To use the platform, you must be logged in as a user with relevant permissions. A user can optionally be a member of one or more user groups. When a user is a member of multiple groups, one of the groups is defined as the user’s primary group.
The platform has several predefined users. A security administrator — which is any user with the Security Admin management policy, including the predefined security_admin user — can manage platform users and user groups. A security administrator can create new local users and groups, import users and groups from a supported identity provider (IdP), and delete local or imported users and groups.
Every user has a username and a password, which can be used to authenticate the user’s identity. In addition, every user and user group must be assigned one or more management policies that determine user permissions to access resources and perform different operations. Users with the Application Admin management policy — including the predefined security_admin user — can define fine-grained data-access policies to restrict or allow user access to specific data resources. For more information, see the Security concepts documentation, and specifically the Authentication and Authorization sections.
The following users are predefined for the default tenant and for any new tenant that you create:
- The predefined pipelines user has the default Data management policy and is used by the platform’s pipelines service to access ML pipeline data. Note that editing this user’s profile might cause the monitoring service to stop working.
- The predefined monitoring user has the default Application Admin and Data management policies and is used by the platform’s monitoring service to access performance logs. Note that editing this user’s profile might cause the monitoring service to stop working.
- The predefined tenancy_admin (tenancy administrator) user has the IT Admin and Tenant Admin management policies, which enable performing cluster administration — including shutting down the cluster, monitoring events and alerts, triggering log gathering, and managing tenants.
The default password of the tenancy_admin user is “IGZTEN”. You must change this password after the first login.
The following users are predefined only for the default tenant:
- The predefined security_admin (security administrator) user has the Security Admin management policy, which enables managing users and user groups — including creating and deleting users and user groups, integrating the platform with a supported IdP, and assigning management policies.
The default password of the security_admin user is “IGZSEC”. You must change this password after the first login.
- The predefined system user — known as “the backup user” — has the Application Admin and Data management policies and is used for performing backups.
- Data backups aren’t activated automatically on all systems. Contact Iguazio’s support team to check the backup status for your cluster.
- To allow backups when using data-access policy rules, ensure that as part of these rules, preferably at the start, you also grant the “sys” backup user access to the data.
For more information, see Data-Access Policy Rules in the Security documentation.
Using an External Identity Provider (IdP)
A user with a Security Admin management policy, such as the predefined security_admin user, can select to import users and user groups from an external identity provider (IdP) into the platform. When an IdP is configured, it is used to authenticate the identity of all its imported users in the platform. This doesn’t prevent you from also defining local users and using the platform to authenticate them. For more information, see Authentication in the security documentation.
IdP configuration is done from the
- Configuring the Remote IdP Host
- Configuring IdP Synchronization
- Configuring Default Management Policies
Configuring the Remote IdP Host
To limit the import to members of a specific IdP user group, use a user filter of the following form, where <full LDAP group path> is the group's full distinguished name:
(&(objectClass=Person)(memberOf=<full LDAP group path>))
For example, to synchronize with a user group named AppA whose full group path is “IguazioDevUsers,OU=ApplicationAccess,OU=Groups,OU=GlobalProd,DC=GLOBAL,DC=ECOLAB,DC=CORP”, use this filter criteria:
(&(objectClass=Person)(memberOf=IguazioDevUsers,OU=ApplicationAccess,OU=Groups,OU=GlobalProd,DC=GLOBAL,DC=ECOLAB,DC=CORP))
You can add multiple group search criteria to the filter.
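The following is an added example (not Iguazio's code) that builds the user filter shown above for one or more group DNs and checks the result before it is pasted into the IdP configuration. It assumes the filter template from this section, that several groups are combined with an LDAP OR (one way to add multiple group criteria; how the platform expects them combined is not stated here), and it escapes the DN per RFC 4515 so that a group name containing parentheses, asterisks or backslashes cannot break the filter or change its meaning:

```python
"""Build and sanity-check the memberOf user filter for IdP synchronization.

Added example, not part of the platform documentation. Assumptions: the
template (&(objectClass=Person)(memberOf=<group DN>)) from the text; multiple
groups are OR-ed together; values are escaped per RFC 4515 section 3.
"""

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_member_filter(group_dns) -> str:
    """Return a filter matching Person entries that belong to any listed group."""
    group_dns = list(group_dns)
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = [f"(memberOf={escape_filter_value(dn)})" for dn in group_dns]
    # A single group uses the template as-is; several groups are OR-ed (assumption).
    member_clause = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&(objectClass=Person){member_clause})"


def is_balanced(ldap_filter: str) -> bool:
    """Check that every '(' in the filter has a matching ')'.

    Because escape_filter_value never emits raw parentheses, any imbalance
    means the filter itself is malformed, not that a DN contained brackets.
    """
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed group DNs for demonstration; they are not the page's example.
    groups = ["CN=AppA,OU=Groups,DC=example,DC=test", "CN=Ops (EU),OU=Groups,DC=example,DC=test"]
    f = build_member_filter(groups)
    print(f, "balanced" if is_balanced(f) else "UNBALANCED")
```

The escaping matters when group names are entered by hand: an unescaped `)` in a DN closes the `memberOf` clause early, and the filter then either fails to parse or matches a different set of users than intended.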
Configuring IdP Synchronization
You can select between two alternative modes of synchronization — Partial or Full:
- Partial synchronization
Synchronize addition and removal of users in the IdP after the initial import, but do not synchronize field changes for previously imported users and user groups. During partial synchronization, the currently configured IdP default management policies are applied to all new imported users and user groups, but the management policies of local previously imported IdP users and groups remain unaffected. For example:
The following local changes to imported users or user groups in the platform are not overwritten during partial synchronization:
- A user record field (such as an email address or job title) was added or removed, or the value of an existing field has changed. For example, you can disable an imported IdP user locally in the platform by changing the value of the relevant user field without affecting the user’s status in the external IdP.
- A user was added to or removed from an imported user group.
- A user’s or user group’s management policies were modified.
The following IdP changes since the previous synchronization are not applied locally in the platform during partial synchronization:
- A user record field was added or removed, or the value of an existing field has changed.
- A user was added to or removed from an existing group.
The following IdP changes since the previous synchronization are also applied locally in the platform during partial synchronization:
- A new user or user group was added. (The newly imported IdP users and groups will be assigned the default IdP management policies that are configured in the platform at the time of the synchronization.)
- An existing user or user group was deleted or renamed.
- Full synchronization
Synchronize all IdP user and user group additions, removals, and record updates by overwriting the current imported IdP user and user-group information with the updated IdP information.
Note
Empty IdP user groups are not imported to the platform. When users are added to a group, the group is imported as part of the next full or partial IdP synchronization and the related user information is updated accordingly.
As part of the full-sync import, the currently configured IdP default management policies will be applied to all imported users and user groups.
Modifying the IdP configuration (including an initial configuration) triggers an automatic synchronization cycle.
Periodic synchronizations are triggered according to the configured periodic-sync interval (if configured), and you can also always trigger a manual synchronization by selecting the
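The following added example (not Iguazio's code) models the partial and full synchronization rules described above on in-memory records, so that the practical difference can be checked: under partial synchronization a user that a security administrator disabled locally stays disabled and keeps locally assigned policies, while a full synchronization overwrites both with the IdP state and the configured defaults. It assumes that every IdP object carries a stable id (needed to tell a rename from a delete plus add), that user records have an "enabled" field, and that management policies are plain lists of policy names; the sample data and the default policy names are constructed for the example.

```python
"""Simulation of partial versus full IdP synchronization.

Added example, not the platform's implementation. Assumptions: stable IdP
object ids, an "enabled" user field, and policies as lists of names.
"""
from copy import deepcopy

# Constructed defaults standing in for the configured IdP default policies.
DEFAULT_USER_POLICIES = ["Data"]
DEFAULT_GROUP_POLICIES = ["Data"]


def _sync(local, idp, full):
    """Return the local state after one synchronization cycle."""
    new = deepcopy(local)
    for kind in ("users", "groups"):
        remote = idp[kind]
        if kind == "groups":
            # Empty IdP groups are not imported.
            remote = {gid: g for gid, g in remote.items() if g["members"]}
        default = DEFAULT_USER_POLICIES if kind == "users" else DEFAULT_GROUP_POLICIES
        mine = new[kind]
        # Deletions in the IdP are applied in both modes.
        for oid in list(mine):
            if oid not in remote:
                del mine[oid]
        for oid, rec in remote.items():
            if oid not in mine or full:
                # New objects (both modes) and every object under full sync get
                # the IdP record verbatim plus the currently configured defaults.
                mine[oid] = {**deepcopy(rec), "policies": list(default)}
            else:
                # Partial sync follows renames only; other fields, memberships
                # and locally assigned policies are left untouched.
                mine[oid]["name"] = rec["name"]
    return new


def partial_sync(local, idp):
    return _sync(local, idp, full=False)


def full_sync(local, idp):
    return _sync(local, idp, full=True)


def initial_import(idp):
    return full_sync({"users": {}, "groups": {}}, idp)


def remove_idp_user(idp, uid):
    """Return a copy of an IdP snapshot with one user deleted (constructed helper)."""
    out = deepcopy(idp)
    out["users"].pop(uid, None)
    for g in out["groups"].values():
        g["members"] = [m for m in g["members"] if m != uid]
    return out


# Constructed IdP snapshot at the time of the initial import.
IDP_V1 = {
    "users": {
        "u1": {"name": "alice", "email": "alice@example.test", "enabled": True},
        "u2": {"name": "bob", "email": "bob@example.test", "enabled": True},
    },
    "groups": {"g1": {"name": "AppA", "members": ["u1", "u2"]}},
}

# Constructed IdP snapshot one cycle later: alice's email changed, carol was
# added, the group was renamed and its membership changed.
IDP_V2 = {
    "users": {
        "u1": {"name": "alice", "email": "a.smith@example.test", "enabled": True},
        "u2": {"name": "bob", "email": "bob@example.test", "enabled": True},
        "u3": {"name": "carol", "email": "carol@example.test", "enabled": True},
    },
    "groups": {"g1": {"name": "AppA-renamed", "members": ["u1", "u3"]}},
}


def local_after_edits():
    """Initial import, then a security admin disables bob and grants alice a policy."""
    local = initial_import(IDP_V1)
    local["users"]["u2"]["enabled"] = False
    local["users"]["u1"]["policies"].append("Application Admin")
    return local


if __name__ == "__main__":
    print("partial:", partial_sync(local_after_edits(), IDP_V2)["users"]["u2"])
    print("full:   ", full_sync(local_after_edits(), IDP_V2)["users"]["u2"])
```

The point a defender should take from the model is the full-sync case: a local change made to lock an imported account out, or a policy granted locally, does not survive the next full synchronization, so such changes should be made in the IdP (or the default policies adjusted) rather than relied upon locally.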
Configuring Default Management Policies
Before deleting a platform user, check the need to reallocate their resources and responsibilities. If the user is the running user of managed application services (such as Spark or Presto), a service administrator should either delete these services or reassign them to a different running user.