-
Notifications
You must be signed in to change notification settings - Fork 199
Integration with Keycloak
This page explains how we can integration MONAI Label with Keycloak for User Authentication and Role Based Access.
- Before you start
- Download Keycloak
- Start Keycloak
- Create an admin user
- Log in to the Admin Console
-
Create a realm with Realm name
monailabel
-
Create a user
- Create user with Username
admin
- Create user with Username
user
- Create user with Username
- Log in to the Account Console
-
Create Client with Client ID as
monailabel-app
Create following roles:
-
monailabel-admin
- all admins will be assigned with this role. -
monailabel-reviewer
- all reviewers will be assigned with this role. -
monailabel-annotator
- all annotators will be assigned with this role. -
monailabel-user
- all (normal) users will be assigned with this role.
Name of the roles can be customized via MONAI Label configs.
Either you can create groups or assign roles to user directly. However creating groups is recommended for easier management. Create following groups:
-
MONAILabel Admins
- will be assigned with this role. -
MONAILabel Reviewers
- all reviewers will be assigned with this role. -
MONAILabel Annotators
- all annotators will be assigned with this role. -
MONAILabel Users
- all (normal) users will be assigned with this role.
Assign corresponding roles to each of the groups.
Group | Role Mapping |
---|---|
MONAILabel Admins |
|
MONAILabel Reviewers |
|
MONAILabel Annotators |
|
MONAILabel Users |
|
Example:
Auth is enabled only from 0.7.0rc2
Run
pip install monailabel>=0.7.0rc2 -U
to update/install latest monailabel
Following are corresponding configs for Auth Related in MONAI Label
Name | Type | Default | Description |
---|---|---|---|
MONAI_LABEL_AUTH_ENABLE | bool | False | Enable or Disable Auth |
MONAI_LABEL_AUTH_REALM_URI | str | http://localhost:8080/realms/monailabel | Realm URI for Auth Server |
MONAI_LABEL_AUTH_TIMEOUT | int | 10 | Connect Timeout (in seconds) to Auth Server |
MONAI_LABEL_AUTH_CLIENT_ID | str | monailabel-app | Client ID for Auth Server |
MONAI_LABEL_AUTH_ROLE_ADMIN | str | monailabel-admin | Admin role name |
MONAI_LABEL_AUTH_ROLE_REVIEWER | str | monailabel-reviewer | Revierw role name |
MONAI_LABEL_AUTH_ROLE_ANNOTATOR | str | monailabel-annotator | Annotator role name |
MONAI_LABEL_AUTH_ROLE_USER | str | monailabel-user | User role name |
MONAI_LABEL_AUTH_TOKEN_USERNAME | str | preferred_username | Key name to fetch user name field from JWT token |
MONAI_LABEL_AUTH_TOKEN_EMAIL | str | Key to fetch email field from JWT token | |
MONAI_LABEL_AUTH_TOKEN_NAME | str | name | Key to fetch name from JWT token |
MONAI_LABEL_AUTH_TOKEN_ROLES | str | realm_access#roles | Key to fetch roles assigned for the user from JWT token |
For Windows:
set MONAI_LABEL_AUTH_ENABLE=True
monailabel start_server -a sample-apps\radiology -s C:\Dataset\Radiology -c models segmentation_spleen
For Ubuntu:
export MONAI_LABEL_AUTH_ENABLE=True
monailabel start_server -a sample-apps/radiology -s ~/Dataset/Radiology -c models segmentation_spleen
If you are using different ClientID or RealmURI etc.. make sure you to set the corresponding configs before starting the server.
Visit http://127.0.0.1:8000/ on web-browser to understand which are roles have access to MONAI Label REST APIs.
Use latest version of 3D Slicer(https://download.slicer.org/). Preview version is more preferred.
If you have already installed MONAI Label plugin, you have to uninstall existing one. Please configure/install MONAI Label plugin in developer mode.
Open 3D Slicer and switch to MONAI Label plugin. When you refresh the MONAI Label server and if Auth is enabled, it will automatically prompt for login. Enter user name and password. In this case, you can try normal user.
As a normal user you can fetch new image and run inference. However when you can save annotations or run training as normal user, server will throw an error saying operation is not permitted. And in such case you can reload MONAILabel Plugin (or restart 3D Slicer) to login as different user.