PAM Authentication Example

The following sections describe how to enable Pluggable Authentication Modules (PAM) in Driverless AI. You can do this by specifying environment variables in the Docker image or by updating the config.toml file.

Note: This assumes that the user has an understanding of how to grant permissions in their own environment in order for PAM to work. Specifically for Driverless AI, be sure that the Driverless AI processes owner has access to /etc/shadow (without root); otherwise authentication will fail.

Note: The following instructions are only applicable with a CentOS 7 host.

In this example, the host Linux system has PAM enabled for authentication and Docker running on that Linux system. The goal is to enable PAM for Driverless AI authentication while the Linux system hosts the user information.

  1. Verify that the username (“eric” in this case) is defined in the Linux system.

[root@Linux-Server]# cat /etc/shadow | grep eric
eric:$6$inOv3GsQuRanR1H4$kYgys3oc2dQ3u9it02WTvAYqiGiQgQ/yqOiOs.g4F9DM1UJGpruUVoGl5G6OD3MrX/3uy4gWflYJnbJofaAni/::0:99999:7:::
  1. Start Docker on the Linux Server and enable PAM in Driverless AI.

  [root@Linux-Server]# docker run \
   --rm \
   --shm-size=2g --cap-add=SYS_NICE --ulimit nofile=131071:131071 --ulimit nproc=16384:16384 \
   -u `id -u`:`id -g` \
   -p 12345:12345 \
   -v `pwd`/config:/config \
   -v `pwd`/data:/data \
   -v `pwd`/log:/log \
   -v `pwd`/license:/license \
   -v `pwd`/tmp:/tmp \
   -v /etc/passwd:/etc/passwd \
   -v /etc/shadow:/etc/shadow \
   -v /etc/pam.d/:/etc/pam.d/ \
   -e DRIVERLESS_AI_AUTHENTICATION_METHOD="pam" \
   h2oai/dai-ubi8-x86_64:1.11.1-cuda11.8.0.xx
  1. Obtain the Driverless AI container ID. This ID is required for the next step and will be different every time Driverless AI is started.

[root@Linux-Server]# docker ps
CONTAINER ID        IMAGE                    COMMAND             CREATED             STATUS              PORTS                                                                                    NAMES
8e333475ffd8        opsh2oai/h2oai-runtime   "./run.sh"          36 seconds ago      Up 35 seconds       192.168.0.1:9090->9090/tcp, 192.168.0.1:12345->12345/tcp, 192.168.0.1:12348->12348/tcp   clever_swirles
  1. From the Linux Server, verify that the Docker Driverless AI instance can see the shadow file. The example below references 8e333475ffd8, which is the container ID obtained in the previous step.

[root@Linux-Server]# docker exec 8e333475ffd8 cat /etc/shadow|grep eric
eric:$6$inOv3GsQuRanR1H4$kYgys3oc2dQ3u9it02WTvAYqiGiQgQ/yqOiOs.g4F9DM1UJGpruUVoGl5G6OD3MrX/3uy4gWflYJnbJofaAni/::0:99999:7:::
  1. Open a Web browser and navigate to port 12345 on the Linux system that is running the Driverless AI Docker Image. Log in with credentials known to the Linux system. The login information will now be validated using PAM.