[ENH] - Enable scoped access to specific shared folders

Open iameskild opened this issue 3 years ago • 0 comments

Feature description

Currently anyone who has access to a particular shared folder, say ~/shared/<my_folder>, has either complete R/W access or the folder is hidden from them. It would be great to enable scoped access to this folder such that one privileged user has R/W access while another less-privileged user only has R.

Value and/or benefit

This would make the filesystem behave more like the Linux filesystem (though not exactly). Enabling this kind of scoped access allows admins and managers to share important data without fear that it will be modified.

Anything else?

This is based on a conversation that @viniciusdc @costrouc and I had recently.

For each user (for example, chris) several group folders are mounted into /shared/. For my pod's jupyterlab yaml, within the volumeMount section we would mount a specific group mount (the shared) as read only. This would not apply to other users. Think of this as an override to a particular mount saying instead of r/w make this one r. This is possible and something we could support. The question for me would be how this ties into authentication/authorization. Is this similar to GitHub teams where there is team maintainer and member? E.g. we should be able to annotate that a particular user is read only within a group. This is something that conda-store could benefit from as well.

The point about authorization is a good one! Would this be handled via client roles in Keycloak? I’m just having a hard time imagining where the admin would make these changes.

Yeah, not totally sure. Something that we'd need to talk through. I think this is a good use case for user attributes within Keycloak. Though we could have roles like you said, e.g. datascience-readonly, datascience-member. Not sure how we'd handle this.

iameskild · Jun 17 '22 23:06
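The per-user mount override discussed in the thread, as an added illustration (not nebari's own code): group membership and read-only status are assumed to arrive as Keycloak-style role names of the form `<group>-member` (r/w) or `<group>-readonly` (r), and the function emits the `volumeMounts` entries for that user's jupyterlab pod with `readOnly` set accordingly, so the same group folder can be writable for one user and read-only for another.

```python
# Added illustration of the proposed per-user read-only mount override.
# Hypothetical role convention, not something nebari or Keycloak defines:
#   "<group>-member"   -> read/write on /shared/<group>
#   "<group>-readonly" -> read only   on /shared/<group>
import json
from typing import Dict, List

SHARED_ROOT = "/shared"  # where group folders are mounted in the user pod


def parse_group_roles(roles: List[str]) -> Dict[str, bool]:
    """Map each group name to whether the user may write to it.

    If both "-member" and "-readonly" appear for the same group, the
    read-only override wins so the narrower permission is always applied.
    """
    access: Dict[str, bool] = {}
    for role in roles:
        if role.endswith("-readonly"):
            access[role[: -len("-readonly")]] = False
        elif role.endswith("-member"):
            # setdefault keeps an earlier read-only override in place
            access.setdefault(role[: -len("-member")], True)
    return access


def build_volume_mounts(roles: List[str]) -> List[dict]:
    """Return volumeMounts entries for the user's jupyterlab pod spec.

    Every group folder is mounted at /shared/<group>; readOnly is decided
    per user, so one PVC can be r/w for a maintainer and r for a member.
    """
    mounts = []
    for group, writable in sorted(parse_group_roles(roles).items()):
        mounts.append({
            "name": f"shared-{group}",
            "mountPath": f"{SHARED_ROOT}/{group}",
            "readOnly": not writable,
        })
    return mounts


if __name__ == "__main__":
    # constructed sample: chris maintains analytics but may only read datascience
    chris_roles = ["analytics-member", "datascience-readonly"]
    print(json.dumps({"volumeMounts": build_volume_mounts(chris_roles)}, indent=2))
```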