Skip to content

Manage Authentication Configuration

The Pachyderm authentication configuration file includes information about the identity provider (IdP) configured in Pachyderm. The file is stored in the Pachyderm etcd container, and you can access it by using the following commands:

  • To view the auth configuration, run:

    pachctl auth get-config
    
  • To edit the auth configuration, run:

    pachctl auth set-config -f <config.json>
    

    or:

    pachctl auth set-config <<EOF
    {
      "live_config_version": ${live_config_version},
    
      "id_providers": [
        {
         ...
        }
      ]
      ...
    }
    EOF
    
  • To delete Pachyderm auth configuration, run:

    pachctl auth deactivate
    

SAML Authentication Parameters

You can specify the following parameters for your SAML provider in the authentication file:

Parameter Description
name The name of the SAML provider. For example, okta.
This name is used as a prefix for all usernames derived
from the identity provider. For example,
okta:test@pachyderm.com.
description An optional description of the identity provider.
saml A list of parameters related to the SAML provider
configuration.
metadata_url A URL of the SAML provider metadata service.
metada_xml The XML metadata of SAML IdP. You can use this
parameter if the IdP is located in another network to which
users have access, but pachd does not. It can
also be used for testing when the IdP is not yet
configured.
group_attribute A group configured on the IdP. The parameters enable
you to grant permissions on at a group level rather
than on an individual level.
saml_svc_options A list of options for SAML services
acs_url The URL of the pachd's Assertion Consumer Service
and Metadata Service (ACS). If Pachyderm runs in a
private cluster, the cluster admin must set up
the domain name and proxy to resolve to
pachd:654/acs. For example,
http://localhost:30654/saml/acs.
meatadata_url The public URL of Pachd's SAML metadata service.
This parameter under the saml_svc_options is
different from the one under the saml option.
If Pachyderm runs in a private cluster, you must
create this URL, which resolves to
pachd:654/saml/metadata. For example,
http://localhost:30654/saml/metadata.
dash_url The public URL of the Pachyderm dashboard.
For example, https://localhost:30080.
session_duration The length of a user session in hours (h) or
minutes (m). For example, 8h. If left blank 24 hours session is
configured by default.

View a sample config

OIDC Authentication Parameters

You can specify the following parameters for your OIDC provider in the authentication file:

Parameter Description
name The name of the OIDC provider. For example,
keycloak. This name is used as a prefix for all usernames derived
from the identity provider. For example,
keycloak:test@pachyderm.com.
description An optional description of the identity provider.
oidc A list of parameters related to the OIDC provider configuration.
issuer The address of the OIDC provider. For example,
http://keycloak.<ip>.nip.io/auth/realms/<realm-name>.
client_id The Pachyderm ID configured in the IdP. For example,
pachyderm.
client_secret A shared secret with the ID provider. If your OIDC provider
does not use a secret, which is not recommended, the
parameter can be omitted for testing.
redirect_uri The URI on which the OIDC IdP can access Pachyderm.
Depends on your network configuration and must have the following
format: http://<ip>:30657/authorization-code/callback.

View a sample config


Last update: July 16, 2020