Update docs (#948)

2025-06-26 18:17:44 +00:00 · 2024-11-03 15:32:30 +02:00
parent af5639ac99
commit be102be4c3
51 changed files with 458 additions and 48 deletions
--- a/docs/webapp/settings/webapp_settings_admin_vaults.md
+++ b/docs/webapp/settings/webapp_settings_admin_vaults.md
@@ -7,10 +7,17 @@ This feature is available under the ClearML Enterprise plan.
 :::

 Administrators can define multiple [configuration vaults](webapp_settings_profile.md#configuration-vault) which will each be applied to designated 
-[user groups](webapp_settings_users.md). Use configuration vaults to extend and/or override entries in the local ClearML [configuration file](../../configs/clearml_conf.md)
-where a ClearML task is executed. Configuration vault values will be applied to tasks run by members of the designated user groups. 
+[user groups](webapp_settings_users.md). There are two types of vaults: 
+* [Client configuration (Agent/SDK/CLI)](#client-configuration-agentsdkcli)
+* [UI storage credentials](#ui-storage-credentials)   

-To apply its contents, a vault should be enabled. New entries will extend the configuration in the local ClearML [configuration file](../../configs/clearml_conf.md). 
+To apply its contents, a vault should be enabled in the [Administrator Vault Table](#administrator-vault-table). 
+
+## Client Configuration (Agent/SDK/CLI)
+Client configuration vaults extend and/or override entries in the local ClearML [configuration file](../../configs/clearml_conf.md)
+where a task is executed. Vault values will be applied to tasks run by members of the designated user groups. 
+
+New entries will extend the configuration in the local ClearML [configuration file](../../configs/clearml_conf.md). 
 Most existing configuration file entries will be overridden by the vault values.

 :::info 
@@ -23,24 +30,41 @@ The following configuration values are machine and/or agent specific, so they ca
 * `agent.debug`
 :::

-**To create a vault:**
+**To create a Client configuration vault:**
 1. Click **+ Add Vault**
 1. Fill in vault details:
   1. Vault name - Name that appears in the Administrator Vaults table
   1. User Group - Specify the User Group that the vault affects
-   1. Format - Specify the configuration format: HOCON / JSON / YAML.
-1. Fill in the configuration values (click <img src="/docs/latest/icons/ico-info.svg" alt="Info" className="icon size-md space-sm" /> 
-to view configuration file reference). To import and existing configuration file, click <img src="/docs/latest/icons/ico-import.svg" alt="Import" className="icon size-md space-sm" />. 
+   1. Target - Vault type. Select `Client (Agent/SDK/UI)`
+   1. Format - Specify the configuration format: HOCON / JSON / YAML. 
+   1. Fill in the configuration values (click <img src="/docs/latest/icons/ico-info.svg" alt="Info" className="icon size-md space-sm" /> 
+   to view configuration file reference). To import an existing configuration file, click <img src="/docs/latest/icons/ico-import.svg" alt="Import" className="icon size-md space-sm" />. 
 1. Click **Save** 

+## UI Storage Credentials   
+UI storage credential vaults configure UI access to cloud storage credentials for a designated group of users. 
+
+**To create a vault:**
+
+1. Click **+ Add Vault**
+1. Fill in vault details:
+   1. Vault name - Name that appears in the Administrator Vaults table
+   1. User Group - Specify the User Group that the vault affects
+   1. Target - Select `UI storage credentials` 
+   1. \+ Add access keys - Enter storage credentials (see [Browser Cloud Storage Access](webapp_settings_profile.md#browser-cloud-storage-access))
+1. Click **Save**
+
+## Administrator Vault Table
+
 The **Administrator Vaults** table lists all currently defined vaults, and the following details:
 * Active - Toggle to enable / disable the vault
 * Name - Vault name
+* Target - Type of vault: `Client (Agent/SDK/CLI)` or `UI storage credentials` 
 * Group - User groups to apply this vault to 
 * ID - Vault ID (click to copy)
 * Vault Content - Vault content summary
 * Update - Last update time

-Hover over a vault in the table to Download, Edit, or Delete a vault.  
+Hover over a vault in the table to **Download**, **Edit**, or **Delete** a vault.  

 ![Admin vaults](../../img/settings_admin_vaults.png)
--- a/docs/webapp/settings/webapp_settings_overview.md
+++ b/docs/webapp/settings/webapp_settings_overview.md
@@ -24,4 +24,6 @@ The Settings page consists of the following sections:
  * [Identity Providers](webapp_settings_id_providers.md) (ClearML Enterprise Server) - Manage server identity providers
  * [Resource Configuration](webapp_settings_resource_configs.md) (ClearML Enterprise Server) - Define the available resources and the way in which they 
  will be allocated to different workloads 
-  * [Usage & Billing](webapp_settings_usage_billing.md) (ClearML Hosted Service) - View current usage information and billing details 
+  * [Usage & Billing](webapp_settings_usage_billing.md) (ClearML Hosted Service) - View current usage information and billing details
+  * [Storage Credentials](webapp_settings_storage_credentials.md) (ClearML Enterprise Server) - Configure storage provider access credentials to 
+  enable ClearML to delete artifacts stored in cloud storage when tasks and models are deleted
--- a/docs/webapp/settings/webapp_settings_profile.md
+++ b/docs/webapp/settings/webapp_settings_profile.md
@@ -62,7 +62,7 @@ to switch to.
 
 ![Workspace configuration page](../../img/settings_workspace_configuration.png)

-### ClearML Credentials
+### ClearML App Credentials

 Generate ClearML credentials, made up of an access and secret key pair, and insert them into your [configuration file](../../configs/clearml_conf.md) 
 or Jupyter Notebook to grant the ClearML SDK and the ClearML Agent API access to the server. 
@@ -91,6 +91,20 @@ these credentials cannot be recovered.

 **To revoke ClearML credentials:** hover over the desired credentials, and click <img src="/docs/latest/icons/ico-trash.svg" alt="Trash can" className="icon size-md" />

+## AI Application Gateway Tokens 
+
+:::important Enterprise Feature
+This feature is available under the ClearML Enterprise plan.
+:::
+
+The AI Application Gateway enables external access to ClearML tasks and applications. The gateway is configured with an 
+endpoint or external address (ingress), accessible from outside ClearML.
+
+Generate tokens providing API access to the AI Application Gateway endpoints:
+
+1. Click **Generate a Token**
+1. Under `Expiration`, enter the number of days the token should remain valid 
+1. Click `Generate`, which creates a token and copies it to your clipboard 

 ### Changing Your Workspace Name
 To change the name of your own workspace, click **Edit workspace name**  <img src="/docs/latest/icons/ico-edit.svg" alt="Edit Pencil" className="icon size-md" /> 
--- a/docs/webapp/settings/webapp_settings_storage_credentials.md
+++ b/docs/webapp/settings/webapp_settings_storage_credentials.md
@@ -0,0 +1,55 @@
+---
+title: Storage Credentials 
+---
+
+:::important Enterprise Feature 
+This feature is available under the ClearML Enterprise plan.
+:::
+
+To enable ClearML to delete task artifacts stored in cloud storage when a task is deleted, configure access credentials for your storage provider:
+* [Google Cloud Storage](#google-cloud-storage)
+* [AWS S3 Storage](#aws-s3-storage)
+* [Azure](#azure)
+
+![Storage Credentials page](../../img/webapp_settings_storage_credentials.png)
+
+## Google Cloud Storage
+Set up credentials for Google Cloud buckets: 
+* Default credentials - These credentials apply to all GCS buckets unless bucket-specific credentials are set.
+  * Project - Default Google Cloud Storage project
+  * Credentials JSON
+* Bucket specific credentials:
+  * Bucket 
+  * Project
+  * Credentials JSON
+
+## AWS S3 Storage 
+Set up credentials for S3 protocol storage (i.e. AWS S3, MinIO, etc.): 
+* Default credentials - These credentials apply to all buckets unless bucket-specific credentials are set:
+  * Access Key - Default access key for the storage service.
+  * Secret -  Default secret access key.
+  * Access token - Session key for temporary credentials (if applicable).
+  * Region -  Default region for all unspecified buckets.
+  * Credentials Chain - If selected, use boto3 default [credentials search](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials) 
+  (i.e. look for credentials in environment variables, credential files, and instance metadata services).
+* Bucket Specific Credentials: 
+  * Bucket - Name of the specific bucket.
+  * Region - Region for the bucket.
+  * Host - For non-AWS endpoints, the host URL and port number of the specific bucket. Note that port specification 
+  is *always* needed (e.g. `my-minio-host:9000`), even for standard ports like 433 for HTTPS (e.g. `my-minio-host:433`) 
+  * Secure Host - Select in order to enable TLS. 
+  * Verify SSL certificate - Select to enable SSL verification for secure hosts.
+  * Access key - Access key for the bucket.
+  * Secret - Secret key for the bucket.
+  * Access token - The session key for your bucket. This is only needed when you are using temporary credentials.
+  * Use Credentials chain - If selected, use boto3 default [credentials search](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials) 
+  (i.e. looks for credentials in environment variables, credential files, and instance metadata services).
+
+## Azure
+Set up credentials for Azure storage containers: 
+* Account name - Azure storage account name.
+* Account key - Azure storage account key.
+* Container name - Name of the specific container.
+
+
+
--- a/docs/webapp/settings/webapp_settings_users.md
+++ b/docs/webapp/settings/webapp_settings_users.md
@@ -109,6 +109,32 @@ To revoke a set of credentials:
 1. In the editing panel, hover of the relevant credential's row
 2. Click the <img src="/docs/latest/icons/ico-trash.svg" alt="Trash can" className="icon size-md" /> button

+### Service Account Configuration Vault
+Use a service account’s configuration vault to store ClearML configuration entries that can extend the ClearML 
+[configuration file](../../configs/clearml_conf.md) of any ClearML Agents or ClearML SDK running with the service account's 
+credentials. 
+
+Vault entries will extend the configuration in the ClearML [configuration file](../../configs/clearml_conf.md) if they 
+don't yet exist, and override values for those already present in the file.
+
+Fill in values using any of ClearML supported configuration formats: HOCON / JSON / YAML.
+
+To edit vault contents:
+1. Click on the relevant service account to open its details panel 
+2. Click **EDIT** on the configuration vault 
+3. Insert / edit the configurations in the vault
+4. Press **OK**
+
+To apply vault contents:
+* Click the toggle atop the vault to enable / disable the configurations
+* Once enabled, the configurations will be merged to the configuration file during ClearML and ClearML Agent usage
+
+In addition to the service account-specific configuration vault, [administrator vaults](#administrator-vaults) can also 
+be applied to service accounts. See all the vaults applied to the account in the **Applied administrator vaults** below 
+the configuration vault.   
+
+![Service Account Config Vault](../../img/settings_service_account_config_vault.png)
+
 ### Deleting Service Account
 Deleting a service account will revoke its credentials, causing agents using the account's credentials to fail. 
 Tasks and associated artifacts logged to your workspace by a service account will remain in your workspace.