Closed choldgraf closed 2 years ago
Update from meeting with Karan:
The main thing we need to do is move the binderhub project outside of Karan's org (which is a Google org account) and into some other org. I don't think it matters what org this is, because the billing account (attached to Fernando) should stay the same regardless.
A few options:
- berkeley.edu Google Cloud org
- jupyter.org Google Cloud org
- 2i2c.org Google Cloud org
Also just another note, we have about $60,000 in credits remaining, and we have until December 22nd to spend them.
My vote is to create a jupyter.org Google Cloud Org, and move it there. However, maybe you need a google workspace account to 'create' an org?
Also the current binderhub project is not under any organization:
So I'm not sure what Karan means?
On Sun, Aug 8, 2021 at 11:51 PM Yuvi Panda @.***> wrote:
> My vote is to create a jupyter.org Google Cloud Org, and move it there. Orgs are free, so we should 'just do it'.
Yup, that sounds like a good plan! Even if for now it's mostly a single-task account for binder, it could come in handy in the future to manage other Jupyter services hosted on GCP. We're gradually organizing working groups around various areas better in Jupyter itself (see e.g. the security stuff recently led by Rollin, Rick and Tiffany). This goes in that same direction, so +1 from me.
For creating a jupyter.org GCP org, what is the pathway to doing this? Does it need to be done by a specific person (e.g. who has access to the Jupyter Google Workspaces account or something)? @fperez perhaps this is something to discuss with the governance team?
Could somebody please point me in a direction here? We are getting close to the end-date of the current credits, and it's not going to look good if we still haven't satisfied Karan's request by then.
I need guidance on: how can I create a `Project Jupyter` Google cloud org? I would like to create this organization, provide "owner" status to members of the JupyterHub team, and then migrate the `binder` GCP project to this org.
I've also updated the top comment with (I think) the next steps that need to happen
@choldgraf to create a GCP organization, this is a starting point I think.
PS: GCP organization names can have a display name and an id that must be unique. I like the idea of using the id `jupyter-org`, the id must be lower case and can't contain `.` or spaces if I recall correctly. This won't be seen by end users so it's not really important, not even the display name will be seen by end users I think. I think the id will be unchangeable, but that the display name will be possible to change.
I'd love to learn about the project migration process so I'd be very happy to take part of this in any way.
I'd like to propose the following actions, I welcome guidance from others to let me know if we should instead open up a JEP about this:
- `jupyter-org` organization on Google Cloud
- `gke.mybinder.org` project underneath this organization

Do we need more 👍 on https://github.com/jupyterhub/team-compass/issues/427#issuecomment-943554401? To me it looks like enough people have said yes and we have people who want to implement it. That means the next step is to work on it. Is that how everyone else sees it as well or is there something else we need to take care of first?
Thanks for nudging this onwards @betatim!
@choldgraf should we try to get some work done with regards to this today? We may require control of the jupyter.org domain to do this, but I'm not sure. What domain registration service is used to manage jupyter.org currently? I think we may need access to it in order to set a TXT entry or similar to prove ownership to GCP as part of this.
@consideRatio DNS records for jupyter.org are managed via Cloudflare. Although I don't use LastPass, it was what was used to share the password with me. I've added your email to LastPass so you should have access to this as well.
Thanks @yuvipanda, I've verified access and I'm all set!
@betatim I do have the same impression. @consideRatio I'd love to have a quick session today to understand whether it will be complicated or not.
OK @consideRatio and I just spent several hours trying to figure this out (thank you so much @consideRatio) and we made some progress but hit some roadblocks. Here's an update:
- Create a Google Cloud Organization for the domain `jupyter.org`.
- Added a TXT record to `jupyter.org` with the value `google-site-verification=<SOMECODE>`. This is what Google Workspaces uses to confirm that we control `jupyter.org`
- Create a Google Cloud Identity that was the first user for the org above. It has these credentials: `admin@jupyter.org`
- Granted `Project Owner` and `Organizational Administrator` roles to the people that were on the email with Karan (listed below). We should add others once we confirm that these roles are the correct thing to do w/ Karan:
- We also granted `Project Owner` role to Karan and to `admin@jupyter.org` with the `binderhub` GCP project
- Tried to migrate the `binderhub` GCP project, but ran into a "permission denied" response.
- Tried a million permutations of giving as much permissions as possible to ourselves on both projects, but none of these worked :-(

We think that the problem is that the Billing Account powering the GCP project is linked to the `berkeley.edu` GCP organization, and this has much more restrictive policies that disallow migrating projects associated with their accounts. I really doubt that we will get Berkeley to change these policies.
So I've sent an email to Karan giving him an update about the same steps above, and asking if he can help us figure out the next step.
I think our optimal outcome here would be:
- `jupyter.org` GCP organization for all GCP-related Jupyter cloud infrastructure
- `binderhub` project to use this billing account instead of the Berkeley.edu one (perhaps in December when the credits are about to expire).

That way, we can have a GCP organizational account that is tied to "The Jupyter Project's DNS record", instead of to UC Berkeley.
> We think that the problem is that the Billing Account powering the GCP project is linked to the berkeley.edu GCP organization, and this has much more restrictive policies that disallow migrating projects associated with their accounts. I really doubt that we will get Berkeley to change these policies.
Do you have more information on this? I don't see any link between the project and berkeley with the access I have. Berkeley also doesn't have any requirements around projects being funded by them required to be in the berkeley.edu org (the data8x hub is funded with a chart string and isn't in their org, and that isn't a requirement).
@consideRatio and I spent another hour talking to some GCP folks this morning, and we confirmed a few things and also have some more next steps.
- Where the `binderhub` GCP project currently lives: In a Google Cloud organization called `gcp.solutions`. This is the org that we need to move away from.
- Where is the billing account for the `binderhub` project?: In a GCP Billing account linked to UC Berkeley under Fernando's name.
- Why can't we just move the `binderhub` project to the `jupyter.org` GCP organization we created?: Because the billing account is under Berkeley's access policy and this prohibits people from transferring projects without explicit approval, even if the project is not under the UC Berkeley organization (in this case, only the billing account is).
Here are a few options that we could follow:
- `jupyter.org` account. Doing this will require getting permission from a UC Berkeley administrator, adding a Binder team member as a billing account administrator, and then moving the account over.

There is an extra consideration they brought up about where to move the project. Apparently running our own Google Cloud organization will make us lose some benefits that the academic organizations get - this would primarily be (1) lower egress fees, (2) a 20% discount, and (3) more dedicated support. However, speaking with @consideRatio, it seems like none of these would be deal-breakers, and the benefits of using a jupyter-specific organization probably outweigh the costs.
I think that these are the next steps
- `binderhub` approved for moving the billing account outside of the university.

The rationale here is that it'd be nice if we can get Berkeley to let us move accounts, but it will be catastrophic if Binder runs out of credits on GCP. So we should focus on that, and only put time into transferring our pre-existing credits if we know it will be worth it.
I'll update #463 with more information about next steps there.
🙏 THANK YOU @consideRatio for joining these conversations!
This is now completed! Closed by https://github.com/jupyterhub/team-compass/pull/470
Heroic! Thanks for persevering.
Nice!
The one thing that I've lost track of is: has the project moved or not? The "closed by #470" made me think "aha that issue will explain it to me" but from a quick look the issue is about updating contact info but I couldn't work out what that meant in terms of "did we move or not?"
The GCP org is created, the binderhub GCP project moved, and the associated billing account is moved! We are entirely based in the GCP organization called `jupyter.org` now!
Whoop!
Can you add betatim@gmail.com to the `jupyter.org` org?
Done! See gitter for a link of relevance!
Naive question: what is the difference between being a member of a GCP org vs a project? I believe the permissions of the binderhub project haven't changed at all, but we should make sure that all team members have access to the things they had before! Are there other folks we need to add to the org?
Confirming that my old link to the project still works and I can still see the clusters and I don't believe I have been added to the new org
I don't think much happens at the org level other than enforcing policies and quotas that we probably won't use. I think the main thing is that a project must have an owner that's either a person or an org, just like a GitHub repo.
I think the main thing we'll do at the org level is probably create new projects, and potentially billing accounts, depending on funding situations. ~everything else happens at the project level.
Background
Google is supplying us credits to power mybinder.org, these are currently run off of the Google Research Team's project, which is powering gke.mybinder.org. Recently Karan reached out and said it would be better if this project were under @fperez's account rather than theirs, so that we have more control over it.
I'm meeting with Karan on Friday to make this transfer. Will post the meeting time below in case anybody else would like to join (if so, let me know here or in a DM!)
Implementation details
I think the best path forward would be to create a `Project Jupyter` Google Cloud org, and then move this project underneath that organization. We could give ownership access to any member of the JupyterHub team that wanted it.

Tasks