Setup Project-based Researcher Access Control


By default, Run:AI is configured to allow all Researchers access to all Jobs and Projects. This document provides step-by-step instructions on how to enable access control. Run:AI access control is at the Project level: when you assign Users to a Project, only those Users are allowed to submit Jobs to it and access its Job details.

How it works

The Run:AI command-line interface uses a Kubernetes configuration file residing on a client machine. The configuration file contains information on how to access the Kubernetes cluster and hence the Run:AI

Authentication setup works as follows:

  • Client-side: Modify the Kubernetes configuration file to prompt for credentials.
  • Server-side: Modify the Kubernetes cluster to validate credentials against the Run:AI Authentication authority.
  • Assign Users to Projects using the Run:AI Administration UI.

Administration User Interface Setup

Enable Researcher Authentication

Under settings:

  • Enable the flag Researcher Authentication.
  • Copy the values for Client ID and Realm which appear on screen.

Assign Users to Projects

Assign Researchers to Projects:

  • Under Users add a Researcher and assign it with a Researcher role.
  • Under Projects, edit or create a Project. Use the Users tab to assign the Researcher to the Project.


To control access to Run:AI (and Kubernetes) resources, you must modify the Kubernetes certificate. The certificate is distributed to users as part of the Command-line interface installation.

When making changes to the certificate, keep a copy of the original certificate to be used for cluster administration. After making the modifications, distribute the modified certificate to Researchers.

Under the ~/.kube directory edit the config file, and add the following:

- name: <USER_NAME>
  user:
    auth-provider:
      config:
        auth-flow: cli
        realm: <REALM>
        client-id: <CLIENT_ID>
      name: oidc

Where <USER_NAME> is an arbitrary name which is also referred to under contexts | context | user in the same file.

You must distribute the modified certificate to Researchers.


Locate the Kubernetes API Server configuration file. The file's location may differ between Kubernetes distributions. The default location is /etc/kubernetes/manifests/kube-apiserver.yaml.

Edit the document to add the following parameters at the end of the existing command list:

   - command:
     - --oidc-client-id=<CLIENT_ID>
     - --oidc-issuer-url=
     - --oidc-username-prefix=-
     - --oidc-groups-claim=email

Verify that the kube-apiserver-<master-node-name> pod in the kube-system namespace has been restarted and that changes have been incorporated. Run:

kubectl get pods -n kube-system kube-apiserver-<master-node-name> -o yaml

And search for the above oidc flags.
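
The search can be scripted so that a missing or unusable flag is reported explicitly. The following is an added example, not part of the Run:AI documentation or code; the function names and the sample input are constructed for illustration. It assumes the four flags listed above are the ones expected, and it relies on the kube-apiserver rule that the OIDC issuer URL must use the https scheme.

```bash
#!/usr/bin/env bash
# Added example (not Run:AI code): audit the OIDC flags of a kube-apiserver pod spec.
# Real use: kubectl get pods -n kube-system kube-apiserver-<master-node-name> -o yaml | check_oidc_flags

# Constructed sample: the flag list exactly as printed on this page,
# with the issuer URL blank and the client ID still a placeholder.
SAMPLE_FROM_PAGE='
    - command:
      - kube-apiserver
      - --oidc-client-id=<CLIENT_ID>
      - --oidc-issuer-url=
      - --oidc-username-prefix=-
      - --oidc-groups-claim=email
'

# Print the value of --$1=... found in the YAML text $2; return 1 if the flag is absent.
oidc_flag_value() {
  local line
  line=$(printf '%s\n' "$2" | grep -E -m1 -- "^[[:space:]]*-[[:space:]]+--$1=") || return 1
  line=${line#*--"$1"=}
  printf '%s\n' "${line%%[[:space:]]*}"
}

# Read pod YAML on stdin, report each flag, return 0 only if all four are usable.
check_oidc_flags() {
  local yaml flag value problems=0
  yaml=$(cat)
  for flag in oidc-client-id oidc-issuer-url oidc-username-prefix oidc-groups-claim; do
    if ! value=$(oidc_flag_value "$flag" "$yaml"); then
      echo "MISSING      --$flag"; problems=$((problems + 1)); continue
    fi
    case "$flag=$value" in
      *=)                        echo "EMPTY        --$flag"; problems=$((problems + 1)) ;;
      *='<'*'>')                 echo "PLACEHOLDER  --$flag=$value"; problems=$((problems + 1)) ;;
      oidc-issuer-url=https://*) echo "OK           --$flag=$value" ;;
      oidc-issuer-url=*)         echo "NOT-HTTPS    --$flag=$value"; problems=$((problems + 1)) ;;
      *)                         echo "OK           --$flag=$value" ;;
    esac
  done
  [ "$problems" -eq 0 ]
}

# Demo on the constructed sample: ./check.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_FROM_PAGE" | check_oidc_flags || echo "apiserver OIDC setup incomplete"
fi
```

A non-zero exit status means the API server would not validate Researcher tokens as intended, so the check can gate distribution of the modified configuration file.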


  • Submit a Job.
  • You will be redirected to a browser page that requires authentication. If you are using a machine without a browser, you will be prompted with a URL to run elsewhere and return a resulting token.
  • If the Job was submitted with a Project for which you have no access, your access will be denied.
  • If the Job was submitted with a Project for which you have access, your access will be granted.
  • Existing Jobs in Projects you do not have access to will still show when you run runai job list -p <project-name>, but you will not be able to view their logs, get further information, bash into them or delete them.

Last update: January 11, 2021