nebari-dev / nebari

🪴 Nebari - your open source data science platform
https://nebari.dev
BSD 3-Clause "New" or "Revised" License

[BUG] - Defining invalid roles in keycloak prevents JupyterHub spawn #2487

Open krassowski opened 4 months ago

krassowski commented 4 months ago

Describe the bug

Defining an invalid role in Keycloak may prevent JupyterHub from spawning:

    jupyterhub.roles.InvalidNameError: Invalid role name: 'xx'. Role names must:
     - be 3-255 characters
     - contain only lowercase ascii letters, numbers, and URL unreserved special characters '-.~_'
     - start with a letter
     - end with letter or number

Expected behavior

Either:

OS and architecture in which you are running Nebari

-

How to Reproduce the problem?

Create a role xx

Command output

No response

Versions and dependencies used.

No response

Compute environment

None

Integrations

No response

Anything else?

No response

Adam-D-Lewis commented 4 months ago

It seems like we could possibly do some type of conversion from keycloak roles to jupyterhub roles similar to what we do in https://www.nebari.dev/docs/tutorials/argo-workflows-walkthrough#workflow-labels though that causes some other issues in that 2 different keycloak roles can be mapped to the same jupyterhub role. I think we are planning on creating all the default keycloak/jupyterhub roles in Nebari so it seems like this is mostly an issue for Nebari developers. Is there any other use case you can think of @krassowski for creating keycloak roles for the jupyterhub client?

I wouldn't be opposed to some docs being added about this limitation.

krassowski commented 4 months ago

> think we are planning on creating all the default keycloak/jupyterhub roles in Nebari so it seems like this is mostly an issue for Nebari developers. Is there any other use case you can think of @krassowski for creating a keycloak roles for the jupyterhub client?

This affects all roles created via keycloak as all of these are currently reflected in JupyterHub. Since any root user with access to the keycloak console can create a role in keycloak, any one of them can inadvertently break the deployment, which will be true even when we have predefined roles. Also, for larger deployments I imagine the predefined roles will not be sufficient as admins will want to assign roles to groups of users.
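
Added example, not part of the issue thread and not Nebari or JupyterHub code: one way to keep a single badly named Keycloak role from stopping the hub is to check each name against the rules quoted in the `InvalidNameError` message before it is handed to JupyterHub, and to skip and report the ones that fail. The function names and the sample role list are hypothetical; where such a check would sit in Nebari's role sync is an assumption.

```python
import re


def role_name_problems(name):
    """Return the rules from the InvalidNameError message that `name` breaks.

    The four checks are written from the message text quoted in the issue,
    not copied from JupyterHub's own validator.
    """
    problems = []
    if not 3 <= len(name) <= 255:
        problems.append("must be 3-255 characters")
    if re.search(r"[^a-z0-9\-.~_]", name):
        problems.append("only lowercase ascii letters, numbers and '-.~_'")
    if not re.match(r"[a-z]", name):
        problems.append("must start with a letter")
    if not re.search(r"[a-z0-9]\Z", name):
        problems.append("must end with letter or number")
    return problems


def split_keycloak_roles(role_names):
    """Partition role names into (accepted, rejected) instead of raising.

    `rejected` maps each bad name to the rules it breaks, so the caller can
    log it for the Keycloak admin while the remaining roles are still synced.
    """
    accepted, rejected = [], {}
    for name in role_names:
        problems = role_name_problems(name)
        if problems:
            rejected[name] = problems
        else:
            accepted.append(name)
    return accepted, rejected


# Constructed sample input standing in for role names read from Keycloak.
SAMPLE_ROLES = ["xx", "project-analysts", "Data Scientists", "dev_",
                "9lives", "gpu.large"]

if __name__ == "__main__":
    ok, bad = split_keycloak_roles(SAMPLE_ROLES)
    print("synced:", ok)
    for name, why in bad.items():
        print(f"skipped {name!r}: {'; '.join(why)}")
```

Skipping keeps the mapping between Keycloak and JupyterHub role names one-to-one, which a rename-based conversion would not guarantee, as noted in the thread.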