5:53 p.m.
Hi All,
Here is an interesting scenario I am looking to set up.
I have an instance of ODH that I have modified to user Azure AD, rather
than OpenShift. The use case is that the process here for getting an
OpenShift login can be a little time-consuming, and Azure AD is integrated
with their on-prem AD so it's just all-around smoother.
Anyway, users are creating Notebook images that only certain users should
have access to. They would come pre-installed with certain ipynb files that
only particular AD Groups can use. The notebooks in this case function as
applications.
I would like to have a single hub, but different users should have access
to different sets of images, restricted by the AD group they are a part of.
I can think of two ways of handling this:
1. Restrict the list of images the user is able to see when at the
'spawn' page
2. Restrict the startup of the notebook server itself to users of a
particular AD Group
I am guessing there hasn't been much work by the ODH team with Azure
integration since the product is meant to work with OpenShift OAuth, but I
am wondering, has anyone worked on generally restricting access to certain
notebook images on a per-user or per-group basis, using whitelisting or
some other means?
Thanks,
Alex
3:12 a.m.
Hi Alex,
No we have not looked into this, but it is definitely interesting use case.
My way around it would be, as you described, to limit the list of images
based on a group somehow - images are loaded from image streams in ODH, and
the image streak can have labels and annotations and you could filter based
on that - something like:
annotatons:
io.opendatahub/azuread.group: foo
Where "foo" is the group name and just add a condition to the form
generation in jupyterhub_config.py
It could also make sense to do it more systematically and add this to the
jupyterhub-singleuser-profiles where you could provide a callback for
filtering the list of images and the callback would be your function doing
the filtering based on the Azure AD group. This way we could potentially
reuse it for OpenShift groups or generally any filtering in the future.
What do you think?
Cheers,
V.
On Tue, Apr 16, 2019 at 1:09 AM Alexander Feiszli <afeiszli(a)redhat.com>
wrote:
Hi All,
Here is an interesting scenario I am looking to set up.
I have an instance of ODH that I have modified to user Azure AD, rather
than OpenShift. The use case is that the process here for getting an
OpenShift login can be a little time-consuming, and Azure AD is integrated
with their on-prem AD so it's just all-around smoother.
Anyway, users are creating Notebook images that only certain users should
have access to. They would come pre-installed with certain ipynb files that
only particular AD Groups can use. The notebooks in this case function as
applications.
I would like to have a single hub, but different users should have access
to different sets of images, restricted by the AD group they are a part of.
I can think of two ways of handling this:
1. Restrict the list of images the user is able to see when at the
'spawn' page
2. Restrict the startup of the notebook server itself to users of a
particular AD Group
I am guessing there hasn't been much work by the ODH team with Azure
integration since the product is meant to work with OpenShift OAuth, but I
am wondering, has anyone worked on generally restricting access to certain
notebook images on a per-user or per-group basis, using whitelisting or
some other means?
Thanks,
Alex
_______________________________________________
Contributors mailing list -- contributors(a)lists.opendatahub.io
To unsubscribe send an email to contributors-leave(a)lists.opendatahub.io
--
AI CoE, Office of CTO, Red Hat
Brno, Czech Republic
Phone: +420 739 666 824
1834
days inactive
1835
days old
contributors@lists.opendatahub.io
1 comments
2 participants
participants (2)
-
Alexander Feiszli -
Václav Pavlín