PAM Authentication Example¶
The following sections describe how to enable Pluggable Authentication Modules (PAM) in Driverless AI. You can do this by specifying environment variables in the Docker image or by updating the config.toml file.
Note: This assumes that the user has an understanding of how to grant permissions in their own environment in order for PAM to work. Specifically for Driverless AI, be sure that the Driverless AI processes owner has access to /etc/shadow (without root); otherwise authentication will fail.
Note: The following instructions are only applicable with a CentOS 7 host.
In this example, the host Linux system has PAM enabled for authentication and Docker running on that Linux system. The goal is to enable PAM for Driverless AI authentication while the Linux system hosts the user information.
Verify that the username (“eric” in this case) is defined in the Linux system.
[root@Linux-Server]# cat /etc/shadow | grep eric eric:$6$inOv3GsQuRanR1H4$kYgys3oc2dQ3u9it02WTvAYqiGiQgQ/yqOiOs.g4F9DM1UJGpruUVoGl5G6OD3MrX/3uy4gWflYJnbJofaAni/::0:99999:7:::
Start Docker on the Linux Server and enable PAM in Driverless AI.
[root@Linux-Server]# docker run \ --rm \ --shm-size=2g --cap-add=SYS_NICE --ulimit nofile=131071:131071 --ulimit nproc=16384:16384 \ -u `id -u`:`id -g` \ -p 12345:12345 \ -v `pwd`/config:/config \ -v `pwd`/data:/data \ -v `pwd`/log:/log \ -v `pwd`/license:/license \ -v `pwd`/tmp:/tmp \ -v /etc/passwd:/etc/passwd \ -v /etc/shadow:/etc/shadow \ -v /etc/pam.d/:/etc/pam.d/ \ -e DRIVERLESS_AI_AUTHENTICATION_METHOD="pam" \ h2oai/dai-ubi8-x86_64:1.11.1.1-cuda11.8.0.xx
Obtain the Driverless AI container ID. This ID is required for the next step and will be different every time Driverless AI is started.
[root@Linux-Server]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 8e333475ffd8 opsh2oai/h2oai-runtime "./run.sh" 36 seconds ago Up 35 seconds 192.168.0.1:9090->9090/tcp, 192.168.0.1:12345->12345/tcp, 192.168.0.1:12348->12348/tcp clever_swirles
From the Linux Server, verify that the Docker Driverless AI instance can see the shadow file. The example below references
8e333475ffd8
, which is the container ID obtained in the previous step.
[root@Linux-Server]# docker exec 8e333475ffd8 cat /etc/shadow|grep eric eric:$6$inOv3GsQuRanR1H4$kYgys3oc2dQ3u9it02WTvAYqiGiQgQ/yqOiOs.g4F9DM1UJGpruUVoGl5G6OD3MrX/3uy4gWflYJnbJofaAni/::0:99999:7:::
Open a Web browser and navigate to port 12345 on the Linux system that is running the Driverless AI Docker Image. Log in with credentials known to the Linux system. The login information will now be validated using PAM.
In this example, the host Linux system has PAM enabled for authentication. The goal is to enable PAM for Driverless AI authentication while the Linux system hosts the user information.
This example shows how to edit the config.toml file to enable PAM. The config.toml file is available in the etc/dai folder after the RPM or DEB is installed. Edit the authentication_method variable in this file to enable PAM authentication, and then restart Driverless AI.
Verify that the username (“eric” in this case) is defined in the Linux system.
[root@Linux-Server]# cat /etc/shadow | grep eric eric:$6$inOv3GsQuRanR1H4$kYgys3oc2dQ3u9it02WTvAYqiGiQgQ/yqOiOs.g4F9DM1UJGpruUVoGl5G6OD3MrX/3uy4gWflYJnbJofaAni/::0:99999:7:::
Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:
# DEB and RPM export DRIVERLESS_AI_CONFIG_FILE="/etc/dai/config.toml" # TAR SH export DRIVERLESS_AI_CONFIG_FILE="/path/to/your/unpacked/dai/directory/config.toml"
Edit the
authentication_method
variable in the config.toml file so that PAM is enabled.
# authentication_method # unvalidated : Accepts user id and password, does not validate password # none : Does not ask for user id or password, authenticated as admin # pam : Accepts user id and password, Validates user with operating system # ldap : Accepts user id and password, Validates against an ldap server, look # local: Accepts a user id and password, Validated against a htpasswd file provided in local_htpasswd_file # for additional settings under LDAP settings authentication_method = "pam"
Start Driverless AI. Note that the command used to start Driverless AI varies depending on your install type.
# Linux RPM or DEB with systemd [root@Linux-Server]# sudo systemctl start dai # Linux RPM or DEB without systemd [root@Linux-Server]# sudo -H -u dai /opt/h2oai/dai/run-dai.sh # Linux TAR SH [root@Linux-Server]# ./run-dai.sh
Open a Web browser and navigate to port 12345 on the Linux system that is running Driverless AI. Log in with credentials known to the Linux system (as verified in the first step). The login information will now be validated using PAM.