How to handle roles in `qhub-user-import.json` when upgrading from pre `0.4.0` to post

Open iameskild opened this issue 3 years ago • 0 comments

If and when users upgrade from pre 0.4.0 to post 0.4.0, they will run the `qhub upgrade` command which produces:

  • an updated `qhub-config.yaml`
  • `qhub-user-import.json`

This second file contains data that reflect the state of the users and groups in the system before the upgrade. After the upgrade, it can be imported into keycloak to add all of these users and groups quickly. However, prior to 0.4.0 (before keycloak), QHub had no concept of roles. Therefore, all of these imported groups will have no roles / no access, and if that's the only group the user is in, they won't be able to do anything.

So when upgrading, how do we decide which roles any existing group in particular should have? Some options might include:

  • [ ] simply document this limitation and have the cluster admins decide
  • [ ] give every imported group the same roles (and access) as the analyst group

I became aware of this issue when a user (who I know was imported into keycloak after the upgrade) couldn't launch jupyterlab.

iameskild, May 03 '22 23:05
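
An added example, not part of the original issue or the QHub code base: a pre-import audit that lists which imported groups carry no roles and which users would be left without any role-bearing group. It assumes `qhub-user-import.json` follows Keycloak's partial-import layout (`users[].groups` as group paths, `groups[]` with optional `realmRoles` / `clientRoles`); `audit_import`, its `existing_role_groups` parameter and the sample data are hypothetical and constructed for illustration.

```python
import json

# Constructed sample; the layout is an assumption (Keycloak partial-import
# style), since the issue does not show the file's contents.
SAMPLE_IMPORT = json.loads("""
{
  "users": [
    {"username": "alice", "groups": ["/research"]},
    {"username": "bob",   "groups": ["/research", "/analyst"]},
    {"username": "carol", "groups": []}
  ],
  "groups": [
    {"name": "research", "path": "/research"},
    {"name": "analyst",  "path": "/analyst"}
  ]
}
""")

def _path(group):
    """Group path as users reference it; falls back to "/<name>"."""
    return group.get("path") or "/" + group["name"]

def _has_roles(group):
    """True if the group entry carries any realm or client role."""
    client = group.get("clientRoles") or {}
    return bool(group.get("realmRoles")) or any(client.values())

def audit_import(data, existing_role_groups=()):
    """Return (roleless group paths, usernames with no role-bearing group).

    existing_role_groups: paths of groups the admin knows already hold roles
    in the realm after the upgrade. Roles assigned directly to users are
    not considered.
    """
    groups = data.get("groups") or []
    with_roles = set(existing_role_groups) | {_path(g) for g in groups if _has_roles(g)}
    roleless = sorted({_path(g) for g in groups} - with_roles)
    stranded = sorted(
        u["username"] for u in data.get("users") or []
        if not with_roles.intersection(u.get("groups") or [])
    )
    return roleless, stranded

if __name__ == "__main__":
    roleless, stranded = audit_import(SAMPLE_IMPORT, {"/analyst"})
    print("groups without roles:", roleless)
    print("users without access:", stranded)
```

Reviewing the two lists before import lets a cluster admin assign roles per group rather than granting every imported group the same access.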