Skip to content

Commit

Permalink
Fetch correct cluster admin list for the notebook controller admin panel
Browse files Browse the repository at this point in the history
  • Loading branch information
DaoDaoNoCode committed Dec 6, 2024
1 parent 966c055 commit 7844f27
Show file tree
Hide file tree
Showing 2 changed files with 36 additions and 4 deletions.
5 changes: 5 additions & 0 deletions backend/src/types.ts
Original file line number Diff line number Diff line change
Expand Up @@ -1254,3 +1254,8 @@ export type NIMAccountKind = K8sResourceCommon & {
conditions?: K8sCondition[];
};
};

export type ResourceAccessReviewResponse = {
groups?: string[];
users?: string[];
};
35 changes: 31 additions & 4 deletions backend/src/utils/adminUtils.ts
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,10 @@ import {
V1ClusterRoleBinding,
V1ClusterRoleBindingList,
} from '@kubernetes/client-node';
import { KubeFastifyInstance } from '../types';
import { KubeFastifyInstance, ResourceAccessReviewResponse } from '../types';
import { getAdminGroups, getAllGroupsByUser, getAllowedGroups, getGroup } from './groupsUtils';
import { flatten, uniq } from 'lodash';
import { getNamespaces } from '../utils/notebookUtils';

const SYSTEM_AUTHENTICATED = 'system:authenticated';
/** Usernames with invalid characters can start with `b64:` to keep their unwanted characters */
Expand All @@ -14,10 +15,11 @@ export const KUBE_SAFE_PREFIX = 'b64:';
const getGroupUserList = async (
fastify: KubeFastifyInstance,
groupListNames: string[],
additionalUsers: string[] = [],
): Promise<string[]> => {
const customObjectApi = fastify.kube.customObjectsApi;
return Promise.all(groupListNames.map((group) => getGroup(customObjectApi, group))).then(
(usersPerGroup: string[][]) => uniq(flatten(usersPerGroup)),
(usersPerGroup: string[][]) => uniq([...flatten(usersPerGroup), ...additionalUsers]),
);
};

Expand All @@ -26,8 +28,33 @@ export const getAdminUserList = async (fastify: KubeFastifyInstance): Promise<st
const adminGroupsList = adminGroups
.split(',')
.filter((groupName) => groupName && !groupName.startsWith('system:')); // Handle edge-cases and ignore k8s defaults
adminGroupsList.push('cluster-admins');
return getGroupUserList(fastify, adminGroupsList);

// fetch all the users and groups who have cluster-admin role and put them into the admin user list
const { notebookNamespace } = getNamespaces(fastify);
const clusterAdminUsersAndGroups = await fastify.kube.customObjectsApi
// This is not actually fetching all the groups who have admin access to the notebook resources
// But only the cluster admins
// The "*" in the verb field is more like a placeholder
.createClusterCustomObject('authorization.openshift.io', 'v1', 'resourceaccessreviews', {
resource: 'notebooks',
resourceAPIGroup: 'kubeflow.org',
resourceAPIVersion: 'v1',
verb: '*',
namespace: notebookNamespace,
})
.then((rar) => rar.body as ResourceAccessReviewResponse)
.catch((e) => {
fastify.log.error(`Failure to fetch cluster admin users and groups: ${e.response.body}`);
return { users: [], groups: [] };
});
const clusterAdminUsers = clusterAdminUsersAndGroups.users || [];
const clusterAdminGroups = clusterAdminUsersAndGroups.groups || [];
const filteredClusterAdminGroups = clusterAdminGroups.filter(
(group) => !group.startsWith('system:') && !adminGroupsList.includes(group),
);
const filteredClusterAdminUsers = clusterAdminUsers.filter((user) => !user.startsWith('system:'));
adminGroupsList.push(...filteredClusterAdminGroups);
return getGroupUserList(fastify, adminGroupsList, filteredClusterAdminUsers);
};

export const getAllowedUserList = async (fastify: KubeFastifyInstance): Promise<string[]> => {
Expand Down

0 comments on commit 7844f27

Please sign in to comment.