From 178fbcd5931443eed1c924057e844ef9e5eba8b8 Mon Sep 17 00:00:00 2001
From: numerology
Date: Thu, 17 Oct 2019 10:39:20 -0700
Subject: [PATCH 1/8] add tfx permission guide

---
 samples/contrib/parameterized_tfx_oss/README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/samples/contrib/parameterized_tfx_oss/README.md b/samples/contrib/parameterized_tfx_oss/README.md
index 21c38f5b1fb..0a09c569e9f 100644
--- a/samples/contrib/parameterized_tfx_oss/README.md
+++ b/samples/contrib/parameterized_tfx_oss/README.md
@@ -14,8 +14,11 @@ then point the version tag in `tfx/version.py` to TFX's latest nightly build ima
 `0.15.0dev` (e.g., `0.15.0dev20191007`, list of image available can be found
 [here](https://hub.docker.com/r/tensorflow/tfx/tags)). Finally, run `python setup.py install` from
 `tfx/tfx`. After that, running `chicago_taxi_pipeline_simple.py` compiles the TFX pipeline into KFP pipeline package.
-This pipeline requires google storage permission to run.
+## Permission
+This pipeline requires google storage permission to run.
+If KFP was deployed through K8S marketplace, please follow instructions in [the guideline](https://github.com/kubeflow/pipelines/blob/master/manifests/gcp_marketplace/guide.md#gcp-service-account-credentials)
+to make sure the service account has `storage.admin` role.
 
 ## Caveats

From 51c70006ae3b4966331f67fe14b3b2746d61cfb7 Mon Sep 17 00:00:00 2001
From: numerology
Date: Thu, 17 Oct 2019 10:42:16 -0700
Subject: [PATCH 2/8] add xgboost guide

---
 samples/core/xgboost_training_cm/README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/samples/core/xgboost_training_cm/README.md b/samples/core/xgboost_training_cm/README.md
index 3469fac2afc..1160d9d2efe 100644
--- a/samples/core/xgboost_training_cm/README.md
+++ b/samples/core/xgboost_training_cm/README.md
@@ -13,6 +13,8 @@ or not.
 ## Requirements
 Preprocessing uses Google Cloud DataProc. Therefore, you must enable the
 [DataProc API](https://cloud.google.com/endpoints/docs/openapi/enable-api) for the given GCP project.
+If KFP was deployed through K8S marketplace, please follow instructions in [the guideline](https://github.com/kubeflow/pipelines/blob/master/manifests/gcp_marketplace/guide.md#gcp-service-account-credentials)
+to make sure the service account used has the role `storage.admin` and `dataproc.admin`.
 
 ## Compile
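Both patches above point marketplace deployments at the `storage.admin` role (plus `dataproc.admin` for the Dataproc sample). Before launching a run, a preflight check along the following lines can confirm the storage side is actually in place. This is a sketch only: the bucket name is a placeholder, and it assumes the `google-cloud-storage` client library with application-default credentials.

```python
# Preflight check for the storage.admin guidance above: confirm the
# credentials the pipeline will use can reach a GCS bucket. The bucket
# name is a placeholder, not something defined by these patches.
from google.cloud import storage

def check_gcs_access(bucket_name: str) -> None:
    client = storage.Client()  # uses application-default credentials
    bucket = client.bucket(bucket_name)
    if not bucket.exists():
        raise RuntimeError(
            f"Bucket {bucket_name!r} is missing or unreadable; check the "
            "service account roles per the guideline linked above.")
    # Round-trip a tiny object to confirm write access as well.
    blob = bucket.blob("kfp-permission-check.txt")
    blob.upload_from_string("ok")
    blob.delete()

check_gcs_access("my-kfp-artifacts")  # placeholder bucket name
```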
From f3063c5c26050af7adac5d39f7d6e51d8dc73c72 Mon Sep 17 00:00:00 2001
From: numerology
Date: Fri, 18 Oct 2019 16:09:02 -0700
Subject: [PATCH 3/8] add a direct link to dataproc API

---
 samples/core/xgboost_training_cm/README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/samples/core/xgboost_training_cm/README.md b/samples/core/xgboost_training_cm/README.md
index 1160d9d2efe..f7a1f89f529 100644
--- a/samples/core/xgboost_training_cm/README.md
+++ b/samples/core/xgboost_training_cm/README.md
@@ -14,7 +14,8 @@ or not.
 Preprocessing uses Google Cloud DataProc. Therefore, you must enable the
 [DataProc API](https://cloud.google.com/endpoints/docs/openapi/enable-api) for the given GCP project.
 If KFP was deployed through K8S marketplace, please follow instructions in [the guideline](https://github.com/kubeflow/pipelines/blob/master/manifests/gcp_marketplace/guide.md#gcp-service-account-credentials)
-to make sure the service account used has the role `storage.admin` and `dataproc.admin`.
+to make sure the service account used has the role `storage.admin` and `dataproc.admin`. Also, please make sure [Cloud Dataproc API](https://pantheon.corp.google.com/apis/library/dataproc.googleapis.com?q=dataproc)
+is enabled for the given GCP project.
 
 ## Compile

From 24d3718c1485ea170048dd3879861c8482227bbd Mon Sep 17 00:00:00 2001
From: numerology
Date: Thu, 24 Oct 2019 15:45:56 -0700
Subject: [PATCH 4/8] Add tip

---
 manifests/gcp_marketplace/guide.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/manifests/gcp_marketplace/guide.md b/manifests/gcp_marketplace/guide.md
index 20c5ec527fa..f44e5996d6f 100644
--- a/manifests/gcp_marketplace/guide.md
+++ b/manifests/gcp_marketplace/guide.md
@@ -89,3 +89,6 @@ Reason:
 Please ask admin to give your account `Project Editor` permission.
 It can be set from [IAM](https://console.cloud.google.com/iam-admin/iam).
+
+### Pipeline steps got insufficient permission
+Make sure following the procedure in [credential setup](#gcp-service-account-credentials). IAM configuration might take up to 5 mins to propagate.

From 73aa49aa3d009e21f9d43067bf13532e5b843af1 Mon Sep 17 00:00:00 2001
From: Jiaxiao Zheng
Date: Sun, 27 Oct 2019 20:51:34 -0700
Subject: [PATCH 5/8] Update README.md

---
 samples/core/xgboost_training_cm/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/samples/core/xgboost_training_cm/README.md b/samples/core/xgboost_training_cm/README.md
index 7cb6e3dbf34..7246859341f 100644
--- a/samples/core/xgboost_training_cm/README.md
+++ b/samples/core/xgboost_training_cm/README.md
@@ -10,7 +10,7 @@ Finally, a delete cluster operation runs to destroy the cluster it creates
 in the beginning. The delete cluster operation is used as an exit handler,
 meaning it will run regardless of whether the pipeline fails
 or not.
-## Requirements
+## Permission
 Preprocessing uses Google Cloud DataProc. Therefore, you must enable the
 [Cloud Dataproc API](https://pantheon.corp.google.com/apis/library/dataproc.googleapis.com?q=dataproc) for the given GCP project. This is the

From 7451fa5e9df2b4522f1e55c22637c12ef3903f48 Mon Sep 17 00:00:00 2001
From: numerology
Date: Mon, 28 Oct 2019 10:42:29 -0700
Subject: [PATCH 6/8] Update and apply suggestions

---
 manifests/gcp_marketplace/guide.md              | 21 ++++++++++++++++++-
 .../contrib/parameterized_tfx_oss/README.md     |  4 ++--
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/manifests/gcp_marketplace/guide.md b/manifests/gcp_marketplace/guide.md
index 62ffe712bd1..bd8fb372570 100644
--- a/manifests/gcp_marketplace/guide.md
+++ b/manifests/gcp_marketplace/guide.md
@@ -101,4 +101,23 @@ as `Service Account User`. The Google Service Account is [Compute Engine default
 For simplicity but not good for security, adding as `Project Editor` also can work.
 
 ### Pipeline steps got insufficient permission
-Make sure following the procedure in [credential setup](#gcp-service-account-credentials). IAM configuration might take up to 5 mins to propagate.
+If you see an error message stating that the pipeline got insufficient
+permissions, for example:
+
+```
+ Error executing an HTTP request: HTTP response code 403 with body '{
+  "error": {
+    "errors": [
+      {
+        "domain": "global",
+        "reason": "insufficientPermissions",
+        "message": "Insufficient Permission"
+      }
+    ],
+    "code": 403,
+    "message": "Insufficient Permission"
+  }
+}
+```
+please make sure you have followed the procedure in [credential setup](#gcp-service-account-credentials). IAM configuration and/or
+API enabling might take up to 5 minutes to propagate.
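The entry above warns that IAM configuration and API enabling can take minutes to propagate. A caller that would rather wait out that window than fail on the first 403 can wrap its first storage call in a retry loop, sketched below under the same assumptions as before (placeholder bucket name, `google-cloud-storage` client library):

```python
# Wait out IAM propagation (the "up to 5 minutes" noted above) instead of
# failing on the first 403. Bucket name and timings are placeholders.
import time

from google.api_core import exceptions
from google.cloud import storage

def wait_for_permission(bucket_name: str, timeout_s: int = 300) -> bool:
    client = storage.Client()
    deadline = time.time() + timeout_s
    while time.time() < deadline:
        try:
            client.bucket(bucket_name).exists()  # any non-403 outcome is fine
            return True
        except exceptions.Forbidden:
            time.sleep(30)  # role binding not visible yet; retry
    return False

if not wait_for_permission("my-kfp-artifacts"):  # placeholder bucket name
    raise SystemExit("IAM change still not visible; re-check the role bindings.")
```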
diff --git a/samples/contrib/parameterized_tfx_oss/README.md b/samples/contrib/parameterized_tfx_oss/README.md
index 2f78e078ebd..573d467910d 100644
--- a/samples/contrib/parameterized_tfx_oss/README.md
+++ b/samples/contrib/parameterized_tfx_oss/README.md
@@ -17,9 +17,9 @@ List of officially released nightly build image available can be found [here](ht
 After that, running `python3 chicago_taxi_pipeline_simple.py` compiles the TFX pipeline into KFP pipeline
 package.
 
-# Requriements
+# Requriements
 
-This pipeline requires google storage permission to run.
+This pipeline requires Google Cloud Storage permission to run.
 If KFP was deployed through K8S marketplace, please follow instructions in [the guideline](https://github.com/kubeflow/pipelines/blob/master/manifests/gcp_marketplace/guide.md#gcp-service-account-credentials)
 to make sure the service account has `storage.admin` role.

From a967c2c1be25a6003d936f1780c55e14e72b8916 Mon Sep 17 00:00:00 2001
From: numerology
Date: Mon, 28 Oct 2019 10:46:57 -0700
Subject: [PATCH 7/8] Fix

---
 samples/contrib/parameterized_tfx_oss/README.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/samples/contrib/parameterized_tfx_oss/README.md b/samples/contrib/parameterized_tfx_oss/README.md
index 573d467910d..a29d3e563ee 100644
--- a/samples/contrib/parameterized_tfx_oss/README.md
+++ b/samples/contrib/parameterized_tfx_oss/README.md
@@ -17,7 +17,7 @@ List of officially released nightly build image available can be found [here](ht
 After that, running `python3 chicago_taxi_pipeline_simple.py` compiles the TFX pipeline into KFP pipeline
 package.
 
-# Requriements
+# Permission
 
 This pipeline requires Google Cloud Storage permission to run.
 If KFP was deployed through K8S marketplace, please follow instructions in [the guideline](https://github.com/kubeflow/pipelines/blob/master/manifests/gcp_marketplace/guide.md#gcp-service-account-credentials)
 to make sure the service account has `storage.admin` role.
@@ -32,8 +32,7 @@ objects `dsl.PipelineParam` and appending them to the `KubeflowDagRunner._params
 KubeflowDagRunner can correctly identify those pipeline parameters and interpret them as Argo
 placeholder correctly when compilation. However, this parameterization approach is a hack and
 we do not have plan for long-term support. Instead we're working with TFX team to support
-pipeline parameterization using their [RuntimeParameter](https://github.com/tensorflow/tfx/blob/46bb4f975c36ea1defde4b3c33553e088b3dc5b8/tfx/orchestration/data_types.py#L108).
-
+pipeline parameterization using their [RuntimeParameter](https://github.com/tensorflow/tfx/blob/46bb4f975c36ea1defde4b3c33553e088b3dc5b8/tfx/orchestration/data_types.py#L108).
 ### Known issues
 * This approach only works for string-typed quantities. For example, you cannot parameterize
 `num_steps` of `Trainer` in this way.
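The context lines above spell out the parameterization hack: wrap a value in `dsl.PipelineParam` and append it to `KubeflowDagRunner._params` so the compiler emits an Argo placeholder. A minimal sketch of that pattern follows. The module path is assumed from TFX 0.15-era code, the parameter name and value are placeholders, and `_params` is a private attribute, so treat this as illustrative only:

```python
# Illustrative sketch of the PipelineParam hack quoted in PATCH 7's context.
# Assumes TFX ~0.15 module paths; relies on the private _params attribute.
from kfp import dsl
from tfx.orchestration.kubeflow.kubeflow_dag_runner import KubeflowDagRunner

# A string-typed pipeline parameter; name and default value are placeholders.
pipeline_root = dsl.PipelineParam(name='pipeline-root',
                                  value='gs://my-bucket/tfx/taxi')

runner = KubeflowDagRunner()
# Registered params are compiled into Argo placeholders.
runner._params.append(pipeline_root)
# runner.run(taxi_pipeline)  # compiling would now emit the placeholder
```

As the known-issues bullet above notes, this trick only works for string-typed values.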
From 89ad614e3038da752c866342591420b9b97fba85 Mon Sep 17 00:00:00 2001
From: IronPan
Date: Tue, 29 Oct 2019 10:36:03 -0700
Subject: [PATCH 8/8] Update README.md

---
 samples/core/xgboost_training_cm/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/samples/core/xgboost_training_cm/README.md b/samples/core/xgboost_training_cm/README.md
index 7246859341f..7cb6e3dbf34 100644
--- a/samples/core/xgboost_training_cm/README.md
+++ b/samples/core/xgboost_training_cm/README.md
@@ -10,7 +10,7 @@ Finally, a delete cluster operation runs to destroy the cluster it creates
 in the beginning. The delete cluster operation is used as an exit handler,
 meaning it will run regardless of whether the pipeline fails
 or not.
-## Permission
+## Requirements
 Preprocessing uses Google Cloud DataProc. Therefore, you must enable the
 [Cloud Dataproc API](https://pantheon.corp.google.com/apis/library/dataproc.googleapis.com?q=dataproc) for the given GCP project. This is the
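The hunk context above mentions that the delete-cluster operation runs as an exit handler, executing whether or not the pipeline fails. The KFP construct behind that pattern is `dsl.ExitHandler`; the sketch below shows its shape with placeholder images and commands, not the sample's real Dataproc components:

```python
# Sketch of the exit-handler pattern described above: the cleanup op passed
# to dsl.ExitHandler runs even when the steps inside the block fail.
# Images and commands are placeholders.
import kfp
from kfp import dsl

@dsl.pipeline(name='xgboost-cm-sketch',
              description='Exit-handler cleanup pattern.')
def xgboost_sketch():
    delete_cluster = dsl.ContainerOp(
        name='delete-cluster',
        image='google/cloud-sdk:latest',  # placeholder image
        command=['sh', '-c', 'echo delete cluster'])

    with dsl.ExitHandler(delete_cluster):
        dsl.ContainerOp(
            name='create-cluster-and-train',
            image='google/cloud-sdk:latest',  # placeholder image
            command=['sh', '-c', 'echo create cluster, preprocess, train'])

if __name__ == '__main__':
    kfp.compiler.Compiler().compile(xgboost_sketch, 'xgboost_sketch.tar.gz')
```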