Auth configuration

authentication_method
authentication_method (String)
Default value 'unvalidated'
authentication_method:
- unvalidated: Accepts user id and password. Does not validate the password.
- none: Does not ask for user id or password. Authenticated as admin.
- openid: Uses an OpenID Connect provider for authentication. See additional OpenID settings below.
- oidc: Renewed OpenID Connect authentication using the authorization code flow. See additional OpenID settings below.
- pam: Accepts user id and password. Validates the user with the operating system.
- ldap: Accepts user id and password. Validates against an LDAP server. Look for additional settings under LDAP settings.
- local: Accepts a user id and password. Validated against an htpasswd file provided in local_htpasswd_file.
- ibm_spectrum_conductor: Authenticate with the IBM conductor auth API.
- tls_certificate: Authenticate with Driverless by providing a TLS certificate.
- jwt: Authenticate by a JWT obtained from the request metadata.

additional_authentication_methods
additional_authentication_methods (List)
Default value []
Additional authentication methods that will be enabled for the clients. Login forms for each method will be available on the /login/<authentication_method> path. Comma separated list.

authentication_default_timeout_hours
authentication_default_timeout_hours (Float)
Default value 72.0
The default amount of time in hours before a user is signed out and must log in again. This setting is used when a default timeout value is not provided by authentication_method.

authentication_gui_polling_prolongs_session
authentication_gui_polling_prolongs_session (Boolean)
Default value False
When enabled, the user's session is automatically prolonged, even when they are not interacting directly with the application.
auth_openid_provider_base_uri
auth_openid_provider_base_uri (String)
Default value ''
OpenID Connect Settings:
Refer to the OpenID Connect Basic Client Implementation Guide for details on how the OpenID authentication flow works: https://openid.net/specs/openid-connect-basic-1_0.html
Base server URI of the OpenID Provider server (ex: https://oidp.ourdomain.com)

auth_openid_configuration_uri
auth_openid_configuration_uri (String)
Default value ''
URI to pull OpenID config data from (you can extract most of the required OpenID config from this URL). Usually located at: /auth/realms/master/.well-known/openid-configuration

auth_openid_auth_uri
auth_openid_auth_uri (String)
Default value ''
URI to start the authentication flow

auth_openid_token_uri
auth_openid_token_uri (String)
Default value ''
URI to request the token after the callback from the OpenID server was received

auth_openid_userinfo_uri
auth_openid_userinfo_uri (String)
Default value ''
URI to get user information once the access_token has been acquired (ex: the list of groups the user belongs to will be provided here)

auth_openid_logout_uri
auth_openid_logout_uri (String)
Default value ''
URI to log out the user

auth_openid_redirect_uri
auth_openid_redirect_uri (String)
Default value ''
Callback URI that the OpenID provider will use to send the 'authentication_code'. This is the OpenID callback endpoint in Driverless AI. Most OpenID providers need this to be HTTPS. (ex. https://driverless.ourdomain.com/openid/callback)

auth_openid_grant_type
auth_openid_grant_type (String)
Default value ''
OAuth2 grant type (usually authorization_code for OpenID, can also be access_token)

auth_openid_response_type
auth_openid_response_type (String)
Default value ''
OAuth2 response type (usually code)

auth_openid_client_id
auth_openid_client_id (String)
Default value ''
Client ID registered with the OpenID provider

auth_openid_client_secret
auth_openid_client_secret (String)
Default value ''
Client secret provided by the OpenID provider when registering the Client ID

auth_openid_scope
auth_openid_scope (String)
Default value ''
Scope of info (usually openid). Can be a list of more than one, space delimited; possible values are listed at https://openid.net/specs/openid-connect-basic-1_0.html#Scopes

auth_openid_userinfo_auth_key
auth_openid_userinfo_auth_key (String)
Default value ''
Which key in the user_info JSON should be checked to authorize the user

auth_openid_userinfo_auth_value
auth_openid_userinfo_auth_value (String)
Default value ''
Which value the key should have in the user_info JSON in order to authorize the user

auth_openid_userinfo_username_key
auth_openid_userinfo_username_key (String)
Default value ''
Key that specifies the username in the user_info JSON (the value of this key is used as the username in Driverless AI)

auth_openid_urlencode_quote_via
auth_openid_urlencode_quote_via (String)
Default value 'quote'
Quote method from urllib.parse used to encode the payload dict in the Authentication Request

auth_openid_access_token_expiry_key
auth_openid_access_token_expiry_key (String)
Default value 'expires_in'
Key in the Token Response JSON that holds the value for the access token expiry

auth_openid_refresh_token_expiry_key
auth_openid_refresh_token_expiry_key (String)
Default value 'refresh_expires_in'
Key in the Token Response JSON that holds the value for the refresh token expiry

auth_openid_token_expiration_secs
auth_openid_token_expiration_secs (Number)
Default value 3600
Expiration time in seconds for the access token

auth_openid_use_objectpath_match
auth_openid_use_objectpath_match (Boolean)
Default value False
Enables advanced matching for OpenID Connect authentication. When enabled, an ObjectPath (http://objectpath.org/) expression is used to evaluate the user identity.

auth_openid_use_objectpath_expression
auth_openid_use_objectpath_expression (String)
Default value ''
ObjectPath (http://objectpath.org/) expression that will be used to evaluate whether the user is allowed to log in to Driverless. Any expression that evaluates to True means the user is allowed to log in.
Examples:
- Simple claim equality: $.our_claim is "our_value"
- List of claims contains required value: "expected_role" in @.roles

auth_openid_token_introspection_url
auth_openid_token_introspection_url (String)
Default value ''
Sets the token introspection URL for OpenID Connect authentication (needs to be an absolute URL). Needs to be set when API token introspection is enabled. Is used to get the token TTL when set and the IdP does not provide the expires_in field in the token endpoint response.

auth_openid_end_session_endpoint_url
auth_openid_end_session_endpoint_url (String)
Default value ''
Sets a URL where the user is redirected after being logged out, when set (needs to be an absolute URL).

auth_openid_default_scopes
auth_openid_default_scopes (String)
Default value ''
If set, the server will use these scopes when it asks for the token on login (space separated list).
auth_oidc_identity_source
auth_oidc_identity_source (String)
Default value 'userinfo'
Specifies the source from which the user identity and username are retrieved. Currently supported sources are:
- user_info: Retrieves the username from the UserInfo endpoint response.
- id_token: Retrieves the username from the ID Token using the auth_openid_id_token_username_key claim.

auth_oidc_username_claim
auth_oidc_username_claim (String)
Default value ''
Claim of the preferred username in the message holding the user identity, which will be used as the username in the application. The user identity source is specified by auth_oidc_identity_source and can be e.g. the UserInfo endpoint response or the ID Token.

auth_oidc_issuer_url
auth_oidc_issuer_url (String)
Default value ''
OpenID Connect Issuer URL, which is used for automatic provider info discovery. E.g. https://login.microsoftonline.com/<client-id>/v2.0

auth_oidc_token_endpoint_url
auth_oidc_token_endpoint_url (String)
Default value ''
OpenID Connect Token endpoint URL. Setting this is optional; if it's empty, it'll be set automatically by provider info discovery.

auth_oidc_introspection_endpoint_url
auth_oidc_introspection_endpoint_url (String)
Default value ''
OpenID Connect Token introspection endpoint URL. Setting this is optional; if it's empty, it'll be set automatically by provider info discovery.
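The provider info discovery that auth_oidc_issuer_url, auth_oidc_token_endpoint_url and auth_oidc_introspection_endpoint_url describe, shown as an added example; this is not Driverless AI's own code. It assumes the discovery document lives at <issuer>/.well-known/openid-configuration as OpenID Connect Discovery defines, that an explicitly configured endpoint wins over the discovered one (as the page states), and it adds two checks of its own: the document's issuer must equal the configured issuer (the Discovery spec requires this, and it stops a mismatched or spoofed provider from being trusted), and resolved endpoints must be https. The discovery document below is constructed, so the example runs offline.

```python
"""Added example (not Driverless AI code): OIDC provider info discovery."""
import json
from urllib.parse import urlsplit

# Constructed discovery document standing in for the provider's response.
CONSTRUCTED_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.test/realms/master",
    "authorization_endpoint": "https://idp.example.test/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/master/protocol/openid-connect/token",
    "introspection_endpoint": "https://idp.example.test/realms/master/protocol/openid-connect/token/introspect",
    "end_session_endpoint": "https://idp.example.test/realms/master/protocol/openid-connect/logout",
})

# Which empty auth_oidc_* setting is filled from which discovery field.
DISCOVERY_MAPPING = {
    "auth_oidc_token_endpoint_url": "token_endpoint",
    "auth_oidc_introspection_endpoint_url": "introspection_endpoint",
}


def discovery_url(issuer_url: str) -> str:
    """Well-known discovery URL derived from the configured issuer URL."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def resolve_endpoints(config: dict, discovery_json: str) -> dict:
    """Fill empty endpoint settings from the discovery document.

    Explicitly configured endpoints take precedence. The issuer in the
    document must match the configured issuer and every endpoint that will
    be used must be an absolute https URL; otherwise the configuration is
    rejected instead of silently trusting a mismatched provider.
    """
    doc = json.loads(discovery_json)
    issuer = config["auth_oidc_issuer_url"].rstrip("/")
    if doc.get("issuer", "").rstrip("/") != issuer:
        raise ValueError("issuer mismatch: %r != %r" % (doc.get("issuer"), issuer))
    resolved = dict(config)
    for setting, key in DISCOVERY_MAPPING.items():
        if not resolved.get(setting):
            if key not in doc:
                raise ValueError("discovery document lacks %s" % key)
            resolved[setting] = doc[key]
        parts = urlsplit(resolved[setting])
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError("%s must be an absolute https URL" % setting)
    return resolved


if __name__ == "__main__":
    cfg = {"auth_oidc_issuer_url": "https://idp.example.test/realms/master",
           "auth_oidc_token_endpoint_url": "",
           "auth_oidc_introspection_endpoint_url": ""}
    print(discovery_url(cfg["auth_oidc_issuer_url"]))
    for k, v in resolve_endpoints(cfg, CONSTRUCTED_DISCOVERY_DOC).items():
        print(k, "=", v)
```

In a deployment the constructed document would be replaced by an HTTPS fetch of discovery_url(); the issuer comparison is what makes that fetch safe to act on.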
auth_oidc_post_logout_url
auth_oidc_post_logout_url (String)
Default value ''
Absolute URL to which the user is redirected after they log out from the application, in case OIDC authentication is used. Usually this is the absolute URL of the Driverless AI Login page, e.g. https://1.2.3.4:12345/login

auth_oidc_authorization_query_params
auth_oidc_authorization_query_params (Dict)
Default value {}
Key-value mapping of extra HTTP query parameters in an OIDC authorization request.

auth_oidc_skip_cert_verification
auth_oidc_skip_cert_verification (Boolean)
Default value False
When set to True, certificate verification is skipped.

auth_oidc_ca_cert_location
auth_oidc_ca_cert_location (String)
Default value ''
When set, this value is used as the location of the CA cert; this takes precedence over auth_oidc_skip_cert_verification.

api_token_introspection_enabled
api_token_introspection_enabled (Boolean)
Default value False
Enables the option to use a Bearer token for authentication with the RPC endpoint.

api_token_introspection_method
api_token_introspection_method (String)
Default value 'OAUTH2_TOKEN_INTROSPECTION'
Sets the method that is used to introspect the bearer token.
- OAUTH2_TOKEN_INTROSPECTION: Uses the OAuth 2.0 Token Introspection (RFC 7662) endpoint to introspect the bearer token. This is useful when 'openid' is used as the authentication method. Uses 'auth_openid_client_id' and 'auth_openid_client_secret' to authenticate with the authorization server and auth_openid_token_introspection_url to perform the introspection.

api_token_oauth2_scopes
api_token_oauth2_scopes (String)
Default value ''
Sets the minimum set of scopes that the access token needs to have in order to pass the introspection (space separated). This is passed to the introspection endpoint and also verified after the response, for servers that don't enforce scopes. Keeping this empty turns the verification off.

api_token_oauth2_username_field_name
api_token_oauth2_username_field_name (String)
Default value 'username'
Which field of the response returned by the token introspection endpoint should be used as the username.
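How the introspection response is checked against api_token_oauth2_scopes and api_token_oauth2_username_field_name, as an added example rather than Driverless AI's own implementation. It assumes the response is the JSON object RFC 7662 defines (an "active" boolean, an optional space separated "scope" string, an optional "exp" timestamp) and that the local scope check is a subset test, so a token with extra scopes passes but one missing a required scope does not. The responses below are constructed, not captured from a server.

```python
"""Added example (not Driverless AI code): validating an RFC 7662 response."""
import json
import time


def required_scopes(api_token_oauth2_scopes: str) -> set:
    """Parse the space separated minimum scope list; empty means no check."""
    return set(api_token_oauth2_scopes.split())


def validate_introspection(response_json: str, api_token_oauth2_scopes: str,
                           api_token_oauth2_username_field_name: str = "username",
                           now: float = None) -> str:
    """Return the username of an acceptable token, raise PermissionError otherwise.

    "active" is checked first: RFC 7662 lets a server answer {"active": false}
    for unknown or revoked tokens, so no other field is trusted until it is
    true. Scopes are re-verified locally because, as the page notes, some
    servers do not enforce them.
    """
    resp = json.loads(response_json)
    if resp.get("active") is not True:
        raise PermissionError("token is not active")
    now = time.time() if now is None else now
    if "exp" in resp and float(resp["exp"]) <= now:
        raise PermissionError("token expired")
    granted = set(resp.get("scope", "").split())
    missing = required_scopes(api_token_oauth2_scopes) - granted
    if missing:
        raise PermissionError("token lacks required scopes: %s" % sorted(missing))
    username = resp.get(api_token_oauth2_username_field_name)
    if not username:
        raise PermissionError("response has no %r field"
                              % api_token_oauth2_username_field_name)
    return username


# Constructed introspection responses for the demonstration.
CONSTRUCTED_ACTIVE = json.dumps({
    "active": True,
    "scope": "openid profile ai.h2o.storage",
    "username": "alice",
    "exp": 4102444800,
})
CONSTRUCTED_INACTIVE = json.dumps({"active": False})


if __name__ == "__main__":
    print(validate_introspection(CONSTRUCTED_ACTIVE, "openid ai.h2o.storage"))
    for resp, scopes in [(CONSTRUCTED_INACTIVE, ""), (CONSTRUCTED_ACTIVE, "admin")]:
        try:
            validate_introspection(resp, scopes)
        except PermissionError as e:
            print("rejected:", e)
```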
oauth2_client_tokens_client_id
oauth2_client_tokens_client_id (String)
Default value ''
Sets up the client id that will be used in the OAuth 2.0 Authorization Code Flow to obtain the tokens. The client needs to be public and be able to use PKCE with the S256 code challenge.
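What "PKCE with the S256 code challenge" means for the public client named in oauth2_client_tokens_client_id, as an added example; this is not the project's code. It follows RFC 7636: the client keeps a random code_verifier, sends code_challenge = BASE64URL(SHA256(code_verifier)) with the authorization request, and the token endpoint recomputes the challenge from the verifier presented with the code. The function and parameter names are this example's own, and no provider is contacted.

```python
"""Added example (not Driverless AI code): PKCE S256 per RFC 7636."""
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier of 43..128 unreserved characters (RFC 7636 section 4.1)."""
    return _b64url(secrets.token_bytes(nbytes))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def authorization_request_params(client_id: str, redirect_uri: str, scope: str,
                                 code_verifier: str, state: str) -> dict:
    """Query parameters the public client sends to the authorize endpoint."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint does with the verifier sent alongside the code."""
    if not (43 <= len(presented_verifier) <= 128):
        return False
    return hmac.compare_digest(s256_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    params = authorization_request_params(
        "constructed-client-id", "https://driverless.example.test/oauth2/client_token",
        "openid profile ai.h2o.storage", verifier, secrets.token_urlsafe(16))
    print(params)
    print("verified:", server_verifies(params["code_challenge"], verifier))
```

Because only the hash travels in the front channel, an authorization code that is intercepted cannot be redeemed without the verifier, which never leaves the client until the back-channel token request.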
oauth2_client_tokens_authorize_url
oauth2_client_tokens_authorize_url (String)
Default value ''
Sets up the absolute URL of the authorize endpoint.

oauth2_client_tokens_token_url
oauth2_client_tokens_token_url (String)
Default value ''
Sets up the absolute URL of the token endpoint.

oauth2_client_tokens_introspection_url
oauth2_client_tokens_introspection_url (String)
Default value ''
Sets up the absolute URL of the token introspection endpoint. It's displayed in the UI so that clients can inspect the token expiration.

oauth2_client_tokens_redirect_url
oauth2_client_tokens_redirect_url (String)
Default value ''
Sets up the absolute URL of the redirect URL where Driverless handles the redirect part of the Authorization Code Flow. This is <Driverless base url>/oauth2/client_token

oauth2_client_tokens_scope
oauth2_client_tokens_scope (String)
Default value 'openid profile ai.h2o.storage'
Sets up the scope for the requested tokens. Space separated list.
ldap_server
ldap_server (String)
Default value ''
LDAP server domain or IP

ldap_port
ldap_port (String)
Default value ''
LDAP server port

ldap_bind_dn
ldap_bind_dn (String)
Default value ''
Complete DN of the LDAP bind user

ldap_bind_password
ldap_bind_password (String)
Default value ''
Password for the LDAP bind

ldap_tls_file
ldap_tls_file (String)
Default value ''
Provide the cert file location

ldap_use_ssl
ldap_use_ssl (Boolean)
Default value False
Use true to use SSL, or false

ldap_search_base
ldap_search_base (String)
Default value ''
The location in the DIT where the search will start

ldap_search_filter
ldap_search_filter (String)
Default value ''
A string that describes what you are searching for. You can use Python substitution to have this constructed dynamically (only {{DAI_USERNAME}} is supported).

ldap_search_attributes
ldap_search_attributes (String)
Default value ''
LDAP attributes to return from the search

ldap_user_name_attribute
ldap_user_name_attribute (String)
Default value ''
Specify the key used to find the user name

ldap_recipe
ldap_recipe (String)
Default value '0'
When using this recipe, needs to be set to "1"

ldap_user_prefix
ldap_user_prefix (String)
Default value ''
Deprecated, do not use

ldap_search_user_id
ldap_search_user_id (String)
Default value ''
Deprecated, use ldap_bind_dn

ldap_search_password
ldap_search_password (String)
Default value ''
Deprecated, use ldap_bind_password

ldap_ou_dn
ldap_ou_dn (String)
Default value ''
Deprecated, use ldap_search_base instead

ldap_dc
ldap_dc (String)
Default value ''
Deprecated, use ldap_base_dn

ldap_base_dn
ldap_base_dn (String)
Default value ''
Deprecated, use ldap_search_base

ldap_base_filter
ldap_base_filter (String)
Default value ''
Deprecated, use ldap_search_filter
auth_tls_crl_file
auth_tls_crl_file (String)
Default value ''
Path to the CRL file that will be used to verify the client certificate.

auth_tls_subject_field
auth_tls_subject_field (String)
Default value 'CN'
Which field of the subject will be used as the source for the username or other values used for further validation.

auth_tls_field_parse_regexp
auth_tls_field_parse_regexp (String)
Default value '(?P<username>.*)'
Regular expression that will be used to parse the subject field to obtain the username or other values used for further validation.

auth_tls_user_lookup
auth_tls_user_lookup (String)
Default value 'REGEXP_ONLY'
Sets up the way the user identity is obtained:
- REGEXP_ONLY: Uses 'auth_tls_subject_field' and 'auth_tls_field_parse_regexp' to extract the username from the client certificate.
- LDAP_LOOKUP: Uses an LDAP server to look up the username. The 'auth_tls_ldap_server', 'auth_tls_ldap_port', 'auth_tls_ldap_use_ssl', 'auth_tls_ldap_tls_file', 'auth_tls_ldap_bind_dn' and 'auth_tls_ldap_bind_password' options are used to establish the connection with the LDAP server. The 'auth_tls_subject_field' and 'auth_tls_field_parse_regexp' options are used to parse the certificate. The 'auth_tls_ldap_search_base', 'auth_tls_ldap_search_filter' and 'auth_tls_ldap_username_attribute' options are used to do the lookup.

auth_tls_ldap_server
auth_tls_ldap_server (String)
Default value ''
Hostname or IP address of the LDAP server used with LDAP_LOOKUP with the 'tls_certificate' authentication method.

auth_tls_ldap_port
auth_tls_ldap_port (String)
Default value ''
Port of the LDAP server used with LDAP_LOOKUP with the 'tls_certificate' authentication method.

auth_tls_ldap_use_ssl
auth_tls_ldap_use_ssl (Boolean)
Default value False
Whether to use SSL when connecting to the LDAP server used with LDAP_LOOKUP with the 'tls_certificate' authentication method.

auth_tls_ldap_tls_file
auth_tls_ldap_tls_file (String)
Default value ''
Path to the SSL certificate used with LDAP_LOOKUP with the 'tls_certificate' authentication method.

auth_tls_ldap_bind_dn
auth_tls_ldap_bind_dn (String)
Default value ''
Complete DN of the LDAP bind user used with LDAP_LOOKUP with the 'tls_certificate' authentication method.

auth_tls_ldap_bind_password
auth_tls_ldap_bind_password (String)
Default value ''
Password for the LDAP bind used with LDAP_LOOKUP with the 'tls_certificate' authentication method.

auth_tls_ldap_search_base
auth_tls_ldap_search_base (String)
Default value ''
Location in the DIT where the search will start, used with LDAP_LOOKUP with the 'tls_certificate' authentication method.

auth_tls_ldap_search_filter
auth_tls_ldap_search_filter (String)
Default value ''
LDAP filter that will be used to look up the user with LDAP_LOOKUP with the 'tls_certificate' authentication method. Can be built dynamically using the named capturing groups from 'auth_tls_field_parse_regexp' for substitution.
Example:
auth_tls_field_parse_regexp="\w+ (?P<id>\d+)"
auth_tls_ldap_search_filter="(&(objectClass=person)(id={{id}}))"

auth_tls_ldap_username_attribute
auth_tls_ldap_username_attribute (String)
Default value ''
Specifies which LDAP record attribute will be used as the username with LDAP_LOOKUP with the 'tls_certificate' authentication method.

auth_tls_ldap_authorization_lookup_filter
auth_tls_ldap_authorization_lookup_filter (String)
Default value ''
Sets an optional additional lookup filter that is performed after the user is found. This can be used, for example, to check whether the user is a member of a particular group. The filter can be built dynamically from the attributes returned by the lookup. Authorization fails when the search does not return any entry. If one or more entries are returned, authorization succeeds. Example:
auth_tls_field_parse_regexp="\w+ (?P<id>\d+)"
ldap_search_filter="(&(objectClass=person)(id={{id}}))"
auth_tls_ldap_authorization_lookup_filter="(&(objectClass=group)(member=uid={{uid}},dc=example,dc=com))"
If this option is empty, no additional lookup is done and a successful user lookup alone is enough to authorize the user.
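The two-step substitution described for auth_tls_ldap_search_filter and auth_tls_ldap_authorization_lookup_filter, as an added example that is not Driverless AI's implementation: the named groups of auth_tls_field_parse_regexp fill the {{name}} placeholders of the user lookup filter, and attributes of the entry that lookup returns fill the authorization filter. The regexp and filter strings are the ones from the page's examples; the certificate subject value and LDAP entry are constructed. Two choices are this example's own assumptions: the regexp must match the whole subject field (re.fullmatch), and every substituted value is escaped per RFC 4515 before it enters the filter, so a certificate subject that happens to contain parentheses or asterisks cannot alter the filter's structure.

```python
"""Added example (not Driverless AI code): filter templating for LDAP_LOOKUP."""
import re

# Values taken from the page's examples.
AUTH_TLS_FIELD_PARSE_REGEXP = r"\w+ (?P<id>\d+)"
AUTH_TLS_LDAP_SEARCH_FILTER = "(&(objectClass=person)(id={{id}}))"
AUTH_TLS_LDAP_AUTHORIZATION_LOOKUP_FILTER = (
    "(&(objectClass=group)(member=uid={{uid}},dc=example,dc=com))"
)

_PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def ldap_filter_escape(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
        for ch in value
    )


def render_filter(template: str, values: dict) -> str:
    """Replace each {{name}} with the escaped value; an unknown name is an error."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError("filter references unknown value %r" % name)
        return ldap_filter_escape(str(values[name]))
    return _PLACEHOLDER.sub(substitute, template)


def parse_subject_field(subject_field_value: str, regexp: str) -> dict:
    """Apply auth_tls_field_parse_regexp; assumed here to require a full match."""
    match = re.fullmatch(regexp, subject_field_value)
    if match is None:
        raise ValueError("subject field %r does not match the parse regexp"
                         % subject_field_value)
    return match.groupdict()


def user_lookup_filter(subject_field_value: str) -> str:
    """Filter for the first lookup, built from the certificate subject."""
    groups = parse_subject_field(subject_field_value, AUTH_TLS_FIELD_PARSE_REGEXP)
    return render_filter(AUTH_TLS_LDAP_SEARCH_FILTER, groups)


def authorization_filter(ldap_entry_attributes: dict) -> str:
    """Filter for the second lookup, built from the entry the first returned."""
    return render_filter(AUTH_TLS_LDAP_AUTHORIZATION_LOOKUP_FILTER, ldap_entry_attributes)


if __name__ == "__main__":
    # Constructed CN value and constructed attributes of the found entry.
    print(user_lookup_filter("employee 1234"))
    print(authorization_filter({"uid": "jdoe", "cn": "J. Doe"}))
```

A search that returns no entry for the second filter is the "authorization fails" case the page describes; the caller would check the result count, not the filter string.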
auth_tls_ldap_authorization_search_base
auth_tls_ldap_authorization_search_base (String)
Default value ''
Base DN where the authorization lookup starts. Used when 'auth_tls_ldap_authorization_lookup_filter' is set.
auth_jwt_token_source
auth_jwt_token_source (String)
Default value 'HEADER'
Sets up the way the token is picked from the request:
- COOKIE: Uses the content of the 'auth_jwt_cookie_name' cookie, parsed with 'auth_jwt_source_parse_regexp', to obtain the token.
- HEADER: Uses the value of the 'auth_jwt_header_name' header, parsed with 'auth_jwt_source_parse_regexp', to obtain the token.

auth_jwt_cookie_name
auth_jwt_cookie_name (String)
Default value ''
Specifies the name of the cookie that will be used to obtain the JWT.

auth_jwt_header_name
auth_jwt_header_name (String)
Default value ''
Specifies the name of the HTTP header that will be used to obtain the JWT.

auth_jwt_source_parse_regexp
auth_jwt_source_parse_regexp (String)
Default value '(?P<token>.*)'
Regular expression that will be used to parse the JWT source. The expression is in Python syntax and must contain a named group 'token' capturing the token value.

auth_jwt_username_claim_name
auth_jwt_username_claim_name (String)
Default value 'sub'
Which JWT claim will be used as the username for Driverless.

auth_jwt_verify
auth_jwt_verify (Boolean)
Default value True
Whether to verify the signature of the JWT.

auth_jwt_algorithm
auth_jwt_algorithm (String)
Default value 'HS256'
Signature algorithm that will be used to verify the signature, according to RFC 7518.

auth_jwt_secret
auth_jwt_secret (String)
Default value ''
Specifies the secret content for HMAC, or the public key for RSA and DSA signature algorithms.

auth_jwt_exp_leeway_seconds
auth_jwt_exp_leeway_seconds (Number)
Default value 0
Number of seconds after expiry during which a JWT can still be accepted.

auth_jwt_required_audience
auth_jwt_required_audience (List)
Default value []
List of accepted 'aud' claims for the JWTs. When empty, any audience is accepted.

auth_jwt_required_issuer
auth_jwt_required_issuer (String)
Default value ''
Value of the 'iss' claim that JWTs need to have in order to be accepted.
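The whole auth_jwt_* path end to end, as an added example that is not Driverless AI's code: the token is taken from a header value with auth_jwt_source_parse_regexp, the HS256 signature is checked with the configured secret, then exp (with auth_jwt_exp_leeway_seconds), iss and aud are compared with the configured values and the auth_jwt_username_claim_name claim is returned. Only HS256 is implemented, with the standard library's hmac and hashlib rather than a JWT library; the algorithm is pinned from configuration and never taken from the token header. The secret, header value and token are constructed for the example, and mint_hs256 exists only to produce that constructed token.

```python
"""Added example (not Driverless AI code): JWT extraction and HS256 verification."""
import base64
import hashlib
import hmac
import json
import re
import time


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def extract_token(source_value: str, parse_regexp: str) -> str:
    """Apply auth_jwt_source_parse_regexp; the 'token' named group is the JWT."""
    match = re.search(parse_regexp, source_value)
    if match is None or not match.group("token"):
        raise ValueError("no token in source value")
    return match.group("token")


def verify_jwt(token: str, secret: str, required_issuer: str = "",
               required_audience=(), exp_leeway_seconds: int = 0,
               username_claim: str = "sub", now: float = None) -> str:
    """Return the username claim of a valid HS256 JWT; raise ValueError otherwise.

    The expected algorithm comes from configuration (auth_jwt_algorithm), so a
    token whose header says "alg": "none" or names another algorithm is
    rejected before any signature work is done.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now > float(claims["exp"]) + exp_leeway_seconds:
        raise ValueError("token expired")
    if required_issuer and claims.get("iss") != required_issuer:
        raise ValueError("wrong issuer")
    if required_audience:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if not set(aud) & set(required_audience):
            raise ValueError("audience not accepted")
    if username_claim not in claims:
        raise ValueError("missing username claim %r" % username_claim)
    return claims[username_claim]


def mint_hs256(claims: dict, secret: str) -> str:
    """Constructed token for the example (what the issuing party would do)."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), (header_b64 + "." + payload_b64).encode(),
                   hashlib.sha256).digest()
    return header_b64 + "." + payload_b64 + "." + _b64url_encode(sig)


if __name__ == "__main__":
    secret = "constructed-shared-secret"
    token = mint_hs256({"sub": "alice", "iss": "https://issuer.example.test",
                        "aud": "driverless", "exp": int(time.time()) + 300}, secret)
    header_value = "Bearer " + token  # constructed Authorization header value
    jwt = extract_token(header_value, r"Bearer (?P<token>.*)")
    print(verify_jwt(jwt, secret, required_issuer="https://issuer.example.test",
                     required_audience=["driverless"], exp_leeway_seconds=30))
```

With auth_jwt_required_audience left empty any audience passes, which is why this example's test pins one; in a deployment the same settings decide whether a token issued for another application is accepted here.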
local_htpasswd_file
local_htpasswd_file (String)
Default value ''
Local password file.
Generating an htpasswd file: see the syntax below
htpasswd -B '<location_to_place_htpasswd_file>' '<username>'
Note: -B forces the use of bcrypt, a secure password hashing method.

authorization_service
authorization_service (String)
Default value 'local'
Authorization service name:
- local: Authorization is based on config.toml settings such as local_administrator_list

local_administrator_list
local_administrator_list (List)
Default value []
List of usernames with admin rights