Configuring Anaconda Client#

Anaconda Client gives you the ability to upload packages to your on-site Anaconda Enterprise 4 Repository and provides highly granular access control capabilities. The instructions below describe how to configure Client to use your local Repository instead of Anaconda Cloud.

Client configuration#

On each machine that accesses your on-site Repository, run this command as the machine’s local user:

anaconda config --set url http://your.server.name:<port>/api

Or, to set the default repo on a system-wide basis, run this command:

anaconda config --set url http://your.server.name:<port>/api --site

NOTE: Replace your.server.name with the name of your local Repository and <port> with the name of the port used by Repository.

The system level config file is used only if no user-level config file is present.

To show the system and user config file locations and configuration settings:

anaconda config --show

Conda configuration#

When the above anaconda config steps are completed, you can access all packages and channels from the local on-site Repository instead of the public Anaconda.org.

Users can then add individual accounts to their .condarc file by running the following command:

conda config --add channels USERNAME

If you still want to access certain channels from the public Anaconda.org, run:

conda config --add channels http://conda.anaconda.org/USERNAME

NOTE: Replace USERNAME with your username.

Conda channel priority#

To set a preferred priority for the channels conda searches for package installs, edit your ~/.condarc file and change the order. Channels at the top are searched first.

For example:

channels:
  - channel
  - https://conda.anaconda.org/t/<token>/<channel2>
  - http://conda.anaconda.org/<channel1>
  - defaults

The order of search is:

  1. Private on-site Repository channel.

  2. Private Anaconda.org channel2.

  3. Public Anaconda.org channel1.

  4. Default channel on the on-site Repository.

Pip configuration#

To install PyPI packages from your Repository, add your channel to your ~/.pip/pip.conf configuration file.

Edit the file and add an extra-index-url entry to the global config section:

[global]
extra-index-url = http://your.server.name:<port>/pypi/USERNAME/simple

NOTE: Replace your.server.name with the name of your local Repository, <port> with the name of the port used by Repository and USERNAME with your username.

Kerberos configuration#

If you have enabled Kerberos authentication as described in Configuring Repository to use Kerberos, your browser and Client should be able to authenticate to Repository using Kerberos.

In macOS/Unix, configure the file /etc/krb5.conf:

[libdefaults]
default_realm = YOUR.DOMAIN

[realms]
YOUR.DOMAIN = {
  kdc = your.kdc.server
}

[domain_realm]
your.anaconda.repository = YOUR.DOMAIN

NOTE: Replace YOUR.DOMAIN with your domain, your.kdc.server with your Kerberos key distribution center (KDC) and your.anaconda.repository with your local Repository server.

If your configuration is correct, you should be able to authenticate using the command line tool kinit:

kinit jsmith
anaconda login

NOTE: Replace jsmith with your username.

Browser Setup#

Many browsers do not present your Kerberos credentials by default, to prevent leaking credentials to untrusted parties. In order to use Kerberos authentication, you must whitelist Repository as a trusted party to receive credentials.

You must restart your browser after configuring the whitelist in order for changes to be reflected.

Safari#

Safari requires no configuration—it automatically presents your credentials without whitelisting.

Chrome#

The AuthServerWhitelist policy must be set to your.anaconda.repository to allow Chrome to present credentials to Repository with the hostname your.anaconda.repository. Depending on your DNS configuration, DisableAuthNegotiateCnameLookup may also be required to prevent Chrome from canonicalizing the hostname before generating a service name.

NOTE: Replace your.anaconda.repository with your local Repository server.

To configure on macOS:

defaults write com.google.Chrome AuthServerWhitelist "your.anaconda.repository"

On Linux:

mkdir -p /etc/opt/chrome/policies/managed
mkdir -p /etc/opt/chrome/policies/recommended
chmod -w /etc/opt/chrome/policies/managed
echo '{"AuthServerWhitelist": "your.anaconda.repository"}' > /etc/opt/chrome/policies/managed/anaconda_repo_policy.json

On Windows, use Group Policy objects to set the Authentication server whitelist setting to your.anaconda.repository.

For more information, see Chrome’s SPNEGO authentication and administration documentation.

Firefox#

  1. Navigate to the configuration page about:config.

  2. Search for negotiate.

  3. Set the configuration item network.negotiate-auth.trusted-uris to your.anaconda.repository

NOTE: Replace your.anaconda.repository with your local Repository server.

Internet Explorer#

  1. In the Tools menu, select Internet Options.

  2. On the Advanced tab, in the Security section, select Enable Integrated Windows Authentication.