From daecbcf37497b1b8b4e3f0f52667ababf3c023ad Mon Sep 17 00:00:00 2001
From: Christopher Ostrouchov
Date: Mon, 10 Apr 2023 16:57:55 -0400
Subject: [PATCH] Adding newest conda-store 0.4.14 along with superadmin credentials (#1701)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
---
 nebari/constants.py | 2 +-
 nebari/stages/input_vars.py | 3 +-
 .../permissions.tf | 48 +++++++++++++++++++
 .../07-kubernetes-services/conda-store.tf | 2 +-
 .../conda-store/config/conda_store_config.py | 16 ++++++-
 .../kubernetes/services/conda-store/server.tf | 7 +-
 6 files changed, 71 insertions(+), 7 deletions(-)
 create mode 100644 nebari/template/stages/06-kubernetes-keycloak-configuration/permissions.tf

diff --git a/nebari/constants.py b/nebari/constants.py
index 4f47aee792..1fb8c8ba59 100644
--- a/nebari/constants.py
+++ b/nebari/constants.py
@@ -8,6 +8,6 @@
 DEFAULT_NEBARI_DASK_VERSION = "2023.1.1"
 DEFAULT_NEBARI_IMAGE_TAG = "2023.1.1"
-DEFAULT_CONDA_STORE_IMAGE_TAG = "v0.4.12"
+DEFAULT_CONDA_STORE_IMAGE_TAG = "v0.4.14"
 LATEST_SUPPORTED_PYTHON_VERSION = "3.10"
diff --git a/nebari/stages/input_vars.py b/nebari/stages/input_vars.py
index dbaf92e95f..6b8a1d388b 100644
--- a/nebari/stages/input_vars.py
+++ b/nebari/stages/input_vars.py
@@ -240,7 +240,8 @@ def stage_06_kubernetes_keycloak_configuration(stage_outputs, config):
 .get("keycloak", {})
 .get("realm_display_name", realm_id),
 "authentication": config["security"]["authentication"],
- "keycloak_groups": ["admin", "developer", "analyst"] + users_group,
+ "keycloak_groups": ["superadmin", "admin", "developer", "analyst"]
+ + users_group,
 "default_groups": ["analyst"] + users_group,
 }
diff --git a/nebari/template/stages/06-kubernetes-keycloak-configuration/permissions.tf b/nebari/template/stages/06-kubernetes-keycloak-configuration/permissions.tf
new file mode 100644
index 0000000000..cce54d0720
--- /dev/null
+++ b/nebari/template/stages/06-kubernetes-keycloak-configuration/permissions.tf
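Review bot: The new `superadmin` entry in `keycloak_groups` reads like a fourth ordinary group, but nothing at this site records why it exists or that it is far more sensitive than `admin`; the realm-level privilege it carries is bound elsewhere in the same commit (the stage 06 `permissions.tf`). A one-line comment above the list would help, e.g. `# "superadmin" is bound to the Keycloak realm-admin role in 06-kubernetes-keycloak-configuration/permissions.tf; keep its membership minimal`. `default_groups` stays `["analyst"] + users_group`, so new users are not placed in the new group, which looks right. The enclosing `stage_06_kubernetes_keycloak_configuration` function starts and ends outside the hunk.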
@@ -0,0 +1,48 @@
+data "keycloak_openid_client" "realm_management" {
+ realm_id = keycloak_realm.main.id
+ client_id = "realm-management"
+}
+
+data "keycloak_role" "manage-users" {
+ realm_id = keycloak_realm.main.id
+ client_id = data.keycloak_openid_client.realm_management.id
+ name = "manage-users"
+}
+
+data "keycloak_role" "query-users" {
+ realm_id = keycloak_realm.main.id
+ client_id = data.keycloak_openid_client.realm_management.id
+ name = "query-users"
+}
+
+data "keycloak_role" "query-groups" {
+ realm_id = keycloak_realm.main.id
+ client_id = data.keycloak_openid_client.realm_management.id
+ name = "query-groups"
+}
+
+data "keycloak_role" "realm-admin" {
+ realm_id = keycloak_realm.main.id
+ client_id = data.keycloak_openid_client.realm_management.id
+ name = "realm-admin"
+}
+
+resource "keycloak_group_roles" "admin_roles" {
+ realm_id = keycloak_realm.main.id
+ group_id = keycloak_group.groups["admin"].id
+ role_ids = [
+ data.keycloak_role.query-users.id,
+ data.keycloak_role.query-groups.id,
+ data.keycloak_role.manage-users.id
+ ]
+
+ exhaustive = false
+}
+
+resource "keycloak_group_roles" "superadmin_roles" {
+ realm_id = keycloak_realm.main.id
+ group_id = keycloak_group.groups["superadmin"].id
+ role_ids = [data.keycloak_role.realm-admin.id]
+
+ exhaustive = false
+}
diff --git a/nebari/template/stages/07-kubernetes-services/conda-store.tf b/nebari/template/stages/07-kubernetes-services/conda-store.tf
index a93f30eabf..330901ec13 100644
--- a/nebari/template/stages/07-kubernetes-services/conda-store.tf
+++ b/nebari/template/stages/07-kubernetes-services/conda-store.tf
@@ -36,7 +36,7 @@ variable "conda-store-image" {
 variable "conda-store-image-tag" {
 description = "Version of conda-store to use"
 type = string
- default = "v0.4.12"
+ default = "v0.4.14"
 }
 
 # ====================== RESOURCES =======================
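Review bot: `admin_roles` grants the `admin` group the `manage-users` client role while `superadmin_roles` grants `superadmin` the composite `realm-admin` role; in Keycloak, `manage-users` is generally understood to cover editing a user's group membership, so unless fine-grained admin permissions are configured elsewhere, an `admin` member can presumably place an account into the `superadmin` group and inherit realm-admin — confirm that this escalation path is intended or scope the grant more narrowly. Both resources set `exhaustive = false`, which leaves role mappings assigned outside Terraform in place instead of reconciling them; if that is deliberate, record it with `# exhaustive = false: role mappings granted by hand in the Keycloak admin console are preserved, not reverted on apply`, otherwise `exhaustive = true` makes such drift visible in the plan. The five `data` blocks use hyphenated names (`manage-users`, `realm-admin`) which Terraform accepts but most style guides spell with underscores, matching `admin_roles` and `superadmin_roles` below. The file is new and fully contained in the hunk.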
diff --git a/nebari/template/stages/07-kubernetes-services/modules/kubernetes/services/conda-store/config/conda_store_config.py b/nebari/template/stages/07-kubernetes-services/modules/kubernetes/services/conda-store/config/conda_store_config.py
index bef11f492a..dda59ae95f 100644
--- a/nebari/template/stages/07-kubernetes-services/modules/kubernetes/services/conda-store/config/conda_store_config.py
+++ b/nebari/template/stages/07-kubernetes-services/modules/kubernetes/services/conda-store/config/conda_store_config.py
@@ -43,6 +43,12 @@ def conda_store_config(path="/var/lib/conda-store/config.json"):
 
 c.CondaStore.default_namespace = "global"
 c.CondaStore.filesystem_namespace = config["default-namespace"]
+c.CondaStore.conda_allowed_channels = [] # allow all channels
+c.CondaStore.conda_indexed_channels = [
+ "main",
+ "conda-forge",
+ "https://repo.anaconda.com/pkgs/main",
+]
 
 # ==================================
 # server settings
@@ -93,6 +99,15 @@ async def authenticate(self, request):
 response.raise_for_status()
 user_data = response.json()
 
+ username = user_data["preferred_username"]
+
+ # superadmin gets access to everything
+ if "conda_store_superadmin" in user_data.get("roles", []):
+ return schema.AuthenticationToken(
+ primary_namespace=username,
+ role_bindings={"*/*": {"admin"}},
+ )
+
 role_mappings = {
 "conda_store_admin": "admin",
 "conda_store_developer": "developer",
@@ -103,7 +118,6 @@ async def authenticate(self, request):
 for role in user_data.get("roles", [])
 if role in role_mappings
 }
- username = user_data["preferred_username"]
 default_namespace = config["default-namespace"]
 namespaces = {username, "global", default_namespace}
 role_bindings = {
diff --git a/nebari/template/stages/07-kubernetes-services/modules/kubernetes/services/conda-store/server.tf b/nebari/template/stages/07-kubernetes-services/modules/kubernetes/services/conda-store/server.tf
index d88e8853d8..ec9e4f73b5 100644
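Review bot: `c.CondaStore.conda_allowed_channels = []` is annotated `# allow all channels`, so, if an empty list does disable the allow-list as the comment says, users can build environments from any channel or URL they name, which widens the package supply-chain surface for every namespace including `global`; that is a policy decision worth stating explicitly and, like `filesystem_namespace` two lines up, worth sourcing from `config` rather than hard-coding. `conda_indexed_channels` lists both `main` and `https://repo.anaconda.com/pkgs/main`, which appear to refer to the same Anaconda channel — confirm whether conda-store treats them as distinct or one entry is redundant. A short comment above the block describing what each of the two settings controls would also help, since their names are easy to confuse. These assignments appear to be module-level; the `conda_store_config` in the hunk header is only the nearest preceding definition.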
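Review bot: The new superadmin branch and the existing mapping loop each call `user_data.get("roles", [])`, so the role claim is read twice with the same default; binding it once, `roles = user_data.get("roles", [])`, and using `roles` in both the `in` test and the comprehension keeps the two lookups from drifting apart. The comment `# superadmin gets access to everything` understates `role_bindings={"*/*": {"admin"}}`, which is an admin binding over every namespace and every environment that bypasses the per-namespace bindings built below; a comment naming the source of that trust, `# conda_store_superadmin comes from the Keycloak "superadmin" group (see server.tf role_mapping); admin on every namespace/environment`, would make the boundary explicit. Moving `username = user_data["preferred_username"]` above the early return is consistent with the third hunk, which removes the old assignment. `authenticate` begins before this hunk and continues past the last one.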
--- a/nebari/template/stages/07-kubernetes-services/modules/kubernetes/services/conda-store/server.tf
+++ b/nebari/template/stages/07-kubernetes-services/modules/kubernetes/services/conda-store/server.tf
@@ -55,9 +55,10 @@ module "conda-store-openid-client" {
 client_id = "conda_store"
 external-url = var.external-url
 role_mapping = {
- "admin" = ["conda_store_admin"]
- "developer" = ["conda_store_developer"]
- "analyst" = ["conda_store_developer"]
+ "superadmin" = ["conda_store_superadmin"]
+ "admin" = ["conda_store_admin"]
+ "developer" = ["conda_store_developer"]
+ "analyst" = ["conda_store_developer"]
 }
 callback-url-paths = [
 "https://${var.external-url}/conda-store/oauth_callback"
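Review bot: `role_mapping` keeps `"analyst" = ["conda_store_developer"]`, the same conda-store role as `developer`, so two Keycloak groups collapse to one conda-store role while a third, `superadmin`, is newly distinguished; the pre-existing mapping is unchanged by this commit but sits unexplained next to the new line, so a comment such as `# analyst intentionally shares conda_store_developer` is warranted if that is intentional. The new `superadmin` mapping is what `conda_store_config.py` turns into an admin binding on `*/*`, the most privileged entry in this block, and deserves its own note such as `# conda_store_superadmin: admin on every conda-store namespace/environment`. The `conda-store-openid-client` module block starts and ends outside the hunk.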