Set Up Researcher Access Control
Introduction
The following instructions explain how to complete the configuration of access control for Researchers. Run:ai access control is at the Project level: when you assign Users to Projects, only those users are allowed to submit Jobs and access Job details.
This requires several steps:
- Assign users to their Projects.
- (Mandatory) Modify the Kubernetes entry point (called the Kubernetes API server) to validate the credentials of incoming requests against the Run:ai authentication authority.
- (Command-line Interface usage only) Modify the Kubernetes profile to prompt the Researcher for credentials when running `runai login` (or `oc login` for OpenShift).
Administration User Interface Setup
Enable Researcher Authentication
- Open the Run:ai user interface and navigate to General | Settings.
- Enable the flag Researcher Authentication (it should be enabled by default for new tenants).
- Values for Realm, client configuration, and server configuration appear on the screen. Use them as described below.
Assign Users to Projects
Assign Researchers to Projects:
- Open the Run:ai user interface and navigate to Users. Add a Researcher and assign it the Researcher role.
- Navigate to Projects. Edit or create a Project. Use the Access Control tab to assign the Researcher to the Project.
- If you are using Single Sign-on, you can also assign Groups. For more information see the Single Sign-on documentation.
(Mandatory) Kubernetes Configuration
As described in the authentication overview, you must direct the Kubernetes API server to authenticate via Run:ai. This requires adding flags to the Kubernetes API server. Modifying the API server configuration differs between Kubernetes distributions:
Vanilla Kubernetes
- Locate the Kubernetes API server configuration file. The file's location may differ between Kubernetes distributions. For vanilla Kubernetes it is `/etc/kubernetes/manifests/kube-apiserver.yaml`.
- Edit the file: under the `command` tag, add the server configuration text from General | Settings | Researcher Authentication described above.
- Verify that the `kube-apiserver-<master-node-name>` pod in the `kube-system` namespace has been restarted (the kubelet recreates this static pod when its manifest changes) and that the changes have been incorporated. Run the following and check that the oidc flags you added are present:
`kubectl get pods -n kube-system kube-apiserver-<master-node-name> -o yaml`
OpenShift
No configuration is needed. Instead, Run:ai assumes that an Identity Provider has been defined at the OpenShift level and that the Run:ai cluster installation has set the `OpenshiftIdp` flag to true. For more information see the Run:ai OpenShift control-plane setup.
Rancher (RKE)
Edit the Rancher `cluster.yml` (with the Rancher UI, follow this). Add the following:
kube-api:
  always_pull_images: false
  extra_args:
    <parameters copied from server configuration section>
You can verify that the flags have been incorporated into the RKE cluster by following the instructions here and running `docker inspect <kube-api-server-container-id>`, where `<kube-api-server-container-id>` is the container ID of the API server, obtained as described in the Rancher document.
GKE
See Enable Identity Service for GKE. Use the parameters provided in the server configuration section as described above.
Other distributions
See the specific instructions in the documentation of your Kubernetes distribution.
Command-line Interface Access
To control access to Run:ai (and Kubernetes) resources, you must modify the Kubernetes configuration file. The file is distributed to users as part of the Command-line Interface installation.
When making changes to the file, keep a copy of the original file to be used for cluster administration. After making the modifications, distribute the modified file to Researchers.
- Under the `~/.kube` directory edit the `config` file, remove the administrative user (so that no administrative credentials remain in the file given to Researchers), and replace it with the client configuration text from General | Settings | Researcher Authentication described above.
- Under `contexts | context | user`, change the user to `runai-authenticated-user`.
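As an added example (not Run:ai's own code, and not the client configuration text itself), this Python script performs the kubeconfig edit from the two steps above and checks that no administrative credentials remain in the copy handed to Researchers; it also reads the kube-apiserver pod from the Kubernetes configuration step to list the oidc flags. The kubeconfig contents, the auth-provider block standing in for the client configuration, the cluster addresses and the function names are all constructed placeholders.

```python
import json
from copy import deepcopy

# Constructed stand-in for the admin kubeconfig shipped with the CLI
# (structure only; every value is a placeholder, not a real cluster).
ADMIN_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "runai", "cluster": {"server": "https://k8s.example.invalid:6443"}}],
    "users": [{"name": "kubernetes-admin", "user": {
        "client-certificate-data": "<admin cert, placeholder>",
        "client-key-data": "<admin key, placeholder>"}}],
    "contexts": [{"name": "runai", "context": {"cluster": "runai", "user": "kubernetes-admin"}}],
    "current-context": "runai",
}

# Constructed stand-in for the client configuration text from
# General | Settings | Researcher Authentication; paste the real text in its place.
RESEARCHER_USER = {"name": "runai-authenticated-user", "user": {"auth-provider": {
    "name": "oidc", "config": {"idp-issuer-url": "<realm URL from settings>",
                               "client-id": "<client id from settings>"}}}}

CREDENTIAL_KEYS = {"client-certificate-data", "client-key-data", "token", "password"}  # must never be distributed

def build_researcher_kubeconfig(admin_cfg, researcher_user):
    """Copy admin_cfg, swap the administrative user for the Run:ai user, repoint every context."""
    cfg = deepcopy(admin_cfg)  # the original stays intact for cluster administration
    cfg["users"] = [deepcopy(researcher_user)]
    for ctx in cfg["contexts"]:
        ctx["context"]["user"] = researcher_user["name"]
    return cfg

def leaked_credentials(cfg):
    """Return (user, field) pairs of static credentials still present; must be empty before distribution."""
    return [(u["name"], k) for u in cfg["users"] for k in u["user"] if k in CREDENTIAL_KEYS]

def oidc_flags(apiserver_pod):
    """Collect --oidc-* flags from `kubectl get pod ... -o json` output for the kube-apiserver pod."""
    container = apiserver_pod["spec"]["containers"][0]
    flags = {}
    for arg in container.get("command", []) + container.get("args", []):
        if arg.startswith("--oidc-"):
            name, _, value = arg[2:].partition("=")  # "--oidc-client-id=x" -> {"oidc-client-id": "x"}
            flags[name] = value
    return flags

if __name__ == "__main__":
    cfg = build_researcher_kubeconfig(ADMIN_KUBECONFIG, RESEARCHER_USER)
    assert not leaked_credentials(cfg), "administrative credentials still present"
    print(json.dumps(cfg, indent=2))  # this is the file to hand to Researchers
```

Run `oidc_flags` on the parsed output of `kubectl get pods -n kube-system kube-apiserver-<master-node-name> -o json` to confirm the server configuration flags are in effect after the API server pod restarts.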
Test via Command-line Interface
- Run `runai login` (in OpenShift environments use `oc login` rather than `runai login`).
- You will be prompted for a username and password. In a single sign-on flow, you will be asked to copy a link to a browser, log in, and return a code.
- Once login is successful, submit a Job.
- If the Job was submitted with a Project to which you have no access, access is denied.
- If the Job was submitted with a Project to which you have access, access is granted.
You can also submit a Job from the Run:ai user interface and verify that the new Job shows in the Job list with your user name.
Test via User Interface
- Open the Run:ai user interface. Go to Jobs.
- On the top-right, select Submit Job.
Tip
If you do not see the button or it is disabled, then you either do not have Researcher access or the cluster has not been set up correctly. For more information, refer to the user interface overview.