OpenID Connect Authentication Examples

This section describes how to enable OpenID Connect authentication in Driverless AI. Two examples are provided. The first shows how to enable OpenID Connect authentication and log in to the Driverless AI UI. The second shows the additional token-based authentication settings that let you run the Driverless AI Python client. (Note that the Driverless AI R client does not currently support token-based authentication.) This section assumes you are already familiar with OpenID Connect.

The OpenID Connect Protocol

In the abstract, OpenID Connect authentication follows these steps:

  1. The client (Relying Party, RP) sends a request to the OpenID Provider (OP).

  2. The OP authenticates the End-User and obtains authorization.

  3. The OP responds with an ID Token (and usually an Access Token).

  4. The RP can send a request with the Access Token to the UserInfo endpoint.

  5. The UserInfo endpoint returns Claims about the End-User.

See the OpenID Connect Basic Client Implementer's Guide for more information: https://openid.net/specs/openid-connect-basic-1_0.html

Understanding the Well-Known Endpoint

To begin configuring Driverless AI for OpenID-based authentication, the end user must retrieve the OpenID Connect metadata for their authorization server by requesting it from the well-known endpoint. This metadata is then used to configure all further interaction with the provider.

The well-known endpoint is typically located at:

https://yourOpenIDProviderHostname/.well-known/openid-configuration
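As an added example (not part of the Driverless AI documentation or product), the following Python script shows how a discovery document maps onto the config.toml keys listed later in this section. It works on a constructed /.well-known/openid-configuration response modelled on a Keycloak realm (the hostname and realm path are placeholders), derives the provider base URI and the relative endpoint paths Driverless AI expects, and refuses a document that would point the server at another origin, use plain HTTP, or lack the requested response_type, grant_type or scopes.

```python
"""Map an OpenID Connect discovery document onto Driverless AI's auth_openid_* keys.

Added example, not Driverless AI code. SAMPLE_DISCOVERY is a CONSTRUCTED
/.well-known/openid-configuration response modelled on a Keycloak realm; the
hostname and realm path are placeholders. In practice fetch the document from
https://<provider>/.well-known/openid-configuration over TLS.
"""
import json
from urllib.parse import urlsplit

_OP = "https://yourOpenIDProviderHostname/auth/realms/master"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": _OP,
    "authorization_endpoint": _OP + "/protocol/openid-connect/auth",
    "token_endpoint": _OP + "/protocol/openid-connect/token",
    "userinfo_endpoint": _OP + "/protocol/openid-connect/userinfo",
    "end_session_endpoint": _OP + "/protocol/openid-connect/logout",
    "introspection_endpoint": _OP + "/protocol/openid-connect/token/introspect",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email", "roles"],
})

# Discovery field -> config.toml key that takes that endpoint's *path* (must start with "/").
PATH_KEYS = {
    "authorization_endpoint": "auth_openid_auth_uri",
    "token_endpoint": "auth_openid_token_uri",
    "userinfo_endpoint": "auth_openid_userinfo_uri",
    "end_session_endpoint": "auth_openid_logout_uri",
}


def derive_openid_config(discovery_json, response_type="code",
                         grant_type="authorization_code", scope="openid"):
    """Return a dict of config.toml keys derived from a discovery document.

    Raises ValueError when the document cannot be used safely: a non-HTTPS
    issuer, an endpoint hosted on a different origin than the issuer (the
    relative-path config would then hit the wrong server), or a requested
    response_type / grant_type / scope the provider does not advertise.
    """
    doc = json.loads(discovery_json)
    issuer = urlsplit(doc["issuer"])
    if issuer.scheme != "https":
        raise ValueError("issuer must be served over https")
    base_uri = f"{issuer.scheme}://{issuer.netloc}"  # no trailing "/"

    cfg = {"auth_openid_provider_base_uri": base_uri}
    for field, key in PATH_KEYS.items():
        parts = urlsplit(doc[field])
        if (parts.scheme, parts.netloc) != (issuer.scheme, issuer.netloc):
            raise ValueError(f"{field} is not on the issuer origin: {doc[field]}")
        cfg[key] = parts.path  # always starts with "/"

    # Only accept values the well-known response says the provider supports.
    if response_type not in doc.get("response_types_supported", []):
        raise ValueError(f"response_type {response_type!r} not supported by provider")
    # Per OpenID Connect Discovery 1.0 the default when omitted is authorization_code + implicit.
    if grant_type not in doc.get("grant_types_supported", ["authorization_code", "implicit"]):
        raise ValueError(f"grant_type {grant_type!r} not supported by provider")
    requested = scope.split()
    if "openid" not in requested:
        raise ValueError("scope must include 'openid'")
    if "scopes_supported" in doc:
        unsupported = sorted(set(requested) - set(doc["scopes_supported"]))
        if unsupported:
            raise ValueError(f"scopes not advertised by provider: {unsupported}")
    cfg["auth_openid_response_type"] = response_type
    cfg["auth_openid_grant_type"] = grant_type
    cfg["auth_openid_scope"] = scope

    # Introspection is configured as an absolute URL (used by the token-based settings).
    if "introspection_endpoint" in doc:
        cfg["auth_openid_token_introspection_url"] = doc["introspection_endpoint"]
    return cfg


def to_toml(cfg):
    """Render the derived keys as config.toml lines."""
    return "\n".join(f'{k}="{v}"' for k, v in cfg.items())


if __name__ == "__main__":
    print(to_toml(derive_openid_config(SAMPLE_DISCOVERY, scope="openid profile")))
```

The origin check matters because Driverless AI joins auth_openid_provider_base_uri with the relative auth_openid_*_uri paths; an endpoint that the discovery document places on another host would silently be rewritten to the wrong server.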

Configuration Options

OpenID Configuration Options

The following options in the config.toml file are used to enable OpenID-based authentication. Setting these options lets you log in to the Driverless AI UI with OpenID.

# The OpenID server URL. (Ex: https://oidp.ourdomain.com) Do not end with a "/"
auth_openid_provider_base_uri= "https://yourOpenIDProviderHostname"

# The uri to pull OpenID config data from. (You can extract most of required OpenID config from this URL.)
# Usually located at: /auth/realms/master/.well-known/openid-configuration

# Quote method from urllib.parse used to encode payload dict in Authentication Request
auth_openid_urlencode_quote_via="quote"

# These endpoints are made available by the well-known endpoint of the OpenID provider
# All endpoints should start with a "/"
auth_openid_auth_uri=""
auth_openid_token_uri=""
auth_openid_userinfo_uri=""
auth_openid_logout_uri=""

# In most cases, these values are usually 'code' and 'authorization_code' (as shown below)
# Supported values for response_type and grant_type are listed in the response of well-known endpoint
auth_openid_response_type="code"
auth_openid_grant_type="authorization_code"

# Scope values—supported values are available in the response from the well-known endpoint
# 'openid' is required
# Additional scopes may be necessary if the response to the userinfo request
# does not include enough information to use for authentication
# Separate additional scopes with a blank space.
# See https://openid.net/specs/openid-connect-basic-1_0.html#Scopes for more info
auth_openid_scope="openid"

# The OpenID client details that are available from the provider
# A new client for Driverless AI in your OpenID provider must be created if one does not already exist
auth_openid_client_id=""
auth_openid_client_secret=""

# Sample redirect value: http[s]://driverlessai-server-address:port/openid/callback
# Ensure that the client configuration in the OpenID provider (see previous step) includes
# this exact URL as one of the possible redirect URLs for the client
# If these do not match, the OpenID connection will fail
auth_openid_redirect_uri=""

# Token endpoint response key configs
auth_openid_access_token_expiry_key="expires_in"
auth_openid_refresh_token_expiry_key="refresh_expires_in"

# UserInfo response key configs for all users who log in to Driverless AI
# The userinfo_auth_key and userinfo_auth_value are
# a key value combination in the userinfo response that remain static for everyone
# If this key value pair does not exist in the user_info response,
# then the Authentication is considered failed
auth_openid_userinfo_auth_key=""
auth_openid_userinfo_auth_value=""

# Key that specifies username in user_info json (we will use value of this key as username in Driverless AI)
auth_openid_userinfo_username_key=""

# Enable advanced matching for OpenID authentication
# When enabled, the ObjectPath expression is used to evaluate the user's identity
# Disabled by default
# For more information, refer to http://objectpath.org/
auth_openid_use_objectpath_match=false

# Set the ObjectPath expression
# Used to evaluate whether a user is allowed to login to Driverless AI
# The user is allowed to log in when the expression evaluates to True
# Examples:
# $.our_claim is "our_value" (simple claim equality)
# "expected_role" in @.roles (list of claims contains required value)
auth_openid_use_objectpath_expression=""
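The checks behind the auth_openid_userinfo_* and ObjectPath options above can be read as one small decision function. The following Python is an added example, not Driverless AI code: it reproduces the static key/value gate, the username extraction, and the two example match expressions from the comments as plain Python predicates (the objectpath package is not assumed to be installed), and runs them over constructed UserInfo responses.

```python
"""Decide whether a UserInfo response may log in, mirroring the
auth_openid_userinfo_* options and the advanced (ObjectPath) match.

Added example, not Driverless AI code. The UserInfo documents are
CONSTRUCTED. The ObjectPath expressions quoted in the config comments,
  $.our_claim is "our_value"       and   "expected_role" in @.roles
are written as equivalent Python predicates so the example runs offline.
"""

# Constructed UserInfo responses, shaped like what an OP's userinfo endpoint returns.
ALLOWED_USER = {
    "sub": "3f1c9a", "preferred_username": "alice", "email": "alice@example.com",
    "our_claim": "our_value", "roles": ["dai_user", "expected_role"],
}
WRONG_TENANT = {
    "sub": "7b22d0", "preferred_username": "mallory", "our_claim": "other_value",
    "roles": ["expected_role"],
}
NO_USERNAME = {"sub": "9e01ff", "our_claim": "our_value", "roles": ["expected_role"]}


class AuthenticationFailed(Exception):
    """Raised when the UserInfo response does not satisfy the login rules."""


def claim_equals(key, value):
    """Equivalent of ObjectPath `$.<key> is "<value>"` (simple claim equality)."""
    return lambda info: info.get(key) == value


def claim_list_contains(key, required):
    """Equivalent of ObjectPath `"<required>" in @.<key>` (list claim contains value)."""
    return lambda info: isinstance(info.get(key), list) and required in info[key]


def authorize_userinfo(info, username_key, auth_key="", auth_value="", match=None):
    """Return the Driverless AI username for an accepted UserInfo response.

    - If auth_key is set (auth_openid_userinfo_auth_key), the response must
      carry auth_key == auth_value; this is the static pair shared by every
      permitted user, and its absence is an authentication failure.
    - If match is given (the auth_openid_use_objectpath_expression analogue),
      it must evaluate to True.
    - username_key (auth_openid_userinfo_username_key) must be a non-empty
      string; an identity without a usable name is rejected rather than
      mapped to "" or None, which could collide across users.
    """
    if auth_key and info.get(auth_key) != auth_value:
        raise AuthenticationFailed(f"{auth_key} missing or not {auth_value!r}")
    if match is not None and not match(info):
        raise AuthenticationFailed("advanced match expression evaluated to False")
    username = info.get(username_key)
    if not isinstance(username, str) or not username:
        raise AuthenticationFailed(f"no usable {username_key!r} in UserInfo response")
    return username


if __name__ == "__main__":
    rule = claim_list_contains("roles", "expected_role")
    print(authorize_userinfo(ALLOWED_USER, "preferred_username",
                             "our_claim", "our_value", rule))
```

Note that the key/value gate and the match expression are authorization decisions layered on top of authentication by the OP: a user the provider vouches for is still refused when the expected claim is absent.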

Token-Based Authentication Configuration Options

The following additional options in the config.toml file are used to enable token-based authentication. Token-based authentication lets clients authenticate with the Driverless AI server by supplying a token with each request. It is intended primarily, but not exclusively, for environments that use OpenID Connect authentication. If these options are not set, clients will not be able to authenticate with the server when OpenID Connect is configured as the authentication method.

# Sets the token introspection URL for OpenID Connect authentication (needs to be an absolute URL).
auth_openid_token_introspection_url = ""

# Enables option to use Bearer token for authentication with the RPC endpoint.
api_token_introspection_enabled = false

# Sets the method that is used to introspect the bearer token.
# OAUTH2_TOKEN_INTROSPECTION: Uses the OAuth 2.0 Token Introspection (RFC 7662)
# endpoint to introspect the bearer token.
# This is useful when 'openid' is used as the authentication method.
# Uses 'auth_openid_client_id' and 'auth_openid_client_secret' to
# authenticate with the authorization server and
# 'auth_openid_token_introspection_url' to perform the introspection.
#
api_token_introspection_method = "OAUTH2_TOKEN_INTROSPECTION"

# Sets the minimum set of scopes that the access token needs to have
# in order to pass the introspection. Space separated.
# This is passed to the introspection endpoint and also verified after the response
# for servers that don't enforce scopes.
# Leaving this empty turns the scope verification off.
#
api_token_oauth2_scopes = ""

# Which field of the response returned by the token introspection endpoint should be used as a username.
api_token_oauth2_username_field_name = "username"

# Enables the option to initiate a PKCE flow from the UI in order to obtain tokens usable with Driverless clients
oauth2_client_tokens_enabled = false

# Sets up client id that will be used in the OAuth 2.0 Authorization Code Flow to obtain the tokens. Client needs to be public and be able to use PKCE with S256 code challenge.
oauth2_client_tokens_client_id = ""

# Sets up the absolute url to the authorize endpoint.
oauth2_client_tokens_authorize_url = ""

# Sets up the absolute url to the token endpoint.
oauth2_client_tokens_token_url = ""

# Sets up the absolute URL of the token introspection endpoint. It is displayed in the UI so that clients can inspect the token expiration.
oauth2_client_tokens_introspection_url = ""

# Sets up the absolute redirect URL where Driverless AI handles the redirect part of the Authorization Code Flow. This is <Driverless base url>/oauth2/client_token
oauth2_client_tokens_redirect_url = ""

# Sets up the scope for the requested tokens. Space separated list.
oauth2_client_tokens_scope = "openid profile ai.h2o.storage"
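Two pieces of the token-based settings above are worth seeing in code: what the server must check after calling the RFC 7662 introspection endpoint (active flag, expiry, the api_token_oauth2_scopes minimum, and the api_token_oauth2_username_field_name lookup), and the PKCE S256 values a public client needs for the Authorization Code Flow that oauth2_client_tokens_* enables. The following Python is an added example, not Driverless AI or H2O code; the introspection response is constructed and no network calls are made.

```python
"""Token-based authentication pieces: server-side verification of an RFC 7662
introspection response, and PKCE S256 (RFC 7636) for a public client.

Added example, not Driverless AI code. ACTIVE_RESPONSE is a CONSTRUCTED
introspection response; the client id, secret and URLs in the usage are
placeholders.
"""
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Constructed RFC 7662 response for a token that should be accepted.
ACTIVE_RESPONSE = {
    "active": True, "scope": "openid profile ai.h2o.storage",
    "client_id": "driverlessai-client", "username": "alice",
    "exp": int(time.time()) + 300, "token_type": "Bearer",
}


def build_introspection_request(introspection_url, client_id, client_secret, token):
    """Return (url, headers, body) for an RFC 7662 introspection call.

    The RP authenticates to the authorization server with HTTP Basic auth
    (auth_openid_client_id / auth_openid_client_secret). The bearer token
    under inspection is sent in the form body, never in the URL, so it does
    not end up in access logs.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return introspection_url, headers, body


def verify_introspection(resp, required_scopes, username_field="username", now=None):
    """Return the username if the introspected token passes, else None.

    required_scopes is the space-separated api_token_oauth2_scopes value; an
    empty string disables the scope check, matching the config comment.
    Scopes are re-checked locally because some servers report active=true
    regardless of scope, and exp is checked because a cached or clock-skewed
    response may still say active for an expired token.
    """
    now = time.time() if now is None else now
    if resp.get("active") is not True:
        return None
    if "exp" in resp and resp["exp"] <= now:
        return None
    needed = set(required_scopes.split())
    granted = set(resp.get("scope", "").split())
    if needed and not needed <= granted:
        return None
    username = resp.get(username_field)
    return username if isinstance(username, str) and username else None


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for PKCE with the S256 method.

    code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    A fresh high-entropy verifier (43-128 unreserved chars) is generated when
    none is supplied; the client keeps it secret until the token request.
    """
    if verifier is None:
        verifier = secrets.token_urlsafe(64)[:128]
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def pkce_challenge_matches(verifier, challenge):
    """The token endpoint's check: S256(code_verifier) equals the stored challenge."""
    return secrets.compare_digest(make_pkce_pair(verifier)[1], challenge)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("code_challenge:", challenge, "matches:", pkce_challenge_matches(verifier, challenge))
    print("introspected user:", verify_introspection(ACTIVE_RESPONSE, "openid profile"))
```

The PKCE test vector in the assertions is the one from RFC 7636 Appendix B; any S256 implementation must reproduce it exactly.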

Example 1: Enabling OpenID Connect

This example shows how to start Driverless AI in a Docker image or via a native install once OpenID has been configured. Note that tokens are not enabled in this example, so the Driverless AI Python client will not work with this installation.

  1. Edit the OpenID configuration options in the config.toml file as described in the Configuration Options section.

  2. Mount the edited config.toml file into the Docker container.

  nvidia-docker run \
    --net=openid-network \
    --name="dai-with-openid" \
    --pid=host \
    --init \
    --rm \
    --shm-size=256m \
    -u `id -u`:`id -g` \
    -p 12345:12345 \
    -v "`pwd`/DAI_DATA/data":/data \
    -v "`pwd`/DAI_DATA/log":/log \
    -v "`pwd`/DAI_DATA/license":/license \
    -v "`pwd`/DAI_DATA/tmp":/tmp \
    -v "`pwd`/DAI_DATA/config":/config \
    -e DRIVERLESS_AI_CONFIG_FILE="/config/config.toml" \
    h2oai/dai-centos7-x86_64:1.10.1-cuda11.2.2.xx

Next, start Driverless AI and log in. See Logging in to Driverless AI.

Example 2: Enabling Token-Based Authentication with OpenID Connect

Like Example 1, this example shows how to start Driverless AI in a Docker image or via a native install once OpenID has been configured. In addition, tokens are enabled so that the installation works with the Driverless AI Python client.

  1. Edit the OpenID configuration options in the config.toml file as described in the Configuration Options section. Also make sure the token-based authentication options are enabled as described in the Token-Based Authentication Configuration Options section.

  2. Mount the edited config.toml file into the Docker container.

  nvidia-docker run \
    --net=openid-network \
    --name="dai-with-openid" \
    --pid=host \
    --init \
    --rm \
    --shm-size=256m \
    -u `id -u`:`id -g` \
    -p 12345:12345 \
    -v "`pwd`/DAI_DATA/data":/data \
    -v "`pwd`/DAI_DATA/log":/log \
    -v "`pwd`/DAI_DATA/license":/license \
    -v "`pwd`/DAI_DATA/tmp":/tmp \
    -v "`pwd`/DAI_DATA/config":/config \
    -e DRIVERLESS_AI_CONFIG_FILE="/config/config.toml" \
    h2oai/dai-centos7-x86_64:1.10.1-cuda11.2.2.xx

Next, start Driverless AI and log in. See Logging in to Driverless AI.

Logging in to Driverless AI

Open a browser and launch Driverless AI. Note that you will be prompted to log in with OpenID.

_images/auth_openid_launchdai.png