# Manage Authentication Configuration

The Pachyderm authentication configuration file includes
information about the identity provider (IdP) configured in Pachyderm.
The file is stored in the Pachyderm etcd container, and you
can access it by using the following commands:

* To view the auth configuration, run:

  ```shell
  pachctl auth get-config
  ```

* To edit the auth configuration, run:

  ```shell
  pachctl auth set-config -f <config.json>
  ```

  or:

  ```shell
  pachctl auth set-config <<EOF
  {
    "live_config_version": ${live_config_version},

    "id_providers": [
      {
        ...
      }
    ]
    ...
  }
  EOF
  ```

* To delete the Pachyderm auth configuration, run:

  ```shell
  pachctl auth deactivate
  ```

## SAML Authentication Parameters

You can specify the following parameters for your SAML provider in the
authentication file:

| Parameter | Description |
| ---------------- | ------------------------------------ |
| `name` | The name of the SAML provider. For example, `okta`. <br> This name is used as a prefix for all usernames derived <br> from the identity provider. For example, <br> `okta:test@pachyderm.com`. |
| `description` | An optional description of the identity provider. |
| `saml` | A list of parameters related to the SAML provider <br> configuration. |
| `metadata_url` | The URL of the SAML provider's metadata service. |
| `metadata_xml` | The XML metadata of the SAML IdP. You can use this <br> parameter if the IdP is located in another network to which <br> users have access, but `pachd` does not. It can <br> also be used for testing when the IdP is not yet <br> configured. |
| `group_attribute` | A group attribute configured on the IdP. This parameter enables <br> you to grant permissions at a group level rather <br> than on an individual level. |
| `saml_svc_options` | A list of options for SAML services. |
| `acs_url` | The URL of `pachd`'s Assertion Consumer Service (ACS) <br> and Metadata Service. If Pachyderm runs in a <br> private cluster, the cluster admin must set up <br> the domain name and proxy to resolve to <br> `pachd:654/acs`. For example, <br> `http://localhost:30654/saml/acs`. |
| `metadata_url` | The public URL of `pachd`'s SAML metadata service. <br> This parameter under `saml_svc_options` is <br> different from the one under the `saml` option. <br> If Pachyderm runs in a private cluster, you must <br> create this URL, which resolves to <br> `pachd:654/saml/metadata`. For example, <br> `http://localhost:30654/saml/metadata`. |
| `dash_url` | The public URL of the Pachyderm dashboard. <br> For example, `https://localhost:30080`. |
| `session_duration` | The length of a user session in hours (`h`) or <br> minutes (`m`). For example, `8h`. If left blank, a 24-hour session is <br> configured by default. |

[View a sample config](../saml/saml_setup/#write-pachyderm-config)

## OIDC Authentication Parameters

You can specify the following parameters for your OIDC provider in the
authentication file:

| Parameter | Description |
| ---------------- | ------------------------------------ |
| `name` | The name of the OIDC provider. For example, <br> `keycloak`. This name is used as a prefix for all usernames derived <br> from the identity provider. For example, <br> `keycloak:test@pachyderm.com`. |
| `description` | An optional description of the identity provider. |
| `oidc` | A list of parameters related to the OIDC provider configuration. |
| `issuer` | The address of the OIDC provider. For example, <br> `http://keycloak.<ip>.nip.io/auth/realms/<realm-name>`. |
| `client_id` | The client ID for Pachyderm configured in the IdP. For example, <br> `pachyderm`. |
| `client_secret` | A secret shared with the identity provider. If your OIDC provider <br> does not use a secret, which is not recommended, the <br> parameter can be omitted for testing. |
| `redirect_uri` | The URI on which the OIDC IdP can reach Pachyderm. <br> It depends on your network configuration and must have the following <br> format: `http://<ip>:30657/authorization-code/callback`. |
| `additional_scopes` | A list of additional OIDC scopes to request from the provider. If `groups` is requested, the groups in the ID token are synced with Pachyderm. |

[View a sample config](../oidc/configure-keycloak/#configure-keycloak)
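As an added example (not part of the Pachyderm docs or code base), the following Python pre-flight check runs over a config document before it is handed to `pachctl auth set-config -f`, applying the rules stated in the two tables above: a SAML provider needs `metadata_url` or `metadata_xml`, an OIDC provider needs `issuer`, `client_id` and `redirect_uri` in the documented format, an omitted `client_secret` is flagged, and `session_duration` must be an `h` or `m` value. The sample config is constructed, `saml_svc_options` is assumed to sit at the top level of the JSON document, and the 24-hour maximum session length is an assumed local policy rather than a Pachyderm rule.

```python
import json
import re
# Constructed sample config (not from the page), shaped after the parameters
# documented above; saml_svc_options is assumed to sit at the top level.
SAMPLE_CONFIG = json.dumps({
    "live_config_version": 1,
    "id_providers": [
        {"name": "okta", "saml": {"group_attribute": "memberOf"}},
        {"name": "keycloak", "oidc": {"issuer": "http://keycloak.example.com/auth/realms/pach",
                                      "client_id": "pachyderm",
                                      "redirect_uri": "http://localhost:30657/authorization-code/callback"}},
    ],
    "saml_svc_options": {"acs_url": "http://localhost:30654/saml/acs",
                         "metadata_url": "http://localhost:30654/saml/metadata",
                         "dash_url": "http://localhost:30080",
                         "session_duration": "8 hours"},
})
DURATION = re.compile(r"^(\d+)([hm])$")
REDIRECT = re.compile(r"^https?://[^/]+:30657/authorization-code/callback$")
MAX_SESSION_MIN = 24 * 60  # assumed local policy: flag sessions longer than the 24h default

def check_auth_config(text):
    """Return findings for a pachctl auth config document; [] means clean."""
    cfg, out = json.loads(text), []
    for p in cfg.get("id_providers") or []:
        name = p.get("name", "<unnamed>")  # also the username prefix
        if "saml" in p:
            if not (p["saml"].get("metadata_url") or p["saml"].get("metadata_xml")):
                out.append(f"{name}: saml needs metadata_url or metadata_xml")
        elif "oidc" in p:
            oidc = p["oidc"]
            out += [f"{name}: oidc missing {k}" for k in ("issuer", "client_id", "redirect_uri") if not oidc.get(k)]
            if not oidc.get("client_secret"):
                out.append(f"{name}: client_secret omitted (testing only, not recommended)")
            if oidc.get("redirect_uri") and not REDIRECT.match(oidc["redirect_uri"]):
                out.append(f"{name}: redirect_uri not in the documented format")
    svc = cfg.get("saml_svc_options")
    if any("saml" in p for p in cfg.get("id_providers") or []):
        if svc is None:
            out.append("saml provider configured but saml_svc_options missing")
        else:
            out += [f"saml_svc_options missing {k}" for k in ("acs_url", "metadata_url", "dash_url") if not svc.get(k)]
            dur = svc.get("session_duration")
            m = DURATION.match(dur) if dur else None
            if dur and not m:
                out.append(f"session_duration {dur!r} must look like 8h or 30m")
            elif m and int(m.group(1)) * (60 if m.group(2) == "h" else 1) > MAX_SESSION_MIN:
                out.append(f"session_duration {dur} exceeds the assumed policy maximum")
    return out
```

Running `check_auth_config(SAMPLE_CONFIG)` reports the missing SAML metadata, the absent OIDC client secret and the malformed session duration; an empty list means the document is ready for `pachctl auth set-config`.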