PAM Authentication Example
The following sections describe how to enable Pluggable Authentication Modules (PAM) in Driverless AI. You can do this by specifying environment variables in the Docker image or by updating the config.toml file.
Note: This assumes that the user understands how to grant permissions in their own environment so that PAM works. Specifically for Driverless AI, be sure that the owner of the Driverless AI process can read /etc/shadow without root; otherwise authentication will fail.
Enabling PAM in Docker Images
Note: The following instructions are only applicable with a CentOS 7 host.
In this example, the host Linux system has PAM enabled for authentication and Docker running on that Linux system. The goal is to enable PAM for Driverless AI authentication while the Linux system hosts the user information.
Verify that the username (“eric” in this case) is defined in the Linux system.
    [root@Linux-Server]# cat /etc/shadow | grep eric
    eric:$6$inOv3GsQuRanR1H4$kYgys3oc2dQ3u9it02WTvAYqiGiQgQ/yqOiOs.g4F9DM1UJGpruUVoGl5G6OD3MrX/3uy4gWflYJnbJofaAni/::0:99999:7:::
Start Docker on the Linux Server and enable PAM in Driverless AI. Replace TAG below with the image tag.
    [root@Linux-Server]# docker run \
        --rm \
        --shm-size=256m \
        -u `id -u`:`id -g` \
        -p 12345:12345 \
        -v `pwd`/config:/config \
        -v `pwd`/data:/data \
        -v `pwd`/log:/log \
        -v `pwd`/license:/license \
        -v `pwd`/tmp:/tmp \
        -v /etc/passwd:/etc/passwd \
        -v /etc/shadow:/etc/shadow \
        -v /etc/pam.d/:/etc/pam.d/ \
        -e DRIVERLESS_AI_AUTHENTICATION_METHOD="pam" \
        h2oai/dai-centos7-x86_64:TAG
Obtain the Driverless AI container ID. This ID is required for the next step and will be different every time Driverless AI is started.
    [root@Linux-Server]# docker ps
    CONTAINER ID   IMAGE                    COMMAND      CREATED          STATUS          PORTS                                                                                      NAMES
    8e333475ffd8   opsh2oai/h2oai-runtime   "./run.sh"   36 seconds ago   Up 35 seconds   192.168.0.1:9090->9090/tcp, 192.168.0.1:12345->12345/tcp, 192.168.0.1:12348->12348/tcp   clever_swirles
From the Linux Server, verify that the Driverless AI Docker instance can see the shadow file. The example below references 8e333475ffd8, which is the container ID obtained in the previous step.
    [root@Linux-Server]# docker exec 8e333475ffd8 cat /etc/shadow | grep eric
    eric:$6$inOv3GsQuRanR1H4$kYgys3oc2dQ3u9it02WTvAYqiGiQgQ/yqOiOs.g4F9DM1UJGpruUVoGl5G6OD3MrX/3uy4gWflYJnbJofaAni/::0:99999:7:::
Open a Web browser and navigate to port 12345 on the Linux system that is running the Driverless AI Docker Image. Log in with credentials known to the Linux system. The login information will now be validated using PAM.
Enabling PAM in the config.toml File for Native Installs
In this example, the host Linux system has PAM enabled for authentication. The goal is to enable PAM for Driverless AI authentication while the Linux system hosts the user information.
This example shows how to edit the config.toml file to enable PAM. The config.toml file is available in the /etc/dai folder after the RPM or DEB is installed. Edit the authentication_method variable in this file to enable PAM authentication, and then restart Driverless AI.
Verify that the username (“eric” in this case) is defined in the Linux system.
    [root@Linux-Server]# cat /etc/shadow | grep eric
    eric:$6$inOv3GsQuRanR1H4$kYgys3oc2dQ3u9it02WTvAYqiGiQgQ/yqOiOs.g4F9DM1UJGpruUVoGl5G6OD3MrX/3uy4gWflYJnbJofaAni/::0:99999:7:::
Export the DRIVERLESS_AI_CONFIG_FILE variable so that it points to the Driverless AI config.toml file, or add the export to ~/.bashrc. For example:
    # DEB and RPM
    export DRIVERLESS_AI_CONFIG_FILE="/etc/dai/config.toml"

    # TAR SH
    export DRIVERLESS_AI_CONFIG_FILE="/path/to/your/unpacked/dai/directory/config.toml"
Edit the authentication_method variable in the config.toml file so that PAM is enabled.
    # authentication_method
    # unvalidated : Accepts user id and password, does not validate password
    # none : Does not ask for user id or password, authenticated as admin
    # pam : Accepts user id and password, Validates user with operating system
    # ldap : Accepts user id and password, Validates against an ldap server, look
    #        for additional settings under LDAP settings
    # local: Accepts a user id and password, Validated against a htpasswd file provided in local_htpasswd_file
    authentication_method = "pam"
Start Driverless AI. Note that the command used to start Driverless AI varies depending on your install type.
    # Linux RPM or DEB with systemd
    [root@Linux-Server]# sudo systemctl start dai

    # Linux RPM or DEB without systemd
    [root@Linux-Server]# sudo -H -u dai /opt/h2oai/dai/run-dai.sh

    # Linux TAR SH
    [root@Linux-Server]# ./run-dai.sh
Open a Web browser and navigate to port 12345 on the Linux system that is running Driverless AI. Log in with credentials known to the Linux system (as verified in the first step). The login information will now be validated using PAM.
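Both procedures above depend on the same three conditions: the account exists in /etc/shadow, it is not locked, and the Driverless AI process owner can read the file through its mode bits rather than through root. The following POSIX shell pre-flight script is an added example (not part of the Driverless AI product or its documentation) that checks those conditions before a start; the function names and the sample shadow file are constructed, and GNU coreutils (stat -c, id -G) is assumed.

```shell
#!/bin/sh
# Added example, not Driverless AI code. Checks the conditions the PAM setup above
# relies on. Assumes GNU coreutils; function names and sample data are constructed.
# shadow_has_user FILE USER: 0 if USER has an entry in shadow-format FILE. Anchored on
# the account field, unlike a bare "grep eric", which would also match "erica".
shadow_has_user() {
    grep -q "^$2:" "$1"
}
# shadow_account_usable FILE USER: 0 if the password field holds a hash. "!" or "*"
# (locked / no password) or an empty field means PAM cannot validate a password.
shadow_account_usable() {
    h=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    case "$h" in
        ""|"!"*|"*"*) return 1 ;;
        *)            return 0 ;;
    esac
}
# file_readable_by FILE USER: 0 if the mode bits grant USER (name or uid) read access as
# owner, group member or other. Root's override is ignored on purpose: the DAI process
# owner must be able to read /etc/shadow without root.
file_readable_by() {
    f="$1"; u="$2"
    out=$(stat -c '%u %g %a' "$f") || return 2
    set -- $out                                    # owner-uid gid mode
    case "$u" in *[!0-9]*) uid=$(id -u "$u") || return 2 ;; *) uid=$u ;; esac
    mode=$((0$3))                                  # octal string -> integer
    [ "$uid" = "$1" ] && [ $((mode & 256)) -ne 0 ] && return 0
    for g in $(id -G "$u" 2>/dev/null); do
        [ "$g" = "$2" ] && [ $((mode & 32)) -ne 0 ] && return 0
    done
    [ $((mode & 4)) -ne 0 ]
}
# preflight SHADOW USER DAI_OWNER: 0 only when a PAM login for USER can succeed.
preflight() {
    rc=0
    shadow_has_user "$1" "$2"       || { echo "no entry for $2 in $1"; rc=1; }
    shadow_account_usable "$1" "$2" || { echo "$2 is locked or has no hash"; rc=1; }
    file_readable_by "$1" "$3"      || { echo "$3 cannot read $1 without root"; rc=1; }
    return $rc
}
# Constructed sample in /etc/shadow format: the "eric" line is the one shown above,
# "erica" is a near-miss name and "svc" is a locked service account.
SAMPLE_SHADOW=$(mktemp); trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
eric:$6$inOv3GsQuRanR1H4$kYgys3oc2dQ3u9it02WTvAYqiGiQgQ/yqOiOs.g4F9DM1UJGpruUVoGl5G6OD3MrX/3uy4gWflYJnbJofaAni/::0:99999:7:::
erica:$6$c0nstructed$notarealhashjustforthisexample::0:99999:7:::
svc:!:19000:0:99999:7:::
EOF
chmod 640 "$SAMPLE_SHADOW"
preflight "$SAMPLE_SHADOW" eric "$(id -u)" && echo "PAM pre-flight OK for eric"
```

Run it against the real /etc/shadow and the dai account (for example `preflight /etc/shadow eric dai`) before starting the service; a non-zero exit names the condition that would make the PAM login fail.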