Onboarding event when a user logs in

[Yuwei0021]

Hello,

with Onyxia, I would like to ensure that when a user logs in, it triggers some code to create the namespace for the user, specifically to avoid granting the onyxia service account the right to create/modify namespaces.

Currently, the InitNamespaceEvent is only triggered when a user launches a service and if their namespace does not already exist.

It would be ideal to emit an onboarding event whenever a user logs in, independent of service instantiation.

Best regards,
Yuwei

[Yuwei0021]

Hello,
Based on my observations, the onboarding endpoint is triggered every time a user logs in. The onyxia-api either creates a namespace if it doesn’t already exist or updates the lastlogin annotation for the namespace.

If the onboarding process only performs those actions, would it make sense to make it optional?
We could either let Onyxia handle the onboarding or allow it to be managed externally. The second option could help bypass security restrictions in organizations that don't want to grant cluster-wide permissions to the Onyxia API.

yuwei

[olevitt]

Hi !

Yes, I agree with you.
Mid / long term answer : we are planning to separate the onboarding process from the rest of the API (possibly creating a new optional module onyxia-onboarding with elevated privileges so that Onyxia-api can be run with lower privileges.
Short term answer : there is a configuration key in region (services.allowNamespaceCreation, see https://github.com/InseeFrLab/onyxia-api/blob/main/docs/region-configuration.md#services-properties) that let you disable the namespace creation, assuming it has been done externally from Onyxia. But yeah, if you have allowNamespaceCreation disabled then you have to create the namespace by yourself and you (currently at least, this issue may want to change that) don't get any event. So this is probably only suitable if your onboarding process is completly external from Onyxia (e.g you are watching Keycloak events)