ACL service enablement
Premium feature
ACL hydration is a premium feature. Contact your DataRobot representative for more information.
The ACL (Access Control List) service provides continuous synchronization of file permissions from external sources such as Google Drive and SharePoint, ensuring that vector database query results respect the original source-system access controls.
When enabled, the ACL service deploys two Kubernetes workloads:
- acl-service Deployment: A long-running server that continuously polls Google Drive (via Drive Activity API) and SharePoint (via Delta Query) for permission changes and updates the stored ACLs accordingly.
- principals-update CronJob: A scheduled task running every 30 minutes to refresh external user and group memberships (for example, Google Workspace groups).
For information on configuring ACL hydration for your organization and end-user behavior, see ACL hydration.
Requirements
Before enabling the ACL service, ensure the following:
- DataRobot 11.6 or later is installed.
- At least one supported data source connector is configured:
- The Kubernetes cluster has sufficient capacity for the additional workloads (see Resource requirements below).
Resource requirements
The ACL service introduces two new Kubernetes workloads with the following resource footprint:
| Workload | CPU request/limit | Memory request/limit |
|---|---|---|
| acl-service Deployment | 2 / 2 | 4Gi / 4Gi |
| principals-update CronJob | 100m / 1 | 300Mi / 600Mi |
Enablement
The ACL service is disabled by default. To enable it, add the following to your Helm values override file:
```yaml
global:
  acl_service:
    enabled: true
```
Apply the updated values and perform a Helm upgrade:
```shell
helm upgrade datarobot datarobot/datarobot-prime \
  -f your-values-override.yaml \
  --namespace datarobot
```
Once global.acl_service.enabled is set to true, DataRobot automatically sets the ACL_SYNC_AVAILABLE environment variable to True in the application configuration. This makes the Enable ACL Synchronization feature flag available for organization administrators to enable per-organization from the DataRobot UI.
Verification
After the upgrade completes, verify that the ACL service pods are running:
```shell
kubectl get pods -n datarobot -l app=acl-service-app
```
Verify that the principals-update CronJob was created:
```shell
kubectl get cronjobs -n datarobot | grep principals-update
```
Confirm that the ACL_SYNC_AVAILABLE variable is set in the application ConfigMap:
```shell
kubectl get configmap datarobot-modeling-envvars -n datarobot -o yaml | grep ACL_SYNC_AVAILABLE
```
The output should include:
```yaml
ACL_SYNC_AVAILABLE: "True"
```
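The three verification checks can be combined into one gate that exits non-zero if any of them fails; the script below is an added example, not DataRobot's own tooling. The namespace, label, ConfigMap and variable names are the ones on this page; the function names, the `NS` variable, the `--run` switch and the file name are assumptions of this example, and the CronJob is matched by name substring, as the `grep` check does.

```shell
#!/bin/sh
# Added example: post-upgrade gate for the ACL service (not DataRobot tooling).
# Namespace, label, ConfigMap and variable names come from this page; the
# function names and the NS variable are assumptions of this example.
NS="${NS:-datarobot}"

# Every acl-service pod must exist and report phase Running.
check_pods() {
    pods=$(kubectl get pods -n "$NS" -l app=acl-service-app -o \
        jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.phase}{"\n"}{end}') || return 1
    [ -n "$pods" ] || { echo "FAIL: no acl-service pods found"; return 1; }
    bad=$(printf '%s\n' "$pods" | awk '$2 != "Running"')
    [ -z "$bad" ] || { echo "FAIL: pods not Running: $bad"; return 1; }
    echo "OK: acl-service pods Running"
}

# The principals-update CronJob must exist and must not be suspended,
# otherwise external user and group memberships stop being refreshed.
check_cronjob() {
    cj=$(kubectl get cronjobs -n "$NS" -o \
        jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.suspend}{"\n"}{end}') || return 1
    line=$(printf '%s\n' "$cj" | grep principals-update) ||
        { echo "FAIL: principals-update CronJob missing"; return 1; }
    if printf '%s\n' "$line" | grep -q ' true$'; then
        echo "FAIL: principals-update CronJob is suspended"; return 1
    fi
    echo "OK: principals-update CronJob present and not suspended"
}

# The ConfigMap value must be exactly "True", not merely present.
check_flag() {
    val=$(kubectl get configmap datarobot-modeling-envvars -n "$NS" -o \
        jsonpath='{.data.ACL_SYNC_AVAILABLE}') || return 1
    [ "$val" = "True" ] ||
        { echo "FAIL: ACL_SYNC_AVAILABLE is '$val', expected 'True'"; return 1; }
    echo "OK: ACL_SYNC_AVAILABLE=True"
}

# Run all three checks and report every failure before returning non-zero.
verify_acl_service() {
    rc=0
    check_pods || rc=1
    check_cronjob || rc=1
    check_flag || rc=1
    return "$rc"
}

# Run the gate only when called as: sh verify-acl.sh --run (hypothetical file name)
if [ "${1:-}" = "--run" ]; then verify_acl_service; exit $?; fi
```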
Post-enablement configuration
After the service is running, a DataRobot organization administrator must enable ACL synchronization for each supported data source connection in the DataRobot UI. See Setting up ACL hydration for steps.