
Case sensitivity in emails causes issues

Open blairdrummond opened this issue 5 years ago • 12 comments

Reported by @chritter ; he has some collaborators who cannot access his namespace (but I can).

I am wondering if there were gatekeeper changes that are preventing new contributors from being added? Or maybe quotas?

@justbert or @zachomedia ; would there be a way to list the kubeflow contributor resources to see if they exist in the namespace?

blairdrummond avatar Jun 24 '20 17:06 blairdrummond

I took a look here, but I cannot list these resources in order to debug

https://www.kubeflow.org/docs/components/multi-tenancy/getting-started/

blairdrummond avatar Jun 24 '20 17:06 blairdrummond

@blairdrummond Could this be prioritized, as we have multiple clients who need to access the namespace? As this is a basic capability, further efforts would be great.

chritter avatar Jul 07 '20 14:07 chritter

What's the exact issue here? The user is added as a contributor but then they can't do what?

justbert avatar Jul 07 '20 19:07 justbert

They cannot access ANYTHING in the Kubeflow UI in Christian's namespace (it's as though they are not in his namespace at all) even though they seem to be in @chritter 's list of contributors.

Sorry @chritter I had forgotten about this issue and mixed it up with the shared namespaces issue

blairdrummond avatar Jul 07 '20 19:07 blairdrummond

The mechanism from which the access to the namespace is granted is through RoleBindings of the kubeflow-edit role in the namespace. Three RoleBindings were created 13 days ago for users. They look to be in order. Have users attempted to access the namespace since this issue was first created?

justbert avatar Jul 07 '20 19:07 justbert

Perhaps @chritter can provide a screenshot of who he has in his contributor list? Wondering if some of the RoleBindings didn't go through

blairdrummond avatar Jul 07 '20 19:07 blairdrummond

Or @chritter can you run kubectl -n <namespace> get rolebindings and see if everyone you gave access to is there?

justbert avatar Jul 07 '20 19:07 justbert

@justbert Lindsay, who is not able to access my namespace, has the edit role: user-lindsay-elisson-cloud-statcan-ca-clusterrole-edit 13d. @blairdrummond all others who are supposed to access my namespace have the same cluster edit role. I can guide Lindsay to do further tests this morning.

chritter avatar Jul 08 '20 13:07 chritter

@chritter Thanks! If you can have a chat with them and report back to give us a bit more info, I'll continue to look into it! :)

justbert avatar Jul 08 '20 13:07 justbert

There seems to be a conflict issue on KF where it tracks users via the user annotation and this is case-sensitive. However, the resources tracking the user through the RoleBinding are lowercased. This means you can't add, say, [email protected] and John.Smithcloud.statcan.ca to your contributors, since it will cause errors when trying to create the RoleBinding, which is user-john-smith-cloud-statcan-ca-clusterrole-edit for both email accounts.

justbert avatar Jul 08 '20 15:07 justbert
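The collision described in the comment above, as an added example that is not part of the original thread and not Kubeflow's own code: it audits a contributor list for identities that differ only by case yet map to the same RoleBinding name. The naming rule in `bindingName` is an assumption inferred from the binding name quoted in the thread, and the `example.com` addresses are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Assumed rule, inferred from the name quoted in the thread: lowercase
// "user-<email>-clusterrole-edit", with every run of other characters -> "-".
var nonAlnum = regexp.MustCompile(`[^a-z0-9]+`)

func bindingName(user string) string {
	return nonAlnum.ReplaceAllString(strings.ToLower("user-"+user+"-clusterrole-edit"), "-")
}

// collisions maps each binding name to the distinct identities that produce
// it, keeping only names claimed by more than one identity.
func collisions(users []string) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, u := range users {
		n := bindingName(u)
		if seen[n] == nil {
			seen[n] = map[string]bool{}
		}
		seen[n][u] = true
	}
	out := map[string][]string{}
	for n, ids := range seen {
		if len(ids) < 2 {
			continue
		}
		for u := range ids {
			out[n] = append(out[n], u)
		}
		sort.Strings(out[n])
	}
	return out
}

// caseMismatch is true when a login identity equals the annotated user only
// case-insensitively, i.e. a case-sensitive comparison would reject it.
func caseMismatch(annotated, login string) bool {
	return annotated != login && strings.EqualFold(annotated, login)
}

func main() {
	// Constructed contributor list.
	users := []string{"john.smith@example.com", "John.Smith@example.com", "jane.doe@example.com"}
	fmt.Println(collisions(users))
	fmt.Println(caseMismatch("John.Smith@example.com", "john.smith@example.com"))
}
```
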

Does this sound like the kind of thing to look at upstream?

blairdrummond avatar Jul 08 '20 15:07 blairdrummond

I don't think so. From what @zachomedia was saying it's expected (the case-sensitivity). The issue also stems from random uppercasing in the username creation in our tenant, so THAT should be looked into.

justbert avatar Jul 09 '20 12:07 justbert