Managing users
There are two kinds of users in PowerAI Vision: administrators, and everyone else. The way you work with users and passwords differs, depending on how PowerAI Vision is installed.
- Types of users
- PowerAI Vision installed as stand-alone
- PowerAI Vision installed with IBM Cloud Private
Types of users
- Non-administrator users
- Users other than the administrator can only see and edit resources that they created.
- Administrator
- The administrator user (admin) can see and manage all resources in PowerAI Vision regardless of who owns it. A default user name of admin with a password
of passw0rd are created at install time. You can add, remove, or modify users by
using the kubectl command. You should be aware of the following considerations when working
with admin users:
- Data sets
- The administrator can see and edit all data sets. That is, this user can add and delete files, create labels, assign categories, duplicate, rename, and delete the data set.
- If the administrator uploads a file to a different user's data set, it is listed as being owned by the data set owner.
- If the administrator duplicates a data set, the duplicate data set is owned by the administrator.
- Models
- The administrator can see, rename, and delete all models, including after they are deployed.
- If the administrator trains a model, the training task and the generated model is owned by the administrator.
- If the administrator deploys a model, the deployed model is owned by the administrator.
PowerAI Vision installed as stand-alone
If you installed PowerAI Vision stand-alone, you can use the powerai_vision_users.sh script in the /opt/powerai-vision/bin/ directory to create, delete, modify, and list users.Usage
powerai_vision_users.sh [command] [ --user name ] [ --password password ]
- Command
- Specifies the action to take.
- create
- Create a user in the PowerAI Vision instance. The
user argument is required for this operation. You can set the password by one of
these methods:
- Specify it with the command by using the password argument.
- Store it in the environment variable, VISION_USER_PASSWORD.
- delete
- Delete a user from the PowerAI Vision instance. The user argument is required for this operation.
- list
- List the currently created users for a specified PowerAI Vision instance.
- modify
- Modifies the user's password. The user argument is required for this operation.
You can set the new password by one of these methods:
- Specify it with the command by using the password argument.
- Store it in the environment variable, VISION_USER_PASSWORD.
- Name
- The user name on which the command is to operate on.
- Password
- Optionally set a user's password when creating or modfying a user.
PowerAI Vision installed with IBM Cloud Private
PowerAI Vision uses Keycloak for user management and authentication. All users and passwords are maintained by Keycloak and stored in a Postgres database. A default user name of admin with a password of passw0rd are created at install time. You can add, remove, or modify users by using the kubectl command.
- Authenticate to the cluster, so that you can run kubectl commands. For example:
- In an IBM Cloud Private 2.1.0 environment, run:
bx pr login -a https://<cluster-domain-name>:8443/ --skip-ssl-validation
- In an IBM Cloud Private 3.1.0 environment, run:
cloudctl login -a https://<cluster-domain-name>:8443/ --skip-ssl-validation
- In an IBM Cloud Private 2.1.0 environment, run:
- Note your release name. In the example below, this is aivision.
- To manage users, run the following command:
The above command has the following variables:kubectl run --rm -i --restart=Never usermgt --image=cluster-domain-name:8443/powerai-vision-usermgt:version -- action --user newusername --password password --release release
- action can be one of these values: create, delete, modify, or list.
- version is the release number of the PowerAI Vision product. For example, 1.1.2.0. To find the correct value, view the configmap. For
example:
$ kubectl get cm NAME DATA AGE powerai-vision-v1.1.2-config 52 56d
The password argument is optional. You can set the password in one of these ways:- The --password argument in powerai-vision-usermgt.
- The --env option for kubectl with the VISION_USER_PASSWORD environment variable. For example, add --env="VISION_USER_PASSORD=${MY_PASS} to the kubectl run command.
Example: To create customusername with password custompassw0rd1234 on release aivision, run:$ kubectl run --rm -i --restart=Never usermgt --image=myicpcluster.com:8443/powerai-vision-usermgt:1.1.2.0 -- create --user customusername --password custompassw0rd1234 --release aivision Created user: customusername
Example: To list users in the PowerAI Vision 1.1.2 deployment, run:$ kubectl run --rm -i --restart=Never usermgt --image=powerai-vision-usermgt:1.1.2.0 -- list --release v111 If you don't see a command prompt, try pressing enter. admin testuser1 testuser2
Notes:- If running in the non-default namespace, make sure to specify the --namespace option.
- The version tag on the container should match image.releaseTag in the values.yaml file.
- The argument release should match the release name you assigned when deploying the chart.
- There is not a typo with the spacing of the "--" before create. It should be --<SPACE>create<SPACE> --user username.... This is intentional and an artifact of how the commands are passed into the user management tool.