nebari-dev / jhub-apps

Application creator and general launcher for JupyterHub
https://jhub-apps.nebari.dev/
BSD 3-Clause "New" or "Revised" License
27 stars 12 forks source link

[ENH] - Implement App permissions/Sharing #11

Open aktech opened 1 year ago

aktech commented 1 year ago

Feature Description

Fine-grained permissions on the ability to create and share an app.

Possible Permissions

App Sharing

App Creation

Notes:

Implementation Steps / Tasks

Notes

kcpevey commented 9 months ago

REDACTED - The scope of this issue now includes the suggestion from this comment. I've removed it here to keep this issue readable/less confusing.

kcpevey commented 8 months ago

If a user is shared an app, they have the ability to start it in case its stopped (e.g. idle culled), but have no permissions to edit the app, i.e. the app will be started with same configuration as it was created with.

To make this a little more clear - If an app has been shared with a user, they will have the ability to restart it in case its stopped (e.g. idle culled). The user will have no permissions to edit the app, i.e. the app will be started with same configuration as it was created with.

A user can create an app

Do we want the ability to control this at the group level as well? Or is that a v2.0 implementation?

krassowski commented 8 months ago

Cross linking previous discussion in https://github.com/nebari-dev/jhub-apps/issues/110

I do not see anything about impersonation. Do I correctly assume that users visiting shared apps will still be able to act as the author of the shared app and their activity will be logged as that person (rather as themselves?). My understanding was that using "collaborative users" is required to solve impersonation, but if the proposal in here solves it by itself its even better!

aktech commented 8 months ago

I do not see anything about impersonation.

It's probably not very explicit, as mentioned in the notes above: "All the shared apps, will always be running as the user who created the app."

Do I correctly assume that users visiting shared apps will still be able to act as the author of the shared app and their activity will be logged as that person (rather as themselves?)

Yes correct, regarding the activity logging, I am not sure will have be check JupyterHub's sharing docs.

My understanding was that using "collaborative users" is required to solve impersonation, but if the proposal in here solves it by itself its even better!

We're not solving impersonation (as in shared notebook apps) yet, as that's beyond the scope. The main use case of app sharing is to share panel, streamlit, bokeh, custom, etc apps and not jupyter notebook server. What we saw in #110 was consequence of #138, the original intention was never to share notebook server/app (even though it is possible to do so by creating a custom jupyter notebook server app and sharing that).

When we are sharing panel, streamlit types apps the user with whom the app is shared is actually indeed impersonating in the sense that those apps have access to the original author's data (home directory in Nebari).

aktech commented 8 months ago

Do we want the ability to control this at the group level as well? Or is that a v2.0 implementation?

All permissions will be configurable at user as well as group level, made it explicit now.

aktech commented 8 months ago

As per @dharhas

Unless someone is an admin they will only be able to share to people in the groups they belong to Non admins should not be able to share to an individual who is not in a common group with them.

I was thinking that someone in non-admin group can potentially have permissions (granted explicitly) to share in a group other than the group they are present in, like say

Say superadmin and admin both are able to share apps to people in any group and say developer can have permission to share to people in analyst group.

dharhas commented 8 months ago

Actually, we need to move away from overarching groups like developer, analyst etc. And moves to groups and roles within groups.

Let's take an example of a user called Mary. Mary belongs to three groups - research, data-science and project-orion

Mary has app sharing permission in the research and data-science groups but does not have permission to share apps in the project-orion group.

When she chooses to share an app she will be able to select any combination of the following.

She should not be able to share with:

From the UI/UX pov, the backend will make available the available groups that can be shared with and probably a way to search for individuals. The exact logic of fetching those lists will be in the backend.

aktech commented 7 months ago

Actually, we need to move away from overarching groups like developer, analyst etc.

This is beyond the scope of this ticket, the relevant issue is: https://github.com/nebari-dev/nebari/issues/2304 The groups I mentioned in the example are only for demonstration purpose, not implying them as the ones we're going to have them.

And moves to groups and roles within groups.

Same, the implementation for this will be proposed in https://github.com/nebari-dev/nebari/issues/2304

Your example seems to be echoing what I said in the above comment (ignore the group names and assume all permissions are explicitly specified as in a group/individual is explicitly given permission to share in a group)

From the UI/UX pov, the backend will make available the available groups that can be shared with and probably a way to search for individuals. The exact logic of fetching those lists will be in the backend.

Yes correct, see 4th todo in the "Implementation Steps / Tasks" section in the issue description.