Managing users

There are two kinds of users in PowerAI Vision: administrators, and everyone else. The way you work with users and passwords differs, depending on how PowerAI Vision is installed.

PowerAI Vision uses Keycloak for user management and authentication. All users and passwords are maintained by Keycloak and stored in a Postgres database. A default user name of admin with a password of passw0rd are created at install time. You can add, remove, or modify users by using the kubectl command.

Types of users

Non-administrator users
Users other than the administrator can only see and edit resources that they created.
Administrator
The administrator user (admin) can see and manage all resources in PowerAI Vision regardless of who owns it. A default user name of admin with a password of passw0rd are created at install time. You can add, remove, or modify users by using the kubectl command. You should be aware of the following considerations when working with admin users:
Data sets
  • The administrator can see and edit all data sets. That is, this user can add and delete files, create labels, assign categories, duplicate, rename, and delete the data set.
  • If the administrator uploads a file to a different user's data set, it is listed as being owned by the data set owner.
  • If the administrator duplicates a data set, the duplicate data set is owned by the administrator.
Models
  • The administrator can see, rename, and delete all models, including after they are deployed.
  • If the administrator trains a model, the training task and the generated model is owned by the administrator.
  • If the administrator deploys a model, the deployed model is owned by the administrator.
Project groups
An administrator can add assets to a project group that was created by a different user. However, the project group owner will not be able to see the added assets because only administrators can see resources created by other users. Because of that, the value for "Total items" on the Projects page might be larger than the number of items shown on a project's details page.

PowerAI Vision installed as stand-alone

If you installed PowerAI Vision stand-alone, you can use the powerai_vision_users.sh script in the /opt/powerai-vision/bin/ directory to create, delete, modify, and list users.
Usage
powerai_vision_users.sh [command] [ --user name ] [ --password password ]
Command
Specifies the action to take.
create
Create a user in the PowerAI Vision instance. The user argument is required for this operation. You can set the password by one of these methods:
  • Specify it with the command by using the password argument.
  • Store it in the environment variable, VISION_USER_PASSWORD.
delete
Delete a user from the PowerAI Vision instance. The user argument is required for this operation.
list
List the currently created users for a specified PowerAI Vision instance.
modify
Modifies the user's password. The user argument is required for this operation. You can set the new password by one of these methods:
  • Specify it with the command by using the password argument.
  • Store it in the environment variable, VISION_USER_PASSWORD.
Name
The user name on which the command is to operate on.
Password
Optionally set a user's password when creating or modfying a user.

PowerAI Vision installed with IBM Cloud Private

  1. Authenticate to the cluster, so that you can run kubectl commands. For example:
    • In an IBM Cloud Private 2.1.0 environment, run: 
      bx pr login -a https://<cluster-domain-name>:8443/ --skip-ssl-validation
    • In an IBM Cloud Private 3.1.0 environment, run: 
      cloudctl login -a https://<cluster-domain-name>:8443/ --skip-ssl-validation
  2. Note your release name. In the example below, this is aivision.
  3. To manage users, run the following command: 
    kubectl run --rm -i --restart=Never usermgt --image=cluster-domain-name:8443/powerai-vision-usermgt:version -- action 
            --user newusername --password password --release release
    The above command has the following variables:
    • action can be one of these values: create, delete, modify, or list.
    • version is the release number of the PowerAI Vision product. For example, 1.1.5.0. To find the correct value, view the configmap. For example: 
      $ kubectl get cm
NAME                         DATA      AGE
powerai-vision-v1.1.5-config   52        56d
    The password argument is optional. You can set the password in one of these ways:
    • The --password argument in powerai-vision-usermgt.
    • The --env option for kubectl with the VISION_USER_PASSWORD environment variable. For example, add --env="VISION_USER_PASSORD=${MY_PASS} to the kubectl run command.
    Example: To create customusername with password custompassw0rd1234 on release aivision, run: 
    $ kubectl run --rm -i --restart=Never usermgt --image=myicpcluster.com:8443/powerai-vision-usermgt:1.1.5.0 
              -- create --user customusername --password custompassw0rd1234 --release aivision
Created user: customusername
    Example: To list users in the PowerAI Vision 1.1.5 deployment, run:
    $ kubectl run --rm -i --restart=Never usermgt --image=powerai-vision-usermgt:1.1.5.0 -- list --release v111
If you don't see a command prompt, try pressing enter.
admin
testuser1
testuser2
    Notes:
    • If running in the non-default namespace, make sure to specify the --namespace option.
    • The version tag on the container should match image.releaseTag in the values.yaml file.
    • The argument release should match the release name you assigned when deploying the chart.
    • There is not a typo with the spacing of the "--" before create. It should be --<SPACE>create<SPACE> --user username.... This is intentional and an artifact of how the commands are passed into the user management tool.
Parent topic: Administering PowerAI Vision