nebari-dev · iameskild · Apr 10, 2023 · Apr 7, 2023 · Apr 7, 2023 · Apr 7, 2023
diff --git a/nebari/constants.py b/nebari/constants.py
@@ -8,6 +8,6 @@
 DEFAULT_NEBARI_DASK_VERSION = "2023.1.1"
 DEFAULT_NEBARI_IMAGE_TAG = "2023.1.1"
 
-DEFAULT_CONDA_STORE_IMAGE_TAG = "v0.4.12"
+DEFAULT_CONDA_STORE_IMAGE_TAG = "v0.4.14"
 
 LATEST_SUPPORTED_PYTHON_VERSION = "3.10"
diff --git a/nebari/stages/input_vars.py b/nebari/stages/input_vars.py
@@ -240,7 +240,8 @@ def stage_06_kubernetes_keycloak_configuration(stage_outputs, config):
         .get("keycloak", {})
         .get("realm_display_name", realm_id),
         "authentication": config["security"]["authentication"],
-        "keycloak_groups": ["admin", "developer", "analyst"] + users_group,
+        "keycloak_groups": ["superadmin", "admin", "developer", "analyst"]
+        + users_group,
         "default_groups": ["analyst"] + users_group,
     }
 

diff --git a/nebari/template/stages/06-kubernetes-keycloak-configuration/permissions.tf b/nebari/template/stages/06-kubernetes-keycloak-configuration/permissions.tf
@@ -0,0 +1,48 @@
+data "keycloak_openid_client" "realm_management" {
+  realm_id  = keycloak_realm.main.id
+  client_id = "realm-management"
+}
+
+data "keycloak_role" "manage-users" {
+  realm_id  = keycloak_realm.main.id
+  client_id = data.keycloak_openid_client.realm_management.id
+  name      = "manage-users"
+}
+
+data "keycloak_role" "query-users" {
+  realm_id  = keycloak_realm.main.id
+  client_id = data.keycloak_openid_client.realm_management.id
+  name      = "query-users"
+}
+
+data "keycloak_role" "query-groups" {
+  realm_id  = keycloak_realm.main.id
+  client_id = data.keycloak_openid_client.realm_management.id
+  name      = "query-groups"
+}
+
+data "keycloak_role" "realm-admin" {
+  realm_id  = keycloak_realm.main.id
+  client_id = data.keycloak_openid_client.realm_management.id
+  name      = "realm-admin"
+}
+
+resource "keycloak_group_roles" "admin_roles" {
+  realm_id = keycloak_realm.main.id
+  group_id = keycloak_group.groups["admin"].id
+  role_ids = [
+    data.keycloak_role.query-users.id,
+    data.keycloak_role.query-groups.id,
+    data.keycloak_role.manage-users.id
+  ]
+
+  exhaustive = false
+}
+
+resource "keycloak_group_roles" "superadmin_roles" {
+  realm_id = keycloak_realm.main.id
+  group_id = keycloak_group.groups["superadmin"].id
+  role_ids = [data.keycloak_role.realm-admin.id]
+
+  exhaustive = false
+}
diff --git a/nebari/template/stages/07-kubernetes-services/conda-store.tf b/nebari/template/stages/07-kubernetes-services/conda-store.tf
@@ -36,7 +36,7 @@ variable "conda-store-image" {
 variable "conda-store-image-tag" {
   description = "Version of conda-store to use"
   type        = string
-  default     = "v0.4.12"
+  default     = "v0.4.14"
 }
 
 # ====================== RESOURCES =======================

diff --git a/...-kubernetes-services/modules/kubernetes/services/conda-store/config/conda_store_config.py b/...-kubernetes-services/modules/kubernetes/services/conda-store/config/conda_store_config.py
@@ -43,6 +43,12 @@ def conda_store_config(path="/var/lib/conda-store/config.json"):
 
 c.CondaStore.default_namespace = "global"
 c.CondaStore.filesystem_namespace = config["default-namespace"]
+c.CondaStore.conda_allowed_channels = []  # allow all channels
+c.CondaStore.conda_indexed_channels = [
+    "main",
+    "conda-forge",
+    "https://repo.anaconda.com/pkgs/main",
+]
 
 # ==================================
 #        server settings
@@ -93,6 +99,15 @@ async def authenticate(self, request):
         response.raise_for_status()
         user_data = response.json()
 
+        username = user_data["preferred_username"]
+
+        # superadmin gets access to everything
+        if "conda_store_superadmin" in user_data.get("roles", []):
+            return schema.AuthenticationToken(
+                primary_namespace=username,
+                role_bindings={"*/*": {"admin"}},
+            )
+
         role_mappings = {
             "conda_store_admin": "admin",
             "conda_store_developer": "developer",
@@ -103,7 +118,6 @@ async def authenticate(self, request):
             for role in user_data.get("roles", [])
             if role in role_mappings
         }
-        username = user_data["preferred_username"]
         default_namespace = config["default-namespace"]
         namespaces = {username, "global", default_namespace}
         role_bindings = {

diff --git a/.../template/stages/07-kubernetes-services/modules/kubernetes/services/conda-store/server.tf b/.../template/stages/07-kubernetes-services/modules/kubernetes/services/conda-store/server.tf
@@ -55,9 +55,10 @@ module "conda-store-openid-client" {
   client_id    = "conda_store"
   external-url = var.external-url
   role_mapping = {
-    "admin"     = ["conda_store_admin"]
-    "developer" = ["conda_store_developer"]
-    "analyst"   = ["conda_store_developer"]
+    "superadmin" = ["conda_store_superadmin"]
+    "admin"      = ["conda_store_admin"]
+    "developer"  = ["conda_store_developer"]
+    "analyst"    = ["conda_store_developer"]
   }
   callback-url-paths = [
     "https://${var.external-url}/conda-store/oauth_callback"