PEDL is designed for teams of machine learning developers. By default, developers can access PEDL without needing to authenticate; moreover, the objects (e.g., experiments and notebooks) created by one developer will be visible to all users of the system.
While this is convenient for small teams, larger teams may prefer to create a PEDL user account for each developer. After authenticating as a given user, the PEDL objects created in that session will be associated with that user account. By default, the WebUI and CLI will only display objects created by the current user.
Initially, a PEDL installation has two users:
pedl user is the default account that is used for WebUI and CLI operations. If individual user accounts are not required, no additional configuration is needed. In this case, all assets created within PEDL (experiments, commands, etc.) will be attributed to
admin user can be used to create users, change other users' passwords, and activate/deactivate users.
The admin user initially has a blank password. The user change-password CLI command can be used by the admin to update this password:
pedl -u admin user change-password
To start using users in a PEDL cluster, the system administrator should first set a password for the admin user as described above. Next, the admin user should deactivate the pedl user:
pedl -u admin user deactivate pedl
This ensures that no one can access the PEDL cluster as the default user (any objects that were created by this user will remain). Finally, the system administrator should create user accounts for each individual who would like to access PEDL:
pedl -u admin user create <username>
The WebUI will automatically redirect users to a login page if there is no valid PEDL session established on that browser. After logging in, the user will be redirected to the URL they initially attempted to access.
A browser PEDL session can be ended by clicking "Sign out" under the user menu in the top right of the WebUI.
In the CLI, the user login subcommand can be used to authenticate a user:
pedl user login <username>
Logging in results in a persistent session, which lasts for 30 days. The session can be terminated using:
pedl user logout
In some cases, it may be useful to execute a single command as a specific user without starting a persistent session for that user (think of the sudo command on a Unix-like system). In PEDL, this can be achieved with the -u flag:
pedl -u <username> ...
This will execute the command as the given user without creating a permanent session for that user. Although no persistent session is created, an authentication token is stored for that user so that future attempts to execute commands as that user will not require re-authenticating. This token can be discarded using the user logout subcommand:
pedl -u <username> user logout
Users have blank passwords by default. This might be sufficient for low security or experimental clusters, and it still provides the organizational benefits of associating each PEDL object with the user that created it. If desired, a user can change their own password using the user change-password subcommand:
pedl user change-password
An admin can also change another user's password:
pedl -u admin user change-password <target-user>
Although PEDL supports password-based authentication, communication between the CLI, WebUI, and Master does not take place over an encrypted channel. Hence, users should not be assigned "valuable" passwords, and passwords used with PEDL should not be reused for other purposes.
When using the CLI to list experiments, commands, etc., the default behavior is to only show assets belonging to the current user. It is possible to show assets owned by all users by passing the -a flag to the respective commands:
pedl experiment list -a # List all experiments.
pedl command list -a # List all commands.
pedl notebook list -a # List all notebooks.
pedl tensorboard list -a # List all TensorBoards.
Just as in the CLI, by default the WebUI will only display assets created by the current user. To see assets belonging to all users, uncheck the "Show only mine" checkbox in the filter panel found in the tab for each asset type.
When a user is created, they are designated as active by default. Only active users can interact with PEDL. The admin user can deactivate a user with the user deactivate subcommand:
pedl -u admin user deactivate <target-user>
All assets created by a deactivated user will remain available through both the WebUI and the CLI.
To reactivate a user, the user activate subcommand can be used:
pedl -u admin user activate <target-user>
Running tasks as particular agent users
If an experiment, notebook, or command task uses the bind_mount option in its configuration, it is often useful to set the user and group on the agent that the task runs as. This allows the file permissions on the agent to be reflected in the task and vice versa.
This can be configured by linking a PEDL user with the user and group configuration on an agent:
pedl user link-with-agent-user <target-user> --agent-uid <uid> --agent-user <username> --agent-gid <gid> --agent-group <group-name>
All arguments are required. This command can only be run by a system administrator.
Once set, any tasks created by the target user will be run as the specified user and group.
By default, if a user is not linked with a user and group on an agent, tasks created by that user will run as the root user on the agent. This behavior may change in the future.
If the task does not use the bind_mount option, the effect of running as root will be limited to the task container and not intrude on the agent itself.
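The link step above takes four values that must agree with the agent's own account databases. As an added example (not part of the PEDL documentation or code), this script looks the uid and gid up from passwd- and group-format files and prints the link-with-agent-user command; the function names, the PASSWD_FILE and GROUP_FILE variables, the sample accounts, and the refusal to link to uid/gid 0 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not PEDL code: derive --agent-uid/--agent-gid from the agent's
# account files so the link matches real accounts. Run it on the agent host.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"

# lookup_id FILE NAME: print the numeric id (field 3) for NAME; fail if absent.
lookup_id() {
    awk -F: -v name="$2" \
        '$1 == name { print $3; found = 1; exit } END { exit !found }' "$1"
}

# build_link_cmd PEDL_USER AGENT_USER AGENT_GROUP: print the link command.
# Returns 1 for an unknown account, 2 when the link would still mean root.
build_link_cmd() {
    pedl_user=$1; agent_user=$2; agent_group=$3
    uid=$(lookup_id "$PASSWD_FILE" "$agent_user") || {
        echo "no such agent user: $agent_user" >&2; return 1; }
    gid=$(lookup_id "$GROUP_FILE" "$agent_group") || {
        echo "no such agent group: $agent_group" >&2; return 1; }
    # Assumed policy: uid/gid 0 reproduces the root default the link replaces.
    if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
        echo "refusing to link $pedl_user to root (uid=$uid gid=$gid)" >&2
        return 2
    fi
    printf 'pedl user link-with-agent-user %s --agent-uid %s' "$pedl_user" "$uid"
    printf ' --agent-user %s --agent-gid %s --agent-group %s\n' \
        "$agent_user" "$gid" "$agent_group"
}

# Constructed sample account files (not taken from a real agent).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'root:x:0:0::/root:/bin/sh\nmlteam:x:1500:1600::/home/mlteam:/bin/sh\n' \
    > "$demo_dir/passwd"
printf 'root:x:0:\nmlusers:x:1600:mlteam\n' > "$demo_dir/group"
PASSWD_FILE=$demo_dir/passwd
GROUP_FILE=$demo_dir/group

build_link_cmd alice mlteam mlusers          # prints the command to run
build_link_cmd alice root root || echo "rejected with status $?"
```

The printed command still has to be run by a system administrator, as noted above.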
The default user and group that will be used when a PEDL user is not explicitly linked to a user and group on an agent can be configured in the file located at /usr/local/pedl/etc on the PEDL master instance:
security:
  default_task:
    user: root
    uid: 0
    group: root
    gid: 0