depends on conda-incubator/conda-store#1040

Since these tests depend on a live cluster, I suggest extending the already existing local integration tests with this extra check https://github.com/nebari-dev/nebari/blob/main/.github/workflows/test_local_integration.yaml -- since it uses CiRun under the hood you should not be affected by any flakiness of the GH runner in case of constrained resources.

Hey @soapy1 no rush on this, but could you update us on this? Just considering adding to our next Feb release

Heya @viniciusdc I've gotten a bit stuck on this one. I'm not able to find a way to pull an admin token for conda-store from nebari in order to run the tests (full notes in this comment - #2895 (comment)).

Things that I've tried:

• pulling a service token from the terraform state - this works but is a little janky
• logging in with the test user and generating a token - this user does not have enough permissions to create an admin token
• logging in with the root keycloak user to generate a token - this user also doesn't have enough permissions to create an admin token

Other options I've considered (but haven't tried yet):

• is there a way to seed a new service token for conda store (like a config option to add some service tokens)
• is there a way to use the keycloak api to add a user with admin permissions, and then generate a token from there

Definitely open to other ideas if you have a suggestion!

I left a comment to your thread there, but basically I think your best options are those two:

is there a way to seed a new service token for conda store (like a config option to add some service tokens)
is there a way to use the keycloak api to add a user with admin permissions, and then generate a token from there

1. For the first one, conda-store has a service token attribute that could be used, though this would require some extension to allow this to be customizable by the user to include new services:

Used for example here:

2. I think this one might be easier to get going, nebari already has a command to create users from CLI -- nebari keycloak --adduser, which could be used for creating the new user. Right now, there is no way of programmatically changing the group, we can have a script under tests that do this:

try:
    # Get user ID
    users = keycloak_admin.get_users({"username": USER_TO_ADD})
    if not users:
        print(f"User '{USER_TO_ADD}' not found.")
        exit(1)
    
    user_id = users[0]["id"]
    
    # Get group ID
    groups = keycloak_admin.get_groups()
    group_id = next((g["id"] for g in groups if g["name"] == "superadmin"), None)
    
    if not group_id:
        print(f"Group 'superadmin' not found.")
        exit(1)
    
    # Add user to group
    keycloak_admin.group_user_add(user_id, group_id)
    print(f"User '{USER_TO_ADD}' successfully added to 'superadmin' group.")

except KeycloakError as e:
    print(f"Error: {e}")

for the main API KeycloakAdmin class, you might be able to use this function

I wonder if this should be configured directly trough nebari's CLI anyway, we already have root access level credentials in the yaml, so it would not be a security overlook to allow the group in which the user will be created to appear as a custom flag as well....

I wonder if this should be configured directly trough nebari's CLI anyway

ya, I was thinking about adding this. Something like nebari keycloak adduser -c nebari-config.yaml --user test password --role superadmin. I think it would be good to have some mechanism so that users can't create a user with more permissions than they ought to be able to.

so it would not be a security overlook to allow the group in which the user will be created to appear as a custom flag as well

could make a v1 of this be something like only root users are allowed to set a role?