I have 10 Desktop licenses and 100 Webportal licenses for KNIME Server. I went to the “Users & Groups” page on KNIME Server’s WebPortal and I added four new users. All four of these users have successfully obtained a Desktop license and a Webportal license. Now I need to add another three users, but I want to restrict these users to only “Webportal”. To be specific, I do not want them to obtain a Desktop license. How do I prevent new users from grabbing a desktop license?
The following is true for up to KNIME Server 4.6.
It is possible to use the KNIME Server configuration specified below to limit access to the server. This configuration is made in <knime-server-repository>/knime-server.config
It is possible to limit the users who can connect to the KNIME Server by adding the relevant AD groups to information about the configuration for excluding/including groups to certain KNIME Server functionality:
See pages 5,6,7.
For e.g. 5 named users (client access users) and 50 webportal users.
analyticsplatformusers AD/LDAP group should have no more than 5 users,
webportalusers AD/LDAP group should have no more than 50 users.
restapiusers AD/LDAP group should have no more than 50 users.
Thanks for the information. I used the following setting
and I was able to prevent non-members from using a KNIME AP license.
I will try the other settings as well.
By the way, I see that there was a pre-defined KNIME group after I installed KNIME Server. Is that group required for anything or was it just there as an example?
Glad the solution worked for you.
That’s a default group that is defined. It’s not required and is treated the same as any other group that you may choose to define.
We are upgrading from KNIME Server 4.6 to KNIME Server 4.8. I noticed that the allowed groups configuration options have changed for two of the three groups.
The groups used to be:
They are now:
Is this just a name change, or is it also a functionality change?
I have three active directory groups that I use for KNIME Server:
- knime_webportal_users: This group needs to be be able to log onto the KNIME Webportal page.
- knime_rest_users: This group needs to be able to make a REST call.
- knime_ap_users: This group needs to be able to connect from KNIME AP to KNIME Server.
How do I assign my Active Directory groups above to the three allowed_groups configuration for KNIME Server 4.8 to accomplish my permission goals described above?
If my strategy above is complicated, I am open to using another set of Active Directory groups.
I would also like to know what these three groups are used for. The documentation is vague because it does not explain what a user and consumer is. It also does not distinguish how these two are different from the “plain” user group.
We introduced the distinction between users and consumers in KNIME Server 4.7. The most basic explanation is that users are those who log in from an Analytics Platform client, to do all the tasks typically done that way (upload workflows, create schedules, etc.)
Consumers, on the other hand, are those who can only execute workflows, from either the WebPortal or via REST API.
Therefore, your knime-server.config should be:
- com.knime.server.login.consumer.allowed_groups=knime_rest_users,knime_ap_users(,knime_ap_users, in case those should also be able to use WebPortal/REST)
Hope that helps, let me know if you have more questions.
Thanks for the information.
I have another question: What is the job of the following setting:
For example, if I add the “knime_ap_users” AD group to
then do I also have to add this AD group to:
Another way to look at this question. If I add the “knime_ap_users” AD group to
but I do not add it to the “users” or “consumers” group, then what will members of this AD group be able to do?
This option controls which groups are allowed to login to KNIME Server in general, while com.knime.server.login.user.allowed_groups and com.knime.server.login.consumer.allowed_groups define where exactly those groups can login.
In practice, if you only add a group to com.knime.server.login.allowed_groups, and to none of the other two, they won’t be able to do anything.
So if I add an AD group to the “user” or “consumer” settings, do I also need to add that AD group to com.knime.server.login.allowed_groups setting?
That is correct - groups that need to login to KNIME Server have to be added to com.knime.server.login.allowed_groups as well.