User Authorization and Profile Management¶
Learn how to manage profiles and assign users to them in deployKF.
Related Guides
Users are identified and selected into profiles by an email-like string which is verified by the authentication system. Before reading this guide, you may want to define static user credentials or connect with an external identity provider.
Introduction¶
A deployKF profile has a 1:1 relationship with a Kubernetes namespace. The profiles which users are members of determine their level of access to resources/tools in the cluster.
The core entities of the profile system are:
| Entity | Description |
|---|---|
| User | User entities are identified by email address, and may be assigned to groups or profiles. |
| Group | Group entities are logical collections of users, and may be assigned to profiles. |
| Profile | Profiles define the access level for the users/groups assigned to them. |
No Profile = No Access
If a user is not a member of any profiles, they will NOT have any access, even though they may be able to log in.
User Entities¶
The `deploykf_core.deploykf_profiles_generator.users` value defines "user" entities.
Email Address
Users are identified by the email address which is provided by the identity provider or static account. This means that each email must be unique and only associated with a single `id`.
For example, you might use the following values to define three users:
```yaml
deploykf_core:
  deploykf_profiles_generator:
    users:
      - id: user-1
        email: "user1@example.com"
      - id: user-2
        email: "user2@example.com"
      - id: user-3
        email: "user3@example.com"
```
Group Entities¶
The `deploykf_core.deploykf_profiles_generator.groups` value defines "group" entities, which are logical collections of "user" entities.
Groups from Identity Providers
Currently, deployKF can NOT use any groups sent by your external identity provider. You must manually define the groups and their members in the `deploykf_profiles_generator` values.
For example, you might use the following values to define two groups:
```yaml
deploykf_core:
  deploykf_profiles_generator:
    groups:
      - id: team-1--admins
        users:
          - user-1
      - id: team-1--users
        users:
          - user-1
          - user-2
          - user-3
```
Profile Definitions¶
The `deploykf_core.deploykf_profiles_generator.profiles` value defines the profiles (namespaces) to create, and the groups/users to assign to them.
Highest Level of Access
If a user has multiple memberships in the same profile, the highest level of access will be used.
Use Profile Generator Only
You must ONLY use the `deploykf_core.deploykf_profiles_generator` values to manage profile definitions or user assignments. Any manual changes using the UI or other manifests will result in undefined behaviour.
For example, you might use the following values to define two profiles:
```yaml
deploykf_core:
  deploykf_profiles_generator:
    profiles:
      - name: team-1
        members:
          - group: team-1--users
            access:
              role: edit
              notebooksAccess: true
      - name: team-1-prod
        members:
          - group: team-1--admins
            access:
              role: edit
              notebooksAccess: true
          - group: team-1--users
            access:
              role: view
              notebooksAccess: false
```
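To see what these values actually grant, the following added example (not deployKF's own code) resolves the effective access of every user in every profile, applying the "highest level of access" rule from above, and lists users who belong to no profile and therefore get no access. It assumes roles rank `view` below `edit`, that `notebooksAccess` is granted when any membership grants it, and that a member entry names either a group (`group:`) or a single user (`user:`); the values are constructed to mirror this page's examples plus one unassigned user.

```python
# Added example, not deployKF's own code. Assumed: view < edit; notebooksAccess
# is true if any membership in the profile grants it; members use `group:` or `user:`.
ROLE_RANK = {"view": 1, "edit": 2}

# Constructed values mirroring this page's examples, plus user-4 who is in no group.
VALUES = {
    "users": [{"id": f"user-{i}", "email": f"user{i}@example.com"} for i in (1, 2, 3, 4)],
    "groups": [
        {"id": "team-1--admins", "users": ["user-1"]},
        {"id": "team-1--users", "users": ["user-1", "user-2", "user-3"]},
    ],
    "profiles": [
        {"name": "team-1", "members": [
            {"group": "team-1--users", "access": {"role": "edit", "notebooksAccess": True}},
        ]},
        {"name": "team-1-prod", "members": [
            {"group": "team-1--admins", "access": {"role": "edit", "notebooksAccess": True}},
            {"group": "team-1--users", "access": {"role": "view", "notebooksAccess": False}},
        ]},
    ],
}


def effective_access(values):
    """Return {user_id: {profile_name: {"role": ..., "notebooksAccess": ...}}}."""
    groups = {g["id"]: list(g.get("users", [])) for g in values.get("groups", [])}
    access = {u["id"]: {} for u in values.get("users", [])}
    for profile in values.get("profiles", []):
        for member in profile.get("members", []):
            user_ids = [member["user"]] if "user" in member else groups.get(member["group"], [])
            granted = member["access"]
            for uid in user_ids:
                current = access.setdefault(uid, {}).get(profile["name"])
                if current is None:
                    access[uid][profile["name"]] = dict(granted)
                    continue
                # Multiple memberships in one profile: keep the highest role and
                # grant notebook access if either membership grants it.
                if ROLE_RANK[granted["role"]] > ROLE_RANK[current["role"]]:
                    current["role"] = granted["role"]
                current["notebooksAccess"] = current["notebooksAccess"] or granted["notebooksAccess"]
    return access


def users_without_profile(values):
    """Users who may be able to log in but are members of no profile (no access)."""
    return sorted(uid for uid, profiles in effective_access(values).items() if not profiles)


if __name__ == "__main__":
    for uid, profiles in effective_access(VALUES).items():
        print(uid, profiles or "NO PROFILE -> NO ACCESS")
```

Running this on the page's values shows `user-1` ends up with `edit` in `team-1-prod` despite also matching the `view` membership, and `user-4` is reported as having no access at all.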
Profile Owners
DO NOT set or change the owner of any profile:
- It is NEVER necessary to be an owner of a profile: being an owner grants no useful permissions and actually prevents you from accessing the MinIO and Argo Server UIs.
- It is NOT possible to change the owner of a profile once it is created (kubeflow/kubeflow#6576).
- By default, "admin@example.com" is the "owner" of all profiles; we recommend that you leave the default owner as admin@example.com.
In a future release, any email which is the owner of a profile will be blocked from logging in. Until then, we recommend you remove the `deploykf_core.deploykf_auth.dex.staticPasswords` entry for "admin@example.com", so it can never be used to log in.
Created: 2023-08-16