Adding user password and restricting user creation about clearml-server HOT 7 CLOSED

+1 for g-suite auth :)

from clearml-server.

@GolfDeltaFox thank you for clarifying, I totally understand now. Although adding SSO is doable, from a security point of view, I would not recommended putting a TRAINS-server open on the web. Firewall and load-balancer to prevent DDOS and other brute-force attacks is a must these days...

With the above said, I would recommend to do as you suggested, and put everything behind a VPN/VPC.

I'm also tagging this thread as 'user management feature request', and again I have to stress TRAINS-server should be deployed as internal access only :)

from clearml-server.

First, the compliment is greatly appreciated :)

When we designed trains-server, we thought of it as an internal infrastructure system. This is why we thought user/pass login is unnecessary, since we wanted to encourage visibility, instead of limiting it with a defined set of credentials.

The main use case for individual web-app login is in the "admin" page (which will soon be renamed to profile), where you create your specific key/secret credentials pair, to put into your trains.conf file.

Once you have configured your trains.conf file, any task/experiment created from your machine will be created with your user-name, so everyone knows who trained which model, etc.

Login to the web-app by itself, is kind of meaningless as, it will mostly give you read access to the ongoing development of the project. In other words, great way to create transparency between: research, engineering and management.

It was also quite convenient to store fixed credentials per remote machine. Every time someone logged into the machine, it automatically used their credentials, so we immediately knew who was running on which machine.

Quick FYI, you can also set these key/secret credentials from OS environment, so it can be part of the login .bashrc script:

export TRAINS_API_ACCESS_KEY=""
export TRAINS_API_SECRET_KEY=""
export TRAINS_API_HOST=""

Did that answer your question? If not, what is exactly the scenario you had in mind, meaning why would you limit the login to a specific set of users in your organization?

from clearml-server.

I'm using the AWS AMI release and addressing the front end of managing users (I'm ok with credentials management in back-end)

Before creating the credentials we need to login to the web interface - How do I manage users authentication and authorisation in the web interface ? Can I login using g-suite ?

After I have used new user login and all the users that logged in the past appear in the login screen, this is a bit ugly since the login screen now includes test users and demo users (test, test1, test11, test111 etc ;-)

I want to clear these users they all appear in the login screen after logout and clutter the view
It would be best if the web login could use the Google’s SAML and/or OpenID

from clearml-server.

@bmartinn : Thank you for your answer and additional information. Although our use case is the following:
Our users want to use the same trains-server in different locations. But, yet we still want to be able to hide the web interface behind either a login page or in a VPC (to prevent anyone to randomly kill or archive experiments, or steal sensitive data). Since the second option is more complicated for the end user, the ideal scenario would be to have a Gsuite SSO with a restriction on the domain name (eg: [email protected]).

from clearml-server.

@GolfDeltaFox we added the ability to specify a list of User/Pass login credentials for the web server.
Feel free to check v0.10.1
😃

from clearml-server.

Closing, feature added to v0.10.1

from clearml-server.