[META] Permissions overhaul #2304
Labels
area: authentication
area: integration/keycloak
status: in progress 🏗
This task is currently being worked on
type: enhancement 💅🏼
New feature or request
Milestone
Context
This is a meta issue to define and document problems with the current permissions model in Nebari
Nebari Permissions
🛡️Authentication
Login / Logout to Services or Components
🛡️Authorization
Permission Profiles (JupyterLab Profiles)
access
which can be set to all (default if omitted),yaml
, orkeycloak
.all
means every user will have access to the profile (default).keycloak
means that access is restricted to any user who in Keycloak has either their group(s) or user with the attribute jupyterlab_profiles containing this profile name. For example, if the user is in a Keycloak group named developers which has an attribute jupyterlab_profiles set to Large Instance, they will have access to the Large Instance profile. To specify multiple profiles for one group (or user) delimit their names using ## - for example, Large Instance##Another Instance.Permissions via Keycloak
Groups
analyst
developer
admin
superadmin
This also gives users the access to right groups in the jupyterhub shared filesystem, if a user is in above groups, they will have access to following shared directories in
/shared
:When a use spins up a JupyterLab server, it fetches the groups the user is in via Keycloak API and mounts those directories for the user.
Roles
Conda Store
conda_store_developer
(e.g. read access to conda-store namespace say “developer”)conda_store_admin
conda_store_superadmin
(e.g. full access to conda-store read/write/delete)JupyterHub
jupyterhub_developer
jupyterhub_admin
Argo
argo_viewer
argo_developer
argo_admin
Keycloak
realm_admin
(Keycloak)Grafana
grafana_viewer
grafana_developer
grafana_admin
Dask
dask_developer
dask_admin
References:
Problems / Concerns / Questions:
Translation of levels of access between Nebari permissions and respective services permission
Role Mapping (just an idea):
jupyterhub-role:create-share=quansight
jupyterhub-role:no-create-share
conda-store-role:env:quansight:read
conda-store-role:env:quansight:write
Value and/or benefit
Anything else?
No response
The text was updated successfully, but these errors were encountered: