Skip to content

Setup Project-based Researcher Access Control


By default, Run:AI is configured to allow all Researchers access to all Jobs and Projects. This document provides step-by-step instructions on how to enable access control. Run:AI access control is at the Project level. When you assign Users to Projects - only these users are allowed to submit Jobs and access Jobs details.

How it works

The Run:AI command-line interface uses a Kubernetes configuration file residing on a client machine. The configuration file contains information on how to access the Kubernetes cluster and hence the Run:AI

Authentication setup works as follows:

  • Administration User Interface Setup. Enable the feature.
  • Client-side: Modify the Kubernetes configuration file to prompt for credentials.
  • Server-side: Modify the Kubernetes cluster to validate credentials against the Run:AI Authentication authority.
  • Assign Users to Projects using the Run:AI Administration UI. See here

Administration User Interface Setup

Enable Researcher Authentication

Under settings:

  • Enable the flag Researcher Authentication.
  • Copy the values for Client ID and Realm which appear on the screen.

Enable Researcher Authentication on Researcher Service

The researcher service is used for the Run:AI Researcher User interface and Researcher REST API. To enable run:

kubectl patch runaiconfig runai -n runai --type='json' \
  -p='[{"op": "replace", "path" : "/spec/researcher-service/args", "value": {"authEnabled" : true}}]'
kubectl rollout restart deployment -n runai researcher-service

Assign Users to Projects

Assign Researchers to Projects:

  • Under Users add a Researcher and assign it with a Researcher role.
  • Under Projects, edit or create a Project. Use the Users tab to assign the Researcher to the Project.


To control access to Run:AI (and Kubernetes) resources, you must modify the Kubernetes configuration file. The file is distributed to users as part of the Command-line interface installation.

When making changes to the file, keep a copy of the original file to be used for cluster administration. After making the modifications, distribute the modified file to Researchers.

Under the ~/.kube directory edit the config file, and add the following:

- name: runai-authenticated-user
        auth-flow: cli
        realm: <REALM>
        client-id: <CLIENT_ID>
      name: oidc

Under contexts | context | user change the user to runai-authenticated-user

You must distribute the modified certificate to Researchers.


Locate the Kubernetes API Server configuration file. The file's location may defer between different Kubernetes distributions. The default location is /etc/kubernetes/manifests/kube-apiserver.yaml

Edit the document to add the following parameters at the end of the existing command list:

  - command:
    - --oidc-client-id=<CLIENT_ID>
    - --oidc-issuer-url=
    - --oidc-username-prefix=-
    - --oidc-groups-claim=email

Verify that the kube-apiserver-<master-node-name> pod in the kube-system namespace has been restarted and that changes have been incorporated. Run:

kubectl get pods -n kube-system kube-apiserver-<master-node-name> -o yaml

And search for the above oidc flags.

Edit Rancher cluster.yml (with Rancher UI, follow this). Add the following:

      always_pull_images: false
        oidc-client-id: <CLIENT_ID>
        oidc-groups-claim: email
        oidc-issuer-url: ''
        oidc-username-prefix: '-'

You can verify that the flags have been incorporated into the RKE cluster by following the instructions here and running docker inspect <kube-api-server-container-id>, where <kube-api-server-container-id> is the container ID of api-server via obtained in the Rancher document.


  • Run: runai login
  • You will be prompted for a username and password.
  • Once login is successful, submit a Job.
  • If the Job was submitted with a Project for which you have no access, your access will be denied.
  • If the Job was submitted with a Project for which you have access, your access will be granted.

Last update: October 6, 2021