Setup Project-based Researcher Access Control¶
By default, Run:AI is configured to allow all Researchers access to all Jobs and Projects. This document provides step-by-step instructions on how to enable access control. Run:AI access control is at the Project level. When you assign Users to Projects - only these users are allowed to submit Jobs and access Jobs details.
How it works¶
The Run:AI command-line interface uses a Kubernetes configuration file residing on a client machine. The configuration file contains information on how to access the Kubernetes cluster and hence the Run:AI
Authentication setup works as follows:
- Administration User Interface Setup. Enable the feature.
- Client-side: Modify the Kubernetes configuration file to prompt for credentials.
- Server-side: Modify the Kubernetes cluster to validate credentials against the Run:AI Authentication authority.
- Assign Users to Projects using the Run:AI Administration UI. See here
Administration User Interface Setup¶
Enable Researcher Authentication¶
Under app.run.ai settings:
- Enable the flag Researcher Authentication.
- Copy the values for
Realmwhich appear on the screen.
Assign Users to Projects¶
Assign Researchers to Projects:
- Under Users add a Researcher and assign it with a Researcher role.
- Under Projects, edit or create a Project. Use the Users tab to assign the Researcher to the Project.
To control access to Run:AI (and Kubernetes) resources, you must modify the Kubernetes certificate. The certificate is distributed to users as part of the Comnand-line interface installation.
When making changes to the certificate, keep a copy of the original certificate to be used for cluster administration. After making the modifications, distribute the modified certificate to Researchers.
~/.kube directory edit the
config file, and add the following:
- name: runai-authenticated-user user: auth-provider: config: auth-flow: cli realm: <REALM> client-id: <CLIENT_ID> idp-issuer-url: https://runai-prod.auth0.com/ name: oidc
contexts | context | user change the user to
You must distribute the modified certificate to Researchers.
Locate the Kubernetes API Server configuration file. The file's location may defer between different Kubernetes distributions. The default location is
Edit the document to add the following parameters at the end of the existing command list:
spec: containers: - command: ... - --oidc-client-id=<CLIENT_ID> - --oidc-issuer-url=https://runai-prod.auth0.com/ - --oidc-username-prefix=- - --oidc-groups-claim=email
Verify that the
kube-apiserver-<master-node-name> pod in the
kube-system namespace has been restarted and that changes have been incorporated. Run:
kubectl get pods -n kube-system kube-apiserver-<master-node-name> -o yaml
And search for the above oidc flags.
cluster.yml (with Rancher UI, follow this). Add the following:
kube-api: always_pull_images: false extra_args: oidc-client-id: <CLIENT_ID> oidc-groups-claim: email oidc-issuer-url: 'https://runai-prod.auth0.com/' oidc-username-prefix: '-'
You can verify that the flags have been incorporated into the RKE cluster by following the instructions here and running
docker inspect <kube-api-server-container-id>, where
<kube-api-server-container-id> is the container ID of api-server via obtained in the Rancher document.
- Submit a Job.
- You will be prompted for a username and password.
- If the Job was submitted with a Project for which you have no access, your access will be denied.
- If the Job was submitted with a Project for which you have access, your access will be granted.
- Existing Jobs in Projects you do not have access to, will show when you run
runai job list -p <project-name>but you will not be able to view logs, get further info, bash into or delete.