Auth configuration
authentication_method
authentication_method (String)
Default value 'unvalidated'
Supported values:
- unvalidated: Accepts user id and password. Does not validate the password.
- none: Does not ask for user id or password. Authenticated as admin.
- openid: Uses an OpenID Connect provider for authentication. See the additional OpenID settings below.
- oidc: Renewed OpenID Connect authentication using the authorization code flow. See the additional OpenID settings below.
- pam: Accepts user id and password. Validates the user with the operating system.
- ldap: Accepts user id and password. Validates against an LDAP server. Look for additional settings under LDAP settings.
- local: Accepts a user id and password. Validated against an htpasswd file provided in local_htpasswd_file.
- ibm_spectrum_conductor: Authenticate with the IBM conductor auth API.
- tls_certificate: Authenticate with Driverless by providing a TLS certificate.
- jwt: Authenticate by a JWT obtained from the request metadata.
additional_authentication_methods
additional_authentication_methods (List)
Default value []
Additional authentication methods that will be enabled for the clients. Login forms for each method will be available on the ``/login/<authentication_method>`` path. Comma separated list.
authentication_default_timeout_hours
authentication_default_timeout_hours (Float)
Default value 72.0
The default amount of time in hours before a user is signed out and must log in again. This setting is used when a default timeout value is not provided by authentication_method.
authentication_gui_polling_prolongs_session
authentication_gui_polling_prolongs_session (Boolean)
Default value False
When enabled, the user’s session is automatically prolonged, even when they are not interacting directly with the application.
auth_openid_provider_base_uri
auth_openid_provider_base_uri (String)
Default value ''
- OpenID Connect Settings:
Refer to the OpenID Connect Basic Client Implementation Guide for details on how the OpenID authentication flow works: https://openid.net/specs/openid-connect-basic-1_0.html
Base server URI of the OpenID Provider server (ex: https://oidp.ourdomain.com)
auth_openid_configuration_uri
auth_openid_configuration_uri (String)
Default value ''
- URI to pull OpenID config data from (you can extract most of the required OpenID config from this URL). Usually located at: /auth/realms/master/.well-known/openid-configuration
auth_openid_auth_uri
auth_openid_auth_uri (String)
Default value ''
URI to start authentication flow
auth_openid_token_uri
auth_openid_token_uri (String)
Default value ''
URI to make request for token after callback from OpenID server was received
auth_openid_userinfo_uri
auth_openid_userinfo_uri (String)
Default value ''
URI to get user information once access_token has been acquired (ex: list of groups user belongs to will be provided here)
auth_openid_logout_uri
auth_openid_logout_uri (String)
Default value ''
URI to logout user
auth_openid_redirect_uri
auth_openid_redirect_uri (String)
Default value ''
- Callback URI that the OpenID provider will use to send the ‘authentication_code’.
This is the OpenID callback endpoint in Driverless AI. Most OpenID providers need this to be HTTPS. (ex. https://driverless.ourdomain.com/openid/callback)
auth_openid_grant_type
auth_openid_grant_type (String)
Default value ''
OAuth2 grant type (usually authorization_code for OpenID, can be access_token also)
auth_openid_response_type
auth_openid_response_type (String)
Default value ''
OAuth2 response type (usually code)
auth_openid_client_id
auth_openid_client_id (String)
Default value ''
Client ID registered with OpenID provider
auth_openid_client_secret
auth_openid_client_secret (String)
Default value ''
Client secret provided by OpenID provider when registering Client ID
auth_openid_scope
auth_openid_scope (String)
Default value ''
- Scope of info (usually openid). Can be a list of more than one, space delimited; possible values are listed at https://openid.net/specs/openid-connect-basic-1_0.html#Scopes
auth_openid_userinfo_auth_key
auth_openid_userinfo_auth_key (String)
Default value ''
Which key in the user_info JSON is checked to authorize the user.
auth_openid_userinfo_auth_value
auth_openid_userinfo_auth_value (String)
Default value ''
Which value the key must have in the user_info JSON in order to authorize the user.
auth_openid_userinfo_username_key
auth_openid_userinfo_username_key (String)
Default value ''
Key that specifies the username in the user_info JSON (the value of this key is used as the username in Driverless AI).
auth_openid_urlencode_quote_via
auth_openid_urlencode_quote_via (String)
Default value 'quote'
Quote method from urllib.parse used to encode payload dict in Authentication Request
auth_openid_access_token_expiry_key
auth_openid_access_token_expiry_key (String)
Default value 'expires_in'
Key in Token Response JSON that holds the value for access token expiry
auth_openid_refresh_token_expiry_key
auth_openid_refresh_token_expiry_key (String)
Default value 'refresh_expires_in'
Key in Token Response JSON that holds the value for refresh token expiry
auth_openid_token_expiration_secs
auth_openid_token_expiration_secs (Number)
Default value 3600
Expiration time in seconds for access token
auth_openid_use_objectpath_match
auth_openid_use_objectpath_match (Boolean)
Default value False
Enables advanced matching for OpenID Connect authentication.
When enabled, an ObjectPath (<http://objectpath.org/>) expression is used to evaluate the user identity.
auth_openid_use_objectpath_expression
auth_openid_use_objectpath_expression (String)
Default value ''
- ObjectPath (<http://objectpath.org/>) expression that will be used to evaluate whether the user is allowed to log in to Driverless. Any expression that evaluates to True means the user is allowed to log in.
Examples:
- Simple claim equality: $.our_claim is "our_value"
- List of claims contains required value: "expected_role" in @.roles
auth_openid_token_introspection_url
auth_openid_token_introspection_url (String)
Default value ''
Sets the token introspection URL for OpenID Connect authentication (needs to be an absolute URL). Needs to be set when API token introspection is enabled. When set, it is also used to get the token TTL if the IDP does not provide the expires_in field in the token endpoint response.
auth_openid_end_session_endpoint_url
auth_openid_end_session_endpoint_url (String)
Default value ''
When set, the URL to which the user is redirected after being logged out (needs to be an absolute URL).
auth_openid_default_scopes
auth_openid_default_scopes (String)
Default value ''
If set, server will use these scopes when it asks for the token on the login. (space separated list)
auth_oidc_identity_source
auth_oidc_identity_source (String)
Default value 'userinfo'
Specifies the source from which the user identity and username are retrieved.
- Currently supported sources are:
- user_info: Retrieves the username from the UserInfo endpoint response
- id_token: Retrieves the username from the ID Token using the auth_openid_id_token_username_key claim
auth_oidc_username_claim
auth_oidc_username_claim (String)
Default value ''
Claim of preferred username in a message holding the user identity, which will be used as a username in application. The user identity source is specified by auth_oidc_identity_source, and can be e.g. UserInfo endpoint response or ID Token
auth_oidc_issuer_url
auth_oidc_issuer_url (String)
Default value ''
OpenID-Connect Issuer URL, which is used for automatic provider info discovery. E.g. https://login.microsoftonline.com/<client-id>/v2.0
auth_oidc_token_endpoint_url
auth_oidc_token_endpoint_url (String)
Default value ''
OpenID-Connect Token endpoint URL. Setting this is optional and if it’s empty, it’ll be automatically set by provider info discovery.
auth_oidc_introspection_endpoint_url
auth_oidc_introspection_endpoint_url (String)
Default value ''
OpenID-Connect Token introspection endpoint URL. Setting this is optional and if it’s empty, it’ll be automatically set by provider info discovery.
auth_oidc_post_logout_url
auth_oidc_post_logout_url (String)
Default value ''
Absolute URL to which user is redirected, after they log out from the application, in case OIDC authentication is used. Usually this is absolute URL of DriverlessAI Login page e.g. https://1.2.3.4:12345/login
auth_oidc_authorization_query_params
auth_oidc_authorization_query_params (Dict)
Default value {}
Key-value mapping of extra HTTP query parameters in an OIDC authorization request.
auth_oidc_skip_cert_verification
auth_oidc_skip_cert_verification (Boolean)
Default value False
When set to True, will skip cert verification.
auth_oidc_ca_cert_location
auth_oidc_ca_cert_location (String)
Default value ''
When set, this value is used as the location of the CA cert; it takes precedence over auth_oidc_skip_cert_verification.
api_token_introspection_enabled
api_token_introspection_enabled (Boolean)
Default value False
Enables option to use Bearer token for authentication with the RPC endpoint.
api_token_introspection_method
api_token_introspection_method (String)
Default value 'OAUTH2_TOKEN_INTROSPECTION'
Sets the method that is used to introspect the bearer token.
- OAUTH2_TOKEN_INTROSPECTION: Uses the OAuth 2.0 Token Introspection (RFC 7662) endpoint to introspect the bearer token. This is useful when ‘openid’ is used as the authentication method. Uses ‘auth_openid_client_id’ and ‘auth_openid_client_secret’ to authenticate with the authorization server and auth_openid_token_introspection_url to perform the introspection.
api_token_oauth2_scopes
api_token_oauth2_scopes (String)
Default value ''
- Sets the minimum set of scopes that the access token needs to have in order to pass the introspection. Space separated. This is passed to the introspection endpoint and also verified after the response for servers that don’t enforce scopes. Keeping this empty turns the verification off.
api_token_oauth2_username_field_name
api_token_oauth2_username_field_name (String)
Default value 'username'
Which field of the response returned by the token introspection endpoint should be used as a username.
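Added example (not part of this page or Driverless AI's own code) of the introspection exchange the api_token_* settings above describe: the request to auth_openid_token_introspection_url, authenticated with the OpenID client credentials, and the checks applied to the response (active flag, expiry, minimum scopes, username field). All endpoint, client and scope values are constructed.

```python
import base64
import time
from urllib.parse import urlencode

# Added illustration of the RFC 7662 introspection exchange the settings above
# describe; not Driverless AI's own code. Option values are constructed.
CFG = {
    "auth_openid_client_id": "driverless-client",
    "auth_openid_client_secret": "constructed-demo-secret",
    "auth_openid_token_introspection_url": "https://idp.example.invalid/introspect",
    "api_token_oauth2_scopes": "openid driverless.read",
    "api_token_oauth2_username_field_name": "username",
}

def build_introspection_request(bearer_token: str, cfg: dict = CFG) -> dict:
    """Request to the introspection endpoint, authenticated as the client with
    HTTP Basic (client_id:client_secret). The required scopes are sent along,
    as the page describes, for servers that enforce them on their side."""
    creds = f"{cfg['auth_openid_client_id']}:{cfg['auth_openid_client_secret']}"
    body = {"token": bearer_token, "token_type_hint": "access_token"}
    if cfg["api_token_oauth2_scopes"]:
        body["scope"] = cfg["api_token_oauth2_scopes"]
    return {
        "url": cfg["auth_openid_token_introspection_url"],
        "headers": {
            "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(body),
    }

def username_from_introspection(response: dict, cfg: dict = CFG, now=None):
    """Apply the checks described above to an introspection response and return
    the username, or None when the token must be rejected."""
    now = time.time() if now is None else now
    # RFC 7662: when active is false, no other member of the response is trustworthy.
    if response.get("active") is not True:
        return None
    if "exp" in response and now >= response["exp"]:
        return None
    # Empty api_token_oauth2_scopes disables the scope check entirely.
    required = set(cfg["api_token_oauth2_scopes"].split())
    granted = set(response.get("scope", "").split())
    if required and not required <= granted:
        return None
    return response.get(cfg["api_token_oauth2_username_field_name"]) or None

if __name__ == "__main__":
    # Constructed sample response, shaped like an RFC 7662 reply.
    sample = {"active": True, "scope": "openid driverless.read profile",
              "username": "alice", "exp": 2_000_000_000}
    print(build_introspection_request("constructed.opaque.token")["body"])
    print(username_from_introspection(sample, now=1_900_000_000))  # alice
```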
oauth2_client_tokens_client_id
oauth2_client_tokens_client_id (String)
Default value ''
Sets up client id that will be used in the OAuth 2.0 Authorization Code Flow to obtain the tokens. Client needs to be public and be able to use PKCE with S256 code challenge.
oauth2_client_tokens_authorize_url
oauth2_client_tokens_authorize_url (String)
Default value ''
Sets up the absolute url to the authorize endpoint.
oauth2_client_tokens_token_url
oauth2_client_tokens_token_url (String)
Default value ''
Sets up the absolute url to the token endpoint.
oauth2_client_tokens_introspection_url
oauth2_client_tokens_introspection_url (String)
Default value ''
Sets up the absolute URL of the token introspection endpoint. It’s displayed in the UI so that clients can inspect the token expiration.
oauth2_client_tokens_redirect_url
oauth2_client_tokens_redirect_url (String)
Default value ''
Sets up the absolute redirect URL where Driverless handles the redirect part of the Authorization Code Flow. This is <Driverless base url>/oauth2/client_token
oauth2_client_tokens_scope
oauth2_client_tokens_scope (String)
Default value 'openid profile ai.h2o.storage'
Sets up the scope for the requested tokens. Space separated list.
ldap_server
ldap_server (String)
Default value ''
LDAP server domain or IP
ldap_port
ldap_port (String)
Default value ''
LDAP server port
ldap_bind_dn
ldap_bind_dn (String)
Default value ''
Complete DN of the LDAP bind user
ldap_bind_password
ldap_bind_password (String)
Default value ''
Password for the LDAP bind
ldap_tls_file
ldap_tls_file (String)
Default value ''
Location of the certificate file
ldap_use_ssl
ldap_use_ssl (Boolean)
Default value False
Set to true to use SSL, false otherwise
ldap_search_base
ldap_search_base (String)
Default value ''
The location in the DIT where the search will start
ldap_search_filter
ldap_search_filter (String)
Default value ''
A string that describes what you are searching for. You can use Python substitution to have this constructed dynamically (only {{DAI_USERNAME}} is supported).
ldap_search_attributes
ldap_search_attributes (String)
Default value ''
LDAP attributes to return from the search
ldap_user_name_attribute
ldap_user_name_attribute (String)
Default value ''
Specifies the attribute used to find the user name
ldap_recipe
ldap_recipe (String)
Default value '0'
When using this recipe, needs to be set to “1”
ldap_user_prefix
ldap_user_prefix (String)
Default value ''
Deprecated, do not use
ldap_search_user_id
ldap_search_user_id (String)
Default value ''
Deprecated, Use ldap_bind_dn
ldap_search_password
ldap_search_password (String)
Default value ''
Deprecated, use ldap_bind_password
ldap_ou_dn
ldap_ou_dn (String)
Default value ''
Deprecated, use ldap_search_base instead
ldap_dc
ldap_dc (String)
Default value ''
Deprecated, use ldap_base_dn
ldap_base_dn
ldap_base_dn (String)
Default value ''
Deprecated, use ldap_search_base
ldap_base_filter
ldap_base_filter (String)
Default value ''
Deprecated, use ldap_search_filter
auth_tls_crl_file
auth_tls_crl_file (String)
Default value ''
Path to the CRL file that will be used to verify client certificate.
auth_tls_subject_field
auth_tls_subject_field (String)
Default value 'CN'
Which field of the subject is used as the source for the username or other values used for further validation.
auth_tls_field_parse_regexp
auth_tls_field_parse_regexp (String)
Default value '(?P<username>.*)'
Regular expression that will be used to parse subject field to obtain the username or other values used for further validation.
auth_tls_user_lookup
auth_tls_user_lookup (String)
Default value 'REGEXP_ONLY'
- Sets up the way the user identity is obtained:
- REGEXP_ONLY: Uses ‘auth_tls_subject_field’ and ‘auth_tls_field_parse_regexp’ to extract the username from the client certificate.
- LDAP_LOOKUP: Uses an LDAP server to look up the username. ‘auth_tls_ldap_server’, ‘auth_tls_ldap_port’, ‘auth_tls_ldap_use_ssl’, ‘auth_tls_ldap_tls_file’, ‘auth_tls_ldap_bind_dn’, ‘auth_tls_ldap_bind_password’ options are used to establish the connection with the LDAP server. ‘auth_tls_subject_field’ and ‘auth_tls_field_parse_regexp’ options are used to parse the certificate. ‘auth_tls_ldap_search_base’, ‘auth_tls_ldap_search_filter’, and ‘auth_tls_ldap_username_attribute’ options are used to do the lookup.
auth_tls_ldap_server
auth_tls_ldap_server (String)
Default value ''
Hostname or IP address of the LDAP server used with LDAP_LOOKUP with ‘tls_certificate’ authentication method.
auth_tls_ldap_port
auth_tls_ldap_port (String)
Default value ''
Port of the LDAP server used with LDAP_LOOKUP with ‘tls_certificate’ authentication method.
auth_tls_ldap_use_ssl
auth_tls_ldap_use_ssl (Boolean)
Default value False
Whether to use SSL when connecting to the LDAP server used with LDAP_LOOKUP with ‘tls_certificate’ authentication method.
auth_tls_ldap_tls_file
auth_tls_ldap_tls_file (String)
Default value ''
Path to the SSL certificate used with LDAP_LOOKUP with ‘tls_certificate’ authentication method.
auth_tls_ldap_bind_dn
auth_tls_ldap_bind_dn (String)
Default value ''
Complete DN of the LDAP bind user used with LDAP_LOOKUP with ‘tls_certificate’ authentication method.
auth_tls_ldap_bind_password
auth_tls_ldap_bind_password (String)
Default value ''
Password for the LDAP bind used with LDAP_LOOKUP with ‘tls_certificate’ authentication method.
auth_tls_ldap_search_base
auth_tls_ldap_search_base (String)
Default value ''
Location in the DIT where the search will start used with LDAP_LOOKUP with ‘tls_certificate’ authentication method.
auth_tls_ldap_search_filter
auth_tls_ldap_search_filter (String)
Default value ''
- LDAP filter that will be used to look up the user with LDAP_LOOKUP with ‘tls_certificate’ authentication method. Can be built dynamically using the named capturing groups from ‘auth_tls_field_parse_regexp’ for substitution.
- Example:
auth_tls_field_parse_regexp="\w+ (?P<id>\d+)"
auth_tls_ldap_search_filter="(&(objectClass=person)(id={{id}}))"
auth_tls_ldap_username_attribute
auth_tls_ldap_username_attribute (String)
Default value ''
Specifies which LDAP record attribute will be used as the username with LDAP_LOOKUP with ‘tls_certificate’ authentication method.
auth_tls_ldap_authorization_lookup_filter
auth_tls_ldap_authorization_lookup_filter (String)
Default value ''
- Sets an optional additional lookup filter that is performed after the user is found. This can be used, for example, to check whether the user is a member of a particular group. The filter can be built dynamically from the attributes returned by the lookup. Authorization fails when the search does not return any entry; if one or more entries are returned, authorization succeeds.
- Example:
auth_tls_field_parse_regexp="\w+ (?P<id>\d+)"
ldap_search_filter="(&(objectClass=person)(id={{id}}))"
auth_tls_ldap_authorization_lookup_filter="(&(objectClass=group)(member=uid={{uid}},dc=example,dc=com))"
If this option is empty, no additional lookup is done and a successful user lookup is enough to authorize the user.
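Added example (not Driverless AI's own code) of the two-step {{name}} substitution that auth_tls_ldap_search_filter and auth_tls_ldap_authorization_lookup_filter describe: named groups captured from the certificate subject feed the user lookup filter, and attributes of the found entry feed the authorization filter. The regexp and filter strings are the ones from the examples above; the helper names and the RFC 4515 escaping of substituted values are assumptions of this example.

```python
import re

# Added illustration of the {{name}} substitution the two filter settings above
# describe; not Driverless AI's own code. Setting values are copied from the
# examples on this page, helper names are hypothetical.
FIELD_PARSE_REGEXP = r"\w+ (?P<id>\d+)"
SEARCH_FILTER = "(&(objectClass=person)(id={{id}}))"
AUTHZ_FILTER = "(&(objectClass=group)(member=uid={{uid}},dc=example,dc=com))"

# RFC 4515 escaping for values interpolated into a filter (assumed here as a
# hardening step, so a crafted certificate subject cannot alter the filter).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_subject_field(field_value: str, regexp: str = FIELD_PARSE_REGEXP) -> dict:
    """Apply auth_tls_field_parse_regexp to the chosen subject field (CN by
    default) and return its named groups; no match means the certificate is rejected."""
    m = re.match(regexp, field_value)
    if m is None:
        raise ValueError(f"subject field {field_value!r} does not match {regexp!r}")
    return m.groupdict()

def render_filter(template: str, values: dict) -> str:
    """Replace each {{name}} with the escaped value captured under that name.
    A placeholder without a value is an error, never silently an empty string."""
    def repl(m):
        name = m.group(1)
        if name not in values or values[name] is None:
            raise KeyError(f"no value for placeholder {name!r}")
        return ldap_escape(str(values[name]))
    return re.sub(r"\{\{(\w+)\}\}", repl, template)

def user_search_filter(subject_field: str) -> str:
    """Step 1: filter for the user lookup, built from the certificate subject."""
    return render_filter(SEARCH_FILTER, parse_subject_field(subject_field))

def authorization_filter(user_entry: dict) -> str:
    """Step 2: optional group check, built from attributes of the found entry."""
    return render_filter(AUTHZ_FILTER, user_entry)

if __name__ == "__main__":
    print(user_search_filter("Alice 4711"))
    # Constructed LDAP entry attributes as the user lookup might return them.
    print(authorization_filter({"uid": "alice", "id": "4711"}))
```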
auth_tls_ldap_authorization_search_base
auth_tls_ldap_authorization_search_base (String)
Default value ''
Base DN where to start the Authorization lookup. Used when ‘auth_tls_ldap_authorization_lookup_filter’ is set.
auth_jwt_token_source
auth_jwt_token_source (String)
Default value 'HEADER'
- Sets up the way the token is picked from the request:
- COOKIE: Uses the ‘auth_jwt_cookie_name’ cookie content parsed with ‘auth_jwt_source_parse_regexp’ to obtain the token content.
- HEADER: Uses the ‘auth_jwt_header_name’ header value parsed with ‘auth_jwt_source_parse_regexp’ to obtain the token content.
auth_jwt_cookie_name
auth_jwt_cookie_name (String)
Default value ''
Specifies name of the cookie that will be used to obtain JWT.
auth_jwt_header_name
auth_jwt_header_name (String)
Default value ''
Specifies the name of the HTTP header that will be used to obtain the JWT.
auth_jwt_source_parse_regexp
auth_jwt_source_parse_regexp (String)
Default value '(?P<token>.*)'
Regular expression that will be used to parse the JWT source. The expression is in Python syntax and must contain a named group ‘token’ that captures the token value.
auth_jwt_username_claim_name
auth_jwt_username_claim_name (String)
Default value 'sub'
Which JWT claim will be used as username for Driverless.
auth_jwt_verify
auth_jwt_verify (Boolean)
Default value True
Whether to verify the signature of the JWT.
auth_jwt_algorithm
auth_jwt_algorithm (String)
Default value 'HS256'
Signature algorithm that will be used to verify the signature according to RFC 7518.
auth_jwt_secret
auth_jwt_secret (String)
Default value ''
Specifies the secret content for HMAC or public key for RSA and DSA signature algorithms.
auth_jwt_exp_leeway_seconds
auth_jwt_exp_leeway_seconds (Number)
Default value 0
Number of seconds for which a JWT is still accepted after it has already expired.
auth_jwt_required_audience
auth_jwt_required_audience (List)
Default value []
List of accepted ‘aud’ claims for the JWTs. When empty, any audience is accepted.
auth_jwt_required_issuer
auth_jwt_required_issuer (String)
Default value ''
Value of the ‘iss’ claim that JWTs need to have in order to be accepted.
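Added example (not Driverless AI's implementation) showing how the auth_jwt_* settings above combine for a HEADER token source: the configured regexp must capture a ‘token’ group, the signature is checked only with the configured algorithm and secret, and ‘exp’ (with auth_jwt_exp_leeway_seconds), ‘aud’ and ‘iss’ are enforced before the username claim is returned. The settings dictionary, secret, issuer and the sample-token helper are constructed for this example.

```python
import base64, hashlib, hmac, json, re, time
# Added illustration of how the auth_jwt_* settings above combine when a request
# is authenticated; not Driverless AI's implementation. Settings are constructed.
SETTINGS = {
    "auth_jwt_header_name": "Authorization",
    "auth_jwt_source_parse_regexp": r"Bearer (?P<token>.*)",
    "auth_jwt_username_claim_name": "sub",
    "auth_jwt_verify": True,
    "auth_jwt_algorithm": "HS256",
    "auth_jwt_secret": "constructed-demo-secret",
    "auth_jwt_exp_leeway_seconds": 30,
    "auth_jwt_required_audience": ["driverless"],
    "auth_jwt_required_issuer": "https://idp.example.invalid",
}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _hs256(h64, p64, secret):
    return hmac.new(secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()

def extract_token(headers, cfg):
    # HEADER source: the configured regexp must expose the token in a named group 'token'.
    m = re.match(cfg["auth_jwt_source_parse_regexp"], headers.get(cfg["auth_jwt_header_name"], ""))
    if m is None or m.groupdict().get("token") is None:
        raise ValueError("no JWT in request")
    return m.group("token")

def verify_jwt(token, cfg, now):
    h64, p64, s64 = token.split(".")  # ValueError unless exactly three segments
    if cfg["auth_jwt_verify"]:
        # Only the configured algorithm is acceptable; the token's own 'alg' is never trusted.
        if cfg["auth_jwt_algorithm"] != "HS256" or json.loads(_b64url_decode(h64)).get("alg") != "HS256":
            raise ValueError("unsupported alg")
        if not hmac.compare_digest(_hs256(h64, p64, cfg["auth_jwt_secret"]), _b64url_decode(s64)):
            raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if "exp" in claims and now > claims["exp"] + cfg["auth_jwt_exp_leeway_seconds"]:
        raise ValueError("expired")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if cfg["auth_jwt_required_audience"] and not set(aud) & set(cfg["auth_jwt_required_audience"]):
        raise ValueError("audience not accepted")
    if cfg["auth_jwt_required_issuer"] and claims.get("iss") != cfg["auth_jwt_required_issuer"]:
        raise ValueError("issuer not accepted")
    return claims[cfg["auth_jwt_username_claim_name"]]

def authenticate(headers, cfg=SETTINGS, now=None):
    # Username for an accepted request, None for a rejected one.
    try:
        return verify_jwt(extract_token(headers, cfg), cfg, time.time() if now is None else now)
    except (ValueError, KeyError):
        return None

def make_hs256_jwt(claims, secret):
    # Mint a sample token: constructed input for exercising the checks above.
    h64 = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    p64 = _b64url_encode(json.dumps(claims).encode())
    return f"{h64}.{p64}.{_b64url_encode(_hs256(h64, p64, secret))}"
```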
local_htpasswd_file
local_htpasswd_file (String)
Default value ''
Local password file.
Generating a htpasswd file: see the syntax below.
htpasswd -B '<location_to_place_htpasswd_file>' '<username>'
Note: -B forces use of bcrypt, a secure password hashing method.
authorization_service
Authorization service name (String)
Default value 'local'
Authorization service name:
- local: Authorization is based on config.toml settings such as local_administrator_list
local_administrator_list
List of usernames with admin rights (List)
Default value []