github.com/pachyderm/pachyderm@v1.13.4/doc/docs/1.9.x/enterprise/saml_setup.md (about) 1 # Configure SAML 2 3 This guide will walk through testing Pachyderm's experimental SAML support. 4 This will describe the process of: 5 6 1. Activating Pachyderm enterprise and Pachyderm auth 7 1. Configuring Pachyderm's auth system and enabling its SAML ACS (Assertion 8 Consumer Service—the HTTP endpoint to which users will forward SAML 9 assertions). 10 1. Logging in to both the dash and CLI 11 1. Enabling debug logging in case anything goes wrong 12 13 ## Activation 14 15 For testing, we **highly** recommend that you run Pachyderm in Minikube. If you 16 accidentally misconfigure your cluster, you might lock yourself out of your 17 cluster, and you will not be able to log in again to fix the configuration 18 error. With Minikube, experimenting with authentication options is easier and 19 safer and will not risk data loss. 20 21 To activate Pachyderm enterprise and Pachyderm auth: 22 23 ``` 24 pachctl enterprise activate <enterprise code> 25 pachctl auth activate --initial-admin=robot:admin 26 ``` 27 28 These commands cause Pachyderm's auth system to start verifying attempts to 29 read and write Pachyderm data and blocking unauthorized users. Whichever user 30 ran this command automatically authenticates as `robot:admin` and has admin 31 privileges in the cluster (run `pachctl auth whoami`, as shown below, to 32 confirm) 33 34 Users will either need to set the `--initial-admin` admin flag or have one 35 GitHub-based user in the system. The reason: 36 1. Pachyderm requires there to be at least one cluster admin if auth is 37 activated 38 1. Pachyderm uses GitHub for authentication by default. Without this flag, 39 Pachyderm asks the caller to go through an OAuth flow with GitHub, and then 40 at the conclusion, makes the caller the cluster admin. Then whoever 41 activated Pachyderm's auth system can assume admin status by 42 re-authenticating via GitHub and performing any necessary actions 43 1. To avoid the OAuth flow, though, it's also possible to make the initial 44 cluster admin a "robot user". Setting `--initial-admin=robot:<something>` 45 does this. 46 1. Pachyderm will print out a Pachyderm token that authenticates the holder as 47 this robot user. At any point, you can authenticate as this robot user by 48 running 49 50 ``` 51 pachctl auth use-auth-token 52 ``` 53 54 **System response:** 55 56 ```shell 57 Please paste your Pachyderm auth token: 58 <paste robot token emitted by "pachctl auth activate --initial-admin=robot:admin"> 59 ``` 60 61 ```shell 62 pachctl auth whoami 63 ``` 64 65 **System response:** 66 67 ```shell 68 You are "robot:admin" 69 You are an administrator of this Pachyderm cluster 70 ``` 71 72 ## Create IdP test app 73 This image shows an example configuration for an Okta test app that 74 authenticates Okta users with Pachyderm: 75 76  77 78 Pachyderm also needs a URL where it can scrape SAML metadata from the ID 79 provider. All SAML ID providers should provide such a URL; the Okta metadata 80 URL, for example, can be retrieved here: 81 82  83 84 ## Write Pachyderm config 85 This enables the Pachyderm ACS. See inline comments: 86 87 ```shell 88 # Lookup current config version--pachyderm config has a barrier to prevent 89 # read-modify-write conflicts between admins 90 live_config_version="$(pachctl auth get-config | jq .live_config_version)" 91 live_config_version="${live_config_version:-0}" 92 ``` 93 94 Set the Pachyderm config: 95 96 ```shell 97 pachctl auth set-config <<EOF 98 { 99 "live_config_version": ${live_config_version}, 100 101 "id_providers": [ 102 { 103 "name": "saml", 104 "description": "Okta test app metadata", 105 "saml": { 106 "metadata_url": <okta app metadata URL>, 107 "group_attribute": "memberOf" 108 } 109 } 110 ], 111 112 "saml_svc_options": { 113 "acs_url": "http://localhost:30654/saml/acs", 114 "metadata_url": "http://localhost:30654/saml/metadata", 115 "dash_url": "http://localhost:30080/auth/autologin?lol=wut", 116 "session_duration": "8h", 117 } 118 } 119 EOF 120 ``` 121 122 ## Logging In 123 Currently Pachyderm only supports IdP-initiated authentication. Configure 124 an Okta app to point to the Pachyderm ACS 125 (`http://localhost:30654/saml/acs` if using `pachctl`'s port forwarding, then 126 sign in via the new Okta app 127 128 This should allow you to log in at the Pachyderm dash. To log in with the 129 Pachyderm CLI, get a One-Time Password from the Pachyderm dash, and then 130 run `pachctl auth login --code=<one-time password>` in your terminal. 131 132 ## Other features 133 ### Debug Logging 134 If we run into issues while deploying this, it may be useful to enable 135 a collection of debug logs that we added during development. To do so, 136 add the option `"debug_logging": true` to `"saml_svc_options"`: 137 138 ``` 139 pachctl auth set-config <<EOF 140 { 141 ... 142 "saml_svc_options": { 143 ... 144 "debug_logging": true 145 } 146 } 147 EOF 148 ``` 149 150 ### Groups 151 Pachyderm has very preliminary, experimental support for groups. While they won't 152 appear in ACLs in the dash (and may have other issues), you can experiment using 153 the CLI by setting `"group_attribute"` in the IDProvider field of the auth config: 154 155 ```shell 156 pachctl auth set-config <<EOF 157 { 158 ... 159 "id_providers": [ 160 { 161 ... 162 "saml": { 163 "group_attribute": "memberOf" 164 } 165 } 166 ], 167 } 168 EOF 169 ``` 170 171 Then, try: 172 173 ```shell 174 pachctl create repo group-test 175 pachctl put file group-test@master -f some-data.txt 176 pachctl auth set group/saml:"Test Group" reader group-test 177 ``` 178 179 Elsewhere: 180 181 ```shell 182 pachctl auth login --code=<auth code> 183 pachctl get file group-test@master:some-data.txt # should work for members of "Test Group" 184 ```