Only show cluster admins with notebooks

DaoDaoNoCode · Dec 6, 2024 · 2386efb · 2386efb
1 parent 7844f27
commit 2386efb
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 5 deletions.
diff --git a/backend/src/routes/api/status/adminAllowedUsers.ts b/backend/src/routes/api/status/adminAllowedUsers.ts
@@ -4,6 +4,7 @@ import { getUserInfo } from '../../../utils/userUtils';
 import {
   getAdminUserList,
   getAllowedUserList,
+  getClusterAdminUserList,
   isUserAdmin,
   KUBE_SAFE_PREFIX,
 } from '../../../utils/adminUtils';
@@ -77,22 +78,34 @@ export const getAllowedUsers = async (
     return [];
   }
 
+  const activityMap = await getUserActivityFromNotebook(fastify, namespace);
+
+  const withNotebookUsers = Object.keys(activityMap);
   const adminUsers = await getAdminUserList(fastify);
   const allowedUsers = await getAllowedUserList(fastify);
-  const activityMap = await getUserActivityFromNotebook(fastify, namespace);
+  // get cluster admins that have a notebook
+  const clusterAdminUsers = (await getClusterAdminUserList(fastify)).filter((user) =>
+    withNotebookUsers.includes(user),
+  );
 
   const usersWithNotebooksMap: AllowedUserMap = convertUserListToMap(
-    Object.keys(activityMap),
+    withNotebookUsers,
     'User',
     activityMap,
   );
   const allowedUsersMap: AllowedUserMap = convertUserListToMap(allowedUsers, 'User', activityMap);
   const adminUsersMap: AllowedUserMap = convertUserListToMap(adminUsers, 'Admin', activityMap);
+  const clusterAdminUsersMap: AllowedUserMap = convertUserListToMap(
+    clusterAdminUsers,
+    'Admin',
+    activityMap,
+  );
 
   const returnUsers: AllowedUserMap = {
     ...usersWithNotebooksMap,
     ...allowedUsersMap,
     ...adminUsersMap,
+    ...clusterAdminUsersMap,
   };
   return Object.values(returnUsers);
 };
diff --git a/backend/src/utils/adminUtils.ts b/backend/src/utils/adminUtils.ts
@@ -29,6 +29,10 @@ export const getAdminUserList = async (fastify: KubeFastifyInstance): Promise<st
     .split(',')
     .filter((groupName) => groupName && !groupName.startsWith('system:')); // Handle edge-cases and ignore k8s defaults
 
+  return getGroupUserList(fastify, adminGroupsList);
+};
+
+export const getClusterAdminUserList = async (fastify: KubeFastifyInstance): Promise<string[]> => {
   // fetch all the users and groups who have cluster-admin role and put them into the admin user list
   const { notebookNamespace } = getNamespaces(fastify);
   const clusterAdminUsersAndGroups = await fastify.kube.customObjectsApi
@@ -50,11 +54,10 @@ export const getAdminUserList = async (fastify: KubeFastifyInstance): Promise<st
   const clusterAdminUsers = clusterAdminUsersAndGroups.users || [];
   const clusterAdminGroups = clusterAdminUsersAndGroups.groups || [];
   const filteredClusterAdminGroups = clusterAdminGroups.filter(
-    (group) => !group.startsWith('system:') && !adminGroupsList.includes(group),
+    (group) => !group.startsWith('system:'),
   );
   const filteredClusterAdminUsers = clusterAdminUsers.filter((user) => !user.startsWith('system:'));
-  adminGroupsList.push(...filteredClusterAdminGroups);
-  return getGroupUserList(fastify, adminGroupsList, filteredClusterAdminUsers);
+  return getGroupUserList(fastify, filteredClusterAdminGroups, filteredClusterAdminUsers);
 };
 
 export const getAllowedUserList = async (fastify: KubeFastifyInstance): Promise<string[]> => {