Manage Authentication Configuration¶
The Pachyderm authentication configuration file includes information about the identity provider (IdP) configured in Pachyderm. The file is stored in the Pachyderm etcd container, and you can access it by using the following commands:
- To view the auth configuration, run:
pachctl auth get-config
- To edit the auth configuration, run:
pachctl auth set-config -f <config.json>
or:
pachctl auth set-config <<EOF
{
"live_config_version": ${live_config_version},
"id_providers": [
{
...
}
]
...
}
EOF
- To delete Pachyderm auth configuration, run:
pachctl auth deactivate
SAML Authentication Parameters¶
You can specify the following parameters for your SAML provider in the authentication file:
| Parameter | Description |
|---|---|
name | The name of the SAML provider. For example, okta. This name is used as a prefix for all usernames derived from the identity provider. For example, okta:test@pachyderm.com. |
description | An optional description of the identity provider. |
saml | A list of parameters related to the SAML provider configuration. |
metadata_url | A URL of the SAML provider metadata service. |
metada_xml | The XML metadata of SAML IdP. You can use this parameter if the IdP is located in another network to which users have access, but pachd does not. It can also be used for testing when the IdP is not yet configured. |
group_attribute | A group configured on the IdP. The parameters enable you to grant permissions on at a group level rather than on an individual level. |
saml_svc_options | A list of options for SAML services |
acs_url | The URL of the pachd's Assertion Consumer Service and Metadata Service (ACS). If Pachyderm runs in a private cluster, the cluster admin must set up the domain name and proxy to resolve to pachd:654/acs. For example, http://localhost:30654/saml/acs. |
metadata_url | The public URL of Pachd's SAML metadata service. This parameter under the saml_svc_options is different from the one under the saml option. If Pachyderm runs in a private cluster, you must create this URL, which resolves to pachd:654/saml/metadata. For example, http://localhost:30654/saml/metadata. |
dash_url | The public URL of the Pachyderm dashboard. For example, https://localhost:30080. |
session_duration | The length of a user session in hours (h) or minutes (m). For example, 8h. If left blank 24 hours session is configured by default. |
OIDC Authentication Parameters¶
You can specify the following parameters for your OIDC provider in the authentication file:
| Parameter | Description |
|---|---|
name | The name of the OIDC provider. For example, keycloak. This name is used as a prefix for all usernames derived from the identity provider. For example, keycloak:test@pachyderm.com. |
description | An optional description of the identity provider. |
oidc | A list of parameters related to the OIDC provider configuration. |
issuer | The address of the OIDC provider. For example, http://keycloak.<ip>.nip.io/auth/realms/<realm-name>. |
client_id | The Pachyderm ID configured in the IdP. For example, pachyderm. |
client_secret | A shared secret with the ID provider. If your OIDC provider does not use a secret, which is not recommended, the parameter can be omitted for testing. |
redirect_uri | The URI on which the OIDC IdP can access Pachyderm. Depends on your network configuration and must have the following format: http://<ip>:30657/authorization-code/callback. |
additional_scopes | A list of additional OIDC scopes to request from the provider. If groups is requested, the groups in the ID token will be synced with Pachyderm |
Last update: January 5, 2021
Does this page need fixing? Edit me on GitHub