@msteffen
Last active August 23, 2018 00:32
Running experimental Pachyderm release

Activate Pachyderm enterprise and Pachyderm auth

pachctl enterprise activate <enterprise code>
pachctl auth activate --initial-admin=robot:abc

Write Pachyderm config

# Look up the current config version. The Pachyderm auth config carries a version
# barrier to prevent read-modify-write conflicts between admins: a write is rejected
# unless the version it names matches the live one. `// 0` covers a config with no
# version field, and the second line covers an empty response.
live_config_version="$(pachctl auth get-config | jq -r '.live_config_version // 0')"
live_config_version="${live_config_version:-0}"

# Set the Pachyderm config. The document is plain JSON, so it carries no comments:
#  - live_config_version is the version read above (prevents read-modify-write conflicts)
#  - id_providers[].saml.metadata_url is the metadata URL of your Okta app (placeholder below)
#  - the saml_svc_options URLs work if using pachctl port-forward
pachctl auth set-config <<EOF
{
  "live_config_version": ${live_config_version},
  "id_providers": [
    {
      "name": "okta",
      "description": "Okta test app",
      "saml": {
        "metadata_url": "<okta app metadata URL>"
      }
    }
  ],
  "saml_svc_options": {
    "acs_url": "http://localhost:30654/saml/acs",
    "metadata_url": "http://localhost:30654/saml/metadata",
    "dash_url": "http://localhost:30080/auth/autologin"
  }
}
EOF

Logging In

Currently Pachyderm only supports IdP-initiated authentication. Configure an Okta app to point to the Pachyderm ACS (http://localhost:30654/saml/acs if using pachctl port-forward), then sign in via the new Okta app.

This should allow you to log in at the Pachyderm dash. To log in with the Pachyderm CLI, get a One-Time Password from the Pachyderm dash, and then run pachctl auth login --code=<one-time password> in your terminal.

Debug Logging

If we run into issues while deploying this, it may be useful to enable a collection of debug logs that we added during development. To do so, add the option "debug_logging": true to "saml_svc_options":

pachctl auth set-config <<EOF
{
  ...
  "saml_svc_options": {
    ...
    "debug_logging": true
  }
}
EOF

Groups

Pachyderm has very preliminary, experimental support for groups. While they won't appear in ACLs in the dash (and may have other issues), you can experiment using the CLI by setting "group_attribute" in the IDProvider field of the auth config:

pachctl auth set-config <<EOF
{
  ...
  "id_providers": [
    {
      ...
      "saml": {
        "group_attribute": "memberOf"
      }
    }
  ]
}
EOF
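The three set-config snippets above (the initial config, the debug_logging flag, and the group_attribute) are all read-modify-write operations on the same document, and each must carry the live_config_version forward and be valid JSON (no inline comments, no trailing commas). The following added example, which is not part of the gist and not Pachyderm's own tooling, builds such updates: it parses the current config as `pachctl auth get-config` would print it, deep-merges a change into `saml_svc_options` or into one named IdP's `saml` block, keeps `live_config_version` unchanged so the server's barrier can still detect a concurrent edit, and emits JSON ready to pipe into `pachctl auth set-config`. The sample current config and the `https://example.okta.com/...` metadata URL are constructed for the example.

```python
import json
from copy import deepcopy

# Constructed sample of what `pachctl auth get-config` might print for a cluster
# that already has one IdP configured. Made up for this example, not real output.
CURRENT_CONFIG_JSON = """
{
  "live_config_version": 3,
  "id_providers": [
    {
      "name": "okta",
      "description": "Okta test app",
      "saml": {"metadata_url": "https://example.okta.com/app/metadata"}
    }
  ],
  "saml_svc_options": {
    "acs_url": "http://localhost:30654/saml/acs",
    "metadata_url": "http://localhost:30654/saml/metadata",
    "dash_url": "http://localhost:30080/auth/autologin"
  }
}
"""


def parse_config(text):
    """Parse the current auth config. An empty response (no config yet) maps to
    version 0, matching the `${live_config_version:-0}` fallback in the shell."""
    if not text.strip():
        return {"live_config_version": 0, "id_providers": [], "saml_svc_options": {}}
    cfg = json.loads(text)  # strict JSON: '#' comments and trailing commas are rejected
    cfg.setdefault("live_config_version", 0)
    cfg.setdefault("id_providers", [])
    cfg.setdefault("saml_svc_options", {})
    return cfg


def deep_merge(base, overlay):
    """Return a copy of `base` with `overlay` merged in; nested dicts are merged
    key by key so existing settings (e.g. acs_url) survive a small change."""
    out = deepcopy(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = deepcopy(value)
    return out


def build_update(current_text, saml_svc_overrides=None, idp_name=None, saml_overrides=None):
    """Produce the JSON document to feed to `pachctl auth set-config`.

    live_config_version is copied from the config that was read, never bumped
    locally: the server compares it with the live version and rejects the write
    if another admin changed the config in between, which is the barrier the
    gist describes."""
    cfg = parse_config(current_text)
    new = deepcopy(cfg)
    if saml_svc_overrides:
        new["saml_svc_options"] = deep_merge(new["saml_svc_options"], saml_svc_overrides)
    if idp_name is not None:
        matches = [p for p in new["id_providers"] if p.get("name") == idp_name]
        if not matches:
            raise ValueError("no id_provider named %r in current config" % idp_name)
        provider = matches[0]
        provider["saml"] = deep_merge(provider.get("saml", {}), saml_overrides or {})
    new["live_config_version"] = cfg["live_config_version"]
    return json.dumps(new, indent=2)


def enable_debug_logging(current_text):
    """The 'Debug Logging' change: add debug_logging: true to saml_svc_options."""
    return build_update(current_text, saml_svc_overrides={"debug_logging": True})


def set_group_attribute(current_text, idp_name, attribute):
    """The 'Groups' change: set saml.group_attribute on one named IdP."""
    return build_update(current_text, idp_name=idp_name,
                        saml_overrides={"group_attribute": attribute})


if __name__ == "__main__":
    # Pipe this output into `pachctl auth set-config` after reading the live config
    # with `pachctl auth get-config`; here it just runs on the constructed sample.
    print(set_group_attribute(enable_debug_logging(CURRENT_CONFIG_JSON), "okta", "memberOf"))
```

Because `json.loads` is strict, running the document through `parse_config` before submitting it also catches the two easy mistakes in hand-written heredocs, inline `#` notes and trailing commas, before `pachctl` sees them.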

Then, try:

pachctl create-repo group-test
pachctl put-file group-test master -f some-data.txt
pachctl auth set group/saml:"Test Group" reader group-test

Elsewhere:

pachctl auth login --code=<auth code>
pachctl get-file group-test master /some-data.txt # should work for members of "Test Group"