Hi Alex,

No, we have not looked into this, but it is definitely an interesting use case.

My way around it would be, as you described, to limit the list of images based on a group somehow - images are loaded from image streams in ODH, and the image stream can have labels and annotations and you could filter based on that - something like:

annotations:
 io.opendatahub/azuread.group: foo

Where "foo" is the group name, and just add a condition to the form generation in jupyterhub_config.py.

It could also make sense to do it more systematically and add this to the jupyterhub-singleuser-profiles where you could provide a callback for filtering the list of images and the callback would be your function doing the filtering based on the Azure AD group. This way we could potentially reuse it for OpenShift groups or generally any filtering in the future.

What do you think?

Cheers,
V.

On Tue, Apr 16, 2019 at 1:09 AM Alexander Feiszli <afeiszli@redhat.com> wrote:
Hi All,

Here is an interesting scenario I am looking to set up. 

I have an instance of ODH that I have modified to use Azure AD, rather than OpenShift. The use case is that the process here for getting an OpenShift login can be a little time-consuming, and Azure AD is integrated with their on-prem AD so it's just all-around smoother.

Anyway, users are creating Notebook images that only certain users should have access to. They would come pre-installed with certain ipynb files that only particular AD Groups can use. The notebooks in this case function as applications.

I would like to have a single hub, but different users should have access to different sets of images, restricted by the AD group they are a part of.

I can think of two ways of handling this: 
   1. Restrict the list of images the user is able to see when at the 'spawn' page
   2. Restrict the startup of the notebook server itself to users of a particular AD Group

I am guessing there hasn't been much work by the ODH team with Azure integration since the product is meant to work with OpenShift OAuth, but I am wondering, has anyone worked on generally restricting access to certain notebook images on a per-user or per-group basis, using whitelisting or some other means?

Thanks,
Alex



--
AI CoE, Office of CTO, Red Hat
Brno, Czech Republic
Phone: +420 739 666 824
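
The annotation-based filter callback suggested in the reply, combined with the second option from the original question (refusing the spawn itself), as an added example that is not part of either e-mail and not ODH or jupyterhub-singleuser-profiles code. The function names are hypothetical; it assumes image streams arrive as dicts shaped like ImageStream objects, that the user's group list comes from the Azure AD login, and that unannotated images stay unrestricted.

```python
# Added example: hypothetical helpers, not ODH or jupyterhub-singleuser-profiles code.
GROUP_ANNOTATION = "io.opendatahub/azuread.group"  # annotation key from the thread


def allowed_for(image_stream, user_groups):
    """True if the stream is unrestricted or tagged with one of the user's groups."""
    annotations = image_stream.get("metadata", {}).get("annotations") or {}
    required = annotations.get(GROUP_ANNOTATION)
    if required is None:
        return True  # assumption: unannotated images stay visible to everyone
    return required in set(user_groups)  # an empty or unknown value fails closed


def filter_images(image_streams, user_groups, callback=allowed_for):
    """Names of the image streams the callback admits, for building the spawn form."""
    return [s["metadata"]["name"] for s in image_streams if callback(s, user_groups)]


def validate_spawn(requested_image, image_streams, user_groups, callback=allowed_for):
    """Re-check the submitted image server-side; hiding a form option is not a control."""
    if requested_image not in filter_images(image_streams, user_groups, callback):
        raise PermissionError(f"image {requested_image!r} not permitted for this user")
    return requested_image


# Constructed sample data in the shape of OpenShift ImageStream objects.
SAMPLE_STREAMS = [
    {"metadata": {"name": "minimal-notebook", "annotations": {}}},
    {"metadata": {"name": "finance-app-notebook",
                  "annotations": {GROUP_ANNOTATION: "foo"}}},
    {"metadata": {"name": "hr-app-notebook",
                  "annotations": {GROUP_ANNOTATION: "bar"}}},
]

if __name__ == "__main__":
    groups = ["foo"]  # constructed: groups taken from the user's Azure AD login
    print(filter_images(SAMPLE_STREAMS, groups))
    try:
        validate_spawn("hr-app-notebook", SAMPLE_STREAMS, groups)
    except PermissionError as exc:
        print("rejected:", exc)
```

Filtering the form alone only hides the option: a user can still submit an image name the form never offered, so the same callback has to run again when the spawn request is handled.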