Driverless AI Authentication

Driverless AI supports LDAP, PAM, and Local authentication. These can be configured by setting the appropriate environment variables in the config.toml file or by specifying the environment variables when starting Driverless AI.

Enabling Authentication in Docker Images

Each property must be prepended with DRIVERLESS_AI_. The example below starts Driverless AI with environment variables that enable the following:

  • Local authentication when starting Driverless AI
  • S3 and HDFS access (without authentication)

nvidia-docker run \
  --pid=host \
  --init \
  --rm \
  -u `id -u`:`id -g` \
  -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
  -e DRIVERLESS_AI_AUTHENTICATION_METHOD="local" \
  -e DRIVERLESS_AI_LOCAL_HTPASSWD_FILE="<htpasswd_file_location>" \
  -v `pwd`/data:/data \
  -v `pwd`/log:/log \
  -v `pwd`/license:/license \
  -v `pwd`/tmp:/tmp \
  opsh2oai/h2oai-runtime

Enabling Authentication in Native Installs

The config.toml file is available in the etc/dai folder after the RPM or DEB is installed. Edit the desired variables in this file, and then restart Driverless AI.

The example below shows the environment variables in the config.toml file to set when enabling the following:

  • Local authentication when starting Driverless AI
  • S3 and HDFS access (without authentication)

# File System Support
# file : local file system/server file system
# hdfs : Hadoop file system, remember to configure the hadoop coresite and keytab below
# s3 : Amazon S3, optionally configure secret and access key below
# gcs : Google Cloud Storage, remember to configure gcs_path_to_service_account_json below
# gbq : Google Big Query, remember to configure gcs_path_to_service_account_json below
enabled_file_systems = "file,s3,hdfs"

# authentication_method
# unvalidated : Accepts user id and password, does not validate password
# none : Does not ask for user id or password, authenticated as admin
# pam :  Accepts user id and password, Validates user with operating system
# ldap : Accepts user id and password, Validates against an ldap server, look
# for additional settings under LDAP settings
# local: Accepts a user id and password, Validated against a htpasswd file provided in local_htpasswd_file
authentication_method = "local"

# Local password file
# Generating a htpasswd file: see syntax below
# htpasswd -B "<location_to_place_htpasswd_file>" "<username>"
# note: -B forces use of bcrypt, a secure password hashing method
local_htpasswd_file = "<htpasswd_file_location>"
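
The check below is an added example, not part of the original page or of Driverless AI: it audits the file named in local_htpasswd_file and reports entries that were not created with htpasswd -B, or whose bcrypt cost is below a chosen minimum. The function names, the min_cost default of 10 (a local policy assumption; htpasswd sets the cost with -C) and the sample file are assumptions made for illustration.

```python
import re

# bcrypt as written by `htpasswd -B`: $2y$<cost>$ followed by 53 salt+hash chars.
BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

def classify_hash(value):
    """Return (scheme, bcrypt_cost_or_None) for the hash field of an entry."""
    m = BCRYPT.match(value)
    if m:
        return "bcrypt", int(m.group(1))
    if value.startswith("$apr1$"):
        return "apr1-md5", None          # htpasswd -m
    if value.startswith("{SHA}"):
        return "sha1-unsalted", None     # htpasswd -s
    if value.startswith(("$5$", "$6$")):
        return "sha-crypt", None         # not bcrypt, so not what -B produces
    return "crypt-or-plaintext", None    # htpasswd -d / -p, or unknown

def audit_htpasswd(text, min_cost=10):
    """List (line_no, user, problem) for entries that are not bcrypt,
    or whose bcrypt cost is below min_cost (assumed local policy)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, value = line.partition(":")
        if not sep or not user:
            findings.append((line_no, user, "malformed"))
            continue
        scheme, cost = classify_hash(value)
        if scheme != "bcrypt":
            findings.append((line_no, user, scheme))
        elif cost < min_cost:
            findings.append((line_no, user, "bcrypt-cost-%d" % cost))
    return findings

# Constructed sample file; the hash bodies are filler, not real password hashes.
SAMPLE = "\n".join([
    "alice:$2y$12$" + "A" * 53,
    "bob:$apr1$saltsalt$" + "b" * 22,
    "carol:{SHA}" + "c" * 27 + "=",
    "dave:$2y$05$" + "D" * 53,
    "erin:" + "e" * 13,
])

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(finding)
```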

LDAP Authentication Example

Driverless AI provides two recipes for enabling LDAP authentication.

Recipe 0 - LDAP without SSL

The first method for enabling LDAP authentication requires the following parameters to be set. The examples below are for one of the open LDAP servers. These parameters can be set via the config.toml file or as an environment variable when starting Driverless AI.

# Enable LDAP authentication
authentication_method = "ldap"

# Specify recipe 0. This value is used internally by Driverless AI.
ldap_recipe = "0"

# Specify the LDAP server to connect to
ldap_server = "ldap.forumsys.com"

# Specify the LDAP port to connect to
ldap_port = "389"

# Specify the LDAP DC
ldap_dc = "dc=example,dc=com"

With recipe=0, these are the only parameters that you will need to set. Upon successful completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.

Recipe 1 - LDAP with SSL

This method of LDAP authentication is a three-step process and requires the following set of parameters. These parameters can be set via the config.toml file or as an environment variable when starting Driverless AI.

  1. Enable LDAP authentication.

# Enable LDAP authentication
authentication_method = "ldap"

# Specify recipe=1. This value is used internally by Driverless AI.
ldap_recipe = "1"

# Specify the LDAP server to connect to
ldap_server = "ldap.forumsys.com"

# Specify the LDAP port to connect to
ldap_port = "389"

# Specify the LDAP DC
ldap_dc = "dc=example,dc=com"

Specify additional options that are used when recipe=1. The variables listed below are specific to this method of LDAP authentication.

# If the LDAP connection to the LDAP server needs an SSL certificate,
# then this needs to be specified
ldap_use_ssl = "True"

# Specify the LDAP TLS file location if SSL is set to True above
ldap_tls_file = "/tmp/abc-def-root.cer"

# Specify the LDAP user to be searched for
ldap_search_user_id = "gauss"

# Specify the LDAP password for the above user
ldap_search_password = "password"

# Specify the LDAP prefix to be used for step 1 of the LDAP authentication.
# The first step connects to the LDAP server as the user formed by the
# concatenation ldap_user_prefix + ldap_search_user_id + ',' + ldap_ou_dn
ldap_user_prefix = "uid="

# Specify the LDAP OU along with the base DN
ldap_ou_dn = "dc=example,dc=com"

  2. Using the above variables, an attempt is made to connect to the LDAP server. If the connection is successful, the values below will be used. In this case, the user is searched for in ldap_base_dn in accordance with the search filter.

# Specify the LDAP base DN
ldap_base_dn = "dc=example,dc=com"

# Specify the LDAP search filter
ldap_search_filter = "(objectclass=person)"

  3. If the user is found in the step above, then that user is authenticated with the Driverless AI password. If authentication is successful, the user can access Driverless AI.

All the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.
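
The following audit is an added example, not part of the original page or of Driverless AI: it reads the settings described above, either from config.toml text or from DRIVERLESS_AI_ environment variables, and reports the choices that weaken authentication (the none and unvalidated methods, LDAP without ldap_use_ssl, and a cleartext ldap_search_password). The function names and finding texts are assumptions, the parser handles only the flat key = "value" layout shown on this page, and the inputs are constructed from the page's own examples.

```python
import re

PREFIX = "DRIVERLESS_AI_"  # prefix the page requires for environment variables

def parse_flat_toml(text):
    """Read the flat key = "value" lines shown above (not a full TOML parser)."""
    pairs = (re.match(r'\s*(\w+)\s*=\s*"(.*)"\s*$', ln) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def from_env(environ):
    """Map DRIVERLESS_AI_FOO=bar (docker -e form) to the config key foo."""
    return {k[len(PREFIX):].lower(): v for k, v in environ.items() if k.startswith(PREFIX)}

def audit(settings):
    """Return (key, reason) findings for weak authentication settings."""
    out = []
    method = settings.get("authentication_method", "").lower()
    if method == "none":
        out.append(("authentication_method", "no login prompt; every session is admin"))
    elif method == "unvalidated":
        out.append(("authentication_method", "password is accepted without validation"))
    elif method == "local":
        path = settings.get("local_htpasswd_file", "")
        if not path or path.startswith("<"):
            out.append(("local_htpasswd_file", "unset or still a placeholder"))
    elif method == "ldap":
        if settings.get("ldap_use_ssl", "").lower() != "true":
            out.append(("ldap_use_ssl", "LDAP bind is not protected by SSL/TLS"))
        elif not settings.get("ldap_tls_file"):
            out.append(("ldap_tls_file", "no certificate file to verify the server"))
        if settings.get("ldap_search_password"):
            out.append(("ldap_search_password", "cleartext secret; restrict file access"))
    elif method != "pam":
        out.append(("authentication_method", "not set to a value listed on this page"))
    return out

# Constructed inputs built from the settings shown on this page.
RECIPE_0 = '''
authentication_method = "ldap"
ldap_recipe = "0"
ldap_server = "ldap.forumsys.com"
ldap_port = "389"
'''
RECIPE_1 = RECIPE_0.replace('"0"', '"1"') + '''
ldap_use_ssl = "True"
ldap_tls_file = "/tmp/abc-def-root.cer"
ldap_search_password = "password"
'''
DOCKER_ENV = {"DRIVERLESS_AI_AUTHENTICATION_METHOD": "unvalidated", "HOME": "/root"}
```

Call audit(parse_flat_toml(text)) on the contents of config.toml, or audit(from_env(os.environ)) inside the container, and treat an empty list as a pass.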