Learn how to set up and manage Role-Based Access Control (RBAC).

May 30, 2023

You can use Pachyderm’s Role-Based Access Control (RBAC) model to configure authorization for your users. Users can be assigned roles that grant certain permissions for interacting with Pachyderm’s resources.

Before You Start

Activate User Access Management

  1. Activate authentication using the following command:

pachctl auth activate

# Pachyderm root token:
# 54778a770c554d0fb84563033c9cb808

  2. Save the root token value in a secure place.

You can use this token in the future to log in as the initial root admin user by entering the following command:

pachctl auth use-auth-token

# Please paste your Pachyderm auth token:

As a Root User (or initial admin), you can now configure Pachyderm to work with the identity management provider (IdP) of your choice.

License Expiration

When an Enterprise License expires, a Pachyderm cluster with User Access Management enabled goes into an admin-only state. In this state, only ClusterAdmins have access to the data stored in Pachyderm. This safety measure keeps sensitive data protected, even when an enterprise subscription becomes stale. To return the cluster to its previous state, run pachctl license activate and submit your new code.

User Types

Pachyderm has 5 user types:

| User Type | Description |
| --- | --- |
| IdP User | Any user or group of users authenticated by your Identity Provider to access Pachyderm. |
| Robot User | A service account used for third-party applications/systems integrating with Pachyderm APIs/clients. |
| Pipeline User | An internal service account used by pipelines when interacting with Pachyderm resources. |
| All Cluster Users | A general subject that represents everyone who has logged in to a cluster. |

Pachyderm defines 4 prefixes depending on the type of user:

Additionally, the “everyone” user allClusterUsers has no specific prefix. See the example below to learn how to assign repoReader access to allClusterUsers on a repo.
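The following shell script is an added example, not part of the original page or of Pachyderm's own tooling. It wraps the grant of a repo role to a subject (for instance repoReader to allClusterUsers) with two checks a defender would want before touching an ACL: that the subject uses a recognised form, and that the role being granted is actually a repo-level role rather than a cluster-level one. It assumes the subject prefixes user:, group:, robot: and pipeline:, the repo roles repoWriter and repoOwner alongside the page's repoReader, and the sub-commands pachctl auth set repo <repo> <role> <subject> and pachctl auth get repo <repo>; none of those appear on this page. Setting PACHCTL=echo previews the command instead of running it.

```shell
#!/bin/sh
# Added example (not Pachyderm's own code). Grants a repo role to a subject
# after validating the subject form and the role name, then lets you read the
# ACL back to confirm the change.
# Assumptions not on the page: the subject prefixes user:, group:, robot:,
# pipeline:; the roles repoWriter and repoOwner; and the pachctl commands
#   pachctl auth set repo <repo> <role> <subject>
#   pachctl auth get repo <repo>

# Override with PACHCTL=echo to preview the command that would be run.
PACHCTL="${PACHCTL:-pachctl}"

# valid_subject <subject>: 0 if the subject is allClusterUsers or carries one
# of the assumed prefixes with a non-empty name, 1 otherwise.
valid_subject() {
  case "$1" in
    allClusterUsers) return 0 ;;
    user:?*|group:?*|robot:?*|pipeline:?*) return 0 ;;
    *) return 1 ;;
  esac
}

# valid_repo_role <role>: only repo-level roles may be granted on a repo.
# repoReader is named on this page; repoWriter and repoOwner are assumed.
valid_repo_role() {
  case "$1" in
    repoReader|repoWriter|repoOwner) return 0 ;;
    *) return 1 ;;
  esac
}

# grant_repo_role <repo> <role> <subject>
# Refuses malformed subjects and non-repo roles, otherwise runs the grant.
grant_repo_role() {
  repo="$1"; role="$2"; subject="$3"
  valid_subject "$subject" || { echo "unknown subject form: $subject" >&2; return 1; }
  valid_repo_role "$role" || { echo "not a repo role: $role" >&2; return 1; }
  "$PACHCTL" auth set repo "$repo" "$role" "$subject"
}

# show_repo_acl <repo>: read the ACL back after a change so it can be audited.
show_repo_acl() {
  "$PACHCTL" auth get repo "$1"
}

# Usage, previewed rather than executed:
#   PACHCTL=echo grant_repo_role images repoReader allClusterUsers
#   PACHCTL=echo show_repo_acl images
```

Because every subject is checked against a fixed set of forms, a typo such as "robot-ci" or a bare username is rejected before any ACL is modified, and a cluster role cannot be granted on a repo by mistake; reading the ACL back afterwards is the step that turns the grant into something reviewable.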

Resource Types

Pachyderm has 3 resource types:

| Resource Type | Description |
| --- | --- |
| Cluster | A set of nodes for running containerized applications. Containers allow users to run repeatable and standardized code. |
| Project | A project is a container of one or more DAGs that allows users to organize their repos. Projects allow multiple teams to work in a cluster. |
| Repo | A repository is where data is stored and contains both files and folders. Repos track all changes to the data and create a history of data changes. |

Role Types

Pachyderm has 3 role types:

| Role Type | Description |
| --- | --- |
| Cluster Roles | Granted at the cluster level. |
| Project Roles | Granted at the project level. |
| Repo Roles | Granted at the repo level or at the cluster level. |