Authentication & Authorization

Learn how user access management works.


User Access Management is an enterprise feature that requires an active enterprise token.

Pachyderm delegates its authentication to third party Identity Providers.

We embed an Open ID Connect identity service based on Dex allowing for a vendor-neutral authentication (i.e., a pluggable authentication against many different identity providers).

As a result, users can authenticate using their existing credentials from various back-ends, including LDAP, other OIDC providers, or SAML.

Setting up Pachyderm’s User Access Management (also referred to as “Authentication and Authorization” or “Auth” in this documentation) requires to follow those 3 simple steps:

  1. Activate the feature.

Helm users, setting up your License Key in Helm will activate Auth by default. SKIP THIS STEP.

If you enable the enterprise features through Helm, auth will be activated by default.

In this case, a pachyderm-auth k8s secret is automatically created containing an entry for your rootToken in the key rootToken. Use the following to retrieve it and save it where you see fit:

{{"kubectl get secret pachyderm-auth -o go-template='{{.data.rootToken | base64decode }}'"}}
  1. Create a connector and connect the IdP of your choice to Pachyderm (Dex).
  2. Optional: Manage your Authorization. i.e.,assign specific Roles to IdP users on given Pachyderm resources.

Any registered IdP user will then be able to log into their IdP and access Pachyderm resources according to the privileges they were granted.

See the Identity Provider High Level Diagram below:

IdP - Dex diagram

Activate User Access Management #


Verify the status of your Enterprise License before activating the User Access Management feature by running pachctl enterprise get-state. The command should return an ACTIVE status along with the expiration date of the Enterprise License.

To activate Pachyderm’s authentication and authorization features, run the following command in your terminal:

pachctl auth activate 

The enablement of the User Access Management creates an initial Root user and returns a Root token. This Root user (or initial admin) has irrevokable clusterAdmin privileges on Pachyderm’s cluster. More on the various types of Users, Roles, and resources here.

System Response

Pachyderm root token:

You must save the token to a secure location to avoid being locked out of your cluster.

When needed, use this token to log back in as this initial admin user:

pachctl auth use-auth-token

As a Root User (or initial admin), you can now configure Pachyderm to work with the identity management provider (IdP) of your choice.

Next: Connect the IdP of your choice to Pachyderm (Dex)

Deactivating User Access Management #

The deactivation of the User Access Management on a Pachyderm cluster (as a clusterAdmin, run pachctl auth deactivate), returns the cluster to being a blank slate with regards to access control.

This implies that all permissions granted to users on Pachyderm resources are removed. Everyone that can connect to Pachyderm is back to being a clusterAdmin (can access and modify all data in all repos).

User Access Management and Enterprise License expiration #

When an Enterprise License expires, a Pachyderm cluster with enabled User Access Management goes into an admin-only state. In this state, only ClusterAdmins have access to the data stored in Pachyderm.

This safety measure keeps sensitive data protected, even when an enterprise subscription becomes stale.

As soon as the enterprise activation code is updated (As a ‘clusterAdmin’, run pachctl license activate and submit your new code), the Pachyderm cluster returns to its previous state.

Auth Token Duration #

Pachd auth tokens duration is set to a 30 days default in pachd environment variable SESSION_DURATION_MINUTES.