github.com/pachyderm/pachyderm@v1.13.4/doc/docs/1.9.x/enterprise/auth/auth.md

github.com/pachyderm/pachyderm@v1.13.4/doc/docs/1.9.x/enterprise/auth/auth.md (about)

1 # Configure Access Controls
2
3 If access controls are activated, each data repository, or repo,
4 in Pachyderm has an Access Control List (ACL) associated with it.
5 The ACL includes:
6
7 - `READERs` - users who can read the data versioned in the repo.
8 - `WRITERs` - users with `READER` access who can also submit
9 additions, deletions, or modifications of data into the repo.
10 - `OWNERs` - users with READER and WRITER access who can also
11 modify the repo's ACL.
12
13 Pachyderm defines the following account types:
14
15 * **GitHub user** is a user account that is associated with
16 a GitHub account and logs in through the GitHub OAuth flow. If you do not
17 use any third-party identity provider, you use this option. When a user tries
18 to log in with a GitHub account, Pachyderm verifies the identity and
19 sends a Pachyderm token for that account.
20 * **Robot user** is a user account that logs in with a pach-generated authentication
21 token. Typically, you create a user in simplified workflow scenarios, such
22 as initial SAML configuration.
23 * **Pipeline** is an account that Pachyderm creates for
24 data pipelines. Pipelines inherit access control from its creator.
25 * **SAML user** is a user account that is associated with a Security Assertion
26 Markup Language (SAML) identity provider.
27 When a user tries to log in through a SAML ID provider, the system
28 confirms the identity, associates
29 that identity with a SAML identity provider account, and responds with
30 the SAML identity provider token for that user. Pachyderm verifies the token,
31 drops it, and creates a new internal token that encapsulates the information
32 about the user.
33
34 By default, Pachyderm defines one hardcoded group called `admin`.
35 Users in the `admin` group can perform any
36 action on the cluster including appointing other admins.
37 Furthermore, only the cluster admins can manage a repository
38 without ACLs.
39
40 ## Enable Access Control
41
42 Before you enable access controls, make sure that
43 you have activated Pachyderm Enterprise Edition
44 as described in [Deploy Enterprise Edition](../deployment.md).
45
46 To enable access controls, complete the following steps:
47
48 1. Verify the status of the Enterprise
49 features by opening the Pachyderm dashboard in your browser or
50 by running the following `pachctl` command:
51
52 ```shell
53 $ pachctl enterprise get-state
54 ACTIVE
55 ```
56
57 1. Activate the Enterprise access control features by completing
58 the steps in one of these sections:
59
60 * [Activate Access Control by Using the Dashboard](#activate-access-controls-by-using-the-dashboard)
61 * [Activate Access Control with pachctl](#activate-access-controls-with-pachctl)
62
63 ### Activate Access Controls by Using the Dashboard
64
65 To activate access controls in the Pachyderm dashboard,
66 complete the following steps:
67
68 1. Go to the **Settings** page.
69 1. Click the **Activate Access Controls** button.
70
71 After you click the button, Pachyderm enables you to add GitHub users
72 as cluster admins and activate access control:
73
74 ![alt tag](../../assets/images/auth_dash1.png)
75
76 After activating access controls, you should see the following screen
77 that asks you to log in to Pachyderm:
78
79 ![alt tag](../../assets/images/auth_dash2.png)
80
81 ### Activate Access Controls with `pachctl`
82
83 To activate access controls with `pachctl`, choose one of these options:
84
85 1. Activate access controls by specifying an initial admin user:
86
87 ```shell
88 $ pachctl auth activate --initial-admin=<prefix>:<user>
89 ```
90
91 You must prefix the username with the appropriate account
92 type, either `github:<user>` or `robot:<user>`. If you select the
93 latter, Pachyderm generates and returns a Pachyderm auth token
94 that might be used to authenticate as the initial robot admin by using
95 `pachctl auth use-auth-token`. You can use this option when
96 you cannot use GitHub as an identity provider.
97
98
99 1. Activate access controls with a GitHub account:
100
101 ```shell
102 $ pachctl auth activate
103 ```
104
105 Pachyderm prompts you to log in with your GitHub account. The
106 GitHub account that you sign in with is the only admin until
107 you add more by running `pachctl auth modify-admins`.
108
109 ## Log in to Pachyderm
110
111 After you activate access controls, log in to your cluster either
112 through the dashboard or CLI. The CLI and the dashboard have
113 independent login workflows:
114
115 - [Log in to the dashboard](#log-in-to-the-dashboard).
116 - [Log in to the CLI](#log-in-to-the-cli).
117
118 ### Log in to the Dashboard
119
120 After you have activated access controls for Pachyderm, you
121 need to log in to use the Pachyderm dashboard as shown above
122 in [Activate Access Controls by Using the Dashboard](#activate-access-controls-by-using-the-dashboard).
123
124 To log in to the dashboard, complete the following steps:
125
126 1. Click the **Get GitHub token** button. If you
127 have not previously authorized Pachyderm on GitHub, an option
128 to **Authorize Pachyderm** appears. After you authorize
129 Pachyderm, a Pachyderm user token appears:
130
131 ![alt tag](../../assets/images/auth.png)
132
133 1. Copy and paste this token back into the Pachyderm login
134 screen and press **Enter**. You are now logged in to Pachyderm,
135 and you should see your GitHub avatar and an indication of your
136 user in the upper left-hand corner of the dashboard:
137
138 ![alt tag](../../assets/images/auth_dash3.png)
139
140
141 ### Log in to the CLI
142
143 To log in to `pachctl`, complete the following steps:
144
145 1. Type the following command:
146
147 ```shell
148 $ pachctl auth login
149 ```
150
151 When you run this command, `pachctl` provides
152 you with a GitHub link to authenticate as a
153 GitHub user.
154
155 If you have not previously authorized Pachyderm on GitHub, an option
156 to **Authorize Pachyderm** appears. After you authorize Pachyderm,
157 a Pachyderm user token appears:
158
159 ![alt tag](../../assets/images/auth.png)
160
161 1. Copy and paste this token back into the terminal and press enter.
162
163 You are now logged in to Pachyderm!
164
165 1. Alternatively, you can run the command:
166
167 ```shell
168 $ pachctl auth use-auth-token
169 ```
170
171 1. Paste an authentication token recieved from
172 `pachctl auth activate --initial-admin=robot:<user>` or
173 `pachctl auth get-auth-token`.
174
175 ## Manage and update user access
176
177 You can manage user access in the UI and CLI.
178 For example, you are logged in to Pachyderm as the user `dwhitena`
179 and have a repository called `test`. Because the user `dwhitena` created
180 this repository, `dwhitena` has full `OWNER`-level access to the repo.
181 You can confirm this in the dashboard by navigating to or clicking on
182 the repo `test`:
183
184 ![alt tag](../../assets/images/auth_dash4.png)
185
186
187 Alternatively, you can confirm your access by running the
188 `pachctl auth get ...` command.
189
190 !!! example
191
192 ```
193 $ pachctl auth get dwhitena test`
194 OWNER
195 ```
196
197 An OWNER of `test` or a cluster admin can then set other user’s
198 level of access to the repo by using
199 the `pachctl auth set ...` command or through the dashboard.
200
201 For example, to give the GitHub users `JoeyZwicker` and
202 `msteffen` `READER`, but not `WRITER` or `OWNER`, access to
203 `test` and `jdoliner` `WRITER`, but not `OWNER`, access,
204 click on **Modify access controls** under the repo details
205 in the dashboard. This functionality allows you to add
206 the users easily one by one:
207
208 ![alt tag](../../assets/images/auth_dash5.png)
209
210 ## Behavior of Pipelines as Related to Access Control
211
212 In Pachyderm, you do not explicitly grant users access to
213 pipelines. Instead, pipelines infer access from their input
214 and output repositories. To update a pipeline, you must have
215 at least `READER`-level access to all pipeline inputs and at
216 least `WRITER`-level access to the pipeline output. This is
217 because pipelines read from their input repos and write
218 to their output repos, and you cannot grant a pipeline
219 more access than you have yourself.
220
221 - An `OWNER`, `WRITER`, or `READER` of a repo can subscribe a
222 pipeline to that repo.
223 - When a user subscribes a pipeline to a repo, Pachyderm sets
224 that user as an `OWNER` of that pipeline's output repo.
225 - If additional users need access to the output repository,
226 the initial `OWNER` of a pipeline's output repo, or an admin,
227 needs to configure these access rules.
228 - To update a pipeline, you must have `WRITER` access to the
229 pipeline's output repos and `READER` access to the
230 pipeline's input repos.
231
232
233 ## Manage the Activation Code
234
235 When an enterprise activation code expires, an auth-activated
236 Pachyderm cluster goes into an `admin-only` state. In this
237 state, only admins have access to data that is in Pachyderm.
238 This safety measure keeps sensitive data protected, even when
239 an enterprise subscription becomes stale. As soon as the enterprise
240 activation code is updated by using the dashboard or CLI, the
241 Pachyderm cluster returns to its previous state.
242
243 When you deactivate access controls on a Pachyderm cluster
244 by running `pachctl auth deactivate`, the cluster returns
245 its original state that including the
246 following changes:
247
248 - All ACLs are deleted.
249 - The cluster returns to being a blank slate in regards to
250 access control. Everyone that can connect to Pachyderm can access
251 and modify the data in all repos.
252 - No users are present in Pachyderm, and no one can log in to Pachyderm.