
[ENH] - uid/gid assignments for username and groups

Open costrouc opened this issue 1 year ago • 0 comments

Feature description

We can store the uid/gid given to a user in keycloak as an attribute.

There are a few ways we can assign the uid:

  1. when the new user is created, assign a uid/gid that is unique
  2. when the user logs into jupyterhub, check if a uid/gid is assigned and if not create a uid/gid

Also check that all the groups the user is assigned to have a gid set.

Option (2) seems better to me since I'm not sure how to do (1). We do have to account for the rare and currently not existing case where a user visits another service which might need the uid/gid before their first login with jupyterhub. Once they have logged in once their uid/gid is set in stone.

This feature is implemented in qhub-hpc here https://github.com/Quansight/qhub-hpc/blob/main/roles/jupyterhub/templates/jupyterhub_config.py#L68-L105. I'm not happy with this solution because it uses root username/password. Ideally we would instead make the jupyterhub oauth2 client have the role with a service account such that it can modify and read user uid/gids attributes. Completely possible with minor changes.

The uids/gids that are assigned should be as deterministic as possible, e.g. hash(username), restricted within some interval, and on collisions we simply increment (similar to a hashmap). We want them deterministic so that it is easier to predict the uid/gid of users/groups in the shared folders in case we mess something up.

Next with the assigned uid/gids set the running securityContext for the jupyterlab pod (has been done in the past).

Now here comes the problem: the umask. This is a tricky one to set properly; maybe we'll get it right this time, but the default was that users were only able to read others' files, which seems like what the client wants here. Good, since this is the Linux default. We've struggled to get this right in the past.

Additionally we need to make the nswrapper and passwd and groups files which determine the uid -> username and gid -> groupname mapping. We will need to construct the mapping for all the usernames that share a common group with them along with the groups they are a member of.

Value and/or benefit

Protected shared directories.

Anything else?

No response

costrouc Sep 24 '22 00:09
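The deterministic hash-based uid/gid allocation with increment-on-collision described in the issue, together with the per-user passwd/group rendering that lists only users sharing a group, as an added example (not code from the issue or from nebari/qhub-hpc). The id interval, the dict standing in for the Keycloak attribute store, and the assumption that a user's primary gid equals their uid are all the example's own.

```python
"""Deterministic uid/gid allocation and per-pod passwd/group rendering (added example)."""
import hashlib

# Assumed interval for allocated ids (placeholder values, not from the issue).
ID_MIN, ID_MAX = 10000, 19999


def base_id(name: str, lo: int = ID_MIN, hi: int = ID_MAX) -> int:
    """Stable starting slot for `name`: sha256 of the name folded into [lo, hi]."""
    digest = hashlib.sha256(name.encode("utf-8")).digest()
    return lo + int.from_bytes(digest[:8], "big") % (hi - lo + 1)


def assign_id(name: str, taken: dict, lo: int = ID_MIN, hi: int = ID_MAX) -> int:
    """Return the id already recorded for `name`, or allocate a new one.

    `taken` maps name -> id and stands in for the Keycloak attribute store.
    On collision, probe upward (wrapping) like an open-addressing hash map.
    """
    if name in taken:                      # "set in stone" after first assignment
        return taken[name]
    used = set(taken.values())
    span = hi - lo + 1
    start = base_id(name, lo, hi)
    for step in range(span):
        cand = lo + (start - lo + step) % span
        if cand not in used:
            taken[name] = cand
            return cand
    raise RuntimeError("id interval exhausted")


def render_nss_files(user: str, uids: dict, gids: dict, members: dict) -> tuple:
    """Build passwd and group file text for `user`'s pod.

    `members` maps group name -> set of usernames. Only the groups `user`
    belongs to, and users sharing one of those groups, are listed
    (assumption: a user's primary gid equals their uid).
    """
    my_groups = sorted(g for g, m in members.items() if user in m)
    visible = {user}.union(*(members[g] for g in my_groups))
    passwd = "".join(
        f"{u}:x:{uids[u]}:{uids[u]}::/home/{u}:/bin/bash\n" for u in sorted(visible)
    )
    group = "".join(
        f"{g}:x:{gids[g]}:{','.join(sorted(members[g]))}\n" for g in my_groups
    )
    return passwd, group
```

Because the probe order depends only on the name and the ids already taken, replaying the same allocation log reproduces the same uid/gid, which is what makes ownership in shared folders predictable after a mishap.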