kubeflow / notebooks

Kubeflow Notebooks lets you run web-based development environments on your Kubernetes cluster by running them inside Pods.
Apache License 2.0

Notebook Sharing for Review, View Edit capabilities #103

Open asahalyft opened 2 years ago

asahalyft commented 2 years ago

/kind feature

Why you need this feature: RBAC for notebooks sharing.

Our users need to review and share each other's notebooks. Only certain users can view certain users' notebooks. Also, only certain users should be able to edit others' notebooks.

Describe the solution you'd like: I am following https://www.kubeflow.org/docs/components/multi-tenancy/getting-started/ to create two profiles Alice & Bob and checking the collaborations. Alice should be able to Edit Bob's notebook, but Bob can only View Alice's notebook. Alice is the manager of Bob.

image (3)

I created the following two User profiles:

```yaml
apiVersion: kubeflow.org/v1
kind: Profile
metadata:
  name: kubeflow-alice-example-com   # replace with the name of profile you want
spec:
  owner:
    kind: User
    name: alice@example.com   # replace with the email of the user
---
apiVersion: kubeflow.org/v1
kind: Profile
metadata:
  name: kubeflow-bob-example-com   # replace with the name of profile you want
spec:
  owner:
    kind: User
    name: bob@example.com   # replace with the email of the user
```

I created the following contributors.yaml

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    role: edit
    user: alice@example.com
  name: user-alice-example-com-clusterrole-edit
  namespace: kubeflow-bob-example-com
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: alice@example.com
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    role: view
    user: bob@example.com
  name: user-bob-example-com-clusterrole-view
  namespace: kubeflow-alice-example-com
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: bob@example.com
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  annotations:
    role: edit
    user: alice@example.com
  name: user-alice-example-com-clusterrole-edit
  namespace: kubeflow-bob-example-com
spec:
  action: ALLOW
  rules:
  - when:
    - key: request.headers[kubeflow-userid] # for GCP, use x-goog-authenticated-user-email instead of kubeflow-userid for authentication purpose
      values:
      - alice@example.com
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  annotations:
    role: view
    user: bob@example.com
  name: user-bob-example-com-clusterrole-view
  namespace: kubeflow-alice-example-com
spec:
  action: ALLOW
  rules:
  - when:
    - key: request.headers[kubeflow-userid] # for GCP, use x-goog-authenticated-user-email instead of kubeflow-userid for authentication purpose
      values:
      - bob@example.com   # replace with the email of the user from your Active Directory (case sensitive)
```

But I see Bob can both view and edit Alice's notebook.

We confirmed here https://kubeflow.slack.com/archives/CKBA5D0MU/p1664649279686759 that binding to kubeflow-view != read-only permissions.

What is the equivalent functionality in Kubeflow?
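
An added example, not from the issue or from the Kubeflow project: the contributor AuthorizationPolicy above admits every request carrying Bob's `kubeflow-userid`, whatever the `kubeflow-view` RoleBinding says, which is why Bob can still save changes. A tighter Istio policy for Bob in Alice's namespace can admit only read-only HTTP methods instead. It assumes the same profile names and the `kubeflow-userid` header used in the issue.

```yaml
# Added example (not from the issue or Kubeflow): replaces Bob's contributor
# AuthorizationPolicy in Alice's namespace with one that only admits read-only
# HTTP methods. Namespace, user and header names are assumed from the issue.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  annotations:
    role: view
    user: bob@example.com
  name: user-bob-example-com-clusterrole-view
  namespace: kubeflow-alice-example-com
spec:
  action: ALLOW
  rules:
  # Within one rule, `to` and `when` are ANDed: the request must be a
  # read-only method AND carry Bob's identity header.
  - to:
    - operation:
        methods: ["GET", "HEAD", "OPTIONS"]
    when:
    - key: request.headers[kubeflow-userid]   # on GCP use x-goog-authenticated-user-email
      values:
      - bob@example.com
```

With this in place, PUT, POST, PATCH and DELETE requests from Bob (for example a notebook save through the Jupyter contents API) are rejected at the sidecar before reaching the notebook server, while anything the UI fetches with GET still passes, so verify the resulting behaviour against your notebook image. The Kubernetes side is a separate check: `kubectl auth can-i update notebooks.kubeflow.org --as=bob@example.com -n kubeflow-alice-example-com` should answer `no` for a `kubeflow-view` binding.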

andreyvelich commented 3 weeks ago

/transfer notebooks

google-oss-prow[bot] commented 3 weeks ago

@asahalyft: The label(s) kind/feature cannot be applied, because the repository doesn't have them.
