Setup Project-based Researcher Access Control
By default, Run:AI is configured to allow all Researchers access to all Jobs and Projects. This document provides step-by-step instructions on how to enable access control. Run:AI access control is at the Project level. When you assign Users to Projects, only these Users are allowed to submit Jobs and access Job details.
How it works
The Run:AI command-line interface uses a Kubernetes configuration file residing on a client machine. The configuration file contains information on how to access the Kubernetes cluster and hence the Run:AI
Authentication setup works as follows:
- Client-side: Modify the Kubernetes configuration file to prompt for credentials.
- Server-side: Modify the Kubernetes cluster to validate credentials against the Run:AI Authentication authority.
- Assign Users to Projects using the Run:AI Administration UI.
Administration User Interface Setup
Enable Researcher Authentication
Under app.run.ai settings:
- Enable the flag Researcher Authentication.
- Copy the values for Realm which appear on screen.
Assign Users to Projects
Assign Researchers to Projects:
- Under Users add a Researcher and assign it with a Researcher role.
- Under Projects, edit or create a Project. Use the Users tab to assign the Researcher to the Project.
To control access to Run:AI (and Kubernetes) resources, you must modify the Kubernetes certificate. The certificate is distributed to users as part of the Command-line interface installation.
When making changes to the certificate, keep a copy of the original certificate to be used for cluster administration. After making the modifications, distribute the modified certificate to Researchers.
Under the ~/.kube directory, edit the config file, and add the following:
- name: <USER_NAME>
  user:
    auth-provider:
      config:
        auth-flow: cli
        realm: <REALM>
        client-id: <CLIENT_ID>
        idp-issuer-url: https://runai-prod.auth0.com/
      name: oidc
<USER_NAME> is an arbitrary name which is also referred to under contexts | context | user in the same file.
You must distribute the modified certificate to Researchers.
Locate the Kubernetes API Server configuration file. The file's location may differ between different Kubernetes distributions. The default location is
Edit the document to add the following parameters at the end of the existing command list:
spec:
  containers:
  - command:
    ...
    - --oidc-client-id=<CLIENT_ID>
    - --oidc-issuer-url=https://runai-prod.auth0.com/
    - --oidc-username-prefix=-
    - --oidc-groups-claim=email
Verify that the kube-apiserver-<master-node-name> pod in the kube-system namespace has been restarted and that changes have been incorporated. Run:
kubectl get pods -n kube-system kube-apiserver-<master-node-name> -o yaml
And search for the above oidc flags.
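One way to automate the search for the OIDC flags, as an added example (not Run:AI's own tooling): the hypothetical check_oidc_flags function reads a saved copy of the kubectl output and reports each flag from this page as OK, MISMATCH or MISSING. The sample manifest and client ID below are constructed.

```shell
#!/bin/sh
# Added example: check_oidc_flags is a hypothetical helper, not a Run:AI tool.
# Usage: check_oidc_flags FILE CLIENT_ID
# FILE is the saved output of the "kubectl get pods ... -o yaml" command above.
# Returns 0 only if all four flags are present with the expected values.
check_oidc_flags() {
    manifest=$1
    client_id=$2
    rc=0
    for want in \
        "--oidc-client-id=$client_id" \
        "--oidc-issuer-url=https://runai-prod.auth0.com/" \
        "--oidc-username-prefix=-" \
        "--oidc-groups-claim=email"
    do
        flag=${want%%=*}
        # Pull the flag as actually set, dropping the YAML list dash and any quotes.
        got=$(sed -n "s/^[[:space:]]*-[[:space:]]*[\"']\{0,1\}\(${flag}=[^\"'[:space:]]*\).*\$/\1/p" "$manifest" | head -n 1)
        if [ -z "$got" ]; then
            echo "MISSING   $flag"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH  $got (expected $want)"
            rc=1
        else
            echo "OK        $want"
        fi
    done
    return "$rc"
}

# Constructed sample (not real cluster output): the issuer URL lacks its
# trailing slash and the groups-claim flag was never added.
sample=$(mktemp)
cat > "$sample" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --oidc-client-id=constructed-client-id
    - --oidc-issuer-url=https://runai-prod.auth0.com
    - --oidc-username-prefix=-
EOF
check_oidc_flags "$sample" constructed-client-id || echo "OIDC flags incomplete"
rm -f "$sample"
```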
- Submit a Job.
- You will be redirected to a browser page that requires authentication. If you are using a machine without a browser, you will be prompted with a URL to run elsewhere and return a resulting token.
- If the Job was submitted with a Project for which you have no access, your access will be denied.
- If the Job was submitted with a Project for which you have access, your access will be granted.
- Existing Jobs in Projects you do not have access to will show when you run runai job list -p <project-name>, but you will not be able to view their logs, get further info, bash into, or delete them.