User Authorization and Profile Management

Learn how to manage profiles and assign users to them in deployKF.

Related Guides

Users are identified and selected into profiles by an email-like string which is verified by the authentication system. Before reading this guide, you may want to define static user credentials or connect with an external identity provider.


Introduction

A deployKF profile has a 1:1 relationship with a Kubernetes namespace. The profiles which users are members of determine their level of access to resources/tools in the cluster.

The core entities of the profile system are:

  • User: User entities are identified by email address, and may be assigned to groups or profiles.
  • Group: Group entities are logical collections of users, and may be assigned to profiles.
  • Profile: Profiles define the access level for the users/groups assigned to them.

No Profile = No Access

If a user is not a member of any profiles, they will NOT have any access, even though they may be able to log in.


User Entities

The deploykf_core.deploykf_profiles_generator.users value defines "user" entities.

Email Address

Users are identified by the email address which is provided by the identity provider or static account.

This means that each email must be unique and associated with only a single id.

For example, you might use the following values to define three users:

deploykf_core:
  deploykf_profiles_generator:
    users:
      - id: user-1
        email: "user1@example.com"

      - id: user-2
        email: "user2@example.com"

      - id: user-3
        email: "user3@example.com"

Group Entities

The deploykf_core.deploykf_profiles_generator.groups value defines "group" entities, which are logical collections of "user" entities.

Groups from Identity Providers

Currently, deployKF can NOT use any groups sent by your external identity provider. You must manually define the groups and their members in the deploykf_profiles_generator values.

For example, you might use the following values to define two groups:

deploykf_core:
  deploykf_profiles_generator:
    groups:
      - id: team-1--admins
        users:
          - user-1

      - id: team-1--users
        users:
          - user-1
          - user-2
          - user-3

Profile Definitions

The deploykf_core.deploykf_profiles_generator.profiles value defines the profiles (namespaces) to create, and the groups/users to assign to them.

Highest Level of Access

If a user has multiple memberships in the same profile, the highest level of access will be used.

Use Profile Generator Only

You must ONLY use the deploykf_core.deploykf_profiles_generator values to manage profile definitions or user assignments. Any manual changes using the UI or other manifests will result in undefined behaviour.

For example, you might use the following values to define two profiles:

deploykf_core:
  deploykf_profiles_generator:
    profiles:
      - name: team-1
        members:
          - group: team-1--users
            access:
              role: edit
              notebooksAccess: true

      - name: team-1-prod
        members:
          - group: team-1--admins
            access:
              role: edit
              notebooksAccess: true

          - group: team-1--users
            access:
              role: view
              notebooksAccess: false
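The three value blocks above (users, groups, profiles) are only useful once you can see what they resolve to. The following script is an added example, not deployKF's own code: it applies the rules this guide states (emails must be unique, group membership is defined statically in the values, and a user with several memberships in one profile gets the highest access), reports users who are defined but belong to no profile, and flags references to undefined users or groups. It assumes that "edit" outranks "view" (the only two roles shown on this page) and that a member entry may name a single user with a `user:` key in addition to the `group:` key the examples show; the values are the page's YAML transcribed into a Python dict, plus one constructed user (user-4) who is assigned to nothing.

```python
"""Resolve effective deployKF profile access from deploykf_profiles_generator values.

Added example, not deployKF's own code. Rules implemented, as stated in the guide:
unique emails, statically defined groups, highest access wins within a profile,
and no profile membership means no access.
"""

# Assumption: "edit" outranks "view"; these are the only roles the guide shows.
ROLE_RANK = {"view": 1, "edit": 2}

# Constructed values mirroring the guide's YAML examples, transcribed to a dict.
# user-4 is an extra constructed user who is deliberately assigned to nothing.
VALUES = {
    "users": [
        {"id": "user-1", "email": "user1@example.com"},
        {"id": "user-2", "email": "user2@example.com"},
        {"id": "user-3", "email": "user3@example.com"},
        {"id": "user-4", "email": "user4@example.com"},
    ],
    "groups": [
        {"id": "team-1--admins", "users": ["user-1"]},
        {"id": "team-1--users", "users": ["user-1", "user-2", "user-3"]},
    ],
    "profiles": [
        {"name": "team-1", "members": [
            {"group": "team-1--users", "access": {"role": "edit", "notebooksAccess": True}},
        ]},
        {"name": "team-1-prod", "members": [
            {"group": "team-1--admins", "access": {"role": "edit", "notebooksAccess": True}},
            {"group": "team-1--users", "access": {"role": "view", "notebooksAccess": False}},
        ]},
    ],
}


def validate(values):
    """Return human-readable problems: duplicate emails and dangling references."""
    problems = []
    owner_of_email = {}
    for user in values["users"]:
        email = user["email"].strip().lower()  # compared case-insensitively here
        if email in owner_of_email:
            problems.append(f"email {email!r} is used by both {owner_of_email[email]} and {user['id']}")
        owner_of_email[email] = user["id"]

    user_ids = {u["id"] for u in values["users"]}
    group_ids = {g["id"] for g in values["groups"]}
    for group in values["groups"]:
        for uid in group["users"]:
            if uid not in user_ids:
                problems.append(f"group {group['id']} references unknown user {uid}")
    for profile in values["profiles"]:
        for member in profile["members"]:
            if "group" in member and member["group"] not in group_ids:
                problems.append(f"profile {profile['name']} references unknown group {member['group']}")
            if "user" in member and member["user"] not in user_ids:
                problems.append(f"profile {profile['name']} references unknown user {member['user']}")
    return problems


def effective_access(values):
    """Map profile name -> user id -> (role, notebooksAccess); highest access wins."""
    members_of = {g["id"]: set(g["users"]) for g in values["groups"]}
    access = {}
    for profile in values["profiles"]:
        per_user = access.setdefault(profile["name"], {})
        for member in profile["members"]:
            # A member entry names a group or (assumption) a single user via "user".
            uids = members_of.get(member["group"], set()) if "group" in member else {member["user"]}
            role = member["access"]["role"]
            notebooks = bool(member["access"].get("notebooksAccess", False))
            for uid in uids:
                prev_role, prev_nb = per_user.get(uid, (None, False))
                if prev_role is None or ROLE_RANK[role] > ROLE_RANK[prev_role]:
                    best_role = role
                else:
                    best_role = prev_role
                per_user[uid] = (best_role, prev_nb or notebooks)
    return access


def users_without_access(values):
    """Users defined in the values but in no profile: they may log in but can do nothing."""
    assigned = {uid for members in effective_access(values).values() for uid in members}
    return sorted(u["id"] for u in values["users"] if u["id"] not in assigned)


if __name__ == "__main__":
    for problem in validate(VALUES):
        print("PROBLEM:", problem)
    for profile_name, members in effective_access(VALUES).items():
        for uid, (role, notebooks) in sorted(members.items()):
            print(f"{profile_name}: {uid} -> role={role} notebooks={notebooks}")
    print("users with no profile access:", users_without_access(VALUES))
```

Run it against your own values (after converting them from YAML) before applying them: user-1 resolves to edit access in team-1-prod because the admins membership outranks the view-only users membership, while user-4 shows up as a user who can authenticate but has no profile at all, which is exactly the "No Profile = No Access" case described above.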

Profile Owners

DO NOT set or change the owner of any profile:

  • It is NEVER necessary to be an owner of a profile: being an owner grants no useful permissions and actually prevents you from accessing the MinIO and Argo Server UIs.
  • It is NOT possible to change the owner of a profile once it is created (kubeflow/kubeflow#6576).
  • By default, "admin@example.com" is the "owner" of all profiles; we recommend that you leave the default owner as admin@example.com.

In a future release, any email which is the owner of a profile will be blocked from logging in.
Until then, we recommend you remove the deploykf_core.deploykf_auth.dex.staticPasswords entry for "admin@example.com", so it can never be used to log in.


Last update: 2024-05-10
Created: 2024-05-10