github.com/pachyderm/pachyderm@v1.13.4/doc/docs/master/enterprise/auth/saml/saml_usage.md

## Use SAML

This section walks you through an example of using Pachyderm's experimental SAML
support. We'll describe:

1. Authenticating via a SAML ID Provider
1. Authenticating in the CLI
1. Authorizing a user or group to access data

## Setup

Follow the instructions in [Configure SAML](saml_setup.md) to enable auth in a
Pachyderm cluster and connect it to a SAML ID provider. Then, we'll authenticate
as a cluster admin in one console and set up our [OpenCV
demo](https://github.com/pachyderm/pachyderm/blob/master/examples/opencv/README.md).

In the CLI, that would look like:

```shell
(admin)$ pachctl auth use-auth-token
```

**System response:**

```shell
Please paste your Pachyderm auth token:
<auth token>
```

```shell
(admin)$ pachctl auth whoami
```

**System response:**

```shell
You are "robot:admin"
You are an administrator of this Pachyderm cluster
```

Create a repository, pipelines, and put files into the
repository.

```shell
(admin)$ pachctl create repo images
(admin)$ pachctl create pipeline -f examples/opencv/edges.json
(admin)$ pachctl create pipeline -f examples/opencv/montage.json
(admin)$ pachctl put file images@master -i examples/opencv/images.txt
(admin)$ pachctl put file images@master -i examples/opencv/images2.txt
```

View the list of existing repositories:

```shell
(admin)$ pachctl list repo
```

**System response:**

```shell
NAME    CREATED       SIZE (MASTER) ACCESS LEVEL
montage 2 minutes ago 1.653MiB      OWNER
edges   2 minutes ago 133.6KiB      OWNER
images  2 minutes ago 238.3KiB      OWNER
```

View the list of jobs:

```shell
(admin)$ pachctl list job
```

**System response:**

```shell
ID                               OUTPUT COMMIT                            STARTED       DURATION  RESTART PROGRESS  DL       UL       STATE
023a478b16e849b4996c19632fee6782 montage/e3dd7e9cacc5450c92e0e62ab844bd26 2 minutes ago 8 seconds 0       1 + 0 / 1 371.9KiB 1.283MiB success
fe8b409e0db54f96bbb757d4d0679186 edges/9cc634a63f794a14a78e931bea47fa73   2 minutes ago 5 seconds 0       2 + 1 / 3 181.1KiB 111.4KiB success
152cb8a0b0854d44affb4bf4bd57228f montage/82a49260595246fe8f6a7d381e092650 2 minutes ago 5 seconds 0       1 + 0 / 1 79.49KiB 378.6KiB success
86e6eb4ae1e74745b993c2e47eba05e9 edges/ee7ebdddd31d46d1af10cee25f17870b   2 minutes ago 4 seconds 0       1 + 0 / 1 57.27KiB 22.22KiB success
```

## Authenticating via a SAML ID Provider (in the dashboard)

Before authenticating, navigating to the dash will yield a blank screen:

![Blocked-out dash](../../../assets/images/saml_log_in.png)

Even though the dash suggests logging in via GitHub, we will log in using a
SAML IdP (which has hopefully already been configured). To see your Pachyderm
DAG, navigate to your SAML ID provider and sign in to your Pachyderm cluster
there (currently Pachyderm only supports IdP-initiated SAML authentication).

![SSO image](../../../assets/images/saml_okta_with_app.png)

Once you've authenticated, you'll be redirected to the Pachyderm dash (the
redirect URL is configured in the Pachyderm auth system). You'll be given the
opportunity to generate a one-time password (OTP), though you can always do this
later from the settings panel.

![Dash logged in](../../../assets/images/saml_successfully_logged_in.png)

After closing the OTP panel, you'll be able to see the Pachyderm DAG, but you
may not have access to any of the repos inside (a repo that you cannot read is
indicated by a lock symbol):

![Dash with locked repos](../../../assets/images/saml_dag.png)

## Authenticating in the CLI

After authenticating in the dash, you'll be given the opportunity to generate a
one-time password (OTP) and sign in on the CLI. You can also generate an OTP
from the settings panel:

![OTP Image](../../../assets/images/saml_display_otp.png)

```shell
(user)$ pachctl auth login --code auth_code:73db4686e3e142508fa74aae920cc58b
(user)$ pachctl auth whoami
```

**System response:**

```shell
You are "saml:msteffen@pachyderm.io"
session expires: 14 Sep 18 20:55 PDT
```

Note that this session expires after 8 hours. The duration of sessions is
configurable in the Pachyderm auth config, but it's important that they be
relatively short, as SAML group memberships are only updated when users sign in.
If a user is removed from a group, they'll still be able to access the group's
resources until their session expires.

## Authorizing a user or group to access data

First, we'll give the example of an admin granting a user access. This can be
accomplished on the CLI like so:

```shell
(admin)$ pachctl auth set saml:msteffen@pachyderm.io reader images
```

Now, the `images` repo is no longer locked when that user views the DAG:

![Unlocked images repo image](../../../assets/images/saml_dag_images_readable.png)

At this point, you can click on the `images` repo and preview data inside:

![Unlocked images repo image](../../../assets/images/saml_dag_reading_from_images.png)

Likewise, you can grant access to repos via groups. You'll need a SAML ID
provider that supports group attributes, and you'll need to put the name of that
attribute in the Pachyderm auth config. Here, we'll grant access to the Everyone
group:

```shell
(admin)$ pachctl auth set group/saml:Everyone owner edges
```

Now, the edges repo is also not locked:

![Unlocked edges repo](../../../assets/images/saml_dag_images_and_edges_readable.png)

Also, because `msteffen@pachyderm.io` has OWNER privileges in the `edges` repo
(via the Everyone group), the ACL for `edges` can be edited.
`msteffen@pachyderm.io` will use OWNER privileges gained via the Everyone group
to add `msteffen@pachyderm.io` (the user principal) directly to that ACL:

![Adding user to ACL image](../../../assets/images/saml_editing_acl.png)

This change is reflected in the CLI as well:

```shell
(admin)$ pachctl auth get edges
```

**System response:**

```shell
pipeline:edges: WRITER
pipeline:montage: READER
group/saml:Everyone: OWNER
saml:msteffen@pachyderm.io: READER
robot:admin: OWNER
```
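As an added example (not part of the Pachyderm docs or code base), the script below parses `pachctl auth get` output in the `principal: ROLE` form shown above, flags group grants an admin should review, and computes a user's effective role with and without a group, which makes the session-expiry caveat concrete: the `Everyone` grant keeps conferring OWNER until the session ends, and only then does the user drop to the directly granted READER. The sample ACL text is constructed from the output above; the role names and ranking are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: the `pachctl auth get edges` output shown above.
SAMPLE_ACL = """\
pipeline:edges: WRITER
pipeline:montage: READER
group/saml:Everyone: OWNER
saml:msteffen@pachyderm.io: READER
robot:admin: OWNER
"""

Entry = namedtuple("Entry", "principal kind role")

# One "<principal>: <ROLE>" line per entry. The principal itself may contain
# colons ("group/saml:Everyone"), so the role is anchored at the end of the line.
LINE_RE = re.compile(r"^(?P<principal>\S.*?): (?P<role>[A-Z]+)$")

# Assumed ordering of Pachyderm 1.x scopes, weakest to strongest.
ROLE_RANK = {"NONE": 0, "READER": 1, "WRITER": 2, "OWNER": 3}


def parse_acl(text):
    """Parse ACL lines into Entry tuples; the kind is the principal's prefix."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        principal = m.group("principal")
        kind = "group" if principal.startswith("group/") else principal.split(":", 1)[0]
        entries.append(Entry(principal, kind, m.group("role")))
    return entries


def review_acl(text):
    """Return (principal, finding) pairs an admin should look at."""
    findings = []
    for e in parse_acl(text):
        if e.kind == "group":
            # Group membership is read from the IdP at sign-in only, so a
            # removal at the IdP takes effect when the member's session expires.
            findings.append((e.principal, f"group grant ({e.role}) lags IdP membership until sessions expire"))
            if e.role == "OWNER":
                findings.append((e.principal, "group holds OWNER: every member can edit this ACL"))
    return findings


def effective_role(entries, user, groups):
    """Highest role `user` holds, counting the groups reported at sign-in."""
    holders = {user} | {f"group/saml:{g}" for g in groups}
    roles = [e.role for e in entries if e.principal in holders]
    return max(roles, key=ROLE_RANK.__getitem__, default="NONE")
```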

## Conclusion

This is just an example of Pachyderm's auth system, meant to illustrate the
general nature of available features. Hopefully, it clarifies whether Pachyderm
can meet your requirements.