Users¶
Determined is designed for teams of machine learning developers. By default, developers can access Determined without needing to authenticate; moreover, the objects (e.g., experiments and notebooks) created by one developer will be visible to all users of the system.
While this is convenient for small teams, larger teams may prefer to create a Determined user account for each developer. After authenticating as a given user, the Determined objects created in that session will be associated with that user account. By default, the WebUI and CLI will only display objects created by the current user.
Initially, a Determined installation has two users: admin and determined.
The determined user is the default account that is used for WebUI and CLI
operations. If individual user accounts are not required, no additional
configuration is needed. In this case, all assets created within Determined
(experiments, commands, etc.) will be attributed to determined.
The admin user can be used to create users, change other users’
passwords, and activate/deactivate users.
Note
The admin user initially has a blank password. The user
change-password CLI command can be used by the admin to update this
password:
det -u admin user change-password
Getting Started¶
To start using users in a Determined cluster, the system administrator should
first set a password for the admin user as described above.
Next, the admin user should deactivate the determined user:
det -u admin user deactivate determined
This ensures that no one can access the Determined cluster as the default user (any objects that were created by this user will remain). Finally, the system administrator should create user accounts for each individual who would like to access Determined:
det -u admin user create <username>
Authentication¶
WebUI¶
The WebUI will automatically redirect users to a login page if there is no valid Determined session established on that browser. After logging in, the user will be redirected to the URL they initially attempted to access.
A browser Determined session can be ended by clicking “Sign Out” under the user menu in the top right of the WebUI.
CLI¶
In the CLI, the user login subcommand can be used to authenticate a
user:
det user login <username>
Logging in results in a persistent session, which lasts for 30 days. The session can be terminated using:
det user logout
Temporary authentication¶
In some cases, it may be useful to execute a single command as a
specific user without starting a persistent session for that user (think
of the sudo command on a Unix-like system). In Determined, this can be
achieved with the -u flag:
det -u <username> ...
This will execute the command as the given user without creating a
permanent session for that user. Although no persistent session is
created, an authentication token is stored for that user so that future
attempts to execute commands as that user will not require
re-authenticating. This token can be discarded using the user logout
subcommand:
det -u <username> user logout
Changing passwords¶
Users have blank passwords by default. This might be sufficient for
low-security or experimental clusters, and it still provides the
organizational benefits of associating each Determined object with the
user that created it. If desired, a user can change their own password
using the user change-password subcommand:
det user change-password
An admin can also change another user’s password:
det -u admin user change-password <target-user>
Warning
Although Determined supports password-based authentication, communication between the CLI, WebUI, and master does not take place over an encrypted channel by default. See Security for information on configuring secure connections over HTTPS. Users should not be assigned “valuable” passwords, and passwords used with Determined should not be reused for other purposes.
Listing assets¶
CLI¶
When using the CLI to list experiments, commands, etc., the default
behavior is to only show assets belonging to the current user. It is
possible to show assets owned by all users by passing the -a flag to
the respective commands:
det experiment list -a # List all experiments.
det command list -a # List all commands.
det notebook list -a # List all notebooks.
det tensorboard list -a # List all TensorBoards.
WebUI¶
Just as in the CLI, by default the WebUI will only assets created by the current user. To see assets belonging to all users, uncheck the “Show only mine” checkbox in the filter panel found in the tab for each asset type.
Activating/deactivating users¶
When a user is created, they are designated as active by default. Only
active users can interact with Determined. The admin user can deactivate a
user with the user deactivate subcommand:
det -u admin user deactivate <target-user>
All assets created by a deactivated user will remain available through both the WebUI and the CLI.
To reactivate a user, user activate can be used:
det -u admin user activate <target-user>
Running tasks as particular agent users¶
If an experiment, notebook, or command task uses the bind_mount
option in its Experiment Configuration, it is often useful to set
the Unix user and group on the agent that the task runs as. This allows
the file permissions on the agent to be reflected in the task and vice
versa.
This can be configured by linking a Determined user with the user and group configuration on an agent:
det user link-with-agent-user <target-user> --agent-uid <uid> --agent-user <username> --agent-gid <gid> --agent-group <group-name>
All arguments are required. This command can only be run by a system administrator.
Once set, any tasks created by the target user will be run as the specified user and group.
Note
By default, if a user is not linked with a user and group on an agent, tasks created by that user will run as the root user on the agent. This behavior may change in the future.
If the task does not use bind_mount option, the effect of running as root will be limited to the task container and not intrude on the agent itself.
The default user and group that will be used when a Determined user is not
explicitly linked to a user and group on an agent can be configured in
the master.yaml file located at /usr/local/determined/etc on the Determined
master instance:
security:
default_task:
user: root
uid: 0
group: root
gid: 0