Configuring Authentication

Driverless AI supports LDAP, PAM, Local, none, and unvalidated (default) authentication. These can be configured by specifying the environment variables when starting the Driverless AI Docker image or by setting the appropriate environment variables in the config.toml file.

Enabling Authentication in Docker Images

To enable authentication in Docker images, specify the authentication environment variable that you want to use. Each variable must be prepended with DRIVERLESS_AI_. The example below starts Driverless AI with environment variables that enable the following:

  • Local authentication when starting Driverless AI
  • S3 and HDFS access (without authentication)

nvidia-docker run \
  --pid=host \
  --init \
  --rm \
  --shm-size=256m \
  -p 12345:12345 \
  -u `id -u`:`id -g` \
  -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
  -e DRIVERLESS_AI_AUTHENTICATION_METHOD="local" \
  -e DRIVERLESS_AI_LOCAL_HTPASSWD_FILE="<htpasswd_file_location>" \
  -v `pwd`/data:/data \
  -v `pwd`/log:/log \
  -v `pwd`/license:/license \
  -v `pwd`/tmp:/tmp \
  h2oai/dai-centos7-x86_64:1.3.1-9.0

Enabling Authentication in Native Installs

Native installs include DEBs, RPMs, and TAR SH installs. The example below shows the environment variables in the config.toml file to set when enabling the following:

  • Local authentication when starting Driverless AI
  • S3 and HDFS access (without authentication)

  1. Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:

export DRIVERLESS_AI_CONFIG_FILE="/config/config.toml"

  2. Open the config.toml file and edit the authentication variables. The config.toml file is available in the etc/dai folder after the RPM or DEB is installed.

# File System Support
# file : local file system/server file system
# hdfs : Hadoop file system, remember to configure the hadoop coresite and keytab below
# s3 : Amazon S3, optionally configure secret and access key below
# gcs : Google Cloud Storage, remember to configure gcs_path_to_service_account_json below
# gbq : Google Big Query, remember to configure gcs_path_to_service_account_json below
enabled_file_systems = "file,s3,hdfs"

# authentication_method
# unvalidated : Accepts user id and password, does not validate password
# none : Does not ask for user id or password, authenticated as admin
# pam :  Accepts user id and password, Validates user with operating system
# ldap : Accepts user id and password, Validates against an ldap server, look
#        for additional settings under LDAP settings
# local: Accepts a user id and password, Validated against a htpasswd file provided in local_htpasswd_file
authentication_method = "local"

# Local password file
# Generating a htpasswd file: see syntax below
# htpasswd -B "<location_to_place_htpasswd_file>" "<username>"
# note: -B forces use of bcrypt, a secure password hashing method
local_htpasswd_file = "<htpasswd_file_location>"

  3. Start (or restart) Driverless AI. Note that the command used to start Driverless AI varies depending on your install type.

# Linux RPM or DEB with systemd
sudo systemctl start dai

# Linux RPM or DEB without systemd
sudo -H -u dai /opt/h2oai/dai/run-dai.sh

# Linux TAR SH
./run-dai.sh
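The comment in the config.toml above recommends htpasswd -B so that every entry is stored as bcrypt. The Python below is an added example, not Driverless AI code or tooling: it audits an htpasswd file for entries that use a weaker scheme or are malformed. The sample file and its hash strings are constructed; the scheme prefixes are the ones htpasswd writes.

```python
import re
from typing import List, Tuple

# Constructed sample htpasswd file (not from the page). The hash strings are
# illustrative: the audit classifies by scheme prefix and never verifies them.
SAMPLE_HTPASSWD = """\
alice:$2y$05$abcdefghijklmnopqrstuuTk7S5ZzNkNgsSUQ0lJh4KXWtAY7hK3y
bob:$apr1$q1Lk0gNd$9xJm7Yz0TxW0ZGyQb8UQs/
carol:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
dave:rL0Y20zC2kvJ1
# comment lines and blank lines are skipped by this audit
mallory
"""

# (prefix, scheme name, acceptable for a Driverless AI login file)
SCHEMES = [
    ("$2y$", "bcrypt", True),
    ("$2a$", "bcrypt", True),
    ("$2b$", "bcrypt", True),
    ("$apr1$", "apr1-md5", False),
    ("{SHA}", "sha1", False),
]

def classify(hash_field: str) -> Tuple[str, bool]:
    """Name the hash scheme of one htpasswd password field."""
    for prefix, name, ok in SCHEMES:
        if hash_field.startswith(prefix):
            return name, ok
    # htpasswd's only other output format is 13-character DES crypt(3)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "des-crypt", False
    return "unknown", False

def audit_htpasswd(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, scheme, reason) for every entry that should be regenerated."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append((f"line {lineno}", "malformed", "no ':' separator"))
            continue
        user, hash_field = line.split(":", 1)
        scheme, ok = classify(hash_field)
        if not ok:
            findings.append((user, scheme, "not bcrypt; regenerate with htpasswd -B"))
    return findings
```

Checking a password against a bcrypt entry needs a bcrypt implementation (for example the PyPI bcrypt package); this audit only reports which entries to regenerate.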

LDAP Authentication Example

Driverless AI provides two recipes for enabling LDAP authentication.

LDAP without SSL (Recipe 0)

The examples below show how to enable LDAP in Driverless AI and reference an open LDAP server. These parameters can be specified as environment variables when starting the Driverless AI Docker image, or they can be set via the config.toml file for native installs. Upon completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.

Setting Environment Variables in Docker Images

Specify the following LDAP environment variables when starting the Driverless AI Docker image. With recipe=0, these are the only parameters that you will need to set.

nvidia-docker run \
  --pid=host \
  --init \
  --rm \
  --shm-size=256m \
  -p 12345:12345 \
  -u `id -u`:`id -g` \
  -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
  -e DRIVERLESS_AI_AUTHENTICATION_METHOD="ldap" \
  -e DRIVERLESS_AI_LDAP_RECIPE="0" \
  -e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
  -e DRIVERLESS_AI_LDAP_PORT="389" \
  -e DRIVERLESS_AI_LDAP_DC="dc=example,dc=com" \
  -v `pwd`/data:/data \
  -v `pwd`/log:/log \
  -v `pwd`/license:/license \
  -v `pwd`/tmp:/tmp \
  h2oai/dai-centos7-x86_64:1.3.1-9.0

Using the config.toml file with Native Installs

Native installs include DEBs, RPMs, and TAR SH installs.

  1. Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:

export DRIVERLESS_AI_CONFIG_FILE="/config/config.toml"

  2. Enable LDAP authentication.

# Enable LDAP authentication
authentication_method = "ldap"

# Specify recipe 0. This value is used internally by Driverless AI.
ldap_recipe = "0"

# Specify the LDAP server to connect to
ldap_server = "ldap.forumsys.com"

# Specify the LDAP port to connect to
ldap_port = "389"

# Specify the LDAP DC
ldap_dc = "dc=example,dc=com"

  3. Start (or restart) Driverless AI.

Users can now launch Driverless AI using their LDAP credentials. If authentication is successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.

LDAP with SSL (Recipe 1)

This example shows how to enable LDAP authentication with additional parameters for Recipe 1. These parameters can be specified as environment variables when starting the Driverless AI Docker image, or they can be set via the config.toml file for native installs. For native installs, this method of LDAP authentication is a three-step process. Upon completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.

Setting Environment Variables in Docker Images

Specify the following LDAP environment variables when starting the Driverless AI Docker image. This example enables LDAP authentication and shows how to specify additional options that are used when recipe=1.

nvidia-docker run \
 --pid=host \
 --init \
 --rm \
 --shm-size=256m \
 -p 12345:12345 \
 -u `id -u`:`id -g` \
 -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
 -e DRIVERLESS_AI_AUTHENTICATION_METHOD="ldap" \
 -e DRIVERLESS_AI_LDAP_RECIPE="1" \
 -e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
 -e DRIVERLESS_AI_LDAP_PORT="389" \
 -e DRIVERLESS_AI_LDAP_DC="dc=example,dc=com" \
 -e DRIVERLESS_AI_LDAP_USE_SSL="1" \
 -e DRIVERLESS_AI_LDAP_TLS_FILE="/tmp/abc-def-root.cer" \
 -e DRIVERLESS_AI_LDAP_SEARCH_USER_ID="gauss" \
 -e DRIVERLESS_AI_LDAP_SEARCH_PASSWORD="password" \
 -e DRIVERLESS_AI_LDAP_USER_PREFIX="uid=" \
 -e DRIVERLESS_AI_LDAP_OU_DN="dc=example,dc=com" \
 -e DRIVERLESS_AI_LDAP_BASE_DN="dc=example,dc=com" \
 -e DRIVERLESS_AI_LDAP_SEARCH_FILTER="(objectclass=person)" \
 -v `pwd`/data:/data \
 -v `pwd`/log:/log \
 -v `pwd`/license:/license \
 -v `pwd`/tmp:/tmp \
 h2oai/dai-centos7-x86_64:1.3.1-9.0

Upon successful completion, all the users in the configured LDAP should be able to log in to Driverless AI and run experiments, visualize datasets, interpret models, etc.

Using the config.toml file with Native Installs

Native installs include DEBs, RPMs, and TAR SH installs. For native installs, this method of LDAP authentication is a four-step process.

  1. Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:

export DRIVERLESS_AI_CONFIG_FILE="/config/config.toml"

  2. Enable LDAP authentication.

# Enable LDAP authentication
authentication_method = "ldap"

# Specify recipe=1. This value is used internally by Driverless AI.
ldap_recipe = "1"

# Specify the LDAP server to connect to
ldap_server = "ldap.forumsys.com"

# Specify the LDAP port to connect to
ldap_port = "389"

# Specify the LDAP DC
ldap_dc = "dc=example,dc=com"

Specify additional options that are used when recipe=1. The variables listed below are specific to this method of LDAP authentication.

# If the LDAP connection to the LDAP server needs an SSL certificate,
# then this needs to be specified
ldap_use_ssl = "True"

# Specify the LDAP TLS file location if SSL is set to True above
ldap_tls_file = "/tmp/abc-def-root.cer"

# Specify the LDAP user to be searched for
ldap_search_user_id = "gauss"

# Specify the LDAP password for the above user
ldap_search_password = "password"

# Specify the LDAP prefix to be used for step 1 of the LDAP authentication.
# The first step binds to the LDAP server as the DN formed by concatenating
# ldap_user_prefix + ldap_search_user_id + ',' + ldap_ou_dn
ldap_user_prefix = "uid="

# Specify the LDAP OU along with the base DN
ldap_ou_dn = "dc=example,dc=com"

  3. Using the above variables, an attempt to connect to the LDAP server is made. If the connection is successful, the values below are used: the user logging in is searched for under ldap_base_dn in accordance with the search filter.

# Specify the LDAP base DN
ldap_base_dn = "dc=example,dc=com"

# Specify the LDAP search filter
ldap_search_filter = "(objectclass=person)"

  4. Start (or restart) Driverless AI. Users can now launch Driverless AI using their LDAP credentials. If authentication is successful, the user can access Driverless AI and run experiments, visualize datasets, interpret models, etc.
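As an added example (not part of the Driverless AI documentation or product), a small Python audit that reads these `key = "value"` lines, builds the step 1 bind DN exactly as the ldap_user_prefix comment describes, and flags a recipe 1 configuration that enables SSL without ldap_tls_file or leaves the validation-free unvalidated/none methods in place. The minimal parser, the REQUIRED table and the sample fragment are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed config.toml fragment (not from the page) modelled on the recipe 1
# settings above; ldap_tls_file is deliberately left out so the audit reports it.
SAMPLE_CONFIG = """
authentication_method = "ldap"
ldap_recipe = "1"
ldap_server = "ldap.forumsys.com"
ldap_port = "389"
ldap_dc = "dc=example,dc=com"
ldap_use_ssl = "True"
ldap_search_user_id = "gauss"
ldap_search_password = "password"
ldap_user_prefix = "uid="
ldap_ou_dn = "dc=example,dc=com"
ldap_base_dn = "dc=example,dc=com"
ldap_search_filter = "(objectclass=person)"
"""
# Keys the page lists per method; recipe 1 needs RECIPE1_EXTRA as well.
REQUIRED = {"local": ["local_htpasswd_file"],
            "ldap": ["ldap_recipe", "ldap_server", "ldap_port", "ldap_dc"]}
RECIPE1_EXTRA = ["ldap_use_ssl", "ldap_search_user_id", "ldap_search_password",
                 "ldap_user_prefix", "ldap_ou_dn", "ldap_base_dn", "ldap_search_filter"]

def parse_config(text: str) -> Dict[str, str]:
    """Minimal reader for the `key = "value"` lines used in config.toml."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([a-z_]+)\s*=\s*"([^"]*)"\s*$', line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def step1_bind_dn(cfg: Dict[str, str]) -> str:
    """DN the recipe 1 service account binds with, concatenated as the page describes."""
    return cfg["ldap_user_prefix"] + cfg["ldap_search_user_id"] + "," + cfg["ldap_ou_dn"]

def audit_auth(cfg: Dict[str, str]) -> List[str]:
    """Report settings that leave logins unvalidated or a recipe incomplete."""
    method = cfg.get("authentication_method", "unvalidated")  # the page's default
    if method in ("unvalidated", "none"):
        return [f"authentication_method={method!r}: passwords are never validated"]
    required, findings = list(REQUIRED.get(method, [])), []
    if method == "ldap" and cfg.get("ldap_recipe") == "1":
        required += RECIPE1_EXTRA
        if cfg.get("ldap_use_ssl", "").lower() in ("1", "true") and not cfg.get("ldap_tls_file"):
            findings.append("ldap_use_ssl is set but ldap_tls_file is not")
    return findings + [f"missing required key: {k}" for k in required if k not in cfg]
```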

PAM Authentication Example

This section describes how to enable Pluggable Authentication Modules (PAM) in Driverless AI.

Enabling PAM in Docker Images

In this example, the host Linux system has PAM enabled for authentication and Docker running on that Linux system. The goal is to enable PAM for Driverless AI authentication while the Linux system hosts the user information.

  1. Verify that the username (“eric” in this case) is defined in the Linux system.
[root@Linux-Server]# cat /etc/shadow | grep eric
eric:$6$inOv3GsQuRanR1H4$kYgys3oc2dQ3u9it02WTvAYqiGiQgQ/yqOiOs.g4F9DM1UJGpruUVoGl5G6OD3MrX/3uy4gWflYJnbJofaAni/::0:99999:7:::

  2. Start Docker on the Linux Server and enable PAM in Driverless AI.

[root@Linux-Server]# docker run \
 --rm \
 --shm-size=256m \
 -u `id -u`:`id -g` \
 -p 12345:12345 \
 -v `pwd`/config:/config \
 -v `pwd`/data:/data \
 -v `pwd`/log:/log \
 -v `pwd`/license:/license \
 -v `pwd`/tmp:/tmp \
 -v /etc/passwd:/etc/passwd \
 -v /etc/shadow:/etc/shadow \
 -v /etc/pam.d/:/etc/pam.d/ \
 -e DRIVERLESS_AI_AUTHENTICATION_METHOD="pam" \
 h2oai/dai-centos7-x86_64:1.3.1-9.0

  3. Obtain the Driverless AI container ID. This ID is required for the next step and will be different every time Driverless AI is started.

[root@Linux-Server]# docker ps
CONTAINER ID        IMAGE                    COMMAND             CREATED             STATUS              PORTS                                                                                    NAMES
8e333475ffd8        opsh2oai/h2oai-runtime   "./run.sh"          36 seconds ago      Up 35 seconds       192.168.0.1:9090->9090/tcp, 192.168.0.1:12345->12345/tcp, 192.168.0.1:54321->54321/tcp   clever_swirles

  4. From the Linux Server, verify that the Docker Driverless AI instance can see the shadow file. The example below references 8e333475ffd8, which is the container ID obtained in the previous step.

[root@Linux-Server]# docker exec 8e333475ffd8 cat /etc/shadow|grep eric
eric:$6$inOv3GsQuRanR1H4$kYgys3oc2dQ3u9it02WTvAYqiGiQgQ/yqOiOs.g4F9DM1UJGpruUVoGl5G6OD3MrX/3uy4gWflYJnbJofaAni/::0:99999:7:::

  5. Open a Web browser and navigate to port 12345 on the Linux system that is running the Driverless AI Docker Image. Log in with credentials known to the Linux system. The login information will now be validated using PAM.

Enabling PAM in the config.toml File for Native Installs

In this example, the host Linux system has PAM enabled for authentication. The goal is to enable PAM for Driverless AI authentication while the Linux system hosts the user information.

This example shows how to edit the config.toml file to enable PAM. The config.toml file is available in the etc/dai folder after the RPM or DEB is installed. Edit the authentication_method variable in this file to enable PAM authentication, and then restart Driverless AI.

  1. Verify that the username (“eric” in this case) is defined in the Linux system.
[root@Linux-Server]# cat /etc/shadow | grep eric
eric:$6$inOv3GsQuRanR1H4$kYgys3oc2dQ3u9it02WTvAYqiGiQgQ/yqOiOs.g4F9DM1UJGpruUVoGl5G6OD3MrX/3uy4gWflYJnbJofaAni/::0:99999:7:::

  2. Export the Driverless AI config.toml file or add it to ~/.bashrc. This file is available in the etc/dai folder after the RPM or DEB is installed. For example:

[root@Linux-Server]# export DRIVERLESS_AI_CONFIG_FILE="/config/config.toml"

  3. Edit the authentication_method variable in the config.toml file so that PAM is enabled.

# authentication_method
# unvalidated : Accepts user id and password, does not validate password
# none : Does not ask for user id or password, authenticated as admin
# pam :  Accepts user id and password, Validates user with operating system
# ldap : Accepts user id and password, Validates against an ldap server, look
#        for additional settings under LDAP settings
# local: Accepts a user id and password, Validated against a htpasswd file provided in local_htpasswd_file
authentication_method = "pam"

  4. Start Driverless AI. Note that the command used to start Driverless AI varies depending on your install type.

# Linux RPM or DEB with systemd
[root@Linux-Server]# sudo systemctl start dai

# Linux RPM or DEB without systemd
[root@Linux-Server]# sudo -H -u dai /opt/h2oai/dai/run-dai.sh

# Linux TAR SH
[root@Linux-Server]# ./run-dai.sh

  5. Open a Web browser and navigate to port 12345 on the Linux system that is running Driverless AI. Log in with credentials known to the Linux system (as verified in the first step). The login information will now be validated using PAM.