Jupyter spawner web app should use service account delegation to authorize on behalf of user #2271
Comments
/assign @vkoukis at his request. |
cc |
@jlewi I came across this as we are starting to play with multi-user support. |
/assign vkoukis |
/assign kimwnasptd |
I think we can punt for 0.7. I think for 0.6 the web app will just run with a service account which has permission to create notebooks in one or more namespaces. The web app uses the identity access management and service that we are implementing to check whether the specified user should be able to create the notebook in the requested namespace. |
@kunmingg @yanniszark @kimwnasptd Any idea what we should aim to do in 0.7? I can think of at least two options
Are there other options? What are the advantages/disadvantages of these two approaches? |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
@kimwnasptd and @lluunn Could you summarize what the current state is in the jupyter web app? Is there anything else we need to get done for jupyter to be 1.0 ready? |
@kimwnasptd and @lluunn any update? |
The jupyter web app is using subject access reviews right now (PR) so I think we can close this issue. |
Background:
#1995 Replace JupyterHub with a simpler web app that creates Jupyter CR resources
Design doc for multi-user Kubeflow: http://bit.ly/kf_jupyter_design_doc.
The Jupyter spawner web app should authenticate to the K8s master by using user impersonation to act as a service account specific to the user it is acting on behalf of.
This is described in more detail in: http://bit.ly/kf_jupyter_design_doc.
The goal is to ensure the web app doesn't allow users to create notebooks in namespaces if they aren't authorized to do so.
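The two approaches that come up in this thread, user impersonation and subject access reviews, sketched as an added example (not code from this issue or from the Kubeflow code base). The `kubeflow.org`/`notebooks` resource attributes, the sample user and namespaces, and the `fake_review` stand-in for the API server are assumptions made so the check runs offline.

```python
"""Added example: gate notebook creation on a SubjectAccessReview (SAR)."""

NOTEBOOK_GROUP = "kubeflow.org"   # assumption: API group of the Notebook CR
NOTEBOOK_RESOURCE = "notebooks"   # assumption: plural resource name


def build_sar(user, namespace, verb="create", groups=()):
    """Body POSTed to /apis/authorization.k8s.io/v1/subjectaccessreviews."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user,
            "groups": list(groups),
            "resourceAttributes": {
                "namespace": namespace,
                "verb": verb,
                "group": NOTEBOOK_GROUP,
                "resource": NOTEBOOK_RESOURCE,
            },
        },
    }


def impersonation_headers(sa_namespace, sa_name):
    """Headers for the alternative: act as a per-user service account."""
    return {"Impersonate-User": f"system:serviceaccount:{sa_namespace}:{sa_name}"}


def is_allowed(sar_response):
    """Fail closed (a conservative choice): only an explicit, error-free allow passes."""
    status = sar_response.get("status") or {}
    if status.get("evaluationError") or status.get("denied"):
        return False
    return status.get("allowed") is True


def fake_review(sar, grants):
    """Constructed stand-in for the API server's authorizer (offline demo)."""
    spec, attrs = sar["spec"], sar["spec"]["resourceAttributes"]
    key = (spec["user"], attrs["namespace"], attrs["verb"], attrs["resource"])
    return {**sar, "status": {"allowed": key in grants}}


if __name__ == "__main__":
    grants = {("alice@example.com", "team-a", "create", "notebooks")}  # constructed
    for ns in ("team-a", "team-b"):
        sar = build_sar("alice@example.com", ns)
        print(ns, is_allowed(fake_review(sar, grants)))
```

With the SAR approach the web app keeps its own service account and only asks whether the end user may act; with impersonation the create request itself carries the `Impersonate-User` header, so the web app's account needs the `impersonate` verb on that service account.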