Refactor shared group mounting using RBAC

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterhub/03-profiles.py

@@ -82,11 +82,11 @@ def base_profile_home_mounts(username):
     }
 
 
-def base_profile_shared_mounts(groups):
+def base_profile_shared_mounts(groups, group_roles):
     """Configure the group directory mounts for user.
 
-    Ensure that {shared}/{group} directory exists and user has
-    permissions to read/write/execute. Kubernetes does not allow the
+    Ensure that {shared}/{group} directory exists based on the scope availability
+    and if user has permissions to read/write/execute. Kubernetes does not allow the
     same pvc to be a volume thus we must check that the home and share
     pvc are not the same for some operation.
 
@@ -103,22 +103,30 @@ def base_profile_shared_mounts(groups):
             {"name": "shared", "persistentVolumeClaim": {"claimName": shared_pvc_name}}
         )
 
+    relevant_groups = []
+    for group in groups:
+        for roles in group_roles.get(group, []):
+            # Check if the group has a role that has a shared-directory scope
+            if "shared-directory" in roles.get("attributes", {}).get("component", []):
+                relevant_groups.append(group)
+                break
+
     extra_container_config = {
         "volumeMounts": [
             {
                 "mountPath": pod_shared_mount_path.format(group=group),
                 "name": "shared" if home_pvc_name != shared_pvc_name else "home",
                 "subPath": pvc_shared_mount_path.format(group=group),
             }
-            for group in groups
+            for group in relevant_groups
         ]
     }
 
     MKDIR_OWN_DIRECTORY = "mkdir -p /mnt/{path} && chmod 777 /mnt/{path}"
     command = " && ".join(
         [
             MKDIR_OWN_DIRECTORY.format(path=pvc_shared_mount_path.format(group=group))
-            for group in groups
+            for group in relevant_groups
         ]
     )
     init_containers = [
@@ -133,7 +141,7 @@ def base_profile_shared_mounts(groups):
                     "name": "shared" if home_pvc_name != shared_pvc_name else "home",
                     "subPath": pvc_shared_mount_path.format(group=group),
                 }
-                for group in groups
+                for group in relevant_groups
             ],
         }
     ]
@@ -475,7 +483,7 @@ def profile_conda_store_viewer_token():
     }
 
 
-def render_profile(profile, username, groups, keycloak_profilenames):
+def render_profile(profile, username, groups, keycloak_profilenames, group_roles):
     """Render each profile for user.
 
     If profile is not available for given username, groups returns
@@ -513,7 +521,7 @@ def render_profile(profile, username, groups, keycloak_profilenames):
         deep_merge,
         [
             base_profile_home_mounts(username),
-            base_profile_shared_mounts(groups),
+            base_profile_shared_mounts(groups, group_roles),
             profile_conda_store_mounts(username, groups),
             base_profile_extra_mounts(),
             configure_user(username, groups),
@@ -543,13 +551,35 @@ def preserve_envvars(spawner):
     return profile
 
 
+def parse_roles(data):
+    parsed_roles = {}
+
+    for role in data:
+        for group in role["groups"]:
+            # group = str(group).replace("/", "")
+            group_name = Path(group).name
+            if group_name not in parsed_roles:
+                parsed_roles[group_name] = []
+
+            role_info = {
+                "description": role["description"],
+                "name": role["name"],
+                "attributes": role["attributes"],
+            }
+
+            parsed_roles[group_name].append(role_info)
+
+    return parsed_roles
+
+
 @gen.coroutine
 def render_profiles(spawner):
     # jupyterhub does not yet manage groups but it will soon
     # so for now we rely on auth_state from the keycloak
     # userinfo request to have the groups in the key
     # "auth_state.oauth_user.groups"
     auth_state = yield spawner.user.get_auth_state()
+    group_roles = parse_roles(spawner.authenticator.group_roles_map)
 
     username = auth_state["oauth_user"]["preferred_username"]
     # only return the lowest level group name
@@ -566,7 +596,7 @@ def render_profiles(spawner):
         filter(
             None,
             [
-                render_profile(p, username, groups, keycloak_profilenames)
+                render_profile(p, username, groups, keycloak_profilenames, group_roles)
                 for p in profile_list
             ],
         )

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterhub/04-auth.py

@@ -7,7 +7,7 @@
 from jupyterhub import scopes
 from jupyterhub.traitlets import Callable
 from oauthenticator.generic import GenericOAuthenticator
-from traitlets import Bool, Unicode, Union
+from traitlets import Bool, List, Unicode, Union
 
 
 class KeyCloakOAuthenticator(GenericOAuthenticator):
@@ -27,6 +27,11 @@ class KeyCloakOAuthenticator(GenericOAuthenticator):
         config=True, help="""The keycloak REST API URL for the realm."""
     )
 
+    group_roles_map = List(
+        config=False,
+        help="""A mapping of roles to groups based on the user's assigned roles.""",
+    )
+
     reset_managed_roles_on_startup = Bool(True)
 
     async def update_auth_model(self, auth_model):
@@ -55,6 +60,11 @@ async def update_auth_model(self, auth_model):
         user_roles_rich = await self._get_roles_with_attributes(
             roles=user_roles, client_id=jupyterhub_client_id, token=token
         )
+        self.group_roles_map = await self._fetch_and_map_roles(
+            roles=user_roles_rich,
+            token=token,
+            url=f"clients/{jupyterhub_client_id}/roles/{{role_name}}",
+        )
         keycloak_api_call_time_taken = time.time() - keycloak_api_call_start
         user_roles_rich_names = {role["name"] for role in user_roles_rich}
         user_roles_non_jhub_client = [
@@ -154,17 +164,36 @@ async def load_managed_roles(self):
 
         return list(roles.values())
 
-    def _get_scope_from_role(self, role):
+    def _get_scope_from_role(self, role, component_filter=["jupyterhub"]):
         """Return scopes from role if the component is jupyterhub"""
         role_scopes = role.get("attributes", {}).get("scopes", [])
         component = role.get("attributes", {}).get("component")
         # Attributes are returned as a single-element array, unless `##` delimiter is used in Keycloak
         # See this: https://stackoverflow.com/questions/68954733/keycloak-client-role-attribute-array
-        if component == ["jupyterhub"] and role_scopes:
+        if component == component_filter and role_scopes:
             return self.validate_scopes(role_scopes[0].split(","))
+        elif component_filter is None:
+            return self.validate_scopes(role_scopes)
         else:
             return []
 
+    async def _fetch_and_map_roles(self, roles, token, url, group_name_key="path"):
+        # we could use either `name` (e.g. "developer") or `path` ("/developer");
+        # since the default claim key returns `path`, it seems preferable.
+
+        self.log.info("Mapping roles with groups and users..")
+
+        for role in roles:
+            role_name = role["name"]
+            # fetch role assignments to groups
+            base_url = url.format(role_name=role_name)
+            groups = await self._fetch_api(f"{base_url}/groups", token=token)
+            role["groups"] = [group[group_name_key] for group in groups]
+            users = await self._fetch_api(f"{base_url}/users", token=token)
+            role["users"] = [user["username"] for user in users]
+
+        return roles
+
     def validate_scopes(self, role_scopes):
         """Validate role scopes to sanity check user provided scopes from keycloak"""
         self.log.info(f"Validating role scopes: {role_scopes}")

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf

@@ -304,6 +304,17 @@ module "jupyterhub-openid-client" {
         "component" : "jupyterhub"
       }
     },
+    {
+      "name" : "allow-group-directory-creation-role",
+      "description" : "Grants a group the ability to manage the creation of its corresponding mounted directory.",
+      # Adding it to analyst group such that it's applied to every user.
+      "groups" : ["admin", "analyst", "developer"],
+      "attributes" : {
+        # grants permissions to read services
+        "scopes" : "write:shared-mount",
+        "component" : "shared-directory"
+      }
+    },
   ]
   callback-url-paths = [
     "https://${var.external-url}/hub/oauth_callback",