Configure your hopsworks cluster to use OAuth2 for user management.#
Once you have created a Hopsworks cluster you can configure it to use OAuth2 for its access control. We will go through a step-by-step description of the configuration process. To illustrate our explanation We will use Azure Active Directory as the identity provider, but the same can be done with any identity provider supporting OAuth2.
Step 1: Configure your identity provider.#
To use OAuth2 in hopsworks you first need to create and configure an OAuth client in your identity provider. We will take the example of Azure AD for the remaining of this documentation, but equivalent steps can be taken on other identity providers.
Enter a name for the client such as hopsworks_oauth_client. Verify the Supported account type is set to Accounts in this organizational directory only. And Click Register.
In the Overview section, copy the Application (client) ID field. We will use it in step 2 under the name OAUTH_CLIENT_ID.
Click on Endpoints and copy the OpenId Connect metadata document endpoint excluding the .well-known/openid-configuration part. We will use it in step 2 under the name PROVIDER_URI.
Click on Certificates & secrets, then Click on New client secret.
Add a description of the secret. Select an expiration period. And, Click Add.
Copy the secret. This will be used in step 2 under the name OAUTH_CLIENT_SECRET.
Click on Authentication. Then click on Add a platform
In Configure platforms click on Web.
Enter the Redirect URI and click on Configure. The redirect URI is HOPSWORKS-URI/callback with HOPSWORKS-URI the URI of your hopsworks cluster. You can find it by going to the hopsworks.ai dashboard in the General tab of your cluster and copying the URI (excluding the /#!/).
Step 2: Configure Hopsworks#
Log into your Hopsworks cluster and go to the admin page.
Click on Edit variables
Enter oauth in the Name entry field (1). Set oauth_enabled to true (2).Set oauth_redirect_uri to the same redirect URI as above (3). Set oauth_logout_redirect_uri to the same redirect URI as above without the callback at the end (4). Set oauth_account_status to 2 (5). Set oauth_group_mapping to ANY_GROUP->HOPS_USER (6). Click on Reload variables (7) and click on Admin Home (8).
If you let the value 1 for oauth_account_status an administrator will need to enable the user in hopsworks each time a new user tries to login with OAuth.
Setting oauth_group_mapping to ANY_GROUP->HOPS_USER will assign the role user to any user from any group in your identity provider when the log into hopsworks with OAuth for the first time. You can replace ANY_GROUP with the group of your choice in the identity provider. You can replace HOPS_USER by HOPS_ADMIN if you want the users of the group to be admins in hopsworks. You do several mappings of groups to roles by comma separating them.
Click on Register OAuth 2.0 Client.
Click on the + next to Register OpenId provider and client (1). Set Client id to be the OAUTH_CLIENT_ID you copied above (2). Set Client secret to be the OAUTH_CLIENT_SECRET you copied above (3). Give a name to your provider in Provider name for example, OAuth (4). Give the name that will be displayed on the login page for your provider in Provider display name for example, OAuth (5). Set Provider URI to the PROVIDER_URI you copied above (6). Click Save (7).
Users will now see a new button on the login page. The button has the name you set above for Provider display name and will redirect to your identity provider.