General Settings

General Settings allow you to control access to Enterprise Steam and to configure Enterprise Steam.

Access Control

Enterprise Steam supports Local, LDAP, and SAML authentication. No additional configuration is required for Local authentication. Refer to the sections that follow for information on how to configure LDAP and SAML authentication.

General section

Authentication

Configure LDAP Connection Settings

Enterprise Steam ships with a built-in SQLite database. By default, Enterprise Steam uses this database to store user and cluster management metadata. You can use this database, or you can configure Enterprise Steam to work with your existing LDAP directory.

  1. Navigate to the Authentication page.
  2. Select LDAP in the Enabled authentication type drop down menu, then configure the LDAP connection settings. (Refer to the table below and the image that follows.)
Field Description Example
LDAP Connection Settings
Hostname The LDAP host server address ldap.0xdata.loc
Port The LDAP server port 389 for LDAP or 636 for LDAPs
Enable LDAPs Enable this if your LDAP supports Secured LDAP/LDAPs.  
Internal cert authority Enable this if your LDAPs server certificate is signed by internal cert authority  
Internal CA path The path to the public key of the certificate authority that signed the LDAPs server certificate (PEM format)  
Bind DN The Distinguished Name used by the LDAP server if extended access is required. This can be left blank if anonymous bind is sufficient. cn=admin,dc=0xdata,dc=loc
Bind DN Password/Confirm The password for the Bind DN user h2o
User Base DN The location of the LDAP users, specified by the DN of your user subtree ou=users,dc=0xdata,dc=loc
User Base Filter The LDAP search filter used to filter users department=IT
User Name Attribute The User Attribute that contains the username uid
LDAP Group Settings
Group Names The Distinguished Name used for group synch cn=jettygroup,ou=groups,dc=0xdata,dc=loc
Group Base DN The location of your LDAP groups, specified by the DN of your user subtree ou=groups,dc=0xdata,dc=loc
Group Name Attribute The Group Attribute that contains the username cn
Static Member Attribute The attribute for static group entries memberUid
LDAP Advanced Settings
Search Request Size Limit Limit the size of search results. 0 indicates unlimited.  
Search Request Time Limit Limit the time allotted for completing search results. 0 indicates unlimited. 0
Cache Max Age (in mins) The maxium age in minutes of of LDAP record in cache before forcing a refresh. Use 0 for no cache (not recommended). 5
CA Certificate Path Specify CAs to use for contacting LDAP servers. Leave empty to use system root CAs.  
LDAP Configuration
  1. Click Test Config when you are done. A valid response message indicates that the configuration was successful.
  2. Click Save Config.

After LDAP is configured, users can log in to Enterprise Steam using their LDAP username and password.

Configure SAML Connection Settings

Perform the the following steps to configure Enterprise Steam to use SAML authentication.

  1. Navigate the Authentication page.
  2. Select SAML in the Enabled authentication type drop down menu, then configure the following SAML settings:
Field Description
SAML Settings
IDP Metadata Path The path to the SAML Identity Provider (IdP) metadata file on the local file system.
Keystore Path The path to the keystore file on the local file system.
Keystore Password The keystore password.
Base URL The base URL for Enterprise Steam. For example, http://steam.loc:8888.
SAML Group Settings
User Name Attribute The attribute of authorization token that contains usernames.
Group Name Attribute The attribute of authorization token that contains group names.
Admin Group Name The name of the admin group that will get privileges in Enterprise Steam.
SAML Advanced Settings
SAML Entity ID The PartnerSpID value that will be passed to the IDP. This is optional.
Logout URL Specify the URL where the user will be redirected to after logging out. This is optional. By default, users will see the “Logged Out” screen.
SAML Configuration
  1. Click Save and Enable when you are done.

Token

The Token page allows you to generate a personal access tokens for use in scripts and on the command line. Note: Be careful, these tokens are like passwords so you should guard them carefully. The advantage to using a token over putting your password into a script is that a token can be revoked.

On the Token page, click Generate New Token to generate and retrieve your token. Note: For security reasons the token will be shown only once after generating. If you lose your token, you must generate a new one. You can only have one token at a time.

Token page

Users

By default, the Users page shows all current Enterprise Steam users. (Note that you can also specify to show deactivated Enterprise Steam users as well.) This section describes how to add, edit, and deactivate users.

Adding Users

Admins can add users into the Enterprise Steam SQLite database from within the UI.

  1. Click the Create User button on the Users Page.
  2. Username: Enter the name of the user. Note that the name must match with a username in your YARN system.
  3. Password/Confirm Password: Specify and confirm a password for the user.
  4. Role: Specify the role(s) for this user. Note that Enterprise Steam ships with two default roles: admin and standard user.
  5. YARN Queues: Optionally specify a list of YARN queues associated with this user.
  6. Cluster Profile: Specify the cluster profile(s) that this user will be part of. Note that Enterprise Steam ships with a number of default cluster profiles.
  7. Click Create User when you are done.
Create user

Upon successful completion, the new user will appear in the list of Enterprise Steam users.

Editing Users

This section describes how to edit a user’s role.

On the Users page, click the Edit link beside the user you want to edit. This opens the Edit User Details form. Change the user’s roles or cluster profile. You can also specify an authentication type of LDAP, Local, or SAML, and you can specify YARN queues for the user. Click Confirm when you are done.

Edit user

Note: A message will display in the UI if you remove all roles from a user.

Resetting a User’s Password

If a user is added with Local Authentication, then admins can reset the user’s password by clicking the Reset Local Password link for the desired user. A new password will display at the top of the screen for approximately 5 seconds. This new password should then be provided to the user so that he/she can log in to Enterprise Steam. Note that this option is not available for users added with LDAP or SAML authentication.

Reset user's password

Deactivating Users

On the Users page, click the Deactivate Steam User link for the user whose Enterprise Steam access you want to revoke.

Roles

Roles determine the activities/permissions that an Enterprise Steam user can perform within your environment. Enterprise Steam ships with two default roles: admin and standard user. These default roles are sufficient for most Enterprise Steam deployments and, in general, should not be changed. You can create additional roles, however, if you require more granularity in the way that your users access and utilize Enterprise Steam.

Creating Roles

  1. Click the Create Role button on the Roles page.
  2. Specify a name and description for the role.
  3. Select the permissions that will be granted to this role.
  4. Click Create Role at the bottom of the form when you are done.
Create role

Changing Permissions

Admins can add or remove permissions for each role directly on the Roles page.

  1. Select the checkbox for the correspoding permission and role that you want to change
  2. Click Review Changes at the bottom of the page. A popup displays, providing you with a summary of the changes.
  3. Click the Confirm button beside each change that you want to make, then click Save Changes to complete the update.
Change permissions

Deleting Roles

On the Roles page, scroll down to the bottom of the page, and click the trashcan icon under the Role column that you want to delete. A confirmation page will display, prompting you to confirm the deletion. Click Confirm to remove the role.

Note The Admin role cannot be deleted.

Delete role

Profiles

The Profiles page allow you to define individual cluster sizes and configurations. Admins can then give different users access to the different clusters by specifying a specific profile when launching a new cluster.

Enterprise Steam comes with four profiles:

  • default-h2o: This is enabled by default.
  • default-sparkling-internal: This is disabled by default. Configure Spark settings to enable this profile. (See the Sparkling Water section for more information.)
  • default-sparkling-external: This is disabled by default. Configure Spark settings to enable this profile. (See the Sparkling Water section for more information.)
  • default-dai: This is disabled by default. Configure Driverless AI settings to enable this profile. (See the Driverless AI section for more information.)

Note: The minimum Sparkling Water versions are 2.1.41, 2.2.27, 2.3.16, 2.4.*

From this page, you can edit any of the default profiles, add additional profiles, copy profiles, and delete profiles.

Cluster profiles page

Adding Profiles

  1. On the Configurations page, click the Profiles option to open the Profiles page. This page shows a list of available profiles.
  2. In the Create New Profile section of this page, enter a name for the new profile and select an available type (H2O, Sparkling Water - Internal Backend, Sparkling Water - External Backend). Click Create when you are ready. This opens the Creating Profiles form. Note that this form varies depending on the Type.

H2O Type

  1. YARN Queues: Optionally specify a comma-separated list of YARN queues available for user of this profile. Leave empty if you want to let the user to specify this parameter when launching the cluster.
  2. LDAP Groups: Optionally specify a comma-separated list of LDAP groups that will have access to this cluster. Enter * to allow any LDAP user to access this profile. Leave empty if you want to manually assign each cluster profile to each user.
  3. SAML Groups: Optionally specify a comma-separated list of SAML groups that will have access to this cluster. Enter * to allow any SAML user to access this profile. Leave empty if you want to manually assign each cluster profile to each user.
  4. Cluster Limit Per User: Specify the maximum number of clusters that a user with this profile can launch.
  5. H2O Nodes: Specify the minimum, maximum, and default number of allowed H2O nodes (cluster size) for this profile.
  6. H2O Node Memory (GB): Specify the minimum, maximum, and default amount of memory to allocate to H2O for each node (in GB).
  7. H2O Node Threads: Specify the minimum, maximum, and default number of H2O threads (CPUs) to use for each node. 0 defaults to using all CPUs on the host.
  8. H2O Node Extra Memory (%): Specify the minimum, maximum, and default extra memory for internal JVM use outside of the Java heap. (This corresponds to the extramempercent Hadoop launch parameter.)
  9. Maximum Idle Time (hrs): Specify the minimum, maximum, and default idle time in hours.
  10. Maximum Uptime (hrs): Specify the minimum, maximum, and default uptime in hours.
  11. YARN Virtual Cores: Specify the minimum, maximum, and default number of YARN virtual cores.

Sparkling Water - Internal Backend Type

  1. YARN Queues: Optionally specify a comma-separated list of YARN queues available for user of this profile. Leave empty if you want to let the user to specify this parameter when launching the cluster.
  2. LDAP Groups: Optionally specify a comma-separated list of LDAP groups that will have access to this cluster. Enter * to allow any LDAP user to access this profile. Leave empty if you want to manually assign each cluster profile to each user.
  3. SAML Groups: Optionally specify a comma-separated list of SAML groups that will have access to this cluster. Enter * to allow any SAML user to access this profile. Leave empty if you want to manually assign each cluster profile to each user.
  4. Cluster Limit Per User: Specify the maximum number of clusters that a user with this profile can launch.
  5. Python Environments: Select the environment(s) that will be associated with this profile. This list of available environments comes from the Python Environments page.
  6. Spark Properties: Optionally enter additional Spark properties for this cluster. Specify one property per line using ‘key=value’ format.
  7. Driver Cores: Specify the minimum, maximum, and default number of driver cores.
  8. Driver Memory (GB): Specify the minimum, maximum, and default driver memory (in GB).
  9. Number of Executors: Specify the minimum, maximum, and default number of executors.
  10. Executor Cores: Specify the minimum, maximum, and default number of cores per executor.
  11. Executor Memory: Specify the minimum, maximum, and default amount of executor memory per node (in GB).
  12. H2O Node Threads: Specify the minimum, maximum, and default number of H2O threads (CPUs) to use for each node. 0 defaults to using all CPUs on the host.
  13. Startup Timeout (seconds): Specify the minimum, maximum, and default startup timeout in seconds. The cluster will terminate if it cannot start within this time.

Sparkling Water - External Backend Type

  1. YARN Queues: Optionally specify a comma-separated list of YARN queues available for user of this profile. Leave empty if you want to let the user to specify this parameter when launching the cluster.
  2. LDAP Groups: Optionally specify a comma-separated list of LDAP groups that will have access to this cluster. Enter * to allow any LDAP user to access this profile. Leave empty if you want to manually assign each cluster profile to each user.
  3. SAML Groups: Optionally specify a comma-separated list of SAML groups that will have access to this cluster. Enter * to allow any SAML user to access this profile. Leave empty if you want to manually assign each cluster profile to each user.
  4. Cluster Limit Per User: Specify the maximum number of clusters that a user with this profile can launch.
  5. Python Environments: Select the environment(s) that will be associated with this profile. This list of available environments comes from the Python Environments page.
  6. Spark Properties: Optionally enter additional Spark properties for this cluster. Specify one property per line using ‘key=value’ format.
  7. Driver Cores: Specify the minimum, maximum, and default number of driver cores.
  8. Driver Memory (GB): Specify the minimum, maximum, and default driver memory (in GB).
  9. Number of Executors: Specify the minimum, maximum, and default number of executors.
  10. Executor Cores: Specify the minimum, maximum, and default number of cores per executor.
  11. Executor Memory: Specify the minimum, maximum, and default amount of executor memory per node (in GB).
  12. H2O Nodes: Specify the minimum, maximum, and default number of allowed H2O nodes (cluster size) for this profile.
  13. H2O Node Memory (GB): Specify the minimum, maximum, and default amount of memory to allocate to H2O for each node (in GB).
  14. H2O Node Threads: Specify the minimum, maximum, and default number of H2O threads (CPUs) to use for each node. 0 defaults to using all CPUs on the host.
  15. Startup Timeout (seconds): Specify the minimum, maximum, and default startup timeout in seconds. The cluster will terminate if it cannot start within this time.

Driverlesss AI

  1. LDAP Groups: Optionally specify a comma-separated list of LDAP groups that will have access to this cluster. Enter * to allow any LDAP user to access this profile. Leave empty if you want to manually assign each cluster profile to each user.
  2. SAML Groups: Optionally specify a comma-separated list of SAML groups that will have access to this cluster. Enter * to allow any SAML user to access this profile. Leave empty if you want to manually assign each cluster profile to each user.
  3. Instance Limit Per User: Specify the maximum number of Driverless AI instances that a user with this profile can access.
  4. DAI Servers: Specify the Driverless AI servers that a user with this profile can access.
  5. Config Toml Override: Specify and Driverless AI configuration overrides that will be asssociated with this profile. A list of available configuration options is available in the Driverless AI config.toml file.
  1. Click Save when you are done.

Upon completion, the new profile will appear in the Existing Profile section. If necessary, you can update or delete existing profiles directly from this section.

Editing Profiles

Enterprise Steam comes with a default profile. You can edit this profile or other expstings profiles by following the steps below.

  1. On the Configurations page, click the Profiles page. This page shows a list of available profiles.
  2. Click the Edit button beside the profile that you want to edit.
  3. Edit any properties that you want to change, then click Save at the bottom of the form.

Copying Profiles

Copying profiles is an easy way to create a new profile based on an existing one.

  1. On the Configurations page, click the Profiles page. This page shows a list of available profiles.
  2. Click the Copy button beside the profile that you want to copy.
  3. Change the name of the profile and change any options that you want to be different from the existing profile.
  4. Click Save when you are done.

Upon completion, the new profile will appear in the Existing Profile section.

Deleting Profiles

  1. On the Configurations page, click the Profiles page. This page shows a list of available profiles.
  2. Click the Delete button beside the profile that you want to delete.
  3. A confirmation page displays. Click Confirm to complete the deletion.

Steam Configuration

The Steam Configuration options allow you to configure settings that were previously available in the steam.yaml file.

General section

Licensing

The Licensing page shows you how long you have left on your current license. If your license expires, you will be prompted to enter a new Enterprise Steam license.

Licensing page

Security

By default, a self-signed TLS certificate will be autogenerated by Steam. It is advised to change this to a valid secure certificate.

Security page
  1. Specify the certificate file used by both the Steam process and Steam’s haproxy process.
  2. Specify the private key PEM file used by both the Steam process and Steam’s haproxy process.
  3. Specify the server strict transport value. The HTTP Strict-Transport-Security response header is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS instead of using HTTP. This value is in seconds, and the default value is equivalent to 20 years (max-age=631135819). Leave this empty to disable this setting.
  4. Specify the server X-XSS protection value. The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. When this value is set to 1 and a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts). This value defaults to 0
  5. Specify the Server Content Security Policy (CSP). CSP is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. This defaults to:
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:;
  1. Specify the web timeout value in minutes.
  2. Specify whether to disable JupyterHub.
  3. Click Save Configuration when you are finished.

Logging

This page allows you to configure or edit Enterprise Steam logging information and download existing logs.

Logging page
  1. Specify the Log Directory. Steam will save application logs into this directory.
  2. Specify the Log Level. The Steam log level can be set to Panic, Fatal, Error, Warning, Info, or Debug.
  3. Specify the Log File Permissions. This represents the Unix permission of the log files and defaults to 644.
  4. Click Save Configuration when you are done.

Import/Export

This page allows you to import or export current configuration for authentication, YARN, Sparkling Water, Driverless AI, security, and logging.

Import/Export page

You can import a new configuration file by clicking the Browse button and navigating to the configuration file. Or you can download an existing configuration file to your local machine.