Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[META] Permissions overhaul #2304

Open
aktech opened this issue Mar 11, 2024 · 2 comments
Open

[META] Permissions overhaul #2304

aktech opened this issue Mar 11, 2024 · 2 comments

Comments

@aktech
Copy link
Member

aktech commented Mar 11, 2024

Context

This is a meta issue to define and document problems with the current permissions model in Nebari

Nebari Permissions

🛡️Authentication

Login / Logout to Services or Components

Application Authentication Required? Login Behavior Logout Behavior
Keycloak Yes - -
Monitoring Yes Logs in automatically if logged in to Nebari Nebari Home logout doesn't logs you out of Monitoring
VSCode / JupyterLab Yes Logs in automatically if logged in to Nebari Nebari Home logout logs you out of VSCode/JupyterLab
conda-store Yes Requires another login (via Keycloak) Redirects to localhost after logout, no actual logout (conda-store bug?)
Argo Yes Requires another login (via Keycloak) Nebari Home logout doesn't logs you out of Argo
Dask Diagnostics Dashboard No (Accessible without auth) N/A N/A
Extenstions (e.g. mlflow) don't care yet don't care yet don't care yet

🛡️Authorization

Permission Profiles (JupyterLab Profiles)

profiles:
  jupyterlab:
    - display_name: Small Instance
      description: Stable environment with 1 cpu / 1 GB ram
      access: all
      default: true
      kubespawner_override:
        cpu_limit: 1
        cpu_guarantee: 1
        mem_limit: 1G
        mem_guarantee: 1G
    - display_name: Medium Instance
    ...

  • It is possible to control which users have access to which JupyterLab profiles. Each profile has a field named access which can be set to all (default if omitted), yaml, or keycloak.
  • all means every user will have access to the profile (default).
  • keycloak means that access is restricted to any user who in Keycloak has either their group(s) or user with the attribute jupyterlab_profiles containing this profile name. For example, if the user is in a Keycloak group named developers which has an attribute jupyterlab_profiles set to Large Instance, they will have access to the Large Instance profile. To specify multiple profiles for one group (or user) delimit their names using ## - for example, Large Instance##Another Instance.

Permissions via Keycloak

Groups

  • analyst
  • developer
  • admin
  • superadmin

This also gives users the access to right groups in the jupyterhub shared filesystem, if a user is in above groups, they will have access to following shared directories in /shared:

drwxrwxrwx  5 0 0 4.0K Jan  4  2023 developer
drwxrwxrwx  2 0 0 4.0K Apr 12  2023 superadmin
drwxrwxrwx 14 0 0 4.0K Sep 26 16:37 quansight
drwxrwxrwx  4 0 0 4.0K Feb 14 12:34 analyst
drwxrwxrwx  2 0 0 4.0K Feb 27 13:37 admin

When a use spins up a JupyterLab server, it fetches the groups the user is in via Keycloak API and mounts those directories for the user.

Roles

Conda Store

  • conda_store_developer (e.g. read access to conda-store namespace say “developer”)
  • conda_store_admin
  • conda_store_superadmin (e.g. full access to conda-store read/write/delete)

JupyterHub

  • jupyterhub_developer
  • jupyterhub_admin

Argo

  • argo_viewer
  • argo_developer
  • argo_admin

Keycloak

  • realm_admin (Keycloak)

Grafana

  • grafana_viewer
  • grafana_developer
  • grafana_admin

Dask

  • dask_developer
  • dask_admin

References:

Problems / Concerns / Questions:

Translation of levels of access between Nebari permissions and respective services permission

Role Mapping (just an idea):

jupyterhub-role:create-share=quansight
jupyterhub-role:no-create-share
conda-store-role:env:quansight:read
conda-store-role:env:quansight:write

Value and/or benefit

  • Better UX by consistent Authentication
  • Better control over access to resources

Anything else?

No response

@aktech
Copy link
Member Author

aktech commented Apr 4, 2024

An RFD has been created for the RBAC implementation: nebari-dev/governance#47

@viniciusdc
Copy link
Contributor

viniciusdc commented May 3, 2024

The RFD above has been accepted, and the work referenced in this issue and in the RFD itself has been broken down in the following issues:

@aktech aktech added this to the Permission RBAC milestone Jun 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: New 🚦
Development

No branches or pull requests

2 participants