line number Diff line change
@@ -1,9 +1,13 @@
.. _apiclient-label:

APIClient
=========
Using the Python API
====================

FEDn comes with an *APIClient* - a Python3 library that can be used to interact with FEDn programmatically.
In this tutorial we show how to use the APIClient to initialize the server-side with the compute package and seed models,
run and control training sessions, use different aggregators, and to retrieve models and metrics.

We assume a basic understanding of the FEDn framework, i.e. that the user have taken the Getting Started tutorial: :ref:`quickstart-label`

**Installation**

Expand All @@ -13,12 +17,11 @@ The APIClient is available as a Python package on PyPI, and can be installed usi
$ pip install fedn
**Initialize the APIClient**
**Initialize the APIClient to a FEDn Studio project**

The FEDn REST API is available at <controller-host>/api/v1/. To access this API you need the url to the controller-host, as well as an admin API token. The controller host can be found in the project dashboard (top right corner).
To obtain an admin API token, navigate to the "Settings" tab in your Studio project and click on the "Generate token" button. Copy the 'access' token and use it to access the API using the instructions below.


.. code-block:: python
>>> from fedn import APIClient
Expand All @@ -36,28 +39,65 @@ Then passing a token as an argument is not required.
>>> from fedn import APIClient
>>> client = APIClient(host="<controller-host>", secure=True, verify=True)
**Set the active compute package and seed model**

**Set active package and seed model**
To set the active compute package in the FEDn Studio Project:

The active package can be set using the following code snippet:
.. code:: python
.. code-block:: python
client.set_active_package(path="path/to/package.tgz", helper="numpyhelper")
>>> from fedn import APIClient
>>> client = APIClient(host="<controller-host>", token="<access-token>", secure=True, verify=True)
>>> client.set_active_package("package.tgz", helper="numpyhelper")
>>> client.set_active_model("seed.npz")
To set the initial seed model, you can use the following code snippet:
**Start a training session**

.. code-block:: python
client.set_active_model(path="path/to/seed.npz")
Once the active package and seed model are set, you can connect clients to the network and start training models. To run a training session
using the default aggregator (FedAvg):

**Start a training session**
.. code:: python
>>> ...
>>> client.start_session(id="test-session", rounds=3)
# Wait for training to complete, when controller is idle:
>>> client.get_controller_status()
# Show model trail:
>>> models = client.get_model_trail()
# Show performance of latest global model:
>>> model_id = models[-1]['model']
>>> validations = client.get_validations(model_id=model_id)
Once the active package and seed model are set, you can connect clients to the network and start training models. The following code snippet starts a traing session:
To run a session using the FedAdam aggregator using custom hyperparamters:

.. code-block:: python
session = client.start_session(id="session_name")
>>> session_id = "experiment_fedadam"
>>> session_config = {
"helper": "numpyhelper",
"id": session_id,
"aggregator": "fedopt",
"aggregator_kwargs": {
"serveropt": "adam",
"learning_rate": 1e-2,
"beta1": 0.9,
"beta2": 0.99,
"tau": 1e-4
},
"model_id": seed_model['model'],
"rounds": 10
}
>>> result_fedadam = client.start_session(**session_config)
**Download a global model**

To download a global model and write it to file:

.. code:: python
>>> ...
>>> client.download_model("<model-id>", path="model.npz")
**List data**

Expand All @@ -77,17 +117,17 @@ Entities represented in the APIClient are:
* statuses
* validations

The following code snippet shows how to list all sessions:

To list all sessions:
.. code-block:: python
sessions = client.get_sessions()
>>> sessions = client.get_sessions()
And the following code snippet shows how to get a specific session:
To get a specific session:

.. code-block:: python
session = client.get_session(id="session_name")
>>> session = client.get_session(id="session_name")
For more information on how to use the APIClient, see the :py:mod:`fedn.network.api.client`, and the example `Notebooks <https://github.com/scaleoutsystems/fedn/tree/master/examples/notebooks>`_.
For more information on how to use the APIClient, see the :py:mod:`fedn.network.api.client`, and the collection of example Jupyter Notebooks:

- `API Example <https://github.com/scaleoutsystems/fedn/tree/master/examples/notebooks>`_ .
4 changes: 3 additions & 1 deletion docs/conf.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
"sphinx.ext.viewcode",
"sphinx_rtd_theme",
"sphinx_code_tabs",
"sphinx_design",
]

# The master toctree document.
Expand Down Expand Up @@ -97,7 +98,8 @@
# (source start file, target name, title, author,
# dir menu entry, description, category)
texinfo_documents = [
(master_doc, "fedn", "FEDn Documentation", author, "fedn", "One line description of project.", "Miscellaneous"),
(master_doc, "fedn", "FEDn Documentation", author, "fedn",
"One line description of project.", "Miscellaneous"),
]

# Bibliographic Dublin Core info.
Expand Down
145 changes: 125 additions & 20 deletions docs/developer.rst
Original file line number Diff line number Diff line change
@@ -1,20 +1,21 @@
.. _developer-label:

Local development and deployment
================================
================
Developer guide
================

.. note::
These instructions are for users wanting to set up a local development deployment of FEDn (i.e. without FEDn Studio).
This requires practical knowledge of Docker and docker-compose.

Running the FEDn development sandbox (docker-compose)
------------------------------------------------------
Pseudo-distributed sandbox
===========================

During development on FEDn, and when working on own aggregators/helpers, it is
useful to have a local development setup of the core FEDn services (controller, combiner, database, object store).
For this, we provide Dockerfiles and docker-compose template.
.. note::
These instructions are for users wanting to set up a bare-minimum local deployment of FEDn (without FEDn Studio).
We here assume practical knowledge of Docker and docker-compose. We recommend all new users of FEDn to start
by taking the Getting Started tutorial: :ref:`quickstart-label`

To start a development sandbox for FEDn using docker-compose:
During development on FEDn, and when working on own extentions including aggregators and helpers, it is
useful to have a local development setup of the core FEDn server-side services (controller, combiner, database, object store).
We provide Dockerfiles and docker-compose template for an all-in-one local sandbox:

.. code-block::
Expand All @@ -24,14 +25,14 @@ To start a development sandbox for FEDn using docker-compose:
up
This starts up local services for MongoDB, Minio, the API Server, one Combiner and two clients.
You can verify the deployment using these urls:
You can verify the deployment on localhost using these urls:

- API Server: http://localhost:8092/get_controller_status
- Minio: http://localhost:9000
- Mongo Express: http://localhost:8081

This setup does not include the security features of Studio, and thus will not require authentication of clients.
To use the APIClient to test a compute package and seed model against a local FEDn deployment:
This setup does not include any of the security and authentication features available in a Studio Project,
so we will not require authentication of clients (insecure mode) when using the APIClient:

.. code-block::
Expand All @@ -40,8 +41,7 @@ To use the APIClient to test a compute package and seed model against a local FE
client.set_active_package("package.tgz", helper="numpyhelper")
client.set_active_model("seed.npz")
To connect a native FEDn client, you need to make sure that the combiner service can be resolved using the name "combiner".
To connect a native FEDn client to the sandbox deployment, you need to make sure that the combiner service can be resolved by the client using the name "combiner".
One way to achieve this is to edit your '/etc/hosts' and add a line '127.0.0.1 combiner'.

Access message logs and validation data from MongoDB
Expand Down Expand Up @@ -76,7 +76,6 @@ You can clean up by running
docker-compose -f ../../docker-compose.yaml -f docker-compose.override.yaml down -v
Connecting clients using Docker:
------------------------------------------------------

Expand All @@ -93,8 +92,8 @@ and FEDN 0.10.0, run this from the example folder:
ghcr.io/scaleoutsystems/fedn/fedn:0.10.0 run client -in client.yaml --force-ssl --secure=True
Self-managed distributed deployment
------------------------------------------------------
Distributed deployment on a local network
=========================================

You can use different hosts for the various FEDn services. These instructions shows how to set up FEDn on a **local network** using a single workstation or laptop as
the host for the servier-side components, and other hosts or devices as clients.
Expand All @@ -116,7 +115,6 @@ the host for the servier-side components, and other hosts or devices as clients.
Launch a distributed FEDn Network
---------------------------------


Start by noting your host's local IP address, used within your network. Discover it by running ifconfig on UNIX or
ipconfig on Windows, typically listed under inet for Unix and IPv4 for Windows.

Expand Down Expand Up @@ -159,3 +157,110 @@ Alternatively updating the `/etc/hosts` file, appending the following lines for
<host local ip> api-server
<host local ip> combiner
.. _auth-label:

Authentication and Authorization (RBAC)
========================================

.. warning:: The FEDn RBAC system is an experimental feature and may change in the future.

FEDn supports Role-Based Access Control (RBAC) for controlling access to the FEDn API and gRPC endpoints. The RBAC system is based on JSON Web Tokens (JWT) and is implemented using the `jwt` package. The JWT tokens are used to authenticate users and to control access to the FEDn API.
There are two types of JWT tokens used in the FEDn RBAC system:
- Access tokens: Used to authenticate users and to control access to the FEDn API.
- Refresh tokens: Used to obtain new access tokens when the old ones expire.

.. note:: Please note that the FEDn RBAC system is not enabled by default and does not issue JWT tokens. It is used to integrate with external authentication and authorization systems such as FEDn Studio.

FEDn RBAC system is by default configured with four types of roles:
- `admin`: Has full access to the FEDn API. This role is used to manage the FEDn network using the API client or the FEDn CLI.
- `combiner`: Has access to the /add_combiner endpoint in the API.
- `client`: Has access to the /add_client endpoint in the API and various gRPC endpoint to participate in federated learning sessions.

A full list of the "roles to endpoint" mappings for gRPC can be found in the `fedn/network/grpc/auth.py`. For the API, the mappings are defined using custom decorators defined in `fedn/network/api/auth.py`.

.. note:: The roles are handled by a custom claim in the JWT token called `role`. The claim is used to control access to the FEDn API and gRPC endpoints.

To enable the FEDn RBAC system, you need to set the following environment variables in the controller and combiner:

Authentication Environment Variables
-------------------------------------

.. line-block::

**FEDN_JWT_SECRET_KEY**
- **Type:** str
- **Required:** yes
- **Default:** None
- **Description:** The secret key used for JWT token encryption.

**FEDN_JWT_ALGORITHM**
- **Type:** str
- **Required:** no
- **Default:** "HS256"
- **Description:** The algorithm used for JWT token encryption.

**FEDN_AUTH_SCHEME**
- **Type:** str
- **Required:** no
- **Default:** "Token"
- **Description:** The authentication scheme used in the FEDn API and gRPC interceptors.

Additional Environment Variables
--------------------------------

For further flexibility, you can also set the following environment variables:

.. line-block::

**FEDN_CUSTOM_URL_PREFIX**
- **Type:** str
- **Required:** no
- **Default:** None
- **Description:** Add a custom URL prefix used in the FEDn API, such as /internal or /v1.

**FEDN_AUTH_WHITELIST_URL**
- **Type:** str
- **Required:** no
- **Default:** None
- **Description:** A URL pattern to the API that should be excluded from the FEDn RBAC system. For example, /internal (to enable internal API calls).

**FEDN_JWT_CUSTOM_CLAIM_KEY**
- **Type:** str
- **Required:** no
- **Default:** None
- **Description:** The custom claim key used in the JWT token.

**FEDN_JWT_CUSTOM_CLAIM_VALUE**
- **Type:** str
- **Required:** no
- **Default:** None
- **Description:** The custom claim value used in the JWT token.

Client Environment Variables
-----------------------------

For the client, you need to set the following environment variables:

.. line-block::

**FEDN_AUTH_REFRESH_TOKEN_URI**
- **Type:** str
- **Required:** no
- **Default:** None
- **Description:** The URI used to obtain new access tokens when the old ones expire.

**FEDN_AUTH_REFRESH_TOKEN**
- **Type:** str
- **Required:** no
- **Default:** None
- **Description:** The refresh token used to obtain new access tokens when the old ones expire.

**FEDN_AUTH_SCHEME**
- **Type:** str
- **Required:** no
- **Default:** "Token"
- **Description:** The authentication scheme used in the FEDn API and gRPC interceptors.

You can use `--token` flags in the FEDn CLI to set the access token.
2 changes: 1 addition & 1 deletion docs/helpers.rst
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
.. _helper-label:

Model Serialization/Deserialization
Model marshalling
===================================

In federated learning, model updates need to be serialized and deserialized in order to be
Expand Down
4 changes: 1 addition & 3 deletions docs/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -5,16 +5,15 @@
introduction
quickstart
projects
apiclient

.. toctree::
:maxdepth: 1
:caption: Documentation

apiclient
architecture
aggregators
helpers
auth
developer

.. toctree::
Expand All @@ -24,7 +23,6 @@
faq
modules


Indices and tables
==================

Expand Down
Loading

0 comments on commit baf11ec

Please sign in to comment.