
Architecture


Last updated 2 years ago

PrimeHub is a Kubernetes-based multi-user machine learning platform. For multi-user requirements, we fully integrate with Keycloak as the identity provider (IdP) solution.

Here is a high-level diagram of PrimeHub

  • Keycloak: Identity provider. It provides the user database and authentication/authorization services.

  • Console: User interface for using and managing the PrimeHub platform. It is a rich web application (built with React) that sends user commands to the GraphQL server.

  • GraphQL: API server to manage PrimeHub. The API may create/update resources in Kubernetes through the Kubernetes API, or update users/groups through the Keycloak admin API.

  • Controllers: A group of components that watch and reconcile the state of the Kubernetes and Keycloak resources. The basic concept is described in the Kubernetes official document.

  • Custom Resources: Kubernetes provides powerful extensibility for its API. We can define custom resources and store them in Kubernetes.

  • UI Components: For some features, we integrate existing third-party solutions (e.g. JupyterHub). We customize them, integrate them with our PrimeHub GraphQL API, and configure the OIDC client in our Keycloak.

Components

| Name | Type | Description |
| --- | --- | --- |
| keycloak | Identity Provider | Identity server for PrimeHub. It is responsible for managing users, groups, and authentication. |
| primehub console | UI | PrimeHub UI for users and administrators. |
| jupyterhub | UI Components | Third-party multi-user Jupyter project. We integrate it to spawn the Jupyter servers. |
| admin notebook | UI Components | A special Jupyter server for operation purposes. |
| graphql | API Server | The primary API server for PrimeHub. |
| groupvolume | Controllers | A metacontroller-based controller. It is responsible for provisioning an NFS server for a shared volume. (metacontroller is a general-purpose controller used to implement controllers.) |
| gitsync | Controllers | A metacontroller-based controller. It is responsible for managing the gitsync volume. |
| volume-upload | Controllers | A metacontroller-based controller. It is responsible for managing the volume upload server. |
| primehub controller | Controllers | The single-process controller that manages jobs, image builder, license, etc. This component is relatively new and we hope to fold all metacontroller-based controllers into it in the future. |
| admission webhook | Controllers | It implements the admission controller to intercept requests for the creation of resources. Currently, we use it to guarantee that a pod does not request more resources than the quota. |
| watcher | Controllers | It monitors the image, instance type, and volume custom resources and generates the corresponding Keycloak roles. |

Data Model

PrimeHub core does not have its own database. The persistent state is stored in Keycloak and the Kubernetes cluster.

The data stored in each is:

  • Keycloak: Stores the users, groups, user/group bindings (members), roles, and group/role bindings.

  • Kubernetes: Stores the resources shared among groups, like images, instance types, volumes, imagespecs, and secrets, as well as user-created items, like phjobs.

In the PrimeHub design, the common resources (e.g. image) can be associated with groups. Each such resource has a corresponding role defined in Keycloak, and the relationship between resource and group is implemented by role binding. The following diagram depicts the relationship.

For more information, please refer to the data model documentation.

Design Principles

  • GraphQL is the primary API server. We use it to control the resources in Keycloak and the cluster.

  • For end-user requests, GraphQL requires an id-token (defined in OpenID Connect) to access the GraphQL endpoint.

  • For server-to-server requests, GraphQL requires a shared secret to access the GraphQL endpoint with full permission.

  • Controllers watch the cluster/Keycloak states and reconcile the current state to the desired state.

  • Controllers may call GraphQL to get the user/group configuration. However, GraphQL should not know of the controllers' existence.
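
The quota check that the admission webhook component performs, sketched as an added example (not PrimeHub's own code): it reads a Kubernetes AdmissionReview v1 request for a Pod and denies it when the pod's limits exceed a quota or when a container sets no limit at all. The function names, the quota dictionary and the sample request are assumptions constructed for illustration.

```python
from decimal import Decimal

# Suffixes of Kubernetes resource quantities (binary first, then decimal).
_SUFFIX = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
           "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def parse_quantity(q):
    """Convert a quantity such as "500m", "2" or "1Gi" to a Decimal."""
    q = str(q)
    if q.endswith("m"):                       # milli-units, e.g. CPU "500m"
        return Decimal(q[:-1]) / 1000
    for suffix, factor in _SUFFIX.items():
        if q.endswith(suffix):
            return Decimal(q[:-len(suffix)]) * factor
    return Decimal(q)

def pod_limit(spec, resource):
    """Effective limit of a pod for one resource: the sum over app containers,
    or the largest init container if higher. None means a limit is missing."""
    def limit(c):
        v = ((c.get("resources") or {}).get("limits") or {}).get(resource)
        return None if v is None else parse_quantity(v)
    app = [limit(c) for c in spec.get("containers", [])]
    init = [limit(c) for c in spec.get("initContainers", [])]
    if None in app + init:
        return None                           # unbounded: cannot be checked
    return max([sum(app, Decimal(0))] + init)

def review(admission_review, quota):
    """Build the AdmissionReview response for a Pod creation request."""
    req = admission_review["request"]
    problems = []
    for resource, cap in quota.items():
        used = pod_limit(req["object"]["spec"], resource)
        if used is None:
            problems.append(f"{resource}: a container has no limit")
        elif used > parse_quantity(cap):
            problems.append(f"{resource}: {used} exceeds quota {cap}")
    response = {"uid": req["uid"], "allowed": not problems}
    if problems:                              # deny with a reason for the user
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

# Constructed sample: two containers totalling 1.5 CPU and 3Gi of memory.
SAMPLE = {"request": {"uid": "constructed-uid-0001", "object": {"spec": {"containers": [
    {"name": "notebook", "resources": {"limits": {"cpu": "1", "memory": "2Gi"}}},
    {"name": "sidecar", "resources": {"limits": {"cpu": "500m", "memory": "1Gi"}}}]}}}}
GROUP_QUOTA = {"cpu": "2", "memory": "2Gi"}   # hypothetical quota values
```

Calling `review(SAMPLE, GROUP_QUOTA)` denies the pod on memory only; treating a missing limit as a denial rather than as zero is what keeps an unbounded container from passing the check.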