Datalore 2025.2 Help

Enable SSO for Kubernetes deployment

You can use JetBrains Hub (further in the article referred to as Hub) for user authentication and user management in Datalore. Hub supports most popular identity providers.

This article explains how to enable Hub for Datalore On-Premises installed using Kubernetes. If your Datalore deployment is done with Docker, see Enable SSO for Docker deployment.

Prerequisites

Define a base URL for the Hub installation and make sure that Kubernetes cluster used for this installation is capable of providing Ingress resource. For that, an Ingress controller should be installed and configured prior to the Hub installation.

In this article, we will use hub.example.com as base URL and Nginx as an ingress controller.

Install and configure Hub

Install Hub

  1. Create a hub.values.yaml file, using the below example as reference:

    volumeClaimTemplates: - metadata: name: hub spec: accessModes: - ReadWriteOnce resources: requests: storage: 10Gi volumeMounts: - name: hub mountPath: /opt/hub/data subPath: data - name: hub mountPath: /opt/hub/conf subPath: conf - name: hub mountPath: /opt/hub/logs subPath: logs - name: hub mountPath: /opt/hub/backups subPath: backups ingress: enabled: true hosts: - host: hub.example.com paths: - path: / pathType: Prefix annotations: kubernetes.io/ingress.class: "nginx"
  2. Install the Hub Helm chart and wait, until Hub's pod is in Ready state.

    helm install -f hub.values.yaml hub datalore/hub --version 0.2.28
    kubectl wait --for=condition=Ready pod/hub-0
  3. Check the pod logs (using the kubectl logs service/hub command) for a wizard_token. The output should have a line like this:

    JetBrains Hub 2025.1 Configuration Wizard will listen inside container on {0.0.0.0:8080}/ after start and can be accessed by this URL: [http://<put-your-docker-HOST-name-here>:<put-host-port-mapped-to-container-port-8080-here>/?wizard_token=pPXTShp4NXceXqGYzeAq].

    Copy the wizard_token value to the clipboard - this value is required during the Hub bootstrapping procedure.

  4. Open the Hub's base URL in your browser and insert the wizard_token into the Token field.

  5. Click the Log in button.

  6. Click the Set Up link.

  7. In Base URL, enter specify a Hub public URL (referred to as HUB_ROOT_URL later). Do not change the Application Listen Port setting.

  8. Click the Next button.

  9. Configure the admin account by setting the admin password.

  10. Click the Next button.

  11. Click the Finish button and wait for Hub to start.

Configure the Datalore service in Hub

  1. Go to Services (click the gear icon in the right upper side of the screen, then Services) and click the New service button.

    Use the name datalore and provide the Datalore base URL.

  2. Copy the ID field value and save it somewhere temporarily. It will be required later to configure Datalore.

  3. Click the Change... button next to the Secret label.

  4. Copy the generated secret and save it somewhere temporarily: it will be used when configuring Datalore ($HUB_DATALORE_SERVICE_SECRET property). Click the Change secret button to confirm the selection.

  5. Enter the Datalore base URL in the Base URLs field.

  6. Enter the line /api/hub/openid/login in the Redirect URIs field.

  7. Click the Trust Service button in the upper right corner.

  8. Click the Save button.

Enabling Hub in Datalore

To enable Hub, the following configuration variables must be defined (and the server should be restarted once changes are applied):

  • HUB_PUBLIC_BASE_URL: Hub public URL (the one you specified in the Base URL field during the Hub installation).

  • HUB_DATALORE_SERVICE_ID: ID of the Datalore service in Hub (the one you created in the Configure the Datalore service in Hub step).

  • HUB_DATALORE_SERVICE_SECRET: Token of the Datalore service in Hub (the one you created in the Configure the Datalore service in Hub step).

For the full list of available configuration options, see the Single sign-on (Hub) configuration section.

Optional procedures

Enable additional auth modules

Authentication modules are used to verify the identity of users before granting them access to resources in Hub.

  1. Click the gear icon in the right upper side of the Hub admin panel, then go to Auth Modules.

  2. Add or remove auth modules (for example, Google Auth, GitHub Auth, LDAP, and so on).

Force email verification

Datalore uses user emails from Hub; so it is recommended to force email verification in Hub. When this option is enabled, users with unverified emails will not be able to use Datalore.

  1. Configure the SMTP server:

    • Click the gear icon in the right upper side of the Hub admin panel, then go to SMTP

    • Click the Configure SMTP server... button.

    • Configure your SMTP server parameters.

    • Click the Save button.

    • Click the Enable notifications button.

    • (Optional) To make sure your configuration is working, click the Send Test message button.

  2. Enable email verification:

    • Click the gear icon in the right upper side of the Hub admin panel, then go to Auth Modules.

    • Open the Common settings page.

    • Enable the Email verification option.

    • Click the Save button.

  3. Set and verify an admin user email:

    • Click the gear icon in the right upper side of the Hub admin panel, then go to Users.

    • Click your admin username.

    • Set an email in the Email field.

    • Click the Save button.

    • Click the Send verification email link.

    • Find the verification email in your inbox and click the Verify email address button.

Last modified: 24 April 2025