[BUG] - Only users in admin group can create environments #1898

Closed
ericdatakelly opened this issue Aug 9, 2023 · 14 comments
Labels
area: integration/conda-store impact: high 🟥 This issue affects most of the nebari users or is a critical issue needs: investigation 🔍 Someone in the team needs to find the root cause and replicate this bug project: JATIC Work item needed for the JATIC project type: bug 🐛 Something isn't working

Comments

@ericdatakelly
Contributor

Describe the bug

I am unable to create an environment in a shared namespace via Conda Store. Another user on the same deployment of Nebari has the same experience. Our admin says we are in the shared user groups, so we should be able to create envs in those namespaces. I am able to view and use existing shared environments, but I cannot create one.

Screenshot 2023-08-09 at 7 53 41 AM

Expected behavior

I expected to be able to click on the plus symbol in a shared namespace and create an environment.

OS and architecture in which you are running Nebari

AWS

How to Reproduce the problem?

  • log into Nebari
  • click on Environment Management
  • click on user icon to be sure you are logged in
  • expand a shared namespace (e.g., Analyst, Global, etc.)
  • click on the plus symbol (or hover over symbol to see if permission is given or denied like in screenshot above)

Command output

No response

Versions and dependencies used.

Nebari version: v2023.5.2.dev151+gc6941f3d.d20230727

Compute environment

AWS

Integrations

Keycloak, conda-store

Anything else?

No response

@ericdatakelly ericdatakelly added needs: triage 🚦 Someone needs to have a look at this issue and triage type: bug 🐛 Something isn't working labels Aug 9, 2023
@kcpevey kcpevey added impact: high 🟥 This issue affects most of the nebari users or is a critical issue needs: investigation 🔍 Someone in the team needs to find the root cause and replicate this bug area: integration/conda-store project: JATIC Work item needed for the JATIC project and removed needs: triage 🚦 Someone needs to have a look at this issue and triage labels Aug 9, 2023
@kcpevey
Contributor

kcpevey commented Aug 9, 2023

For reference, this is my view on the same deployment. I'm able to create environments.

image

Eric is in analyst, developer, gpu-access and users groups. I am in admin, analyst, gpu-access, and users.

@kcpevey
Contributor

kcpevey commented Aug 9, 2023

I added @ericdatakelly to the admin group and he is now able to create environments as expected.

@pavithraes
Member

pavithraes commented Aug 10, 2023

@kcpevey Could you please confirm if this Nebari deployment uses the default Keycloak roles set by Nebari? Double-checking because I believe we can update this configuration in Keycloak later if needed, and I'd like to verify that this is a bug in Nebari vs. a case of better documentation. :)

Also, potential ref:

```
role_mapping = {
  "superadmin" = ["conda_store_superadmin"]
  "admin"      = ["conda_store_admin"]
  "developer"  = ["conda_store_developer"]
  "analyst"    = ["conda_store_developer"]
}
```

@kcpevey
Contributor

kcpevey commented Aug 10, 2023

@pavithraes the configuration matches the default.

@iameskild
Member

I assumed that users in the analyst group only had view access to the conda-store. It is still bizarre that they have the same role mapping as developer. This will need to be investigated further.

@kcpevey kcpevey changed the title [BUG] - Permission to create environment in shared namespace [BUG] - Only users in admin group can create environments Sep 14, 2023
@iameskild
Member

We might also need to modify how the role_bindings for developer role:

```python
role_bindings = {
    f"{username}/*": {"admin"},
    f"{default_namespace}/*": {"viewer"},
    "global/*": roles,
}
```

@pavithraes
Member

Ref to conda-store role mapping:

Screenshot 2023-09-14 at 9 14 16 PM

@pavithraes
Member

Next steps for @fangchenli:

@fangchenli
Member

fangchenli commented Sep 15, 2023

> We might also need to modify how the role_bindings for developer role:
>
> ```python
> role_bindings = {
>     f"{username}/*": {"admin"},
>     f"{default_namespace}/*": {"viewer"},
>     "global/*": roles,
> }
> ```

The output for role_bindings looks correct to me. I moved role bindings related code to one method, and here is a simple test.

```python
user = "JohnDoe"
default_namespace = "default"
roles = {"developer"}
groups = {"group1", "group2", "group3"}
role_bindings = create_role_bindings(user, default_namespace, roles, groups)
```

result:

```
{'JohnDoe/*': {'admin'}, 'default/*': {'viewer'}, 'global/*': {'developer'}, 'group3/*': {'developer'}, 'group1/*': {'developer'}, 'group2/*': {'developer'}}
```
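
Added example, not part of the comment above and not Nebari's or conda-store's own code: a hypothetical `create_role_bindings` reconstructed only from the call and output shown in the thread, with an `effective_roles` helper for checking which roles a user ends up with in a given namespace. The glob matching via `fnmatch`, the group-path handling and the `audit` helper are assumptions made for this example.

```python
from fnmatch import fnmatchcase


def create_role_bindings(username, default_namespace, roles, groups):
    """Hypothetical reconstruction matching the call and output in the thread."""
    bindings = {
        f"{username}/*": {"admin"},
        f"{default_namespace}/*": {"viewer"},
        "global/*": set(roles),
    }
    for group in sorted(groups):
        # Assumption: a Keycloak group path such as "/analyst" maps to namespace "analyst".
        namespace = group.rsplit("/", 1)[-1]
        # Union (a choice made for this example) so a group sharing a name with
        # the user or the default namespace never drops an existing role.
        bindings.setdefault(f"{namespace}/*", set()).update(roles)
    return bindings


def effective_roles(bindings, namespace, env_name):
    """Roles granted on namespace/env_name by every matching binding pattern."""
    target = f"{namespace}/{env_name}"
    granted = set()
    for pattern, roles in bindings.items():
        if fnmatchcase(target, pattern):
            granted |= roles
    return granted


def audit(bindings, namespaces, env_name="example-env"):
    """Map each namespace to the sorted roles the user would hold there."""
    return {ns: sorted(effective_roles(bindings, ns, env_name)) for ns in namespaces}


if __name__ == "__main__":
    # Constructed input: the same values as the test in the comment above.
    b = create_role_bindings("JohnDoe", "default", {"developer"},
                             {"group1", "group2", "group3"})
    report = audit(b, ["JohnDoe", "default", "global", "group1", "other"])
    for ns, roles in report.items():
        print(f"{ns:10} {roles or 'no access'}")
```

Running the audit for a user who reports a denied action shows whether the binding for the shared namespace is missing or whether the role is present and the denial comes from what that role is allowed to do.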

@kcpevey
Contributor

kcpevey commented Jan 9, 2024

This has been resolved at the conda-store level. Nebari needs to be upgraded to V2 role mapping to resolve this issue.

@pavithraes
Member

I've verified that this is still an issue. As Kim said above, this can be resolved by upgrading to v2 of conda-store API.

@pavithraes pavithraes modified the milestones: 2024.2.1, Release Q2 2024 Feb 16, 2024
@pavithraes
Member

pavithraes commented Feb 16, 2024

xref: #2090

@kcpevey
Contributor

kcpevey commented May 6, 2024

This will be taken care of as part of the permissions overhaul. Blocked until that work is further along.
xref: nebari-dev/governance#47

@kcpevey
Contributor

kcpevey commented Jul 19, 2024

This is resolved by the permissions overhaul.

Keycloak admins can assign fine-grained permissions for certain namespaces with view, edit admin access

https://www.nebari.dev/docs/how-tos/fine-grained-permissions#conda-store-scopes

@kcpevey kcpevey closed this as completed Jul 19, 2024