Add admin users notion

[avishniakov]

Describe changes

I implemented the is_admin flag for the user accounts and added protection to certain operations performed via the REST interface to ADMIN-allowed only.

Only admins can: list all users, create users, get another user, update another user, deactivate another user, and delete a user.
All users can: list self, get self, update self, and activate a user.

These checks are only performed if no RBAC is in place, so ZenML Cloud RBAC functionality is not affected.

Pre-requisites

Please ensure you have done the following:

• I have read the CONTRIBUTING.md document.
• If my change requires a change to docs, I have updated the documentation accordingly.
• I have added tests to cover my changes.
• I have based my new branch on develop and the open PR is targeting develop. If your branch wasn't based on develop read Contribution guide on rebasing branch to develop.
• If my changes require changes to the dashboard, these changes are communicated/requested.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Other (add details above)

Summary by CodeRabbit

• New Features
  • Introduced admin user management, including the ability to create users with admin status and update user information with admin privileges.
• Documentation
  • Updated the Quickstart guide with correct hyperlinks and improved the community links alignment.
• Bug Fixes
  • Ensured that the default user is created with admin privileges and prevented removing admin status from the default user.
• Refactor
  • Enhanced various user management functions to support new admin features and improved permission checks across the application.
• Tests
  • Added comprehensive tests for new admin user management features, including scenarios for updating user information and admin status.

[coderabbitai]

Important

Auto Review Skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository.

To trigger a single review, invoke the @coderabbitai review command.

Walkthrough

The recent updates focus on enhancing user management and role-based access control (RBAC) within the application. Key features include the introduction of an is_admin flag to distinguish between admin and regular users, updates to user creation and modification functions to handle admin status, and improvements in permission checks and error handling for user actions. These changes aim to provide more granular control over user roles and permissions, ensuring a more secure and customizable environment.

Changes

Files	Change Summary
examples/quickstart/README.md	Updated Google Colab badge URL and Slack community link.
src/zenml/.../user_management.py, client.py	Added is_admin flag to user creation; updated user update functions with admin-related parameters.
src/zenml/models/v2/.../service_account.py, user.py, external_user.py	Added is_admin fields and updated inheritance structures.
src/zenml/zen_server/...	Enhanced user and admin permission checks, error handling, and RBAC settings in various server modules.
src/zenml/zen_stores/..., tests/...	Updated database schema for admin users, added is_admin in schemas, and integrated tests.

Poem

In the world of code, where changes are vast,
A rabbit hopped in, making updates fast.
With a flick of its ear, and a tap of its paw,
Admins and users, it clearly saw.
🐰 "Let's manage with care, and control with grace,
Permissions and roles, in their right place."
In a burrow so deep, with code so neat,
The rabbit's work done, so clever and sweet.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

---

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit-tests for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit tests for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit tests.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

CodeRabbit Discord Community

Join our Discord Community to get help, request features, and share feedback.

[stefannica]

I didn't expect the new admin user concept to permeate the RBAC code. I thought you might stop at the user endpoints without actually touching the RBAC utility code, given that they are mutually exclusive. I guess there's some beauty to having it part of RBAC though, because it kind of grew on me as I was reviewing the PR.

It all looks good with the exception of the re-factoring of the clean_client concept. I strongly suggest you do that in a separate PR, because it's an entire story in and of itself. For this PR, it should be sufficient to write tests using the same approach that the existing user zen store integration tests use.

[stefannica]

Left some improvement suggestions for the unit tests, otherwise looks good.

[avishniakov]

Left some improvement suggestions for the unit tests, otherwise looks good.

Thanks for the effort @stefannica ! I will use your suggestions.

[github-actions]

Quickstart template updates in examples/quickstart have been pushed.

[avishniakov]

Let's blow a bomb of CodeRabbit 🙂

@coderabbitai review

[coderabbitai]

@avishniakov, I will review the changes in the PR. 🚀

Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Review Status

Actionable comments generated: 10

Configuration used: .coderabbit.yaml

Commits

Files that changed from the base of the PR and between 00ca990 and 5c45457.

Files selected for processing (18)

• examples/quickstart/README.md (2 hunks)
• src/zenml/cli/user_management.py (4 hunks)
• src/zenml/client.py (4 hunks)
• src/zenml/models/v2/core/service_account.py (1 hunks)
• src/zenml/models/v2/core/user.py (6 hunks)
• src/zenml/models/v2/misc/external_user.py (1 hunks)
• src/zenml/zen_server/auth.py (2 hunks)
• src/zenml/zen_server/rbac/endpoint_utils.py (1 hunks)
• src/zenml/zen_server/rbac/utils.py (1 hunks)
• src/zenml/zen_server/routers/users_endpoints.py (11 hunks)
• src/zenml/zen_server/utils.py (2 hunks)
• src/zenml/zen_stores/migrations/versions/1a9a9d2a836d_admin_users.py (1 hunks)
• src/zenml/zen_stores/schemas/user_schemas.py (4 hunks)
• src/zenml/zen_stores/sql_zen_store.py (2 hunks)
• tests/integration/functional/zen_stores/test_zen_store.py (9 hunks)
• tests/integration/functional/zen_stores/utils.py (3 hunks)
• tests/unit/conftest.py (1 hunks)
• tests/unit/models/test_user_models.py (1 hunks)

Additional comments: 37

src/zenml/models/v2/misc/external_user.py (1)

• 28-28: The addition of the is_admin field with a default value of False to the ExternalUserModel class is implemented correctly and follows best practices. This change effectively introduces the notion of admin users, enhancing the system's security and user management capabilities.

tests/unit/models/test_user_models.py (2)

• 29-29: The addition of the is_admin=False parameter to the UserRequest constructor call in the test_user_request_model_fails_with_long_password test case is correctly implemented and ensures that the test reflects the updated model structure.
• 36-36: Similarly, the addition of the is_admin=False parameter to the UserRequest constructor call in the test_user_request_model_fails_with_long_activation_token test case is correctly implemented. This change maintains the consistency and accuracy of the test suite in light of the model updates.

src/zenml/zen_server/rbac/endpoint_utils.py (1)

• 62-65: The reformatting of the verify_permission call in the verify_permissions_and_create_entity function improves code readability without affecting functionality. This change aligns with Python best practices for formatting long function calls.

src/zenml/models/v2/core/service_account.py (1)

• 150-150: The addition of the is_admin field with a default value of False in the to_user_model method is correctly implemented. This change ensures that service accounts are accurately represented in contexts where they are treated as user models, aligning with the system's security model.

examples/quickstart/README.md (2)

• 27-27: The update to the Google Colab badge URL is correctly implemented, ensuring users are directed to the correct notebook. This change enhances the user experience by providing accurate and helpful resources.
• 211-211: The adjustment to the Slack community link is a minor change that likely improves alignment or clarity. This update ensures that users have easy access to the ZenML Slack community, fostering engagement and support.

src/zenml/cli/user_management.py (2)

• 123-132: The addition of the --is_admin flag with a default value of False is a good practice, ensuring that users are not inadvertently granted admin privileges.
• 204-281: > 📝 NOTE

This review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap. Original lines [1-429]

The integration of the new is_admin functionality into the CLI commands for user management is well-implemented, with appropriate error handling and user feedback mechanisms in place.

src/zenml/zen_stores/schemas/user_schemas.py (3)

• 80-80: The addition of the is_admin field with a default value of False is a prudent choice, ensuring that users are not inadvertently granted admin privileges by default.
• 171-171: Including the is_admin field in the from_user_request method ensures that the admin status is correctly mapped from the request model to the schema.
• 194-194: Explicitly setting is_admin to False for service accounts in the from_service_account_request method is a good practice, ensuring clear separation between user types.

src/zenml/zen_server/utils.py (1)

• 401-428: The addition of the verify_admin_status_if_no_rbac function is a valuable security measure, ensuring that only admin users can perform sensitive actions when RBAC is disabled. The implementation and error handling are appropriate.

src/zenml/models/v2/core/user.py (3)

• 148-195: The updates to the UserRequest class, including the addition of the is_admin field and the root validator for setting default values for full_name and active, are well-implemented and align with the PR objectives.
• 200-212: The updates to the UserUpdate class, including the optional is_admin field and the root validator for email updates, are well-implemented and provide flexibility for updating user information.
• 381-395: > 📝 NOTE

This review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap. Original lines [272-392]

The updates to the UserResponse class, including the addition of the is_admin field and getter methods for is_admin and email, enhance the model's usability and align with the PR objectives.

src/zenml/zen_server/rbac/utils.py (1)

• 236-239: The change to the batch_verify_permissions function signature, where parameters are now on separate lines, improves readability and adheres to Python's style guidelines. This is a good practice for maintaining clean and readable code.

src/zenml/zen_server/routers/users_endpoints.py (9)

• 62-62: The addition of verify_admin_status_if_no_rbac is a critical security measure ensuring that only admin users or users with appropriate RBAC permissions can perform sensitive operations. It's important to ensure this function is thoroughly tested, especially in scenarios where RBAC is disabled, to prevent unauthorized access.
• 116-118: The logic to ensure that users can see themselves even when RBAC restrictions apply is a good practice for user experience. However, it's crucial to ensure that this does not inadvertently expose sensitive user information to unauthorized users. Consider adding tests to cover various scenarios, including users with and without admin privileges and with RBAC enabled and disabled.
• 171-173: The use of verify_admin_status_if_no_rbac in the create_user endpoint is appropriate for enforcing admin-only creation of users. This is a critical security measure. Ensure that the error messages provided to unauthorized users do not disclose too much information about the system's state or configuration.
• 214-220: Applying verify_admin_status_if_no_rbac and verify_permission_for_model in the get_user endpoint ensures that user information is only accessible to authorized users. This is crucial for protecting user privacy. It's recommended to also verify the behavior when a user tries to access information about another user without sufficient permissions.
• 260-266: In the update_user endpoint, the use of verify_admin_status_if_no_rbac and verify_permission_for_model before allowing updates to user information is a good security practice. Additionally, the logic to prevent users from changing their own admin status unless they are admins themselves is crucial. Ensure that these checks are robust against potential bypass techniques.
• 318-318: Preserving the admin status of a user during activation in the activate_user endpoint is important for maintaining the integrity of user roles. Ensure that this logic does not allow for unintended privilege escalation, especially in scenarios where a user's admin status might be changed before activation.
• 351-359: The check to prevent self-deactivation in the deactivate_user endpoint is a necessary safeguard to prevent users from accidentally losing access. Coupled with the admin status verification, this ensures that only authorized users can deactivate others. It's important to test this functionality to ensure that users cannot bypass these restrictions.
• 405-411: The security checks in the delete_user endpoint, including the prevention of self-deletion and the requirement for admin status, are essential for maintaining system integrity and preventing unauthorized user deletions. Ensure comprehensive testing around these checks to prevent potential security vulnerabilities.
• 516-520: In the update_myself endpoint, ensuring that users cannot alter their own active, is_admin, and activation_token fields is crucial for security. This prevents users from granting themselves admin privileges or reactivating their accounts without proper authorization. It's recommended to add explicit tests to verify these constraints.

tests/unit/conftest.py (1)

• 375-375: The addition of the is_admin=True attribute to the sample_user_model fixture aligns with the PR's objectives of introducing admin users. However, it would be beneficial to add a comment explaining why this attribute is set to True here, to clarify its purpose within the tests.

src/zenml/zen_server/auth.py (1)

• 591-591: The changes to set the is_admin field based on the external_user.is_admin value in the authenticate_external_user function are correctly implemented and align with the PR's objectives. However, it's crucial to ensure that this logic is secure and does not allow unauthorized elevation of privileges. Consider conducting a security review of this logic.

Also applies to: 607-607

tests/integration/functional/zen_stores/utils.py (3)

• 211-211: The assignment of the is_admin attribute within the UserContext class is correctly implemented. This ensures that the is_admin flag is configurable upon instantiation of the context, allowing for flexible testing scenarios.
• 216-219: The inclusion of the is_admin attribute in the UserRequest object creation within the __enter__ method of the UserContext class aligns with the PR's goal to differentiate between admin and non-admin users. This change correctly passes the is_admin flag to the user creation process, ensuring that the system can create both admin and non-admin users as needed.
• 1019-1019: In the user_crud_test_config, the create_model for UserRequest now includes the is_admin parameter set to True. This change is necessary for testing the new admin user functionality. However, similar to the UserContext class, consider the implications of defaulting to True for testing configurations. It might be beneficial to test both admin and non-admin user creation explicitly.

Consider adding explicit tests for both admin and non-admin user creation to ensure comprehensive coverage of the new functionality.

tests/integration/functional/zen_stores/test_zen_store.py (2)

• 1041-1043: The TestEventSource class is commented out. If this class is not intended to be used or is awaiting future implementation, consider removing it or adding a TODO/FIXME comment to clarify its purpose.
• 1053-1059: > 📝 NOTE

This review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap. Original lines [1045-1073]

The TestModel class provides tests for model-related operations. It's well-structured and covers various scenarios, including fetching the latest version, updating names, and listing by tags. However, it's important to ensure that all test methods adhere to best practices for naming and documentation. Each test method should have a descriptive name that clearly indicates what scenario or functionality it's testing, and a docstring that briefly describes the test's purpose.

src/zenml/client.py (2)

• 694-709: The method create_user correctly adds a new parameter is_admin to distinguish between admin and non-admin users. This change aligns with the PR objectives to enhance security and user management capabilities. The logic to determine the active status of the user based on the presence of a password and the store type is maintained, ensuring backward compatibility.
• 817-824: > 📝 NOTE

This review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap. Original lines [808-844]

The method update_user has been updated to include new parameters updated_password and updated_is_admin, allowing for the modification of a user's admin status and password. This enhancement supports the PR objectives of improving user account management. The conditional checks for None before updating attributes ensure that only specified fields are modified, preserving existing data integrity.

src/zenml/zen_stores/sql_zen_store.py (2)

• 7517-7524: The addition of a check to prevent removing admin status from the default user enhances the system's security by ensuring there's always at least one admin. However, it's crucial to ensure that self._default_user_name is securely managed and not susceptible to manipulation.
• 7615-7615: Setting the is_admin flag to True for the default user upon creation is a good practice, ensuring consistency with the security measure introduced in the first hunk. This ensures the system always has at least one admin user.

[stefannica]

Everything looks great. Let's land this beast !

[avishniakov]

Ok, let's go!