Proxy Only Authentication

In various deployment scenarios - for example when using Sparkling Water on IBM Spectrum Conductor, it might be required to make the H2O-3 interface and Flow UI accessible only to the cluster owner, without specifying the password in the configuration beforehand. For those cases we expose a special parameter: spark.ext.h2o.proxy.login.only that should be used together with the “standard” authentication method property like spark.ext.h2o.ldap.login. With “Proxy only” mode Sparkling Water will communicate with H2O-3 cluster using internally generated hash-based credentials, and use the requested authentication method only for authenticating the user trying to access the proxy port (Flow UI).

For the examples below, we’ll use LDAP authentication method, described in more detail here: Enabling LDAP

Configuring “Proxy Only” mode

To enable LDAP with “Proxy only authentication”, the following properties need to be set:

  • spark.ext.h2o.ldap.login=true

  • spark.ext.h2o.proxy.login.only=true

  • spark.ext.h2o.login.conf=ldap.conf

  • spark.ext.h2o.user.name=username

where ldap.conf is the configuration file for the LDAP connection and username is a username of the LDAP account that will be used for authentication to the H2O-3 cluster.

For example those required properties can be set directly as Spark properties, such as:

Scala

./bin/sparkling-shell \
--conf spark.ext.h2o.ldap.login=true \
--conf spark.ext.h2o.proxy.login.only=true \
--conf spark.ext.h2o.login.conf=ldap.conf \
--conf spark.ext.h2o.user.name=username

Python

./bin/pysparkling \
--conf spark.ext.h2o.ldap.login=true \
--conf spark.ext.h2o.proxy.login.only=true \
--conf spark.ext.h2o.login.conf=ldap.conf \
--conf spark.ext.h2o.user.name=username

There are also H2OConf setter methods available:

Scala

import ai.h2o.sparkling._
val conf = new H2OConf().setLoginConf("ldap.conf").setLdapLoginEnabled().setProxyLoginOnlyEnabled().setUserName("username")
val hc = H2OContext.getOrCreate(conf)

Python

from pysparkling import *
conf = H2OConf().setLoginConf("ldap.conf").setLdapLoginEnabled().setProxyLoginOnlyEnabled().setUserName("username").setPassword("password")
hc = H2OContext.getOrCreate(conf)

Later when accessing Flow, the user will be asked for the username and password of the user specified in the configuration property spark.ext.h2o.user.name.