Authorization

Identity provider

H2O AI Hybrid Cloud (H2OAIC) utilizes a compatible OpenID Connect (OIDC) provider, such as Keycloak, to authenticate and authorize users in both the App Store and Wave apps. This allows for easy integration and federation with other services like SAML and LDAP.

User roles

The actions a user may perform within the H2O AI Hybrid Cloud depends on the user's role, as documented in the Authorization section of the user guide.

The user's role is based on the OIDC access token claims returned by the identity provider. This is configurable via RoleClaim, AdminRoleName, and FullAccessRoleName in App Store configuration.

App Store server OIDC configuration

The following chart describes the various configuration options which may be either set within the [OIDC] section of the server configuration ConfigMap TOML, or set via environment variables.

The environment variable names in the table below need to be prefixed with H2O_CLOUD_OIDC_:

TOML Key / Environment variable	Description	Default
ClientID `CLIENT_ID`	Confidential client ID for authenticating browser requests	(empty)
ClientSecret `CLIENT_SECRET`	Confidential client secret for authenticating browser requests	(empty)
CLIClientID `CLI_CLIENT_ID`	Public client ID for authenticating CLI requests	(empty)
WaveClientID `WAVE_CLIENT_ID`	Confidential client ID used by Apps to authenticate users. If empty, OIDC authentication is disabled for apps.	(empty)
WaveClientSecret `WAVE_CLIENT_SECRET`	Confidential client secret used by Apps to authenticate users. If empty, OIDC authentication is disabled for apps.	(empty)
WaveRedirectPath `WAVE_REDIRECT_PATH`	Callback address for the OIDC provider to redirect the user after app authentications	`/_auth/callback`
RedirectURL `REDIRECT_URL`	Callback address for the OIDC provider to redirect the user to after authentication	`http://localhost:8889/oauth2/callback`
ProviderURL `PROVIDER_URL`	URL of OIDC provider	`http://localhost:8080/auth/realms/master`
EndSessionURL `END_SESSION_URL`	URL to redirect the user to terminate their OIDC session	`http://localhost:8080/auth/realms/master/protocol/openid-connect/logout`
RoleClaim `ROLE_CLAIM`	Access token claim containing the user's roles	`realm_access.roles`
AdminRoleName `ADMIN_ROLE_NAME`	Role name assigned to administrators within the OIDC provider	`admin`
FullAccessRoleName `FULL_ACCESS_ROLE_NAME`	Role assigned to users with "full access". If empty, all users have full access.	(empty)
Scopes `SCOPES`	OIDC scopes to be granted	(empty)

CLI authentication

All users have access to use the CLI, however, what they can do depends on the category of the user. An offline Open ID Connect (OIDC) refresh token, generated by the user by visiting /auth/get-token, is used to generate access tokens to authenticate each request from the CLI to the App Store server. The CLI stores the refresh token, in addition to its other configuration, on the user's machine at ~/.h2oai/h2o-cli-config.toml.

To configure the CLI, users will need four pieces of information:

The address of the server that the CLI will connect to
The OpenID Connect (OIDC) provider URL to obtain access tokens
The public OpenID Client ID designated for CLI access
A refresh token, generated by the user by visiting /auth/get-token while logged in to the AI App Store web interface

Visitors

Visitors, a.k.a., users without "full access", have limited permissions within the platform. Users without full access privileges are considered to be visitors, and tags are used to manually assign specific app versions to OIDC roles. See the Authorization section in the user guide for details.

Visitor functionality requires that FullAccessRoleName in the App Store configuration be properly configured.

When creating a new tag, the administrator can specify an admin role and a visitor role to the tag. Users assigned the OIDC role that matches the admin role for the tag have the ability to assign that tag to specific apps. Users who are visitors but assigned an OIDC role that matches the visitor role on the tag can see all app versions that tag is assigned to. See Tag section of the CLI documentation on using the CLI to manipulate tags.

Administrators

Users who log in with the OIDC role matching the server configured AdminRoleName are granted administrator access to the AI App Store. Administrators access to the administrator views within the App Store and the admin subcommand of the CLI.

Within the App Store, the "Admin Apps" view provides administrators with a list of every app imported into the App Store, regardless of its visibility, and allows administrators to delete specific versions of apps. The "Admin Instances" view provides administrators with a list of every running instance known to H2O AI Hybrid Cloud, and allows administrators to terminate specific instances of apps.

The h2o admin command in the CLI provides administrators with several commands, such as:

h2o admin app <get|list|delete> - Manage apps owned by all users
h2o admin instance <get|list|status|terminate> - Manage and inspect running app instances for all users
h2o admin secret <create|delete|get|list|update> - Manage application secrets including global secrets
h2o admin tag <assign|create|delete|get|list|remove|update> - Manage application tags
h2o admin iam <delete|export|get|import|list> - Manage IAM policies

Identity and Access Management (IAM) policies

Note: IAM policies are currently in beta and aren't enabled by default.

Exceptions to normal authorization rules can be granted by leveraging IAM policies, which can be authored in JSON and imported or exported from the platform by using the admin iam CLI subcommand.

IAM policies apply to one or more resources and contain one or more statements. The policy resource limits the scope of the statements being evaluated. Statements may have the effect of either allowing or denying the request. If any one statement in any policy denies the action, then the entire request is denied.

The following is a sample IAM policy that grants users with the OIDC role SUPPORT the ability to list and view logs for all instances regardless of instance owner and visibility setting:

{
  "resources": ["*"],
  "statements": [
    {
      "subjects": ["role:SUPPORT"],
      "actions": ["instance:view_log", "instance:read"],
      "attributes": [],
      "effect": "allow"
    }
  ]
}

Wave application instance access controls

The App Store server enforces access restrictions on which users can access running applications. See the Authorization section in the user guide for details.

Wave application user authentication

Wave applications can run as both single user instances and as multi-user instances. Multi-user instances requires users to first authenticate with a supported OpenID Connect (OIDC) provider. The OIDC session created with the Wave application is independent to the App Store user session (including the relevant OIDC client settings and tokens). The App Store provides an opt-in mechanism to pass OpenID Connect (OIDC) endpoint, client, and client secret to Wave applications upon start up.
The WaveClientID and WaveClientSecret values in the App Store configuration must be set to enable OIDC integration. See Wave's documentation for more.

Feedback

Submit and view feedback for this page
Send feedback about AI App Store to cloud-feedback@h2o.ai

Authorization

Identity provider​

User roles​

App Store server OIDC configuration​

CLI authentication​

Visitors​

Administrators​

Identity and Access Management (IAM) policies​

Wave application instance access controls​

Wave application user authentication​