[ENH] - Parse and load keycloak roles into JupyterHub #2432

Closed
aktech opened this issue Apr 30, 2024 · 1 comment · Fixed by #2471

aktech commented Apr 30, 2024

Feature description

After the issue #2308 is implemented, we will have access to groups and roles from Keycloak in JupyterHub. Next we need to parse the role attributes and load them into JupyterHub, so that those permission scopes are actually in effect in JupyterHub.

For example, consider the following role in Keycloak:

Role: allow-app-sharing-role

The role attributes (in Keycloak) for the above mentioned role:

| Key | Value |
| --- | --- |
| resource | jupyterhub |
| scopes | shares!user,read:users:name,read:groups:name |

The value for scopes defined above is (and must be) valid syntax for scopes in JupyterHub. When these are applied, the users in that group should have permissions to share an app (or server).

Let's take another simpler example (that can be used as a motivating example for the implementation of this issue):

Role: read-only-user-models

The role attributes (in Keycloak) for the above mentioned role:

| Key | Value |
| --- | --- |
| resource | jupyterhub |
| scopes | read:users |

This role allows users/groups (when this role is attached to them) to read (but not modify) any user’s model. This example is taken from: https://jupyterhub.readthedocs.io/en/latest/rbac/roles.html#defining-roles

This feature is a partial implementation of RFD: nebari-dev/governance#47

Value and/or benefit

This will allow us to do fine-grained permissions on JupyterHub, which can be controlled from Keycloak.

Anything else?

No response
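
A sketch of the parsing step this issue asks for, added here as an example and not taken from the issue or from the Nebari code base: it turns Keycloak role attributes into JupyterHub `load_roles`-style entries, ignoring roles for other resources and rejecting a role outright if any scope is malformed. The function name, the simplified scope pattern and the `grafana-viewer` and `typo-role` sample roles are assumptions made for illustration.

```python
import re

# Simplified shape check for one scope string such as "read:users:name" or
# "shares!user" (assumption: not JupyterHub's own validator).
_SCOPE_RE = re.compile(
    r"^[a-z][a-z0-9_-]*(:[a-z][a-z0-9_-]*)*(![a-z]+(=[^\s,!]+)?)?$"
)


def keycloak_roles_to_jupyterhub(roles, resource="jupyterhub"):
    """Convert Keycloak role representations into JupyterHub role dicts.

    Returns (loaded, rejected). Roles for another resource are ignored.
    A role with missing or malformed scopes is rejected as a whole, so a
    typo in Keycloak never results in a partially applied grant.
    """
    loaded, rejected = [], []
    for role in roles:
        attrs = role.get("attributes") or {}
        # Keycloak returns every attribute value as a list of strings.
        if resource not in attrs.get("resource", []):
            continue
        scopes = []
        for value in attrs.get("scopes", []):
            scopes.extend(s.strip() for s in value.split(",") if s.strip())
        bad = [s for s in scopes if not _SCOPE_RE.match(s)]
        if not scopes or bad:
            rejected.append((role["name"], bad or ["<no scopes>"]))
            continue
        loaded.append({"name": role["name"], "scopes": sorted(set(scopes))})
    return loaded, rejected


# Constructed sample input: the two roles from the issue plus two edge cases.
SAMPLE_ROLES = [
    {"name": "allow-app-sharing-role", "attributes": {
        "resource": ["jupyterhub"],
        "scopes": ["shares!user,read:users:name,read:groups:name"]}},
    {"name": "read-only-user-models", "attributes": {
        "resource": ["jupyterhub"], "scopes": ["read:users"]}},
    {"name": "grafana-viewer", "attributes": {   # other resource: ignored
        "resource": ["grafana"], "scopes": ["read:users"]}},
    {"name": "typo-role", "attributes": {        # malformed scope: rejected
        "resource": ["jupyterhub"], "scopes": ["read:users, admin users"]}},
]

if __name__ == "__main__":
    ok, bad = keycloak_roles_to_jupyterhub(SAMPLE_ROLES)
    print(ok, bad, sep="\n")
```

Logging the rejected list gives an audit trail of Keycloak roles that were configured but never took effect in JupyterHub.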

@aktech aktech added the type: enhancement 💅🏼 New feature or request label Apr 30, 2024
@aktech aktech removed the status: blocked ⛔️ This item is on hold due to another task label May 14, 2024

aktech commented May 14, 2024

Unblocked now, since #2447 is merged.
