
Configure OpenID Connect with Okta

If Okta® access management software is your preferred choice of IdP, you can configure Pachyderm to use Okta as an OpenID Connect (OIDC) identity provider using the following steps.

Prerequisites

Before you can configure Pachyderm to work with Okta, you need:

  • Pachyderm Enterprise 1.11.x or later. The enterprise token must be activated by running echo <your-activation-token> | pachctl enterprise activate. Check the status of your license by running:

    pachctl enterprise get-state
    

    For more information, see Activate Pachyderm Enterprise Edition.

  • An account at https://www.okta.com/login/.

Register Pachyderm with Okta

For more detailed step-by-step instructions, see Okta's own documentation on creating an OIDC app integration.

  1. Sign in to your Okta organization with your administrator account.
  2. From the Admin Console side navigation, click Applications > Applications.
  3. Click Add Application.
  4. Click Create New App (or search for your existing app).
  5. Select Platform: Web and sign-on method OpenID Connect.
  6. Click Create.
  7. Type the name of your application, such as Pachyderm.
  8. Add the following Login redirect URI:

    http://<ip>:<port>/authorization-code/callback
    

    Note: <port> is whatever port routes to pachd:657, the OIDC port inside the pachd pod; in the local deployment used later on this page that is 30657.

    The IP address is the address of your Pachyderm host. For example, if you are running Pachyderm in Minikube, you can find the IP address by running minikube ip. Okta only redirects to URIs registered here, so this value must match, character for character, the redirect_uri you later put in the Pachyderm auth config.

  9. Click Save.

  10. Click Edit to change the General Settings pane. In the Allowed grant types section, enable Implicit, Authorization Code, Refresh Token, and Client Credentials. Authorization Code is the grant that the /authorization-code/callback flow above uses; treat the other grant types as optional and enable only the ones your deployment actually needs, since every enabled grant is an additional way to obtain tokens for this client.
  11. Click Save.
  12. On the Assignments tab, click Assign to assign the app integration to any user or group in your org. Click Done when the assignments are complete.

Configure Pachyderm Auth

After you have configured a Pachyderm application in Okta, you need to create a Pachyderm OIDC config with the Okta parameters. All the required parameters, such as client_id, client_secret, and others, are located on the App General tab.

To configure Pachyderm Auth, complete the following steps:

  1. Check the status of your license by running:

    pachctl enterprise get-state
    

    You must have an active enterprise token to proceed.

  2. Go to the terminal and forward the pachd pod's OIDC port to your local machine, as described in the next two steps.

  3. Get the pachd pod ID:

    kubectl get pod
    

    Example system response:

    dash-5768cb7d98-j6cgt       2/2     Running   0          4h2m
    etcd-56d897697-xzsqr        1/1     Running   0          4h2m
    pachd-79f7f68c65-9qs8g      1/1     Running   0          4h2m
    
  4. Forward the pachd pod's OIDC port (657) to the local port used in your redirect URI. kubectl port-forward takes the mapping as <local-port>:<pod-port>; with the pod name above and local port 30657:

    kubectl port-forward pachd-79f7f68c65-9qs8g 30657:657
    
  5. Enable Pachyderm authentication:

    pachctl auth activate --initial-admin=robot:admin
    

    Pachyderm returns a token.

    WARNING! You must save the token to a secure location to avoid being locked out of your cluster.

  6. Log in as the admin user with the token you received in the previous step:

    pachctl auth use-auth-token
    
  7. Set up the authentication config:

    pachctl auth set-config <<EOF
    {
      "live_config_version": 2,
      "id_providers": [{
        "name": "okta",
        "description": "oidc-based authentication with Okta",
        "oidc": {
          "issuer": "https://",
          "client_id": "",
          "client_secret": "",
          "redirect_uri": "your redirect URI",
          "ignore_email_verified": true
        }
      }]
    }
    EOF
    

    The config is JSON, so every key, including ignore_email_verified, must be quoted. You need to replace the following placeholders with relevant values:

    • issuer — The issuer URL of the Okta authorization server that issues your tokens, for example https://{yourOktaDomain}. Copy it exactly as it appears in the issuer field of https://{yourOktaDomain}/.well-known/openid-configuration, with the trailing slash present or absent to match: OIDC clients compare the configured issuer with the discovery document and with the ID token's iss claim byte for byte, so any difference, including a trailing slash, breaks every login.

    • client_id — The Pachyderm Client ID in Okta.

    • client_secret — The Pachyderm client secret in Okta. Treat it like a password: do not commit the config to source control.

    • redirect_uri — This parameter must match, character for character, the Login redirect URI you added in Okta in the previous section.

    • ignore_email_verified — When true, Pachyderm accepts the email claim from Okta even if the token does not mark it as verified. Leave it true only if your Okta tokens do not carry a usable email_verified claim; otherwise set it to false so that an unverified address cannot be mapped to a Pachyderm user.
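The issuer and redirect_uri values above are the two that most often break an Okta login, and both fail silently until a user tries to sign in. The following script, added here as an example and not part of Pachyderm or Okta, checks a config block offline before it is handed to pachctl auth set-config: it confirms the JSON parses, that no field is still a placeholder, that the issuer matches what the provider publishes in its discovery document, that the redirect_uri is one Okta has registered and points at the callback path, and it flags the settings that weaken security (a plain-http redirect, ignore_email_verified). The Okta domain, client ID, secret, host IP and the discovery document are all constructed sample values; in a real run you would paste the JSON fetched from {issuer}/.well-known/openid-configuration in place of SAMPLE_DISCOVERY.

```python
"""Offline checks on a Pachyderm OIDC id_provider block before running
`pachctl auth set-config`. Added example for this page; not Pachyderm code,
and it calls no Pachyderm or Okta API."""
import json
from urllib.parse import urlparse

PACHD_OIDC_PORT = 657  # port inside the pachd pod that the redirect URI must reach
CALLBACK_PATH = "/authorization-code/callback"

# Constructed sample config in the shape the page shows, with the placeholders
# filled in. The Okta domain, client ID, secret and host IP are made up.
SAMPLE_CONFIG = """
{
  "live_config_version": 2,
  "id_providers": [{
    "name": "okta",
    "description": "oidc-based authentication with Okta",
    "oidc": {
      "issuer": "https://dev-123456.okta.com/",
      "client_id": "0oaexampleclientid",
      "client_secret": "example-secret-do-not-commit",
      "redirect_uri": "http://192.168.64.2:30657/authorization-code/callback",
      "ignore_email_verified": true
    }
  }]
}
"""

# Constructed stand-in for the JSON a real run would fetch from
# <issuer>/.well-known/openid-configuration; only the field used here.
# Assumption for the example: this server publishes its issuer without a
# trailing slash, which is what makes the sample config above fail.
SAMPLE_DISCOVERY = {"issuer": "https://dev-123456.okta.com"}

# Login redirect URIs registered on the Okta application (constructed).
SAMPLE_REGISTERED_URIS = ["http://192.168.64.2:30657/authorization-code/callback"]


def check_oidc_config(config_text, discovery, registered_redirect_uris):
    """Return a list of (severity, message) tuples: "error" for a setting that
    will break login, "warning" for one that weakens it."""
    findings = []
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        # pachctl reads JSON, so an unquoted key such as
        # `ignore_email_verified: true` is rejected before anything else.
        return [("error", f"config is not valid JSON: {exc}")]

    providers = cfg.get("id_providers") or []
    if not providers:
        return [("error", "id_providers is missing or empty")]
    oidc = providers[0].get("oidc") or {}

    for key in ("issuer", "client_id", "client_secret", "redirect_uri"):
        if not oidc.get(key):
            findings.append(("error", f"{key} is empty; copy it from the Okta app's General tab"))

    issuer = oidc.get("issuer", "")
    if issuer and not issuer.startswith("https://"):
        findings.append(("error", "issuer must be an https URL"))
    # OIDC clients compare the configured issuer with the discovery document's
    # issuer (and with the ID token's iss claim) byte for byte, so a stray or
    # missing trailing slash is enough to break every login.
    if issuer and issuer != discovery.get("issuer"):
        findings.append(("error", f"issuer {issuer!r} differs from the discovery document's issuer "
                                  f"{discovery.get('issuer')!r}; check the trailing slash"))

    redirect = oidc.get("redirect_uri", "")
    parsed = urlparse(redirect)
    if redirect and redirect not in registered_redirect_uris:
        findings.append(("error", f"redirect_uri {redirect!r} is not registered on the Okta app; "
                                  "Okta refuses to redirect to unregistered URIs"))
    if redirect and parsed.path != CALLBACK_PATH:
        findings.append(("error", f"redirect_uri path must be {CALLBACK_PATH}"))
    if redirect and parsed.port is None:
        findings.append(("error", f"redirect_uri needs an explicit port that routes to pachd:{PACHD_OIDC_PORT}"))
    if redirect and parsed.scheme == "http":
        findings.append(("warning", "redirect_uri is plain http: the authorization code travels in the clear; "
                                    "use https for anything beyond a local test"))

    if oidc.get("ignore_email_verified") is True:
        findings.append(("warning", "ignore_email_verified is true: Pachyderm will accept an email claim "
                                    "that Okta has not marked as verified"))
    return findings


def errors(findings):
    """Only the blocking findings, as messages."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for sev, msg in check_oidc_config(SAMPLE_CONFIG, SAMPLE_DISCOVERY, SAMPLE_REGISTERED_URIS):
        print(f"{sev.upper():7} {msg}")
```

Run as-is, the sample reports one error (the issuer's trailing slash does not match the discovery document) and two warnings (plain-http redirect, ignore_email_verified). Removing the slash from the sample issuer clears the error, and changing the host IP in redirect_uri without updating the Okta registration produces the "not registered" error, which is the same mismatch Okta would report at login time.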

  8. Log in to Pachyderm as the user you assigned to the application in Okta (or sign in with Google, if you have enabled that in Okta).

  9. Run:

    pachctl auth login
    

    pachctl opens a browser window. Log in as the user you previously assigned to the application in Okta, or sign in with Google.

    You should see the following message printed out in your browser:

    You are now logged in. Go back to the terminal to use Pachyderm!
    
  10. In the terminal, check that you are logged in as the Okta user:

    pachctl auth whoami
    

    Example of System Response:

    You are "okta:test@pachyderm.com"
    session expires: 07 Aug 20 14:04 PDT
    

Last update: August 31, 2021