
Authorization

Authorization rules differ depending on the role of a user, distinguishing between users with "full access", visitors (users without "full access"), and admins.

App authorization for users with full access

Access to apps is governed by the following rules:

  • ALL_USERS apps are visible to all signed-in users with "full access"; they are also visible on the "App Store" page; these are typically created via h2o bundle import
  • ALL_USERS apps with the ON_DEMAND instance lifecycle are runnable by all signed-in users with "full access"
  • In all other cases the app owner is the only authorized user to perform a particular action, including:
    • PRIVATE apps are only visible to/runnable by the owner; these are only visible on the "My Apps" page and are typically experimental versions created via h2o bundle deploy
    • ALL_USERS apps with the MANAGED instance lifecycle are only runnable by the app owner.
    • The app owner can manage (view, run, update, delete, download) their apps via h2o app ... or via the "My Apps" page
  • Any user with "full access" can import new apps into the platform via h2o ...
  • PUBLIC apps are visible to all users, even if they are not logged in. However, the user must be logged in to use the app.
    • Administrators must enable config.publicModeEnabled. If it is not enabled, authentication will be required and the behavior will be the same as ALL_USERS apps.

See CLI for details on managing apps.

Instance authorization for users with full access

Access to app instances is governed by the following rules:

  • PRIVATE instances are only visible to the owner (and to an extent to the owner of the corresponding app, see below for details)
  • ALL_USERS instances are visible to all signed-in users with "full access"
  • PUBLIC instances are visible to anyone on the Internet
  • The instance owner can manage (view, update, terminate, see status/logs of) her instances via h2o instance or via the "My Instances" page
  • The app owner can see metadata, status, and logs of her app's instances via h2o instance or via the app detail page regardless of instance visibility; this is to facilitate troubleshooting; note that this does not include access to the app UI itself or any write access

Note that app/instance visibility can be modified by the owner, e.g., using h2o (app|instance) update <id> -v <visibility> or via the "My Apps"/"My Instances" page.

See CLI for details on managing app instances.

Tag authorization for users with full access

Access to tags is governed by the following rules:

  • All users with "full access" can see all tags and tag assignments
  • A tag can only be assigned/removed/updated by users having a role (as determined by the auth provider) that is present in the tag's Admin Roles list; empty means any user with "full access" is allowed
  • Currently, tags can only be created by admins

See CLI for details on managing tags.

Secret authorization for users with full access

Access to secrets is governed by the following rules:

  • All users with "full access" can see all ALL_USERS secrets and their own PRIVATE secrets, but not secrets with visibility APP (see App-scoped Secrets)
  • A PRIVATE secret can be created, updated, deleted by the user who created the secret
  • Currently, ALL_USERS and APP secrets can only be created, updated or deleted by admins

See CLI for details on managing secrets.

Authorization for visitors

Visitors, a.k.a., users without "full access", have limited permissions within the platform:

  • Visitors can only ever see their own instances, regardless of instance visibility (technically, they can also access the UI of PUBLIC instances, if given the URL)
  • Visitors cannot see app logs, not even for their own instances
  • Visitors cannot import apps into the platform
  • Visitors can only see/run ALL_USERS apps that have a tag which includes one of the visitor's roles (as determined by the auth provider) in the tag's Visitor Roles; empty means no visitors are allowed
    • Example: Visitor UA has role RA, visitor UB has role RB, tag TA has Visitor Roles RA, RC, tag TB has Visitor Roles RB, app A1 has no tags, app A2 has tag TA, app A3 has tags TA, TB but is PRIVATE. In this case, user UA can see and run app A2, while UB cannot see or run any apps.
  • Visitors cannot see tags or tag assignments
  • Visitors cannot see secrets
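
The tag-based visitor rule and the UA/UB example above, modelled as an added sketch for auditing which visitor roles can reach which apps. This is not the platform's own code: Tag, App, exposed_roles, visitor_can_see and visible_apps are hypothetical names, PUBLIC apps and instance lifecycle are not modelled, and tag T0 and app A4 are constructed to show the empty Visitor Roles case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tag:
    name: str
    visitor_roles: frozenset = frozenset()  # empty: no visitors allowed

@dataclass(frozen=True)
class App:
    name: str
    visibility: str          # "PRIVATE" or "ALL_USERS" (PUBLIC is not modelled)
    tags: tuple = ()

def exposed_roles(app: App) -> frozenset:
    """Visitor roles that grant see/run on this app under the rule above."""
    if app.visibility != "ALL_USERS":
        return frozenset()   # a PRIVATE app is never exposed, whatever its tags
    roles = set()
    for tag in app.tags:
        roles |= tag.visitor_roles
    return frozenset(roles)

def visitor_can_see(roles, app: App) -> bool:
    """True if any of the visitor's roles appears in a tag's Visitor Roles."""
    return bool(exposed_roles(app) & frozenset(roles))

def visible_apps(roles, apps) -> list:
    return [a.name for a in apps if visitor_can_see(roles, a)]

# The page's example, plus one constructed tag (T0) with empty Visitor Roles.
TA = Tag("TA", frozenset({"RA", "RC"}))
TB = Tag("TB", frozenset({"RB"}))
T0 = Tag("T0")
APPS = [
    App("A1", "ALL_USERS"),
    App("A2", "ALL_USERS", (TA,)),
    App("A3", "PRIVATE", (TA, TB)),
    App("A4", "ALL_USERS", (T0,)),   # constructed: tagged, but no visitor roles
]
VISITORS = {"UA": {"RA"}, "UB": {"RB"}}

if __name__ == "__main__":
    for name, roles in VISITORS.items():
        print(name, "->", visible_apps(roles, APPS))
    for app in APPS:
        print(app.name, "exposed to roles:", sorted(exposed_roles(app)))
```

Running exposed_roles over every app gives a quick review list of the apps that any visitor role can reach, which is the set worth checking whenever a tag's Visitor Roles change.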

Authorization for admins

The admin API gives admins read/write access to all apps/instances/tags. Note that the admin API does not allow access to the app UI itself, meaning admins cannot access the UI of PRIVATE instances. Similarly, admins cannot impersonate another user, e.g., for the purposes of importing/running an app.

