allegroai / clearml-server

ClearML - Auto-Magical CI/CD to streamline your AI workload. Experiment Management, Data Management, Pipeline, Orchestration, Scheduling & Serving in one MLOps/LLMOps solution
https://clear.ml/docs
364 stars 132 forks

Add ability for users to change their passwords #167

Open achaiah opened 1 year ago

achaiah commented 1 year ago

Hi,

We would like to use ClearML but the system seems to be inadequate for multi-person use (in a self-hosted environment). While there's a way to specify users and passwords in a file, there seems to be no way for users to self-manage their passwords. It's very awkward to have to specify a password for the user as the admin of the system, because then the admin knows everyone's password. Even if you hash the password, it's not ideal because there is no salt added to the hash or any other mechanism to actually make the passwords secure. Ideally, there would be an option in settings for each user to set their own password. Could this feature be added please?

Thanks
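To make the salt point concrete, here is an added example (not ClearML's code, and not from the issue author) that contrasts an unsalted SHA-256 digest with a salted, iterated PBKDF2 record and a constant-time verifier. The record format, the iteration count and the sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed iteration count for PBKDF2-HMAC-SHA256; real deployments tune this.
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: two users with the same password
    get the same digest, and a precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'.
    A fresh random salt makes identical passwords produce different records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    Malformed or unknown records verify as False rather than raising."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: two users who happened to pick the same password.
    pw = "correct horse battery staple"
    print("unsalted, user A:", unsalted_hash(pw))
    print("unsalted, user B:", unsalted_hash(pw))   # identical, linkable
    rec_a, rec_b = make_record(pw), make_record(pw)
    print("salted, user A:  ", rec_a)
    print("salted, user B:  ", rec_b)               # different records
    print("verify ok:", verify(pw, rec_a), "verify wrong:", verify("wrong", rec_a))
```

Storing a record of this shape keeps the salt beside the digest, so an admin who edits the file still never learns the plaintext, and two accounts sharing a password are not revealed as such.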

ainoam commented 1 year ago

Hi @achaiah,

You have a valid point there, and the reality is that unfortunately there is a company behind this open-source project and we do, at the end of the day, have to have a business model. This means the more "sophisticated" features like user management, RBAC & SSO are not part of the open-source offering, only part of the licensed offerings. With time, as the product and market grow, more features will trickle from the licensed version into the open-source one, but currently we're just at the beginning of the road. If this is an important feature I can suggest contacting the ClearML sales team. In the meantime, you can change the user configuration (add/remove users) and just respin the server. All the clients are built in a way that will not cause them to crash if the server is down; they will just retry to access it, so really, other than a minor hiccup, you can "live" add/remove users. wdyt?

achaiah commented 1 year ago

Hi @ainoam,

Thanks for your quick reply. Unfortunately I have to disagree with you on a couple of items. First, it sounds odd to me that ClearML as a company would consider "user management" a "sophisticated" feature. I understand if somehow SSO is meant to be a differentiator (for large companies), but basic user management ought not to be a huge deal. The way it is currently implemented in the open-source solution doesn't even let us evaluate it properly. It might work if there was only one IT person handling all of the roles: security, configuration, administration. However, in reality these are distributed roles with their own functions, so it's not as easy as editing a file and restarting the server. What if you don't have the rights to edit that file? What if you can't even see the underlying file system? Obviously, it's up to you guys what you decide to open-source. ClearML seems to be a pretty neat product overall, but it would probably demo even better if it had basic user self-management functionality that didn't require an admin. You already have some of that with the capability of generating user-specific keys/tokens, so why not go all the way?

ainoam commented 1 year ago

Appreciate the feedback @achaiah. At the code level, current user management in the ClearML Server is trivial: it basically loads the static configuration at startup. To support this feature independently you'd need to add an entire user login system (i.e. add/remove/change-password etc.) as an API and create the web UI to use it (where SSO integration is a wholly different subsystem). This is not a negligible task, and so, without saying it will never be supported, it is not on the current development roadmap. Does that make sense?

achaiah commented 1 year ago

Hmm ok, so this makes me wonder how you attribute events in the framework to users. For example, it would be crucial to me to know who launched which task or produced a certain artifact. Say I have User_A, User_B, and User_C in the static configuration map. They all do something in the framework and then I remove User_C and re-launch the server. What happens to the tasks that were launched by User_C? Are they attributed to a user still or are they orphaned or...?

jkhenning commented 1 year ago

Hi @achaiah, all system objects created by a user retain the user's ID (even if the user was removed), and the system will retain an entry recording the user's name (again, even if the user's auth entry was removed). When you see these objects in the UI (tasks, for example), they should show the past user's name.