
Role Binding

Learn how to grant and modify permissions on given resources for an IDP or robot user.

May 26, 2023

This chapter will detail how to:

ℹ️

Default Privileges.

  • Root User: The activation of the Authentication and Authorization feature generates a Root User with unalterable and unrevokable clusterAdmin privileges.
  • Robot User: Robot users do not have any permissions by default. They need to be set by a clusterAdmin.
  • The case of the Pipeline User: In Pachyderm, you do not explicitly grant users access to pipelines, they get set for you when you create or update a pipeline.
⚠️

Rules to keep in mind

  • A user or group can have one or more roles on a specific Resource.
  • Roles are inherited: if a user has a role on a cluster, they have that role for all projects and repos in that cluster.
  • The creator of a repo becomes its repoOwner.
  • To update a pipeline, you must have at least repoReader-level access to all pipeline inputs and repoWriter-level access to the pipeline output. This is because pipelines read from their input repos and write to their output repos.
  • When a user subscribes a pipeline to a repo, Pachyderm sets that user as a repoOwner of that pipeline’s output repo. If additional users need access to the output repository, the initial repoOwner of the pipeline’s output repo, or a clusterAdmin, needs to grant those users access to the repo.

Set Roles to Users

ℹ️

Alternatively, you have the option to set your cluster roles directly through Helm using the helm value: pachd.pachAuthClusterRoleBindings.

For example, grant reader access to all repos to a specific group:

```yaml
pachd:
  pachAuthClusterRoleBindings:
    group:data-scientists:
    - repoReader
```

Or, give the user paul@company.com the clusterAdmin role, and the robot user wallie logReader rights on the cluster.

```yaml
pachd:
  pachAuthClusterRoleBindings:
    user:paul@company.com:
    - clusterAdmin
    robot:wallie:
    - logReader
```

To keep using our Auth0 example and illustrate the attribution of a given Role to a User, let’s have our Root User (with default clusterAdmin privileges) give repoReader access to a repo to our one-pachyderm-user@gmail.com user.

In particular, we will:

  1. Connect as our Root User again.
  2. Create a repo named testinput containing one text file.
  3. Grant repoReader access on this repo to our user one-pachyderm-user@gmail.com registered with our IdP (Auth0).
  4. See what happens when one-pachyderm-user@gmail.com tries to write in the repo without the proper writing access.
ℹ️

Note that the user one-pachyderm-user@gmail.com has a prefix user. Pachyderm defines 4 prefixes depending on the type of user:

  • robot
  • user
  • group
  • pipeline (as mentioned above, this prefix is not used when granting privileges to users. It does exist, however, and is listed here to give an exhaustive list of all prefixes.)

Additionally, the “everyone” user allClusterUsers has no prefix. See the example below to learn how to assign repoReader access to allClusterUsers on a repo.
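The rules above (role inheritance from the cluster, the repoReader-on-inputs and repoWriter-on-output requirement for pipelines, the four principal prefixes and the bare allClusterUsers principal) as an added, runnable pre-flight check; this is not Pachyderm's own code. It parses the `pachctl auth get repo` output format shown later on this page and decides whether a caller may update a pipeline. It assumes repo roles nest repoReader < repoWriter < repoOwner and that clusterAdmin implies every repo role; the binding text and cluster-level bindings are constructed samples.

```python
import re

# Assumption (not from the page): each repo role implies the ones before it.
REPO_ROLES = ["repoReader", "repoWriter", "repoOwner"]
PREFIXES = ("robot", "user", "group", "pipeline", "pach")  # page's 4 prefixes + "pach:root"
EVERYONE = "allClusterUsers"  # the "everyone" principal carries no prefix

# Constructed sample in the format `pachctl auth get repo <repo>` prints on this page.
SAMPLE_TESTINPUT = """pach:root: [repoOwner]
user:another-pachyderm-user@gmail.com: [repoReader]
group:testgroup: [repoOwner]
"""
SAMPLE_TESTOUTPUT = "user:one-pachyderm-user@gmail.com: [repoWriter]\n"
# Cluster-wide bindings as the Helm examples above would create them (constructed).
CLUSTER = {"group:data-scientists": {"repoReader"}, "user:paul@company.com": {"clusterAdmin"}}

def valid_principal(principal: str) -> bool:
    """allClusterUsers is bare; everything else must be <prefix>:<name>."""
    if principal == EVERYONE:
        return True
    prefix, sep, name = principal.partition(":")
    return bool(sep) and prefix in PREFIXES and bool(name)

def parse_bindings(text: str) -> dict:
    """Turn 'group:testgroup: [repoOwner]' lines into {principal: {roles}}."""
    bindings = {}
    for line in text.strip().splitlines():
        m = re.fullmatch(r"(\S+): \[([^\]]*)\]", line.strip())
        if not m or not valid_principal(m.group(1)):
            raise ValueError(f"unexpected binding line: {line!r}")
        bindings[m.group(1)] = {r.strip() for r in m.group(2).split(",") if r.strip()}
    return bindings

def role_level(roles: set) -> int:
    """Highest repo-role index granted; clusterAdmin counts as repoOwner; -1 if none."""
    if "clusterAdmin" in roles:
        return len(REPO_ROLES) - 1
    return max((REPO_ROLES.index(r) for r in roles if r in REPO_ROLES), default=-1)

def has_at_least(repo_bindings: dict, principals: set, needed: str) -> bool:
    """Any of the caller's principals (user, groups, allClusterUsers) reaches `needed`
    on the repo, directly or via an inherited cluster-level role."""
    best = max(role_level(scope.get(p, set()))
               for scope in (repo_bindings, CLUSTER) for p in principals | {EVERYONE})
    return best >= REPO_ROLES.index(needed)

def can_update_pipeline(inputs: list, output: str, repos: dict, principals: set) -> bool:
    """Rule from the page: repoReader on every input and repoWriter on the output."""
    return (all(has_at_least(repos.get(r, {}), principals, "repoReader") for r in inputs)
            and has_at_least(repos.get(output, {}), principals, "repoWriter"))
```

With the samples above, `can_update_pipeline(["testinput"], "testoutput", repos, {"user:one-pachyderm-user@gmail.com", "group:testgroup"})` is True because the group owns the input and the user can write the output, while another-pachyderm-user@gmail.com, who only reads the input, is refused.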

📖

Use --help to display the list of all available commands, arguments, and flags of the command pachctl auth set.

ℹ️
  • To alter a user’s privileges, re-run the pachctl auth set command above with a different set of Roles. For example,

    pachctl auth set repo testinput repoWriter user:one-pachyderm-user@gmail.com

    will give one-pachyderm-user@gmail.com repoWriter privileges when they were initially granted repoReader access.

  • To revoke access, set the role to none:

    pachctl auth set repo testinput none user:one-pachyderm-user@gmail.com

    will remove any previously granted rights on the repo testinput from the user one-pachyderm-user@gmail.com.

  • To grant every user on the cluster repoReader access to the repo (the allClusterUsers example mentioned above):

    pachctl auth set repo testinput repoReader allClusterUsers

Set Roles to Groups

If your IdP enables group support, you can grant access on Pachyderm resources to a group of users.

Let’s keep using our Auth0 example as an illustration, and:

  1. As a clusterAdmin, create a Group in Auth0.
  2. Assign our user to the newly created group.
  3. Update our connector accordingly.
  4. Grant the group owner access to a specific repo in Pachyderm.
📖

To enable the Group creation in Auth0, you will need to install an Authorization Extension to Auth0:

  • Go to Auth0 Dashboard > Extensions.
  • Select Auth0 Authorization and answer the prompt to install.
  • Choose where you would like to store your data (Webtask Storage for this example) and click Install.
  • Additionally, because Auth0 does not include the groups in the ID token when you use the Authorization Extension above, you will have to manually edit the following rule:
    • In the Auth Pipeline menu on the left, in Rules, click on auth0-authorization-extension. This will take you to the Edit Rule page of the extension.
    • Insert the line context.idToken['http://pachyderm.com/groups'] = user.groups; at line 35 and Save your changes.

      Authorization Extension Rule Edition

  1. Group creation

    An Authorization link should now show on your Auth0 webpage. In Authorization/Groups, create a group. Here testgroup:

    Group creation

  2. Add your user to your group

    In Authorization/Users, select your user one-pachyderm-user@gmail.com and add them to your testgroup as follows.

    Add User to Group

    In User Management/Users, your user should now show the following addition to their app_metadata:

    ```json
    {
        "authorization": {
            "groups": [
                "testgroup"
            ]
        }
    }
    ```
  3. Update your connector

    === "oidc-dex-connector.json"

    ```json
    {
        "type": "oidc",
        "id": "auth0",
        "name": "Auth0",
        "version": 1,
        "config":{
        "issuer": "https://dev-k34x5yjn.us.auth0.com/",
        "clientID": "hegmOc5rTotLPu5ByRDXOvBAzgs3wuw5",
        "clientSecret": "7xk8O71Uhp5T-bJp_aP2Squwlh4zZTJs65URPma-2UT7n1iigDaMUD9ArhUR-2aL",
        "redirectURI": "http://<ip>:30658/callback",
        "scopes": ["groups", "email", "profile"],
        "claimMapping":{
            "groups": "http://pachyderm.com/groups"
        },
        "insecureEnableGroups": true
        }
    }
    ```
    

    === "oidc-dex-connector.yaml"

    ```yaml
    type: oidc
    id: auth0
    name: Auth0
    version: 1
    config:
        issuer: https://dev-k34x5yjn.us.auth0.com/
        clientID: hegmOc5rTotLPu5ByRDXOvBAzgs3wuw5
        clientSecret: 7xk8O71Uhp5T-bJp_aP2Squwlh4zZTJs65URPma-2UT7n1iigDaMUD9ArhUR-2aL
        redirectURI: http://<ip>:30658/callback
        scopes: 
        - groups
        - email
        - profile
        claimMapping:
            groups: http://pachyderm.com/groups
        insecureEnableGroups: true
    ```
    

    Note the addition of the scopes and claimMapping fields to your original connector configuration file. Update your connector:

    pachctl idp update-connector auth0 --version 2

    Your group is all set to receive permissions to Pachyderm’s resources.

  4. Grant the group owner (repoOwner) access to a specific repo in Pachyderm.

    pachctl auth set repo testinput repoOwner group:testgroup

    A quick check on this repo should give you its updated list of users and their access level:

    pachctl auth get repo testinput

    System Response

    pach:root: [repoOwner]
    user:another-pachyderm-user@gmail.com: [repoReader]
    group:testgroup: [repoOwner]
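An added check for the connector edit in step 3 (not Pachyderm's or Dex's code): it confirms the connector requests the groups scope, maps Dex's groups claim to the claim name the Auth0 rule writes into the ID token, and enables groups in Dex, so that a group binding like the one above can ever match. The connector dictionaries are constructed copies of the page's example with the client secret redacted and the `<ip>` placeholder filled with a documentation-range address; the check messages are this example's own.

```python
import json

# The claim name the Auth0 rule in step 3 writes into the ID token.
GROUPS_CLAIM = "http://pachyderm.com/groups"

# Constructed copy of the page's updated connector (clientSecret redacted, <ip> filled in).
UPDATED = {
    "type": "oidc", "id": "auth0", "name": "Auth0", "version": 1,
    "config": {
        "issuer": "https://dev-k34x5yjn.us.auth0.com/",
        "clientID": "hegmOc5rTotLPu5ByRDXOvBAzgs3wuw5",
        "clientSecret": "<redacted>",
        "redirectURI": "http://203.0.113.10:30658/callback",
        "scopes": ["groups", "email", "profile"],
        "claimMapping": {"groups": GROUPS_CLAIM},
        "insecureEnableGroups": True,
    },
}
# The same connector before step 3: no scopes, claimMapping or insecureEnableGroups.
ORIGINAL = json.loads(json.dumps(UPDATED))
for key in ("scopes", "claimMapping", "insecureEnableGroups"):
    del ORIGINAL["config"][key]

def check_groups_connector(connector: dict) -> list:
    """Return the problems that would keep Auth0 group membership from reaching Pachyderm."""
    cfg = connector.get("config", {})
    problems = []
    if connector.get("type") != "oidc":
        problems.append("type must be oidc")
    if not str(cfg.get("issuer", "")).startswith("https://"):
        problems.append("issuer must be an https URL")
    if "groups" not in cfg.get("scopes", []):
        problems.append("scopes must request 'groups'")
    if cfg.get("claimMapping", {}).get("groups") != GROUPS_CLAIM:
        problems.append(f"claimMapping.groups must be {GROUPS_CLAIM}, the claim the Auth0 rule sets")
    if cfg.get("insecureEnableGroups") is not True:
        problems.append("insecureEnableGroups must be true for Dex to forward the groups claim")
    if "<ip>" in str(cfg.get("redirectURI", "")) or not cfg.get("clientSecret"):
        problems.append("redirectURI placeholder or empty clientSecret still present")
    return problems
```

`check_groups_connector(UPDATED)` returns an empty list, while `check_groups_connector(ORIGINAL)` reports the three missing group-related fields that the note under the connector tabs tells you to add.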
📖
The command `pachctl auth get-groups` lists the groups that have been defined on your cluster.