
Setup Project-based Researcher Access Control

Introduction

By default, Run:AI allows every Researcher to access every Job and Project. This document gives step-by-step instructions for enabling access control. Run:AI access control is enforced at the Project level: once Users are assigned to Projects, only those Users can submit Jobs to a Project and view its Jobs' details.

How it works

The Run:AI command-line interface uses a Kubernetes configuration file residing on a client machine. The configuration file contains information on how to access the Kubernetes cluster and hence the Run:AI

Authentication setup works as follows:

  • Client-side: Modify the Kubernetes configuration file to prompt for credentials.
  • Server-side: Modify the Kubernetes cluster to validate credentials against the Run:AI Authentication authority.
  • Assign Users to Projects using the Run:AI Administration UI.

Administration User Interface Setup

Enable Researcher Authentication

Under app.run.ai settings:

  • Enable the flag Researcher Authentication.
  • Copy the values for Client ID and Realm which appear on screen.

Assign Users to Projects

Assign Researchers to Projects:

  • Under Users, add a Researcher and assign it the Researcher role.
  • Under Projects, edit or create a Project. Use the Users tab to assign the Researcher to the Project.

Client-Side

To control access to Run:AI (and Kubernetes) resources, you must modify the Kubernetes configuration file (kubeconfig). This file is distributed to users as part of the command-line interface installation.

Before making changes, keep a copy of the original kubeconfig for cluster administration: it carries the administrative credentials and must not be handed to Researchers. After making the modifications, distribute only the modified kubeconfig to Researchers.

Edit the config file under the ~/.kube directory and add the following entry to its users: list:

- name: <USER_NAME>
  user:
    auth-provider:
      config:
        auth-flow: cli
        realm: <REALM>
        client-id: <CLIENT_ID>
        idp-issuer-url: https://runai-prod.auth0.com/
      name: oidc

Where <USER_NAME> is an arbitrary name that the Researchers' context must refer to (contexts | context | user in the same file), and <REALM> and <CLIENT_ID> are the values copied from the Researcher Authentication settings.

Distribute the modified kubeconfig to Researchers.
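As an added example (not Run:AI's own tooling; the cluster name, server URL, CA data, realm and client-id are placeholders passed in by the caller), the following POSIX shell script generates a Researcher kubeconfig that carries nothing but the cluster endpoint, its CA and the OIDC stanza above, and checks any kubeconfig for leftover static credentials before it is distributed:

```shell
#!/bin/sh
# Added example, not Run:AI's own tooling: build a Researcher kubeconfig that
# carries only the cluster endpoint, its CA and the OIDC auth-provider stanza,
# so the admin client certificate from the original kubeconfig never leaves
# the administrator's machine. Cluster name, server URL, CA data, realm and
# client-id are placeholders supplied by the caller.

# make_researcher_kubeconfig CLUSTER SERVER CA_DATA USER_NAME REALM CLIENT_ID
# Prints the kubeconfig to stdout; the context's user field matches USER_NAME.
make_researcher_kubeconfig() {
  cluster="$1"; server="$2"; ca_data="$3"
  user_name="$4"; realm="$5"; client_id="$6"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_data}
contexts:
- name: ${user_name}@${cluster}
  context:
    cluster: ${cluster}
    user: ${user_name}
current-context: ${user_name}@${cluster}
users:
- name: ${user_name}
  user:
    auth-provider:
      name: oidc
      config:
        auth-flow: cli
        realm: ${realm}
        client-id: ${client_id}
        idp-issuer-url: https://runai-prod.auth0.com/
EOF
}

# check_researcher_kubeconfig FILE
# Returns 0 only if FILE contains no static credentials (client certificate,
# client key, bearer token or cached OIDC tokens, inline or by path) and does
# use the oidc auth-provider. Run it on every kubeconfig before handing it
# to a Researcher.
check_researcher_kubeconfig() {
  f="$1"
  if grep -Eq '^[[:space:]]*(client-certificate|client-certificate-data|client-key|client-key-data|token|id-token|refresh-token):' "$f"; then
    printf '%s\n' "refusing $f: it still contains static credentials" >&2
    return 1
  fi
  if ! grep -Eq '^[[:space:]]*name:[[:space:]]*oidc[[:space:]]*$' "$f"; then
    printf '%s\n' "refusing $f: no oidc auth-provider found" >&2
    return 1
  fi
  return 0
}

# Demo on constructed input: the generated file passes; a stripped-down copy
# of an admin kubeconfig (constructed here, not a real credential) is rejected.
demo_dir=$(mktemp -d)
make_researcher_kubeconfig demo https://10.0.0.1:6443 QUJDREVG researcher myrealm runai-cli \
  > "$demo_dir/researcher.kubeconfig"
check_researcher_kubeconfig "$demo_dir/researcher.kubeconfig" && echo "researcher kubeconfig OK"
printf 'users:\n- name: admin\n  user:\n    client-certificate-data: QUJDREVG\n    client-key-data: QUJDREVG\n' \
  > "$demo_dir/admin.kubeconfig"
check_researcher_kubeconfig "$demo_dir/admin.kubeconfig" || echo "admin kubeconfig rejected as expected"
rm -rf "$demo_dir"
```

The check also rejects id-token and refresh-token entries, which kubectl writes back into the file after a login; a kubeconfig that has been used by an administrator to log in is therefore not a clean template either.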

Server-Side

Locate the Kubernetes API Server configuration file. Its location may differ between Kubernetes distributions; the default location (the static pod manifest on kubeadm-based clusters) is /etc/kubernetes/manifests/kube-apiserver.yaml

Edit the manifest and add the following parameters at the end of the existing command list. Note that --oidc-username-prefix=- disables the prefix Kubernetes would otherwise prepend to OIDC usernames to keep them distinct from existing names such as system: users, and --oidc-groups-claim=email makes the token's email claim the user's Kubernetes group:

 spec:
   containers:
   - command:
     ... 
     - --oidc-client-id=<CLIENT_ID>
     - --oidc-issuer-url=https://runai-prod.auth0.com/
     - --oidc-username-prefix=-
     - --oidc-groups-claim=email

On kubeadm-based clusters the kubelet re-creates the static pod automatically when its manifest changes. Verify that the kube-apiserver-<master-node-name> pod in the kube-system namespace has been restarted and that the changes have been incorporated. Run:

kubectl get pods -n kube-system kube-apiserver-<master-node-name> -o yaml

and search the output for the oidc flags above.
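As an added example (not part of Run:AI; the client-id runai-cli used in the demo is a placeholder, and the client-id and issuer URL are passed in by the caller), this POSIX shell script checks a kube-apiserver manifest, or the YAML of the running pod, for the four OIDC flags and reports the value actually found for any mismatch:

```shell
#!/bin/sh
# Added example, not part of Run:AI: verify that a kube-apiserver manifest
# carries the expected OIDC flags. It works on the manifest text, so point it
# at /etc/kubernetes/manifests/kube-apiserver.yaml on the control-plane node,
# or at the output of
#   kubectl get pods -n kube-system kube-apiserver-<master-node-name> -o yaml
# to confirm the running pod picked the change up. Client ID and issuer are
# passed in by the caller.

# oidc_flag_value MANIFEST FLAG
# Prints the value of a "- FLAG=value" command-line entry, empty if absent.
oidc_flag_value() {
  sed -n "s/^[[:space:]]*- ${2}=\(.*\)$/\1/p" "$1" | head -n 1
}

# check_oidc_flags MANIFEST CLIENT_ID ISSUER_URL
# Returns 0 when every flag is present with the expected value, 1 otherwise;
# each mismatch is reported on stderr with the value actually found.
check_oidc_flags() {
  manifest="$1"; client_id="$2"; issuer="$3"
  rc=0
  for want in \
    "--oidc-client-id=${client_id}" \
    "--oidc-issuer-url=${issuer}" \
    "--oidc-username-prefix=-" \
    "--oidc-groups-claim=email"
  do
    flag="${want%%=*}"
    expected="${want#*=}"
    actual=$(oidc_flag_value "$manifest" "$flag")
    if [ "$actual" != "$expected" ]; then
      printf '%s\n' "$flag: expected '$expected', found '${actual:-<missing>}'" >&2
      rc=1
    fi
  done
  return $rc
}

# Demo on a constructed manifest fragment (not a real cluster's file);
# runai-cli is a placeholder client-id.
demo_dir=$(mktemp -d)
cat > "$demo_dir/kube-apiserver.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --oidc-client-id=runai-cli
    - --oidc-issuer-url=https://runai-prod.auth0.com/
    - --oidc-username-prefix=-
    - --oidc-groups-claim=email
EOF
check_oidc_flags "$demo_dir/kube-apiserver.yaml" runai-cli https://runai-prod.auth0.com/ \
  && echo "all OIDC flags present"
rm -rf "$demo_dir"
```

Because the check compares values rather than just looking for the flag names, it catches a manifest that was edited with the wrong client-id or a trailing-slash mismatch in the issuer URL, both of which would leave every Researcher login failing at the API server.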

Test

  • Submit a Job.
  • You are redirected to a browser page that requires authentication. On a machine without a browser, the CLI prints a URL to open elsewhere and prompts you to paste back the resulting token.
  • If the Job was submitted to a Project you have no access to, the request is denied.
  • If the Job was submitted to a Project you have access to, the request is granted.
  • Existing Jobs in Projects you do not have access to are still listed by runai job list -p <project-name>, but you cannot view their logs, get further details, open a shell (bash) into them, or delete them.

Last update: January 11, 2021