Chapter 1. Adding users

1.1. Overview of user types and permissions

Table 1 describes the Red Hat OpenShift AI user types.

Table 1.1. User types

User Type | Permissions

Data scientists

Data scientists can access and use individual components of Red Hat OpenShift AI, such as Jupyter and data science pipelines. See also Accessing the OpenShift AI dashboard.

Administrators

In addition to the actions permitted to a data scientist, administrators can perform these actions:

  • Configure Red Hat OpenShift AI settings.
  • Access and manage notebook servers.
  • Access and manage data science pipeline applications for any data science project.

See also OpenShift Dedicated cluster administration or Red Hat OpenShift Service on AWS (ROSA) cluster administration.

By default, all OpenShift users have access to Red Hat OpenShift AI. In addition, users in the OpenShift administrator group (cluster admins or dedicated-admins) automatically have administrator access in OpenShift AI.

Optionally, if you want to restrict access to your OpenShift AI deployment, you can create specialized user groups for users and administrators.

If you decide to restrict access, and you already have user groups defined in your configured identity provider, you can add these user groups to your OpenShift AI deployment. If you decide to use specialized user groups without adding these groups from an identity provider, you must create the groups in OpenShift and then add users to them.

The user groups configured in OpenShift, cluster-admins and dedicated-admins, are separate from any specialized user groups for OpenShift AI. There are some operations relevant to OpenShift AI that require the cluster-admins or dedicated-admins role. Those operations include:

  • Adding users to the OpenShift AI user and administrator groups, if you are using specialized groups.
  • Removing users from the OpenShift AI user and administrator groups, if you are using specialized groups.
  • Managing custom environment and storage configuration for users in OpenShift, such as Jupyter notebook resources, ConfigMaps, and persistent volume claims (PVCs).
  • Managing data science pipeline servers and pipeline applications from the OpenShift AI dashboard, or from the command-line interface (CLI), for any data science project.

Important

Although users of OpenShift AI and its components are authenticated through OpenShift, session management is separate from authentication. This means that logging out of OpenShift or OpenShift AI does not affect a logged-in Jupyter session running on those platforms. As a result, when a user’s permissions change, that user must log out of all current sessions for the changes to take effect.

1.2. Defining OpenShift AI administrator and user groups

By default, all users authenticated in OpenShift can access OpenShift AI.

Also by default, users with cluster admin permissions and users in the dedicated-admins administrator group are OpenShift AI administrators. A cluster admin is a superuser that can perform any action in any project in the OpenShift cluster. When bound to a user with a local binding, they have full control over quota and every action on every resource in the project. The dedicated-admins user group applies only to OpenShift Dedicated.

You can define additional administrator and user groups by using the OpenShift AI dashboard.

Prerequisites

  • You have logged in to Red Hat OpenShift AI as described in Logging in to OpenShift AI.
  • You are part of the administrator group for OpenShift AI in OpenShift.
  • The groups that you want to define as administrator and user groups for OpenShift AI already exist in OpenShift.

Procedure

  1. From the OpenShift AI dashboard, click Settings → User management.
  2. Define your OpenShift AI admin groups: Under Data science administrator groups, click the text box and select an OpenShift group. Repeat this process to define multiple admin groups.
  3. Define your OpenShift AI user groups: Under Data science user groups, click the text box and select an OpenShift group. Repeat this process to define multiple user groups.

    Important

    The system:authenticated setting allows all users authenticated in OpenShift to access OpenShift AI.

  4. Click Save changes.

Verification

  • Administrator users can successfully log in to OpenShift AI and perform administrative functions.
  • Non-administrator users can successfully log in to OpenShift AI. They can also access and use individual components, such as Jupyter.

1.3. Adding users to specialized OpenShift AI user groups

By default, all OpenShift users have access to Red Hat OpenShift AI.

Optionally, you can restrict user access to your OpenShift AI instance by defining specialized user groups. You must grant users permission to access Red Hat OpenShift AI by adding user accounts to the Red Hat OpenShift AI user group, administrator group, or both. You can either use the default group name, or specify a group name that already exists in your identity provider.

The user group provides the user with access to product components in the Red Hat OpenShift AI dashboard, such as data science pipelines, and associated services, such as Jupyter. By default, users in the user group have access to data science pipeline applications within data science projects that they created.

The administrator group provides the user with access to developer and administrator functions in the Red Hat OpenShift AI dashboard, such as data science pipelines, and associated services, such as Jupyter. Users in the administrator group can configure data science pipeline applications in the OpenShift AI dashboard for any data science project.

If you restrict access by using specialized user groups, users that are not in the OpenShift AI user group or administrator group cannot view the dashboard and use associated services, such as Jupyter. They are also unable to access the Cluster settings page.

Important

If you are using LDAP as your identity provider, you need to configure LDAP syncing to OpenShift. For more information, see Syncing LDAP groups in OpenShift Dedicated or Syncing LDAP groups in Red Hat OpenShift Service on AWS (ROSA).

Follow the steps in this section to add users to your specialized OpenShift AI administrator and user groups.

Note: You can add users in OpenShift AI but you must manage the user lists in the OpenShift web console.

Prerequisites

  • You have configured a supported identity provider for your OpenShift cluster.
  • You are part of the cluster-admins or dedicated-admins user group in your OpenShift cluster. The dedicated-admins user group applies only to OpenShift Dedicated.
  • You have defined an administrator group and user group for OpenShift AI.

Procedure

  1. In the OpenShift web console, click User Management → Groups.
  2. Click the name of the group you want to add users to.

    • For administrative users, click the administrator group, for example, rhoai-admins.
    • For normal users, click the user group, for example, rhoai-users.

      The Group details page for that group appears.

  3. Click Actions → Add Users.

    The Add Users dialog appears.

  4. In the Users field, enter the relevant user name to add to the group.
  5. Click Save.

Verification

  • Click the Details tab for each group and confirm that the Users section contains the user names that you added.

1.4. Viewing OpenShift AI users

If you have defined specialized user groups for OpenShift AI, you can view the users that belong to these groups.

Prerequisites

  • The Red Hat OpenShift AI user group, administrator group, or both exist.
  • You have the cluster-admin role or you are part of the dedicated-admins administrator group. The dedicated-admins group applies only to OpenShift Dedicated.
  • You have configured a supported identity provider for your OpenShift cluster.

Procedure

  1. In the OpenShift web console, click User Management → Groups.
  2. Click the name of the group containing the users that you want to view.

    • For administrative users, click the name of your administrator group, for example, rhoai-admins.
    • For normal users, click the name of your user group, for example, rhoai-users.

      The Group details page for the group appears.

Verification

  • In the Users section for the relevant group, you can view the users who have permission to access Red Hat OpenShift AI.
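For a periodic access review, the same membership data can be read from the output of `oc get groups -o json` and resolved against the group names selected under Data science administrator groups and Data science user groups. The following is an added example, not part of the Red Hat documentation: the helper `review_access`, the sample JSON and the user names are constructed for illustration, and the group names rhoai-admins and rhoai-users are the example names used in this chapter.

```python
import json

# Constructed sample in the shape of `oc get groups -o json` output
# (user.openshift.io/v1 Group objects); all names are placeholders.
SAMPLE_GROUPS_JSON = """
{"kind": "List", "items": [
  {"kind": "Group", "metadata": {"name": "rhoai-admins"}, "users": ["alice"]},
  {"kind": "Group", "metadata": {"name": "rhoai-users"}, "users": ["alice", "bob", "carol"]},
  {"kind": "Group", "metadata": {"name": "finance"}, "users": ["dave"]},
  {"kind": "Group", "metadata": {"name": "empty-team"}, "users": null}
]}
"""

def review_access(groups_json, admin_groups, user_groups):
    """Resolve OpenShift AI access from the group names set in User management.

    Hypothetical helper. It only sees users that belong to at least one Group
    object, and it does not resolve the default administrators (cluster admins
    and dedicated-admins), which are outside the specialized groups.
    """
    members = {g["metadata"]["name"]: set(g.get("users") or [])
               for g in json.loads(groups_json)["items"]}
    # system:authenticated is a virtual group with no Group object: selecting
    # it as a user group lets every authenticated OpenShift user in.
    unrestricted = "system:authenticated" in user_groups
    configured = (set(admin_groups) | set(user_groups)) - {"system:authenticated"}
    # A configured name with no matching Group grants nobody access,
    # which usually means a typo or a group that was never synced.
    missing = sorted(configured - set(members))
    known = set().union(*members.values())
    admins = set().union(*(members.get(g, set()) for g in admin_groups))
    allowed = known if unrestricted else set().union(
        *(members.get(g, set()) for g in user_groups))
    return {
        "unrestricted": unrestricted,
        "missing_groups": missing,
        "administrators": sorted(admins),
        "users": sorted(allowed - admins),
        "no_access": sorted(known - allowed - admins),
    }

if __name__ == "__main__":
    report = review_access(SAMPLE_GROUPS_JSON, ["rhoai-admins"], ["rhoai-users"])
    print(json.dumps(report, indent=2))
```

A non-empty `missing_groups` list or `unrestricted: true` on a deployment that is meant to be restricted are the two results worth following up first.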