
Setup Project-based Researcher Access Control

Introduction

By default, Run:AI is configured to allow all Researchers access to all Jobs and Projects. This document provides step-by-step instructions on how to enable access control. Run:AI access control is at the Project level: when you assign Users to Projects, only those users are allowed to submit Jobs to the Project and access Job details.

Configuration Options

This document relates to several separate configuration flows:

  1. Classic (SaaS) installation of Run:AI
  2. Self-hosted installation of Run:AI
  3. Single sign-on (or SSO). Both SaaS and Self-hosted are covered under this flow. To enable SSO you should start by following the single sign-on instructions.

Additional notes are available below for Rancher Kubernetes Engine (RKE).

How it works

The Run:AI command-line interface uses a Kubernetes configuration file residing on a client machine. The configuration file contains information on how to access the Kubernetes cluster and hence the Run:AI

Authentication setup works as follows:

  • Administration User Interface Setup. Enable the feature.
  • Assign Users to Projects using the Run:AI Administration UI. See Assign Users to Projects below.
  • Client-side: Modify the Kubernetes configuration file to prompt for credentials.
  • Server-side: Modify the Kubernetes cluster to validate credentials against the Run:AI Authentication authority.

Administration User Interface Setup

Enable Researcher Authentication

Go to runai.<company-name>/general-settings.

  • Enable the flag Researcher Authentication.
  • Copy the values for Client ID and Realm which appear on the screen. Use them as below.

Enable Researcher Authentication on Researcher Service

The researcher service is used for the Run:AI Researcher User Interface and the Researcher REST API. To enable authentication on it, edit the cluster installation values file:

  • When installing the Run:AI cluster, edit the values file.
  • On an existing installation, use the upgrade cluster instructions to modify the values file.

Update:

runai-operator:
  config:
    researcher-service:
      args:
        authEnabled: true

Assign Users to Projects

Assign Researchers to Projects:

  • Under Users (runai.<company-name>/users), add a Researcher and assign it the Researcher role.
  • Under Projects (runai.<company-name>/projects), edit or create a Project. Use the Users tab to assign the Researcher to the Project.

Client-Side

To control access to Run:AI (and Kubernetes) resources, you must modify the Kubernetes configuration file. The file is distributed to users as part of the Command-line interface installation.

When making changes to the file, keep a copy of the original file to be used for cluster administration. After making the modifications, distribute the modified file to Researchers.

Under the ~/.kube directory, edit the config file: remove the administrative user entry and replace it with the entry below that matches your installation.

Classic (SaaS) installation:

- name: runai-authenticated-user
  user:
    auth-provider:
      config:
        auth-flow: cli
        realm: <REALM>
        client-id: <CLIENT_ID>
        idp-issuer-url: https://runai-prod.auth0.com/
      name: oidc

Self-hosted installation:

- name: runai-authenticated-user
  user:
    auth-provider:
      config:
        airgapped: "true"
        auth-flow: cli
        realm: runai
        client-id: runai
        idp-issuer-url: https://<COMPANY-URL>/auth/realms/runai
      name: oidc

Single sign-on (SaaS):

- name: runai-authenticated-user
  user:
    auth-provider:
      config:
        airgapped: "true"
        auth-flow: remote-browser
        realm: <REALM>
        client-id: runai-cli-sso
        subject-claim-field: email
        idp-issuer-url: https://app.run.ai/auth/realms/<REALM>
        redirect-uri: https://app.run.ai/oauth-code
      name: oidc

Single sign-on (Self-hosted):

- name: runai-authenticated-user
  user:
    auth-provider:
      config:
        airgapped: "true"
        auth-flow: remote-browser
        realm: <REALM>
        client-id: runai-cli-sso
        subject-claim-field: email
        idp-issuer-url: https://<COMPANY-URL>/auth/realms/runai
        redirect-uri: https://<COMPANY-URL>/oauth-code
      name: oidc

Under contexts | context | user, change the user to runai-authenticated-user.

Server-Side

Locate the Kubernetes API Server configuration file. The file's location may differ between Kubernetes distributions. The default location is /etc/kubernetes/manifests/kube-apiserver.yaml

Edit the document to add the following parameters at the end of the existing command list, using the variant that matches your installation:

Classic (SaaS) installation:

spec:
  containers:
  - command:
    ... 
    - --oidc-client-id=<CLIENT_ID>
    - --oidc-issuer-url=https://runai-prod.auth0.com/
    - --oidc-username-prefix=-

Self-hosted installation:

spec:
  containers:
  - command:
    ... 
    - --oidc-client-id=runai
    - --oidc-issuer-url=https://<COMPANY-URL>/auth/realms/runai
    - --oidc-username-prefix=-

Single sign-on (SaaS):

spec:
  containers:
  - command:
    ... 
    - --oidc-client-id=runai-cli-sso
    - --oidc-issuer-url=https://app.run.ai/auth/realms/<REALM>
    - --oidc-username-prefix=-
    - --oidc-username-claim=email

Single sign-on (Self-hosted):

spec:
  containers:
  - command:
    ... 
    - --oidc-client-id=runai-cli-sso
    - --oidc-issuer-url=https://<COMPANY-URL>/auth/realms/runai
    - --oidc-username-prefix=-
    - --oidc-username-claim=email

Verify that the kube-apiserver-<master-node-name> pod in the kube-system namespace has been restarted and that changes have been incorporated. Run:

kubectl get pods -n kube-system kube-apiserver-<master-node-name> -o yaml

And search for the above oidc flags.
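The client-side user entry and the server-side flags have to agree field for field: the API server accepts a token only when its issuer and client ID match --oidc-issuer-url and --oidc-client-id exactly, and in the SSO flows the username claim the CLI sends (subject-claim-field) must be the claim the API server reads (--oidc-username-claim). The following script is an added example, not part of the Run:AI documentation or CLI; it cross-checks a Researcher's kubeconfig user entry against the kube-apiserver command list before the files are distributed. The realm `acme` and the URL `runai.acme.example` in the samples are constructed placeholders, and the parsing is line-based so no YAML library is required.

```python
"""Added example (not Run:AI's own tooling): verify that the
runai-authenticated-user kubeconfig entry and the kube-apiserver --oidc-*
flags agree. Works for all four variants in the document because it only
checks the fields that are present."""
import re
from typing import Dict, List

# Constructed sample: the SSO / self-hosted variant of the user entry,
# with a hypothetical realm and company URL.
KUBECONFIG_USER = """\
- name: runai-authenticated-user
  user:
    auth-provider:
      config:
        airgapped: "true"
        auth-flow: remote-browser
        realm: acme
        client-id: runai-cli-sso
        subject-claim-field: email
        idp-issuer-url: https://runai.acme.example/auth/realms/runai
        redirect-uri: https://runai.acme.example/oauth-code
      name: oidc
"""

# Constructed sample: the matching fragment of kube-apiserver.yaml.
APISERVER_MANIFEST = """\
spec:
  containers:
  - command:
    - kube-apiserver
    - --oidc-client-id=runai-cli-sso
    - --oidc-issuer-url=https://runai.acme.example/auth/realms/runai
    - --oidc-username-prefix=-
    - --oidc-username-claim=email
"""


def parse_auth_provider_config(text: str) -> Dict[str, str]:
    """Return the `key: value` pairs of the user entry.

    Only indented lines that carry a value are collected, so the `user:`
    and `config:` headers are skipped; surrounding quotes are stripped.
    """
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s+([\w-]+):\s*(.+?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip("\"'")
    return cfg


def parse_oidc_flags(text: str) -> Dict[str, str]:
    """Return the --oidc-* flags from the API server command list."""
    flags: Dict[str, str] = {}
    for m in re.finditer(r"^\s*-\s+--(oidc-[\w-]+)=(.*?)\s*$", text, re.M):
        flags[m.group(1)] = m.group(2).strip("\"'")
    return flags


def check_consistency(user_cfg: Dict[str, str], flags: Dict[str, str]) -> List[str]:
    """List every mismatch; an empty list means the two files agree."""
    problems: List[str] = []
    if user_cfg.get("name") != "oidc":
        problems.append("kubeconfig auth-provider name must be oidc")
    if user_cfg.get("client-id") != flags.get("oidc-client-id"):
        problems.append(f"client-id {user_cfg.get('client-id')!r} != "
                        f"--oidc-client-id {flags.get('oidc-client-id')!r}")
    # The API server compares the token's iss claim with --oidc-issuer-url
    # literally, so even a missing or extra trailing slash is a mismatch.
    if user_cfg.get("idp-issuer-url") != flags.get("oidc-issuer-url"):
        problems.append(f"idp-issuer-url {user_cfg.get('idp-issuer-url')!r} != "
                        f"--oidc-issuer-url {flags.get('oidc-issuer-url')!r}")
    # "-" disables Kubernetes' default username prefixing, so the username
    # seen by the cluster is the Run:AI user as-is.
    if flags.get("oidc-username-prefix") != "-":
        problems.append("--oidc-username-prefix=- is missing")
    claim = user_cfg.get("subject-claim-field")
    if claim and flags.get("oidc-username-claim") != claim:
        problems.append(f"subject-claim-field {claim!r} but --oidc-username-claim "
                        f"is {flags.get('oidc-username-claim')!r}")
    return problems


if __name__ == "__main__":
    issues = check_consistency(parse_auth_provider_config(KUBECONFIG_USER),
                               parse_oidc_flags(APISERVER_MANIFEST))
    print("OK" if not issues else "\n".join(issues))
```

Run it against the real files by pasting the user entry from the modified ~/.kube/config and the command list from `kubectl get pods -n kube-system kube-apiserver-<master-node-name> -o yaml` into the two sample strings; any line it prints is a reason a `runai login` would fail or the user would be mapped to an unexpected identity.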

Rancher-specific instructions:

Edit the Rancher cluster.yml (in the Rancher UI, follow the Rancher instructions for editing the cluster YAML). Add the following under kube-api, with the OIDC flags nested under extra_args:

    kube-api:
      always_pull_images: false
      extra_args:
        oidc-client-id: <CLIENT_ID>
        oidc-groups-claim: email
        oidc-issuer-url: 'https://runai-prod.auth0.com/'
        oidc-username-prefix: '-'

These flags relate to the SaaS installation. For SSO or Self-hosted, adapt the flags from the relevant option above.

You can verify that the flags have been incorporated into the RKE cluster by following the Rancher instructions and running docker inspect <kube-api-server-container-id>, where <kube-api-server-container-id> is the container ID of the API server obtained via the Rancher document.

Test

  • Run: runai login (in OpenShift environments use oc login rather than runai login)
  • You will be prompted for a username and password. In an SSO flow, you will be asked to copy a link to a browser, log in and return a code.
  • Once login is successful, submit a Job.
  • If the Job was submitted with a Project for which you have no access, your access will be denied.
  • If the Job was submitted with a Project for which you have access, your access will be granted.

Last update: November 22, 2021