Refactor shared group mounting using RBAC

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterhub/03-profiles.py

@@ -82,11 +82,11 @@ def base_profile_home_mounts(username):
     }
 
 
-def base_profile_shared_mounts(groups):
+def base_profile_shared_mounts(groups, group_roles):
     """Configure the group directory mounts for user.
 
-    Ensure that {shared}/{group} directory exists and user has
-    permissions to read/write/execute. Kubernetes does not allow the
+    Ensure that {shared}/{group} directory exists based on the scope availability
+    and if user has permissions to read/write/execute. Kubernetes does not allow the
     same pvc to be a volume thus we must check that the home and share
     pvc are not the same for some operation.
 
@@ -103,40 +103,50 @@ def base_profile_shared_mounts(groups):
             {"name": "shared", "persistentVolumeClaim": {"claimName": shared_pvc_name}}
         )
 
-    extra_container_config = {
-        "volumeMounts": [
-            {
-                "mountPath": pod_shared_mount_path.format(group=group),
-                "name": "shared" if home_pvc_name != shared_pvc_name else "home",
-                "subPath": pvc_shared_mount_path.format(group=group),
-            }
-            for group in groups
-        ]
-    }
+    groups_to_volume_mount = []
+    for group in groups:
+        for roles in group_roles.get(group, []):
+            # Check if the group has a role that has a shared-directory scope
+            if "shared-directory" in roles.get("attributes", {}).get("component", []):
+                groups_to_volume_mount.append(group)
+                break
+
+    extra_container_config = {"volumeMounts": []}
 
     MKDIR_OWN_DIRECTORY = "mkdir -p /mnt/{path} && chmod 777 /mnt/{path}"
     command = " && ".join(
         [
             MKDIR_OWN_DIRECTORY.format(path=pvc_shared_mount_path.format(group=group))
-            for group in groups
+            for group in groups_to_volume_mount
         ]
     )
+
     init_containers = [
         {
             "name": "initialize-shared-mounts",
             "image": "busybox:1.31",
             "command": ["sh", "-c", command],
             "securityContext": {"runAsUser": 0},
-            "volumeMounts": [
-                {
-                    "mountPath": f"/mnt/{pvc_shared_mount_path.format(group=group)}",
-                    "name": "shared" if home_pvc_name != shared_pvc_name else "home",
-                    "subPath": pvc_shared_mount_path.format(group=group),
-                }
-                for group in groups
-            ],
+            "volumeMounts": [],
         }
     ]
+
+    for groups in groups_to_volume_mount:
+        extra_container_config["volumeMounts"].append(
+            {
+                "mountPath": pod_shared_mount_path.format(group=groups),
+                "name": "shared" if home_pvc_name != shared_pvc_name else "home",
+                "subPath": pvc_shared_mount_path.format(group=groups),
+            }
+        )
+        init_containers[0]["volumeMounts"].append(
+            {
+                "mountPath": f"/mnt/{pvc_shared_mount_path.format(group=groups)}",
+                "name": "shared" if home_pvc_name != shared_pvc_name else "home",
+                "subPath": pvc_shared_mount_path.format(group=groups),
+            }
+        )
+
     return {
         "extra_pod_config": extra_pod_config,
         "extra_container_config": extra_container_config,
@@ -475,7 +485,7 @@ def profile_conda_store_viewer_token():
     }
 
 
-def render_profile(profile, username, groups, keycloak_profilenames):
+def render_profile(profile, username, groups, keycloak_profilenames, group_roles):
     """Render each profile for user.
 
     If profile is not available for given username, groups returns
@@ -513,7 +523,7 @@ def render_profile(profile, username, groups, keycloak_profilenames):
         deep_merge,
         [
             base_profile_home_mounts(username),
-            base_profile_shared_mounts(groups),
+            base_profile_shared_mounts(groups, group_roles),
             profile_conda_store_mounts(username, groups),
             base_profile_extra_mounts(),
             configure_user(username, groups),
@@ -543,13 +553,35 @@ def preserve_envvars(spawner):
     return profile
 
 
+def parse_roles(data):
+    parsed_roles = {}
+
+    for role in data:
+        for group in role["groups"]:
+            # group = str(group).replace("/", "")
+            group_name = Path(group).name
+            if group_name not in parsed_roles:
+                parsed_roles[group_name] = []
+
+            role_info = {
+                "description": role["description"],
+                "name": role["name"],
+                "attributes": role["attributes"],
+            }
+
+            parsed_roles[group_name].append(role_info)
+
+    return parsed_roles
+
+
 @gen.coroutine
 def render_profiles(spawner):
     # jupyterhub does not yet manage groups but it will soon
     # so for now we rely on auth_state from the keycloak
     # userinfo request to have the groups in the key
     # "auth_state.oauth_user.groups"
     auth_state = yield spawner.user.get_auth_state()
+    group_roles = parse_roles(spawner.authenticator.group_roles_map)
 
     username = auth_state["oauth_user"]["preferred_username"]
     # only return the lowest level group name
@@ -566,7 +598,7 @@ def render_profiles(spawner):
         filter(
             None,
             [
-                render_profile(p, username, groups, keycloak_profilenames)
+                render_profile(p, username, groups, keycloak_profilenames, group_roles)
                 for p in profile_list
             ],
         )

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterhub/04-auth.py

@@ -7,7 +7,7 @@
 from jupyterhub import scopes
 from jupyterhub.traitlets import Callable
 from oauthenticator.generic import GenericOAuthenticator
-from traitlets import Bool, Unicode, Union
+from traitlets import Bool, List, Unicode, Union
 
 
 class KeyCloakOAuthenticator(GenericOAuthenticator):
@@ -27,6 +27,11 @@ class KeyCloakOAuthenticator(GenericOAuthenticator):
         config=True, help="""The keycloak REST API URL for the realm."""
     )
 
+    group_roles_map = List(
+        config=False,
+        help="""A mapping of roles to groups based on the user's assigned roles.""",
+    )
+
     reset_managed_roles_on_startup = Bool(True)
 
     async def update_auth_model(self, auth_model):
@@ -55,6 +60,11 @@ async def update_auth_model(self, auth_model):
         user_roles_rich = await self._get_roles_with_attributes(
             roles=user_roles, client_id=jupyterhub_client_id, token=token
         )
+        self.group_roles_map = await self._fetch_and_map_roles(
+            roles=user_roles_rich,
+            token=token,
+            url=f"clients/{jupyterhub_client_id}/roles/{{role_name}}",
+        )
         keycloak_api_call_time_taken = time.time() - keycloak_api_call_start
         user_roles_rich_names = {role["name"] for role in user_roles_rich}
         user_roles_non_jhub_client = [
@@ -154,17 +164,36 @@ async def load_managed_roles(self):
 
         return list(roles.values())
 
-    def _get_scope_from_role(self, role):
+    def _get_scope_from_role(self, role, component_filter=["jupyterhub"]):
         """Return scopes from role if the component is jupyterhub"""
         role_scopes = role.get("attributes", {}).get("scopes", [])
         component = role.get("attributes", {}).get("component")
         # Attributes are returned as a single-element array, unless `##` delimiter is used in Keycloak
         # See this: https://stackoverflow.com/questions/68954733/keycloak-client-role-attribute-array
-        if component == ["jupyterhub"] and role_scopes:
+        if component == component_filter and role_scopes:
             return self.validate_scopes(role_scopes[0].split(","))
+        elif component_filter is None:
+            return self.validate_scopes(role_scopes)
         else:
             return []
 
+    async def _fetch_and_map_roles(self, roles, token, url, group_name_key="path"):
+        # we could use either `name` (e.g. "developer") or `path` ("/developer");
+        # since the default claim key returns `path`, it seems preferable.
+
+        self.log.info("Mapping roles with groups and users..")
+
+        for role in roles:
+            role_name = role["name"]
+            # fetch role assignments to groups
+            base_url = url.format(role_name=role_name)
+            groups = await self._fetch_api(f"{base_url}/groups", token=token)
+            role["groups"] = [group[group_name_key] for group in groups]
+            users = await self._fetch_api(f"{base_url}/users", token=token)
+            role["users"] = [user["username"] for user in users]
+
+        return roles
+
     def validate_scopes(self, role_scopes):
         """Validate role scopes to sanity check user provided scopes from keycloak"""
         self.log.info(f"Validating role scopes: {role_scopes}")

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf

@@ -304,6 +304,17 @@ module "jupyterhub-openid-client" {
         "component" : "jupyterhub"
       }
     },
+    {
+      "name" : "allow-group-directory-creation-role",
+      "description" : "Grants a group the ability to manage the creation of its corresponding mounted directory.",
+      # Adding it to analyst group such that it's applied to every user.
+      "groups" : ["admin", "analyst", "developer"],
+      "attributes" : {
+        # grants permissions to read services
+        "scopes" : "write:shared-mount",
+        "component" : "shared-directory"
+      }
+    },
   ]
   callback-url-paths = [
     "https://${var.external-url}/hub/oauth_callback",

tests/tests_deployment/keycloak_utils.py

@@ -81,6 +81,16 @@ def create_keycloak_role(client_name: str, role_name: str, scopes: str, componen
     )
 
 
+def get_keycloak_client_role(client_name, role_name):
+    keycloak_admin = get_keycloak_admin()
+    client_details = get_keycloak_client_details_by_name(
+        client_name=client_name, keycloak_admin=keycloak_admin
+    )
+    return keycloak_admin.get_client_role(
+        client_id=client_details["id"], role_name=role_name
+    )
+
+
 def get_keycloak_client_roles(client_name):
     keycloak_admin = get_keycloak_admin()
     client_details = get_keycloak_client_details_by_name(

tests/tests_deployment/test_jupyterhub_api.py

@@ -4,6 +4,7 @@
 from tests.tests_deployment.keycloak_utils import (
     assign_keycloak_client_role_to_user,
     create_keycloak_role,
+    get_keycloak_client_role,
     get_keycloak_client_roles,
 )
 from tests.tests_deployment.utils import create_jupyterhub_token, get_jupyterhub_session
@@ -33,6 +34,7 @@ def test_jupyterhub_loads_roles_from_keycloak():
         "view-profile",
         # default roles
         "allow-read-access-to-services-role",
+        "allow-group-directory-creation-role",
     }
 
 
@@ -52,6 +54,23 @@ def test_check_default_roles_added_in_keycloak():
     role_names = [role["name"] for role in client_roles]
     assert "allow-app-sharing-role" in role_names
     assert "allow-read-access-to-services-role" in role_names
+    assert "allow-group-directory-creation-role" in role_names
+
+
+@pytest.mark.parametrize(
+    "component,scopes",
+    (["shared-directory", "write:shared-mount"],),
+)
+@pytest.mark.filterwarnings(
+    "ignore:.*auto_refresh_token is deprecated:DeprecationWarning"
+)
+@pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning")
+def test_check_default_groups_receive_directory_creation_scope(component, scopes):
+    client_role = get_keycloak_client_role(
+        client_name="jupyterhub", role_name="allow-group-directory-creation-role"
+    )
+    assert client_role["attributes"]["component"][0] == component
+    assert client_role["attributes"]["scopes"][0] == scopes
 
 
 @pytest.mark.parametrize(