Authentication in KDB.AI
This page explains how to set up and use authentication in KDB.AI. It includes details on environment variables, Docker examples, and Python client usage.
KDB.AI now supports authentication, allowing access management for different users. Currently, it supports static authentication, detailed below.
Static authentication
KDB.AI server supports static authentication, where the server verifies the client password with a static key provided to the server. You can supply the static key as an environment variable or as a mounted file path (for example, to use with Kubernetes secret). The following variables enable static authentication:
| VARIABLE | PURPOSE | SUPPORTED VALUES | MANDATORY | DEFAULT |
|---|---|---|---|---|
AUTH_TYPE
|
Authentication type | static
|
Yes | None |
ENABLE_TCP_AUTH
|
Enable/disable qIPC authentication |
|
No | 0
|
ENABLE_HTTP_AUTH
|
Enable/disable REST authentication | 0 (disable) / 1 (enable) |
No | 0
|
AUTH_PASSWORD
|
Authentication password | any string | No (password file can be mounted instead) | None |
Static authentication with environment variable
To configure static authentication, add the following environment variables to your Docker / Kubernetes configuration:
bash
AUTH_TYPE=static
ENABLE_TCP_AUTH=1 # if q authentication is required else no need to define this variable
ENABLE_HTTP_AUTH=1 # if REST authentication is required else no need to define this variable
AUTH_PASSWORD="secret" # if static API key is passed using env var else no need to define this variableStatic authentication with password file
To use a mounted secret file, mount it at the path /opt/kx/secret/auth_pwd.
A mounted secret file always takes precedence over the AUTH_PASSWORD environment variable.
Python Client version
To maintain compatibility with the server, use kdbai-client>=1.6.0:
-
kdbai-client==1.6.0supportsTCP/QIPCconnection with authentication. -
kdbai-client>=1.7.0supportsTCP/QIPCandHTTPconnections with authentication. -
kdbai-client<1.6.0is not compatible.
Docker examples
Authentication from environment variable
Use the AUTH_PASSWORD variable:
bash
docker run -it --rm -p 8081:8081 -p 8082:8082 \
-e KDB_LICENSE_B64="$KDB_LICENSE_B64" \
-e AUTH_TYPE=STATIC \
-e ENABLE_TCP_AUTH=1 \
-e ENABLE_HTTP_AUTH=1 \
-e AUTH_PASSWORD="secret" \
-v "$PWD/vdbdata":/tmp/kx/data \
portal.dl.kx.com/kdbai-db:1.7.0 Authentication from file
Create a password file and mount it into the container:
bash
echo "secret" > /tmp/auth_pwd
docker run -it --rm -p 8081:8081 -p 8082:8082 \
-e KDB_LICENSE_B64="$KDB_LICENSE_B64" \
-e AUTH_TYPE=STATIC \
-e ENABLE_TCP_AUTH=1 \
-e ENABLE_HTTP_AUTH=1 \
-v /tmp/auth_pwd:/opt/kx/secret/auth_pwd \
-v "$PWD/vdbdata":/tmp/kx/data \
portal.dl.kx.com/kdbai-db:1.7.0 No authentication specified
Run as normal without specifying any authentication variables:
bash
docker run -it --rm -p 8081:8081 -p 8082:8082 \
-e KDB_LICENSE_B64="$KDB_LICENSE_B64" \
-v "$PWD/vdbdata":/tmp/kx/data \
portal.dl.kx.com/kdbai-db:1.7.0Examples
HTTP authentication using curl
bash
curl http://localhost:8081/api/v2/version
{"message":"You are not authorized to access this resource."}
curl -u user:password-file http://localhost:8081/api/v2/version
{"serverVersion":"1.7.0","clientMinVersion":"1.7.0","clientMaxVersion":"latest"}Authentication using Python Client
bash
import kdbai_client as kdbai
import os
PASSWORD = os.environ.get("auth_pwd")
try:
session = kdbai.Session(endpoint="http://localhost:8082", options={"username":"user","password":"pass"})
print(f"Success, connected to server with qipc")
except kdbai.KDBAIException as e:
print(f"Failed to connect with password={PASSWORD} --> {e}")
EOF