canonical / bundle-kubeflow

Charmed Kubeflow
Apache License 2.0

Setting up Multi-user Isolation #492

Open hoangtnm opened 2 years ago

hoangtnm commented 2 years ago

Hi, does anyone have experience with Charmed Kubeflow’s Multi-user Isolation? Actually, I tried to follow the docs, but when I access http://10.64.140.43.nip.io/ to log in, the dashboard requires a password, which the docs don’t clarify. Therefore, I’m not so sure how to set up a password for a profile.

ca-scribner commented 2 years ago

Hi @hoangtnm!

Good questions. For charmed kubeflow, there's a little extra configuration needed. Check out the install guide step 6 and accessing the dashboard (Set URL in authentication methods) step 1. The tl/dr on those is you need to do something like:

```bash
juju config dex-auth public-url=http://10.64.140.43.nip.io/
juju config oidc-gatekeeper public-url=http://10.64.140.43.nip.io/
juju config dex-auth static-username=admin
juju config dex-auth static-password=admin
```

where the public-url is whatever shows as an external IP for your loadbalancer (see kubectl get svc).

The above instructions will set up a multi-tenancy Kubeflow, but only a single tenant (admin). And the login page will only have that one account. That's because the intent is for others to connect their own authentication, where this is more a simplified demo for getting started quickly. If you're setting up a full multi-tenant system where you do want additional users, you need to connect your authentication system to the dex charm.

Hope this helps!
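The quick-start settings from the comment above, as an added example that is not part of the thread or the project's own code: it derives `public-url` from the load balancer's external IP and sets a randomly generated `static-password` instead of `admin`. The function names, and the choice to read the first LoadBalancer service in the `kubeflow` namespace, are assumptions.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of Charmed Kubeflow.

# Build the URL in the form used in the thread (http://<ip>.nip.io/),
# rejecting anything that is not a dotted-quad IPv4 address.
public_url_for() {
  ip=$1
  case $ip in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $ip            # split into octets (only digits and dots remain here)
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  printf 'http://%s.nip.io/\n' "$ip"
}

# 128 bits from the kernel CSPRNG, hex-encoded (32 characters).
gen_password() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# External IP of the first LoadBalancer service in namespace $1 (assumption:
# the ingress gateway is the only LoadBalancer service in that namespace).
lb_ip() {
  kubectl get svc -n "$1" -o jsonpath='{range .items[?(@.spec.type=="LoadBalancer")]}{.status.loadBalancer.ingress[0].ip}{"\n"}{end}' | head -n 1
}

# The four settings from the thread, with caller-supplied values.
configure_dex() {
  url=$1 user=$2 pass=$3
  juju config dex-auth public-url="$url"
  juju config oidc-gatekeeper public-url="$url"
  juju config dex-auth static-username="$user"
  juju config dex-auth static-password="$pass"
}

# Run as: sh script.sh apply   (needs kubectl and juju on PATH)
if [ "${1:-}" = "apply" ]; then
  ip=$(lb_ip kubeflow)
  url=$(public_url_for "$ip") || { echo "no usable load balancer IP: '$ip'" >&2; exit 1; }
  pass=$(gen_password)
  configure_dex "$url" admin "$pass"
  echo "dashboard: $url  user: admin  password: $pass"
fi
```

The password is passed on the `juju config` command line and echoed once, so run this from a shell whose history and scrollback you control.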

hoangtnm commented 2 years ago

@ca-scribner thank you for your response. By the way, in order to connect Charmed Kubeflow's authentication system to the dex charm, is there any existing document or tutorial for this purpose?

ca-scribner commented 2 years ago

@hoangtnm you're welcome!

Good timing, I just noticed these authentication and authorisation docs. They add a bit more detail. The first gives a little more detail on how to use the dex connectors. Does this help?

ca-scribner commented 2 years ago

Or possibly this LDAP guide.

DomFleischmann commented 2 years ago

Hello @hoangtnm is this issue fixed now?

hoangtnm commented 2 years ago

Hi @DomFleischmann, I tried the LDAP guide. However, at the end, it seems that the guide hasn't provided details about how to connect created user(s) with their corresponding Profile or namespace, as well as how to configure/limit resources that each user can allocate such as GPU(s). Therefore, the issue hasn't been fixed now.

hoangtnm commented 2 years ago

@ca-scribner Btw, the LDAP guide seems a little bit complex, so I wonder if there is any way that we can skip LDAP and use the same original Dex auth as the original auth method?

hoangtnm commented 2 years ago

@DomFleischmann @ca-scribner btw, I met this error when finishing the LDAP guide. Actually, I followed the QuickStart guide to install Charmed Kubeflow v1.6 and then followed the LDAP guide directly. This error happens when I type username/password and then click Login. Moreover, I tried to reinstall Ubuntu Server 20.04 LTS multiple times and this error still happens. Therefore, I think this might be a bug inside Charmed Kubeflow, right?

[Screenshot: Screen Shot 2022-10-05 at 22 04 38]

hoangtnm commented 1 year ago

Hi @DomFleischmann @ca-scribner, do you meet the LDAP error I'm experiencing?

DomFleischmann commented 1 year ago

Hello @hoangtnm, we haven't run into this error before, but we also don't test the LDAP integration frequently; it is possible that this might be a bug. Just to be sure, is the IP mentioned in the error message an IP that exists in your setup? There seems to be an issue with DNS.

hoangtnm commented 1 year ago

Hi @DomFleischmann, I followed exactly the Quick start guide and LDAP guide after installing a new Ubuntu Server 20.04. These are the steps I use to set up Charmed Kubeflow:

```bash
sudo snap install microk8s --classic --channel=1.22/stable
sudo snap install juju --classic
sudo snap alias microk8s.kubectl kubectl

sudo usermod -aG microk8s $USER
newgrp microk8s
mkdir ~/.kube
microk8s config > ~/.kube/config
sudo chown -f -R $USER ~/.kube

microk8s enable dns storage ingress metallb:10.64.140.43-10.64.140.49
juju bootstrap microk8s
juju add-model kubeflow
juju deploy kubeflow --trust --channel 1.6/stable
```

I don't specify that IP address in my setup, so I think it is a fixed IP inside the Charmed Kubeflow code. Therefore, this might be a bug of Charmed Kubeflow. By the way, if your side doesn't test the LDAP integration frequently, is there any way to implement multi-tenancy that has been tested carefully?

DomFleischmann commented 1 year ago

Hello @hoangtnm I'm sorry you are running into these issues, we will work on this in the following weeks.