
Refactor role creation for upgrade command path #2795

Merged
merged 8 commits into from
Oct 31, 2024
52 changes: 43 additions & 9 deletions src/_nebari/upgrade.py
Expand Up @@ -1214,6 +1214,22 @@ class Upgrade_2024_9_1(UpgradeStep):

version = "2024.9.1"

# Nebari version 2024.9.1 has been marked as broken, and will be skipped:
# https://github.com/nebari-dev/nebari/issues/2798
@override
def _version_specific_upgrade(
self, config, start_version, config_filename: Path, *args, **kwargs
):
return config


class Upgrade_2024_11_1(UpgradeStep):
"""
Upgrade step for Nebari version 2024.11.1
"""

version = "2024.11.1"

@override
def _version_specific_upgrade(
self, config, start_version, config_filename: Path, *args, **kwargs
Expand Down Expand Up @@ -1243,16 +1259,16 @@ def _version_specific_upgrade(
Please ensure no users are currently logged in prior to deploying this
update.

Nebari [green]2024.9.1[/green] introduces changes to how group
directories are mounted in JupyterLab pods.
This release introduces changes to how group directories are mounted in
JupyterLab pods.

Previously, every Keycloak group in the Nebari realm automatically created a
shared directory at ~/shared/<group-name>, accessible to all group members
in their JupyterLab pods.

Starting with Nebari [green]2024.9.1[/green], only groups assigned the
JupyterHub client role [magenta]allow-group-directory-creation[/magenta] will have their
directories mounted.
Moving forward, only groups assigned the JupyterHub client role
[magenta]allow-group-directory-creation[/magenta] or its affiliated scope
[magenta]write:shared-mount[/magenta] will have their directories mounted.

By default, the admin, analyst, and developer groups will have this
role assigned during the upgrade. For other groups, you'll now need to
Expand All @@ -1268,7 +1284,7 @@ def _version_specific_upgrade(
# Prompt the user for role assignment (if yes, transforms the response into bool)
assign_roles = (
Prompt.ask(
"[bold]Would you like Nebari to assign the corresponding role to all of your current groups automatically?[/bold]",
"[bold]Would you like Nebari to assign the corresponding role/scopes to all of your current groups automatically?[/bold]",
choices=["y", "N"],
default="N",
).lower()
Expand All @@ -1286,13 +1302,31 @@ def _version_specific_upgrade(
username="root",
password=config["security"]["keycloak"]["initial_root_password"],
)

# Proceed with updating group permissions
# Get client ID as role is bound to the JupyterHub client
client_id = keycloak_admin.get_client_id("jupyterhub")
role_name = "allow-group-directory-creation-role"
role_name = "legacy-group-directory-creation-role"

# Create role with shared scopes
keycloak_admin.create_client_role(
client_role_id=client_id,
skip_exists=True,
payload={
"name": role_name,
"attributes": {
"scopes": ["write:shared-mount"],
"component": ["shared-directory"],
},
"description": (
"Role to allow group directory creation, created as part of the "
"Nebari 2024.11.1 upgrade workflow."
),
},
)

role_id = keycloak_admin.get_client_role_id(
client_id=client_id, role_name=role_name
)

role_representation = keycloak_admin.get_role_by_id(role_id=role_id)

# Fetch all groups and groups with the role
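Review bot: With `skip_exists=True` on the `create_client_role` call, a role named `legacy-group-directory-creation-role` that already exists in the realm is left untouched, so its `attributes.scopes` may lack `write:shared-mount` (or carry more than that) and the groups assigned to it later in this method receive whatever the pre-existing role grants rather than what this upgrade intends. The `role_representation` fetched right after is the natural place to verify that before any assignment, e.g. `scopes = role_representation.get("attributes", {}).get("scopes", [])` followed by `if "write:shared-mount" not in scopes: raise ValueError(f"Existing Keycloak role {role_name!r} does not carry the write:shared-mount scope; fix or remove it and re-run the upgrade")`, assuming the representation returned by `get_role_by_id` includes attributes as it does for client roles. Relatedly, python-keycloak's `get_client_id("jupyterhub")` returns `None` when no client with that clientId exists, and that `None` then flows straight into `create_client_role`; a guard such as `if client_id is None: raise ValueError("JupyterHub client not found in Keycloak")` would give a clear failure instead of an opaque HTTP error. The description string also hardcodes `2024.11.1` where `self.version` would keep it in sync with the class attribute. `_version_specific_upgrade` continues past the end of the hunk.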