Enforce Shared User Agent Group IDs
Overview #
To use the shared filesystem effectively for saving and manipulating datasets, the system administrator must assign group permissions consistently. This applies both to the users and the shared filesystem itself.
Enforcing Shared User Agent Group IDs #
Background #
Agent tasks in Machine Learning Development Environment environments default to running as user root
with group root
. To facilitate more fine-grained permissions control, it is possible to configure each user to set a specific user ID and group ID on the agents.
Configuration #
If your cluster has been configured to use specific user and group IDs, the shared filesystem must also be configured to utilize a shared group ID. This ensures proper access and manipulation of files within the shared filesystem.
Documentation Reference #
For detailed configuration instructions, visit User Accounts - Run Tasks as Specific Agent Users.
Implementation Steps #
-
Adopt a Shared Group ID:
- Choose a Group ID to serve as the shared identifier for all users of GenAI Studio. This ID can either be the default for tasks as defined in
master.yaml
or a specific group created for this purpose.
- Choose a Group ID to serve as the shared identifier for all users of GenAI Studio. This ID can either be the default for tasks as defined in
-
User Configuration:
- Ensure that all users expected to run jobs have this shared group ID assigned. This assignment can be done through User Accounts or via the User Admin Panel in your browser.
-
Filesystem Assignment:
- Configure the
shared_fs
drive to use this agent group ID as its group. Additionally, set thesetgid
flag to ensure all subdirectories inherit this group ID as shown in the example script.
- Configure the
Example Script #
You can use the script below to facilitate the enforcement of shared user agent group IDs.
#!/bin/sh
# Get the ACL library so we can set default permissions
apt-get update -y && apt-get install acl -y
# Assuming we have mounted the shared drive to /shared_fs
chmod 2775 /shared_fs
# GROUP_ID and GROUP_NAME defined here for reference. Use appropriate value for your cluster
GROUP_ID=1100
# Change the group
chgrp +${GROUP_ID} /shared_fs
# Set the defaults on the ACL permissions for the group such that it gives rwx to the group
setfacl -d -m g::rwX /shared_fs
# If your shared drive has already has data, you will need to run the chgrp recursively
# chgrp -R +${GROUP_ID} /shared_fs