Integrations

The AI App Store provides tight integration with the rest of the H2O AI Hybrid Cloud, especially ML Engine management and Model management.

The key principles of these integrations are:

  • Shared user identity (via OIDC) - all APIs/UIs within the H2O AI Hybrid Cloud support OIDC-based authentication and authorization. This allows users to use a single identity across all the pieces of the H2O AI Hybrid Cloud. More importantly, when configured, this also allows Wave apps running within the App Store platform to use the user's identity to make API calls to the individual components on behalf of the end user. Technically, this is achieved by leveraging OIDC support in each of the components and configuring their respective OIDC clients in such a way that their OIDC access tokens are accepted by the other parties as necessary.

  • Shared storage API - apps running within the App Store platform can use the same storage API as the other components of the H2O AI Hybrid Cloud, including access authorization. Combined with the shared user identity mentioned above, this means that a user can import data via a Wave app (using the API and her identity), utilize it transparently from a Driverless AI engine (which again uses the same API and identity to read the data), and process/display the results in another app, all without having to configure connectors, storage resources, or shared workspaces.

  • Dependency injection - apps running within the App Store platform have the references to the other H2O AI Hybrid Cloud components injected via their environment from a secret. This allows for loose coupling of apps and H2O AI Hybrid Cloud components.

Note that these principles can be easily applied to other dependencies, especially in existing environments, as long as they support OIDC (access token) authentication.

H2O AI Hybrid Cloud Integrations

Model management

The App Store relies on H2O MLOps for management of model deployments.

To configure this integration, it is necessary to:

  1. Configure MLOps with an OIDC client in the same user pool/realm as the App Store. The client must be able to obtain the ai.h2o.storage and ai.h2o.deploy scopes for its tokens.

  2. Configure the Wave app OIDC client in such a way that it obtains the ai.h2o.storage and ai.h2o.deploy scopes for its tokens by default.

  3. Configure a shared (ALL_USERS) secret with the MLOps API URL.

After this, OIDC-enabled Wave apps can make API calls to MLOps on behalf of the end user via the MLOps Python library.

ML Engine management

The App Store relies on H2O AI Engines for management of ML engines, e.g., Driverless AI.

To configure this integration, it is necessary to:

  • Configure AI Engine Manager (AIEM) with the OIDC platform public client. The client must be able to obtain the ai.h2o.storage scope for its tokens. Also, make sure that App Store user roles are mapped to a token claim.

    Example:

    auth:
      oidcIssuer: "https://auth.cloud-dev.h2o.ai/auth/realms/hac-dev"
      oidcClientID: "hac-platform-public"
      oidcRoleClaim: "realm_access.roles"
      oidcAdminRole: "admin"
      oidcUserDisplayNameClaim: "preferred_username"
      oidcClientScopes: "openid, offline_access, profile, email"

After this, OIDC-enabled Wave apps can make API calls to AI Engines/DAI on behalf of the end user via the AI Engines/DAI Python client library.
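
Both integrations fail if the end user's access token lacks the scopes or role claim listed above. The following diagnostic is an added example, not code from the App Store or H2O libraries, for checking a token against those requirements. It assumes the identity provider issues JWT access tokens with a space-separated `scope` claim and that the dotted `oidcRoleClaim` path maps to nested claims; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Scope names and the role-claim path are from the page; all else is hypothetical.
MLOPS_SCOPES = {"ai.h2o.storage", "ai.h2o.deploy"}
AIEM_SCOPES = {"ai.h2o.storage"}
ROLE_CLAIM = "realm_access.roles"


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (opaque access token?)")
    payload = parts[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def missing_scopes(claims: dict, required: set) -> set:
    """Scopes in `required` absent from the space-separated `scope` claim."""
    return required - set(str(claims.get("scope", "")).split())


def roles_at(claims: dict, path: str = ROLE_CLAIM) -> list:
    """Resolve a dotted claim path such as realm_access.roles; [] if absent."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    return list(node) if isinstance(node, list) else []


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (never a real one)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


# Constructed sample: a token issued without ai.h2o.deploy.
SAMPLE = make_sample_token({
    "scope": "openid profile ai.h2o.storage",
    "realm_access": {"roles": ["user"]},
})

if __name__ == "__main__":
    claims = decode_claims(SAMPLE)
    print("missing for MLOps:", sorted(missing_scopes(claims, MLOPS_SCOPES)))
    print("roles:", roles_at(claims))
```

Because the signature is not checked, the output is only a configuration aid; the receiving components still validate the token themselves.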
