You are viewing the RapidMiner Go documentation for version 9.4 -Check here for latest version
RapidMiner Identity (RMID)
RMID is the authentication and authorization service used by RapidMiner Go.
RMID is a Spring Boot application and so it can be configured using theSPRING_PROFILES_ACTIVEenvironment variable in docker-compose.yml.
This a comma separated list of the active spring profiles -- the default value isdb-postgresql,is-db. This means that default database is PostgreSQL, and default identity provider is the internal database.
On top of these profiles you can also specify environment variables -- these will override the default value of the profiles.
Database
RMID has its own database -- in the default docker setup this is in the same container/database instance as RapidMiner Go's database -rapidminer-automodel-db-- but it could be in a separate database instance. The supported database profiles aredb-postgresqlordb-h2.
Identity providers
可以配置为使用几个RMIDidentity providers (IDP) to authenticate users.
The following table shows the different IDP's and the corresponding spring profile:
| IDP | Spring profile | Protocol | Login UI/method |
|---|---|---|---|
| DB | is-db | N/A | username/password form, HTTP POST |
| Auth0 | is-auth0 | OAuth2 password grant | username/password form, HTTP POST |
| LDAP capable 3rd party IDP | is-ldap | LDAP | username/password form, HTTP POST |
| SAML capable 3rd party IDP | is-saml | SAML | hyperlink redirecting to SAML provider |
Multiple IDPs can be switched on -- in that case RMID will try to authenticate with all of them until it succeeds.
Usage
RMID Login screen can be accessed at/rmid/auth.
The login type is determined by the configured IDP -- it is a username/password form for DB, LDAP, AUTH0, and for SAML it is a link redirecting to the SAML IDP. If SAML and another IDP are used together, you have to explicitly configure a dual login type with the help of the environment variable:RMID_FRONTEND_LOGINTYPE: LOGINTYPE_DUAL-- this will display a login form and redirect link together.
After a successful login, the user is automatically redirected to RapidMiner Go.
After a successful logout from RapidMiner Go, the user is redirected back to RMID.
Administration
RMID Administration app can be accessed at/rmid/admin-- default credentials areadmin/changeit.
Users
For each user there is an entry in theRMID_USERStable and one entry in the profile tables for the configured IDPs.RMID_USERStable contains user'sdisplayNameand a few RapidMiner Go related fields.
Users can be banned by switching offactivefield. This results in the user being logged out from RapidMiner Go (and any service using RMID) within 5 minutes (configurable in the service).
User profiles
The profile tables contain user data coming from a specific IDP.
Local users are created and updated in the admin app -- they are storedRMID_PROFILE_LOCALtable.
External profiles are read-only in the admin -- their content is created and updated during login based on user info from the external IDP.
For instance, ifis-auth0, is-samlprofiles are active,RMID_PROFILE_LOCAL,RMID_PROFILE_SAMLtables will contain user data coming from these IDPs.
In this case, the User view in the Admin app will contain 3 forms:
- one editable form for the users table (displayName, active, acceptEula)
- 2 read-only forms for the 2 profiles -- saml and auth0
The following table lists IDPs and profile tables:
| IDP | Profile table | Admin operations | Display name |
|---|---|---|---|
| DB | RMID_PROFILE_LOCAL | CRUD | username |
| Auth0 | RMID_PROFILE_AUTH0 | R | Auth0网卡kname |
| SAML | RMID_PROFILE_SAML | R | SAML name assertion |
| LDAP | RMID_PROFILE_LDAP | R | LDAP username |
Example:
If Auth0 is configured as IDP, a user sign-in with Auth0 credentials will create an entry inRMID_USERStable and an entry inRMID_PROFILE_AUTH0table if necessarry.
Auth0网卡kname will be stored in profile table and also copied toRMID_USERSdisplayName field.
On later logins nickname and displayName will be updated for this user if there was a change on the IDP side.
The default display name mapping can changed in the case of SAML.
组、角色、权限
RMID defines a role based authorization system on the service level governed by these entities:
User ↔ Group ↔ Role ↔ Privilege
The entities are in many-to-many relationship.
A user can access specific API endpoints and URLs based on the privileges he or she has.
Privileges are predefined in the system and read-only.
However privileges are not directly assigned to users, but to roles.
Roles are predfined sets of privileges. Roles are assigned to groups and finally users are assigned to groups.
For example to give admin right to a user you would add the user to the RMID_ADMIN group. This group has by default ADMIN role assigned, and ADMIN role has the 'rmid:admin' privilege assigned.
This system enables fine grained control but is also powerful.
Groups can be created freely to reflect organisational hierarchy or for the needs of a data-science project.
