nebari icon indicating copy to clipboard operation
nebari copied to clipboard
verified publisher icon nebari-dev

Add Users and Groups permissions filters to DaskWorker profiles

Open viniciusdc opened this issue 1 year ago • 6 comments

Reference Issues or PRs

#979

What does this implement/fix?

This PR includes the ability to restrict users from selecting dask worker profiles based on two factors:

  • Explicitly define which user or group will have access to the profile under nebari-config.yaml file:
profiles:
  ...
  dask_worker:
    "Small Worker":
     # New fields (Optional)
      access: yaml # Explicitly defines permission filtering from the yaml
      users: <test-user> # A list of users who will have access to this profile
      groups: <my-group> # A list of groups who will have access to this profile
      ....
      worker_cores_limit: 1
      worker_cores: 1
      worker_memory_limit: 1G
      worker_memory: 1G
...
  • Or, by including the dask_profiles attribute for the user or group on Keycloal
profiles:
  ...
  dask_worker:
    "Small Worker":
     # New fields (Optional)
      access: keycloak # Explicitly defines permission filtering from keycloak
      ....

bellow an example of such an attribute for a given user:

Captura de Tela 2024-04-11 às 11 52 53

This follows the same model that is already in place for jupyterhub profiles.

Put a x in the boxes that apply

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds a feature)
  • [ ] Breaking change (fix or feature that would cause existing features not to work as expected)
  • [ ] Documentation Update
  • [ ] Code style update (formatting, renaming)
  • [ ] Refactoring (no functional changes, no API changes)
  • [ ] Build related changes
  • [ ] Other (please describe):

Testing

  • [ ] Did you test the pull request locally?
  • [ ] Did you add new tests?

Any other comments?

viniciusdc avatar Apr 11 '24 14:04 viniciusdc

A few remarks:

  1. Deployment Testing Pending: The implementation must still be tested in a live deployment. (I will test on local soon)
  2. Inconsistency in Profile Object Standards: There must be more consistency in how profile objects are handled across different environments. For instance, Dask treats profiles as a dict entity, Terraform expects them as a list, and Jupyterlab also uses a list but with unconventional handling. This could be an excellent first issue.
  3. Mapper Functionality Check: I confirmed through Postman that the mapper is operational. However, there is an observable delay in updating the scopes.
  4. Need for Unit Testing in Configuration Files: Developing unit tests, or mock-ups, for gateway-config.py and jupyterhub python files is essential. These tests should ensure that the configuration objects and methods function as expected, at least from a Python perspective.
  5. Upcoming Refactoring for Keycloak Attribute Mapper: The Keycloak attribute mapper will likely undergo refactoring in light of the anticipated new permissions system.

viniciusdc avatar Apr 11 '24 15:04 viniciusdc

@viniciusdc what's the status of this PR?

marcelovilla avatar Sep 05 '24 13:09 marcelovilla

Hi, @marcelovilla; thanks for the ping. This was ready for review back then, but there are some changes that I need to make for this work again. As you said, the first step is fixing the conflicts.

viniciusdc avatar Oct 29 '24 12:10 viniciusdc

@viniciusdc I'll review this once you've had the change to fix the merge conflicts

marcelovilla avatar Mar 03 '25 21:03 marcelovilla

@viniciusdc what is the status here?

dcmcand avatar Oct 30 '25 10:10 dcmcand

Will need to fix this during the weekend

viniciusdc avatar Nov 11 '25 15:11 viniciusdc