github.com/pachyderm/pachyderm@v1.13.4/doc/docs/1.10.x/enterprise/auth/auth.md

# Configure Access Controls

If access controls are activated, each data repository, or repo,
in Pachyderm has an Access Control List (ACL) associated with it.
The ACL includes:

- `READER`s - users who can read the data versioned in the repo.
- `WRITER`s - users with `READER` access who can also submit
additions, deletions, or modifications of data into the repo.
- `OWNER`s - users with `READER` and `WRITER` access who can also
modify the repo's ACL.

Pachyderm defines the following account types:

* **GitHub user** is a user account that is associated with
a GitHub account and logs in through the GitHub OAuth flow. If you do not
use any third-party identity provider, you use this option. When a user tries
to log in with a GitHub account, Pachyderm verifies the identity and
issues a Pachyderm token for that account.
* **Robot user** is a user account that logs in with a Pachyderm-generated authentication
token. Typically, you create a robot user for simplified workflow scenarios, such
as initial SAML configuration.
* **Pipeline** is an account that Pachyderm creates for
data pipelines. A pipeline inherits access control from its creator.
* **SAML user** is a user account that is associated with a Security Assertion
Markup Language (SAML) identity provider.
When a user tries to log in through a SAML identity provider, the provider
confirms the identity, associates
that identity with a SAML identity provider account, and responds with
the SAML identity provider token for that user. Pachyderm verifies the token,
drops it, and creates a new internal token that encapsulates the information
about the user.

By default, Pachyderm defines one hardcoded group called `admin`.
Users in the `admin` group can perform any
action on the cluster, including appointing other admins.
Furthermore, only cluster admins can manage a repository
that has no ACL.

## Enable Access Control

Before you enable access controls, make sure that
you have activated Pachyderm Enterprise Edition
as described in [Deploy Enterprise Edition](../deployment.md).

To enable access controls, complete the following steps:

1. Verify the status of the Enterprise
   features by opening the Pachyderm dashboard in your browser or
   by running the following `pachctl` command:

   ```shell
   pachctl enterprise get-state
   ```

   **System response:**

   ```shell
   ACTIVE
   ```

1. Activate the Enterprise access control features by completing
   the steps in one of these sections:

   * [Activate Access Controls by Using the Dashboard](#activate-access-controls-by-using-the-dashboard)
   * [Activate Access Controls with pachctl](#activate-access-controls-with-pachctl)

### Activate Access Controls by Using the Dashboard

To activate access controls in the Pachyderm dashboard,
complete the following steps:

1. Go to the **Settings** page.
1. Click the **Activate Access Controls** button.

   After you click the button, Pachyderm enables you to add GitHub users
   as cluster admins and activate access control:

   ![alt tag](../../assets/images/auth_dash1.png)

   After activating access controls, you should see the following screen
   that asks you to log in to Pachyderm:

   ![alt tag](../../assets/images/auth_dash2.png)

### Activate Access Controls with `pachctl`

To activate access controls with `pachctl`, choose one of these options:

1. Activate access controls by specifying an initial admin user:

   ```shell
   pachctl auth activate --initial-admin=<prefix>:<user>
   ```

   You must prefix the username with the appropriate account
   type, either `github:<user>` or `robot:<user>`. If you select the
   latter, Pachyderm generates and returns a Pachyderm auth token
   that can be used to authenticate as the initial robot admin by running
   `pachctl auth use-auth-token`. Use this option when
   you cannot use GitHub as an identity provider.

1. Activate access controls with a GitHub account:

   ```shell
   pachctl auth activate
   ```

   Pachyderm prompts you to log in with your GitHub account. The
   GitHub account that you sign in with is the only admin until
   you add more by running `pachctl auth modify-admins`.

## Log in to Pachyderm

After you activate access controls, log in to your cluster either
through the dashboard or the CLI. The CLI and the dashboard have
independent login workflows:

- [Log in to the dashboard](#log-in-to-the-dashboard).
- [Log in to the CLI](#log-in-to-the-cli).

### Log in to the Dashboard

After you have activated access controls for Pachyderm, you
need to log in to use the Pachyderm dashboard as shown above
in [Activate Access Controls by Using the Dashboard](#activate-access-controls-by-using-the-dashboard).

To log in to the dashboard, complete the following steps:

1. Click the **Get GitHub token** button. If you
   have not previously authorized Pachyderm on GitHub, an option
   to **Authorize Pachyderm** appears. After you authorize
   Pachyderm, a Pachyderm user token appears:

   ![alt tag](../../assets/images/auth.png)

1. Copy and paste this token back into the Pachyderm login
   screen and press **Enter**. You are now logged in to Pachyderm,
   and you should see your GitHub avatar and an indication of your
   user in the upper left-hand corner of the dashboard:

   ![alt tag](../../assets/images/auth_dash3.png)

### Log in to the CLI

To log in to `pachctl`, complete the following steps:

1. Type the following command:

   ```shell
   pachctl auth login
   ```

   When you run this command, `pachctl` provides
   you with a GitHub link to authenticate as a
   GitHub user.

   If you have not previously authorized Pachyderm on GitHub, an option
   to **Authorize Pachyderm** appears. After you authorize Pachyderm,
   a Pachyderm user token appears:

   ![alt tag](../../assets/images/auth.png)

1. Copy and paste this token back into the terminal and press **Enter**.

   You are now logged in to Pachyderm!

   Alternatively, if you already have an authentication token, run the following command:

   ```shell
   pachctl auth use-auth-token
   ```

   Then paste an authentication token received from
   `pachctl auth activate --initial-admin=robot:<user>` or
   `pachctl auth get-auth-token`.

## Manage and update user access

You can manage user access in the UI and CLI.
For example, suppose you are logged in to Pachyderm as the user `dwhitena`
and have a repository called `test`. Because the user `dwhitena` created
this repository, `dwhitena` has full `OWNER`-level access to the repo.
You can confirm this in the dashboard by navigating to or clicking on
the repo `test`:

![alt tag](../../assets/images/auth_dash4.png)

Alternatively, you can confirm your access by running the
`pachctl auth get ...` command.

!!! example

    ```shell
    pachctl auth get dwhitena test
    ```

    **System response:**

    ```shell
    OWNER
    ```

An `OWNER` of `test` or a cluster admin can then set other users'
level of access to the repo by using
the `pachctl auth set ...` command or through the dashboard.

For example, to give the GitHub users `JoeyZwicker` and
`msteffen` `READER`, but not `WRITER` or `OWNER`, access to
`test`, and to give `jdoliner` `WRITER`, but not `OWNER`, access,
click on **Modify access controls** under the repo details
in the dashboard. This functionality allows you to add
the users easily one by one:

![alt tag](../../assets/images/auth_dash5.png)

## Behavior of Pipelines as Related to Access Control

In Pachyderm, you do not explicitly grant users access to
pipelines. Instead, pipelines infer access from their input
and output repositories. To update a pipeline, you must have
at least `READER`-level access to all pipeline inputs and at
least `WRITER`-level access to the pipeline output. This is
because pipelines read from their input repos and write
to their output repos, and you cannot grant a pipeline
more access than you have yourself.

- An `OWNER`, `WRITER`, or `READER` of a repo can subscribe a
pipeline to that repo.
- When a user subscribes a pipeline to a repo, Pachyderm sets
that user as an `OWNER` of that pipeline's output repo.
- If additional users need access to the output repository,
the initial `OWNER` of a pipeline's output repo, or an admin,
needs to configure these access rules.
- To update a pipeline, you must have `WRITER` access to the
pipeline's output repos and `READER` access to the
pipeline's input repos.

## Manage the Activation Code

When an enterprise activation code expires, an auth-activated
Pachyderm cluster goes into an `admin-only` state. In this
state, only admins have access to data that is in Pachyderm.
This safety measure keeps sensitive data protected, even when
an enterprise subscription becomes stale. As soon as the enterprise
activation code is updated by using the dashboard or CLI, the
Pachyderm cluster returns to its previous state.

When you deactivate access controls on a Pachyderm cluster
by running `pachctl auth deactivate`, the cluster returns to
its original state, which includes the
following changes:

- All ACLs are deleted.
- The cluster returns to being a blank slate with regard to
access control. Everyone who can connect to Pachyderm can access
and modify the data in all repos.
- No users are present in Pachyderm, and no one can log in to Pachyderm.
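
The access rules spread across this page (the `READER` < `WRITER` < `OWNER` ACL levels, the `admin` group that bypasses ACLs, `OWNER`-only ACL edits, the `READER`-on-inputs and `WRITER`-on-output rule for pipelines, the `admin-only` state while the activation code is expired, and the effect of `pachctl auth deactivate`) can be replayed in one small model so that the consequences for a given user are easy to check before changing a real cluster. The following Python is an added example written for this page, not Pachyderm's own code; the `Cluster` and `Level` classes, the `github:admin` user, and the `test-out` repo are constructed for illustration, and the model leaves out everything else `pachd` does (token issuance, SAML, robot users).

```python
from enum import IntEnum


class Level(IntEnum):
    """Access levels on a repo's ACL, ordered so comparisons express 'at least'."""
    NONE = 0
    READER = 1
    WRITER = 2
    OWNER = 3


class Cluster:
    """Toy model of one auth-activated Pachyderm cluster (constructed, not pachd)."""

    def __init__(self):
        self.admins = set()           # members of the hardcoded `admin` group
        self.acls = {}                # repo name -> {user: Level}
        self.auth_enabled = True      # False after `pachctl auth deactivate`
        self.license_active = True    # False once the activation code expires

    def create_repo(self, user, repo):
        # The creator of a repo gets OWNER on it (the page's `dwhitena`/`test` case).
        self.acls[repo] = {user: Level.OWNER}

    def level(self, user, repo):
        """Effective access of `user` on `repo` under the current cluster state."""
        if not self.auth_enabled:
            return Level.OWNER        # no ACLs: anyone connected can read and modify
        if user in self.admins:
            return Level.OWNER        # admins can perform any action
        if not self.license_active:
            return Level.NONE         # admin-only state while the code is expired
        # A repo with no ACL entry for the user (or no ACL at all) is inaccessible.
        return self.acls.get(repo, {}).get(user, Level.NONE)

    def set_acl(self, actor, repo, subject, new_level):
        """Only an OWNER of the repo or a cluster admin may change its ACL."""
        if self.level(actor, repo) < Level.OWNER:
            return False
        self.acls.setdefault(repo, {})[subject] = Level(new_level)
        return True

    def subscribe_pipeline(self, user, inputs, output):
        """READER (or better) on every input lets a user subscribe a pipeline;
        the subscribing user becomes OWNER of the pipeline's output repo."""
        if any(self.level(user, r) < Level.READER for r in inputs):
            return False
        self.acls.setdefault(output, {})[user] = Level.OWNER
        return True

    def can_update_pipeline(self, user, inputs, output):
        """Updating needs READER on all inputs and WRITER on the output."""
        return (all(self.level(user, r) >= Level.READER for r in inputs)
                and self.level(user, output) >= Level.WRITER)

    def deactivate_auth(self):
        """`pachctl auth deactivate`: ACLs deleted, no users remain, no ACL checks."""
        self.acls.clear()
        self.admins.clear()
        self.auth_enabled = False


def walkthrough():
    """Replays the page's `dwhitena`/`test` scenario and returns what was observed."""
    c = Cluster()
    c.admins.add("github:admin")                     # constructed initial admin
    c.create_repo("github:dwhitena", "test")
    owner_edit = c.set_acl("github:dwhitena", "test", "github:JoeyZwicker", Level.READER)
    c.set_acl("github:dwhitena", "test", "github:msteffen", Level.READER)
    c.set_acl("github:dwhitena", "test", "github:jdoliner", Level.WRITER)
    # A WRITER may not hand out access; an OWNER or admin must do it.
    writer_edit = c.set_acl("github:jdoliner", "test", "github:msteffen", Level.WRITER)
    # A READER of `test` can subscribe a pipeline to it and then owns the output repo.
    subscribed = c.subscribe_pipeline("github:JoeyZwicker", ["test"], "test-out")
    can_update = c.can_update_pipeline("github:JoeyZwicker", ["test"], "test-out")
    # msteffen reads `test` but has no access to `test-out`, so cannot update the pipeline.
    other_update = c.can_update_pipeline("github:msteffen", ["test"], "test-out")
    c.license_active = False                         # activation code expires
    expired_reader = c.level("github:msteffen", "test")
    expired_admin = c.level("github:admin", "test")
    c.license_active = True                          # code renewed: previous state restored
    restored_reader = c.level("github:msteffen", "test")
    c.deactivate_auth()
    after_deactivate = c.level("anyone", "test")
    return {
        "owner_edit": owner_edit, "writer_edit": writer_edit,
        "subscribed": subscribed, "can_update": can_update,
        "other_update": other_update, "expired_reader": expired_reader,
        "expired_admin": expired_admin, "restored_reader": restored_reader,
        "after_deactivate": after_deactivate,
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value!r}")
```

The `level()` method is the whole point of the model: it evaluates the cluster-wide conditions (auth deactivated, admin membership, expired activation code) before consulting the per-repo ACL, which is the order in which the page describes them taking precedence. Running `walkthrough()` shows that the expired-code state hides data from `msteffen` while leaving `github:admin` untouched, and that `deactivate_auth()` leaves every caller with full access because no ACLs remain.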