H2O AI Hybrid Cloud (H2OAIC) utilizes a compatible OpenID Connect (OIDC) provider, such as Keycloak, to authenticate and authorize users in both the App Store and Wave apps. This allows for easy integration and federation with other services like SAML and LDAP.
The actions a user may perform within the H2O AI Hybrid Cloud depend on the user's role, as documented in the Authorization section of the user guide.
The user's role is based on the OIDC access token claims returned by the identity provider. This is configurable via the App Store configuration.
App Store server OIDC configuration
The following table describes the configuration options, which may be set either within the [OIDC] section of the server configuration ConfigMap TOML or via environment variables. The environment variable names in the table below need to be prefixed with
- Confidential client ID for authenticating browser requests
- Confidential client secret for authenticating browser requests
- Public client ID for authenticating CLI requests
- Confidential client ID used by apps to authenticate users. If empty, OIDC authentication is disabled for apps.
- Confidential client secret used by apps to authenticate users. If empty, OIDC authentication is disabled for apps.
- Callback address for the OIDC provider to redirect the user to after app authentication
- Callback address for the OIDC provider to redirect the user to after authentication
- URL of the OIDC provider
- URL to redirect the user to in order to terminate their OIDC session
- Access token claim containing the user's roles
- Role name assigned to administrators within the OIDC provider
- Role assigned to users with "full access". If empty, all users have full access.
- OIDC scopes to be granted
All users can use the CLI; what they can do depends on the user's category. An offline OpenID Connect (OIDC) refresh token, generated by the user by visiting /auth/get-token, is used to obtain the access tokens that authenticate each request from the CLI to the App Store server. The CLI stores the refresh token, together with its other configuration, on the user's machine at
To configure the CLI, users will need four pieces of information:
- The address of the server that the CLI will connect to
- The OpenID Connect (OIDC) provider URL to obtain access tokens
- The public OpenID Client ID designated for CLI access
- A refresh token, generated by the user by visiting /auth/get-token while logged in to the AI App Store web interface
Visitors, i.e. users without "full access", have limited permissions within the platform. Tags are used to manually assign specific app versions to OIDC roles, which is how visitors are granted access to apps. See the Authorization section in the user guide for details. Visitor functionality requires that FullAccessRoleName in the App Store configuration be properly configured.
When creating a new tag, the administrator can specify an admin role and a visitor role for the tag. Users assigned the OIDC role that matches the tag's admin role can assign that tag to specific apps. Visitors assigned the OIDC role that matches the tag's visitor role can see all app versions that tag is assigned to. See the Tag section of the CLI documentation for using the CLI to manipulate tags.
Users who log in with the OIDC role matching the server-configured AdminRoleName are granted administrator access to the AI App Store. Administrators have access to the administrator views within the App Store and to the admin subcommand of the CLI.
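The three user categories described above are derived from the roles claim of the access token. The following added example (not code from H2O AI Hybrid Cloud) resolves a user's category from token claims using the AdminRoleName and FullAccessRoleName settings named on this page; the RolesClaim key name, the dotted claim-path syntax and the sample token are assumptions constructed for illustration.

```python
import base64
import json
from typing import Any

# Constructed App Store settings. AdminRoleName and FullAccessRoleName are the
# keys named on the page; the RolesClaim key name and the dotted claim-path
# syntax ("realm_access.roles", Keycloak's realm role claim) are assumptions.
CONFIG = {
    "RolesClaim": "realm_access.roles",
    "AdminRoleName": "admin",
    "FullAccessRoleName": "h2o_full_access",
}

def encode_demo_token(claims: dict[str, Any]) -> str:
    """Build a compact JWT with a placeholder signature: constructed test input only."""
    def b64(obj: Any) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"

def decode_claims(jwt: str) -> dict[str, Any]:
    """Return the payload claims of a compact JWT (no signature check).

    This mirrors the step a server takes *after* validating the token against
    the provider's JWKS; roles must never be derived from an unverified token.
    """
    _header, payload, _signature = jwt.split(".")
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def roles_from_claims(claims: dict[str, Any], claim_path: str) -> list[str]:
    """Walk a dotted claim path (e.g. realm_access.roles) to the role list."""
    node: Any = claims
    for key in claim_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return []                    # missing claim: no roles, not an error
        node = node[key]
    return list(node) if isinstance(node, list) else [str(node)]

def user_category(claims: dict[str, Any], config: dict[str, str]) -> str:
    """Map token claims to the page's three categories: admin, full, visitor."""
    roles = set(roles_from_claims(claims, config["RolesClaim"]))
    if config["AdminRoleName"] and config["AdminRoleName"] in roles:
        return "admin"
    # An empty FullAccessRoleName means all users have full access, so nobody
    # is a visitor; visitor functionality requires this key to be set.
    if not config["FullAccessRoleName"] or config["FullAccessRoleName"] in roles:
        return "full"
    return "visitor"
```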
Within the App Store, the "Admin Apps" view provides administrators with a list of every app imported into the App Store, regardless of its visibility, and allows administrators to delete specific versions of apps. The "Admin Instances" view provides administrators with a list of every running instance known to H2O AI Hybrid Cloud, and allows administrators to terminate specific instances of apps.
The h2o admin command in the CLI provides administrators with several subcommands, such as:
- h2o admin app <get|list|delete> - Manage apps owned by all users
- h2o admin instance <get|list|status|terminate> - Manage and inspect running app instances for all users
- h2o admin secret <create|delete|get|list|update> - Manage application secrets, including global secrets
- h2o admin tag <assign|create|delete|get|list|remove|update> - Manage application tags
- h2o admin iam <delete|export|get|import|list> - Manage IAM policies
Identity and Access Management (IAM) policies
Note: IAM policies are currently in beta and aren't enabled by default.
Exceptions to the normal authorization rules can be granted by leveraging IAM policies, which can be authored in JSON and imported into or exported from the platform using the admin iam CLI subcommand.
IAM policies apply to one or more resources and contain one or more statements. The policy resource limits the scope within which its statements are evaluated. Each statement has the effect of either allowing or denying the request. If any one statement in any policy denies the action, the entire request is denied, regardless of how many other statements allow it.
The following is a sample IAM policy that grants users with the OIDC role SUPPORT the ability to list and view logs for all instances, regardless of instance owner and visibility setting:
"actions": ["instance:view_log", "instance:read"],
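The deny-overrides evaluation described above, as an added example that is not H2O's own policy engine. Only the "actions" key appears on this page; the "resources", "statements", "effect" and "roles" field names, the "*" wildcard and the instance identifiers are assumptions constructed for illustration.

```python
from typing import Any

# Constructed policies in the shape the page describes: a resource scope plus
# one or more statements that each allow or deny a set of actions.
SUPPORT_POLICY: dict[str, Any] = {
    "resources": ["instance:*"],                  # assumed wildcard syntax
    "statements": [
        {"effect": "allow", "roles": ["SUPPORT"],
         "actions": ["instance:view_log", "instance:read"]},
    ],
}
# A second policy that explicitly denies log access to one sensitive instance.
LOCKDOWN_POLICY: dict[str, Any] = {
    "resources": ["instance:finance-0001"],       # constructed instance id
    "statements": [
        {"effect": "deny", "roles": ["SUPPORT"], "actions": ["instance:view_log"]},
    ],
}

def _matches(pattern: str, value: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '*'."""
    return value.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == value

def evaluate(policies: list[dict[str, Any]], roles: list[str],
             action: str, resource: str) -> str:
    """Return 'allow', 'deny' or 'no_match' for one request.

    Deny overrides: a single matching deny statement in any policy rejects the
    request even if other statements allow it. 'no_match' means the policies
    say nothing, so the normal authorization rules decide.
    """
    decision = "no_match"
    for policy in policies:
        # The policy resource scopes which statements are evaluated at all.
        if not any(_matches(r, resource) for r in policy["resources"]):
            continue
        for stmt in policy["statements"]:
            if not set(stmt["roles"]) & set(roles):
                continue
            if not any(_matches(a, action) for a in stmt["actions"]):
                continue
            if stmt["effect"] == "deny":
                return "deny"                     # short-circuit: deny wins
            decision = "allow"
    return decision
```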
Wave application instance access controls
The App Store server enforces access restrictions on which users can access running applications. See the Authorization section in the user guide for details.
Wave application user authentication
Wave applications can run as both single-user instances and multi-user instances. Multi-user instances require users to first authenticate with a supported OpenID Connect (OIDC) provider. The OIDC session created with the Wave application is independent of the App Store user session (including the relevant OIDC client settings and tokens).
The App Store provides an opt-in mechanism to pass the OpenID Connect (OIDC) endpoint, client ID, and client secret to Wave applications on start-up. The WaveClientSecret values in the App Store configuration must be set to enable this OIDC integration.
See Wave's documentation for more.