Conda-store permissions v2 + load roles from keycloak #2531

aktech · 2024-06-21T14:36:09Z

Reference Issues or PRs

Docs: nebari-dev/nebari-docs#480
Rendered link: https://deploy-preview-480--nebari-docs.netlify.app/docs/how-tos/fine-grained-permissions

This achieves the following two things:

Uses conda-store's v2 of RBACAuthorizationBackend
Parses and loads conda-store roles from keycloak

This PR basically lets you assign conda-store roles to users/groups from keycloak:

The following role when applied to a group or user will give the users in group /user "viewer" access to namespace "aktech":

What does this implement/fix?

Put a x in the boxes that apply

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds a feature)
Breaking change (fix or feature that would cause existing features not to work as expected)
Documentation Update
Code style update (formatting, renaming)
Refactoring (no functional changes, no API changes)
Build related changes
Other (please describe):

Testing

Did you test the pull request locally?
Did you add new tests?

Any other comments?

...netes_services/template/modules/kubernetes/services/conda-store/config/conda_store_config.py

Adam-D-Lewis

See comments

- specificy log format via c.CondaStoreServer.log_format - Fix capitalization in KeyCloakCondaStoreRoleScopes - more readable log message for role validation - use internal urls for accessing keycloak

Adam-D-Lewis

LGTM!

aktech and others added 9 commits June 21, 2024 15:33

conda store load roles

a67e02c

[pre-commit.ci] Apply automatic pre-commit fixes

d6aa198

refactor, remove previously attached roles

e629088

[pre-commit.ci] Apply automatic pre-commit fixes

c6e6a70

debug

d8be481

disable ssl context

eac0fb5

[pre-commit.ci] Apply automatic pre-commit fixes

7cfa8ae

handle multiple permissions in a single role

df61020

add tests for conda-store load roles

99360d0

aktech marked this pull request as ready for review June 24, 2024 12:35

aktech added 4 commits June 24, 2024 13:37

remove unnecessary logs

70529c0

add test for duplicate namespace role

816341b

use objects for readability

ef5f153

validate role and disable ssl in tests

9a98568

aktech requested a review from krassowski June 24, 2024 13:30

ignore resource warning

a40a8fc

aktech requested a review from viniciusdc June 24, 2024 14:39

aktech mentioned this pull request Jun 24, 2024

Add docs for fine-grained permissions from keycloak nebari-dev/nebari-docs#480

Merged

18 tasks

aktech added this to the Permission RBAC milestone Jun 25, 2024

aktech requested review from dcmcand, Adam-D-Lewis and marcelovilla June 27, 2024 13:20

Merge branch 'develop' into conda-store-permissions

3c79c84