[META] - Review and Update permissions docs around available services on Nebari

[viniciusdc]

Preliminary Checks

• [X] This issue is not a question, feature request, RFC, or anything other than a bug report. Please post those things in GitHub Discussions: https://github.com/nebari-dev/nebari/discussions

Summary

After the recent update on how permissions are consumed from Keycloak resources to each service, we must ensure our documentation is clear and current.

• [ ] #509

Steps to Resolve this Issue

1. Review current permissions logic
2. Update relevant notes ...

[kcpevey]

Some permission settings I'd be interested to learn about:

• conda-store
  • how do I give a user permission to read/write environments per group?
  • what is the conda-store specific equivalent of the current super-admin access - i.e. able to view and edit everything
• jupyter-scheduler
  • Permissions reqd to use it (can submit jobs)
  • permissions reqd for admins (can delete others' jobs)
• argo
  • Permissions reqd to use it (can submit jobs)
  • permissions reqd for admins (can delete others' jobs)
• dask
  • permissions reqd to use it
• jhub-apps
  • permissions required for viewing apps, sharing apps, creating apps, editing other users' apps (i.e. as an admin)

In general, I think we need to use the fine grained permissions to move towards removal of "super admin". To that end, we need to think through all the equivalent permissions required for the individual services.

[dharhas]

Can we also remove the developer and analyst groups.

[viniciusdc]

As of reference, I am also adding our current docs about the matter:

• https://www.nebari.dev/docs/how-tos/configuring-keycloak#in-depth-look-at-roles-and-groups
• https://www.nebari.dev/docs/how-tos/fine-grained-permissions/

[dharhas]

Issues from recent demo.

Adding argo-admin and argo-developer did not enable Jupyter-Scheduler for me, we had to add me to the developer group to give me access.

There is a permission that was required before I could see dashboards that were shared with me. I thin @marcelovilla said it was allow-app_sharing role which seems badly named. Because I don't need to share an app just to see an app that was shared with me.

[viniciusdc]

It seems to be missing a significant factor in our docs regarding a general overview/breakdown of what each permission does and what are their associated roles/scopes:

conda_store_developer
dask_developer
jupyterhub_developer
argo_developer
grafana_developer

[kcpevey]

For jhub-apps deployments: Sharing apps is only added to the admin group by default. In order for non admins to be able to share apps, the user must have the role allow-app-sharing-role. Users with this role can share apps with anyone else. The users viewing the app do not need this role.

The role is under Clients/jupyterhub/Roles/allow-app-sharing-role

Note that the "Create App" form allows you to select sharing options even if you do not have permissions to do so. We are working to disable these options if you don't have proper permissions.