Skip to main content

Engine profile security configuration

Engine profiles are the primary way administrators in H2O AI Engine Manager (AIEM) enforce resource boundaries and operational limits on the engines users create. A profile defines the resource constraints, timeout limits, and configuration rules that apply to every engine created with it. Administrators also control which engine versions and container images users can select. Together, these settings let you apply least-privilege resource governance across a workspace.

This page is a reference for the security-relevant profile, version, and image settings, their defaults, and the recommended values.

Before you begin

  • You need an engine admin role (enginemanager-dai-engine-admin, enginemanager-h2o-engine-admin, or enginemanager-notebook-engine-admin) assigned in the workspaces/global workspace. See RBAC roles and permissions for the full permission breakdown.
  • You need access to the AIEM REST API or web interface.
  • AIEM manages engine profiles, engine versions, and notebook and sandbox images in the workspaces/global workspace, so assign the relevant admin role in the global workspace to the people who manage them. Sandbox engine templates and engine instances are managed per project workspace.
note

AIEM creates no profiles, versions, or images by default. Until an administrator creates them, users cannot create engines. Create at least one profile and one approved version or image per engine type before users start working.

Engine profiles

Each engine type has its own profile schema. Profiles for Driverless AI, H2O-3, and Notebook engines share a common set of resource and access controls, and each type adds settings specific to its engine.

REST API

Manage profiles through the REST API at these endpoints:

  • Driverless AI: POST|GET|PATCH|DELETE /v1/workspaces/global/daiEngineProfiles[/{profile}]
  • H2O-3: POST|GET|PATCH|DELETE /v1/workspaces/global/h2oEngineProfiles[/{profile}]
  • Notebook: POST|GET|PATCH|DELETE /v1/workspaces/global/notebookEngineProfiles[/{profile}]

See the REST API reference for full request and response schemas.

Resource constraints

Resource constraints bound how much compute an engine can request. Each constraint is a structured value with a min, a max, and a default. Numeric constraints also accept an optional cumulative_max that caps the total across all of a user's engines using that profile. When you leave max unset, the value is unlimited, so always set an explicit max to prevent resource exhaustion.

ConstraintEngine typesDescription
cpu_constraintDriverless AI, H2O-3, NotebookCPU core allocation range.
gpu_constraintDriverless AI, H2O-3, NotebookGPU allocation range. Constrain this to control access to expensive GPU resources.
memory_bytes_constraintDriverless AI, H2O-3, NotebookMemory allocation range.
storage_bytes_constraintDriverless AI, NotebookPersistent storage allocation range.
node_count_constraintH2O-3Number of nodes in the H2O-3 cluster. Controls distributed compute scale.

Each resource constraint is a required field when you create a profile.

Duration and concurrency limits

Duration and concurrency limits prevent idle and abandoned engines from consuming resources indefinitely. Set them to enforce cost and resource governance.

SettingEngine typesTypeDefaultDescription
max_idle_duration_constraintDriverless AI, H2O-3, NotebookDuration range (min/max/default)RequiredPauses an engine (Driverless AI, Notebook) or terminates it (H2O-3, which has no pause) after it is idle for the configured duration.
max_running_duration_constraintDriverless AI, H2O-3, NotebookDuration range (min/max/default)RequiredPauses an engine (Driverless AI, Notebook) or terminates it (H2O-3, which has no pause) after it has run for the configured duration.
max_unused_durationDriverless AIDurationUnset (no limit)Auto-deletes an engine that stays in a paused or failed state for this duration.
max_non_interaction_durationDriverless AIDurationUnset (not applied)When set, a Driverless AI engine is auto-paused only if it is idle and has also had no system interaction for this duration.
max_running_enginesDriverless AI, H2O-3, NotebookIntegerUnset (unlimited)Maximum number of running engines per user for this profile.
tip

Set max_running_engines to a limit appropriate for your organization to prevent a single user from monopolizing workspace resources, and set max_unused_duration on Driverless AI profiles to clean up abandoned engines automatically.

Driverless AI configuration controls

Driverless AI profiles add settings that govern whether and how users can change Driverless AI configuration (config.toml). These settings exist only on Driverless AI profiles.

SettingTypeDefaultDescription
config_editabilityEnum: CONFIG_EDITABILITY_DISABLED, CONFIG_EDITABILITY_BASE_CONFIG_ONLY, CONFIG_EDITABILITY_FULLNone — requiredControls whether users can change Driverless AI configuration parameters.
configuration_overrideMapEmptyConfiguration that overrides user settings. Users cannot change these values.
base_configurationMapEmptyDefault configuration that a user can override when config_editability allows it.
triton_enabledBooleanfalseEnables the built-in Triton inference server in the Driverless AI engine.

config_editability is a required field with no default value — you must set it to one of the three values on every Driverless AI profile:

  • CONFIG_EDITABILITY_DISABLED — users cannot change any configuration.
  • CONFIG_EDITABILITY_BASE_CONFIG_ONLY — users can change only the keys in base_configuration.
  • CONFIG_EDITABILITY_FULL — users can change any configuration value. This is the most permissive option.
danger

CONFIG_EDITABILITY_FULL lets users override Driverless AI configuration freely. Set config_editability to CONFIG_EDITABILITY_DISABLED or CONFIG_EDITABILITY_BASE_CONFIG_ONLY unless users genuinely need full configuration control, and use configuration_override to enforce any security-relevant values that users must not change.

Profile access restrictions

By default, any user with access to a workspace can use any enabled profile in it. Restrict a profile to specific OIDC roles to limit who can create engines with sensitive resource allocations.

SettingTypeDefaultDescription
assigned_oidc_roles_enabledBooleanfalseWhen true, AIEM checks assigned_oidc_roles before letting a user use the profile.
assigned_oidc_rolesList of stringsEmptyThe OIDC roles allowed to use the profile when assigned_oidc_roles_enabled is true.
enabledBooleanfalseWhen set to false, the profile is turned off and cannot be used to create engines.

Pod-level controls

Profiles can inject Kubernetes pod configuration into the engines they create. Review these settings carefully, because they change how engine pods are scheduled and what runs alongside them.

SettingEngine typesDescription
yaml_pod_template_specDriverless AI, H2O-3, NotebookA custom PodTemplateSpec merged into the engine pod. Can add sidecars, tolerations, or node selectors.
yaml_gpu_tolerationsDriverless AI, H2O-3, NotebookGPU node scheduling tolerations applied when the engine requests a GPU.
gpu_resource_nameDriverless AI, H2O-3, NotebookThe Kubernetes GPU resource name (for example, nvidia.com/gpu). When unset, the server applies a default value.
data_directory_storage_classDriverless AIThe Kubernetes storage class for the Driverless AI data directory. When unset, the cluster's default storage class is used.
storage_class_nameNotebookThe Kubernetes storage class for notebook persistent storage. When unset, the cluster's default storage class is used.

H2O-3 runtime options

H2O-3 profiles add settings that pass extra options to the H2O-3 runtime. Review them for security-relevant flags.

SettingTypeDescription
java_classpathStringExtra Java classpath for the H2O-3 process. Review for untrusted JAR files.
java_optionsStringExtra command-line options passed to Java. Review for debug or remote-access flags.
h2o_optionsStringExtra command-line options passed to H2O-3.

Notebook git sync

Notebook profiles can sync a git repository into each notebook when the engine is created. Sync only trusted repositories, because synced content runs in the user's notebook environment.

SettingTypeDefaultDescription
sync_git_repository_enabledBooleanfalseTurns on git repository sync for notebooks created with the profile.
git_repositoryStringEmptyThe git repository URL to sync. Restrict to trusted sources.
git_refStringUnset (server applies HEAD)The git revision (branch, tag, or commit hash) to check out. Pin to a specific ref for reproducibility.
git_directory_nameStringExampleThe directory in the user's home folder where AIEM syncs the repository.

Engine versions and images

Administrators control which engine software versions and container images users can select. Curate these lists to make sure users deploy only approved software.

REST API

Manage versions and images through the REST API at these endpoints:

  • DAI versions: POST|GET|PATCH|DELETE /v1/workspaces/global/daiEngineVersions[/{version}], :assignAliases
  • H2O versions: POST|GET|PATCH|DELETE /v1/workspaces/global/h2oEngineVersions[/{version}], :assignAliases
  • Notebook images: POST|GET|PATCH|DELETE /v1/workspaces/global/notebookEngineImages[/{image}]
  • Sandbox images: POST|GET|PATCH|DELETE /v1/workspaces/global/sandboxEngineImages[/{image}]

See the REST API reference for full request and response schemas.

ResourceEngine typeAdmin operations
DAI engine versionsDriverless AICreate, update, delete, and assign aliases.
H2O engine versionsH2O-3Create, update, delete, and assign aliases.
Notebook engine imagesNotebookCreate, update, delete, and turn on or off.
Sandbox engine imagesSandboxCreate, update, delete, and turn on or off.
Sandbox engine templatesSandboxCreate, update, delete, and turn on or off.

Apply these practices to keep the catalog secure:

  • Deprecate outdated versions. Set the deprecated field to true on a version that should no longer be used. Users cannot create new engines with a deprecated version or upgrade an engine to it; engines already running on it are unaffected.
  • Use aliases to guide users. Assign aliases such as latest and stable to approved versions so users select a known-good version. Aliases are a field on the version; assign them with the version's :assignAliases operation.
  • Turn off images you do not need. A notebook or sandbox image, or a sandbox template, must have enabled set to true before users can create engines with it. Leave unneeded images and templates turned off.

Sandbox engine templates

Sandbox engine templates define fixed resource allocations and the environment for sandbox engines. Set conservative limits and review the environment for sensitive values.

REST API

Manage sandbox templates through the REST API at: POST|GET|PATCH|DELETE /v1/workspaces/{workspace}/sandboxEngineTemplates[/{template}]

Unlike profiles, versions, and images, sandbox templates are managed per project workspace, not in the global workspace.

SettingTypeDefaultDescription
milli_cpu_request, milli_cpu_limitInteger (milliCPU)UnsetCPU request and limit. Set a limit to prevent resource exhaustion.
memory_bytes_requestIntegerUnsetMemory request.
memory_bytes_limitIntegerRequiredMemory limit. Always set to prevent memory exhaustion.
storage_bytesIntegerUnsetEphemeral storage limit. Set to prevent disk exhaustion.
gpu_resource, gpuString, integerUnsetThe Kubernetes GPU resource name and the number of GPU units. Allocate GPUs only to templates that need them.
max_idle_durationDurationRequiredAuto-terminates the sandbox engine after this idle duration. A value of 0s means no idle limit.
max_running_durationDurationRequiredAuto-terminates the sandbox engine after this running duration.
environmental_variablesMapEmptyEnvironment variables injected into the sandbox. Review for sensitive values; do not include secrets.
yaml_pod_template_specString (YAML)EmptyA custom PodTemplateSpec merged into the sandbox pod. Review for security implications.
enabledBooleanfalseWhen set to false, the template is turned off and cannot be used to create sandbox engines.

Secure defaults and recommendations

Use the following table as a hardening checklist when you create profiles, versions, and images. Most security-relevant limits are optional or required-with-no-default, so apply them deliberately.

SettingDefaultRecommended
Engine profilesNone createdCreate a profile per engine type with conservative resource constraints before users create engines.
Engine versions and imagesNone configuredCreate an approved set; deprecate outdated versions; turn off images you do not need.
config_editability (Driverless AI)None — requiredSet to CONFIG_EDITABILITY_DISABLED or CONFIG_EDITABILITY_BASE_CONFIG_ONLY unless users need full configuration control.
assigned_oidc_roles_enabledfalseTurn on for sensitive profiles and list the allowed roles in assigned_oidc_roles.
max_running_enginesUnset (unlimited)Set a per-user limit to prevent resource monopolization.
max_unused_duration (Driverless AI)UnsetSet so AIEM cleans up paused or failed engines automatically.
Sandbox template environmental_variablesEmptyReview for secrets; keep sensitive values out of templates.

Verify current configuration

Administrators can review the current configuration through the AIEM REST API or the web interface. The following requests list profiles, versions, and images so you can compare them against your organization's requirements. Replace ENGINEMANAGER_URL with your AIEM host, TOKEN with a valid bearer token, and WORKSPACE with the target workspace ID (for example, my-project).

List engine profiles to verify resource constraints, duration limits, and config_editability:

curl -H "Authorization: Bearer $TOKEN" \
https://ENGINEMANAGER_URL/v1/workspaces/global/daiEngineProfiles

curl -H "Authorization: Bearer $TOKEN" \
https://ENGINEMANAGER_URL/v1/workspaces/global/h2oEngineProfiles

curl -H "Authorization: Bearer $TOKEN" \
https://ENGINEMANAGER_URL/v1/workspaces/global/notebookEngineProfiles

List engine versions to verify that only approved versions are present and that outdated ones are deprecated:

curl -H "Authorization: Bearer $TOKEN" \
https://ENGINEMANAGER_URL/v1/workspaces/global/daiEngineVersions

curl -H "Authorization: Bearer $TOKEN" \
https://ENGINEMANAGER_URL/v1/workspaces/global/h2oEngineVersions

List notebook and sandbox images, and sandbox templates, to verify that only approved images are turned on and that templates set an idle limit and carry no secrets in their environment variables:

curl -H "Authorization: Bearer $TOKEN" \
https://ENGINEMANAGER_URL/v1/workspaces/global/notebookEngineImages

curl -H "Authorization: Bearer $TOKEN" \
https://ENGINEMANAGER_URL/v1/workspaces/global/sandboxEngineImages

curl -H "Authorization: Bearer $TOKEN" \
https://ENGINEMANAGER_URL/v1/workspaces/WORKSPACE/sandboxEngineTemplates
note

Engine profiles, engine versions, and notebook and sandbox images are managed in the global workspace, so the preceding requests use workspaces/global. Sandbox templates and engine instances are per workspace, so replace WORKSPACE with the workspace you want to inspect.


Feedback