Remove the default 'users' group?
Description
Before Keycloak was added to QHub (now available in main branch), users and groups were specified in the qhub-config.yaml file. Every user had a primary_group key (plus optional secondary_groups). Every QHub installation was expected to have a group named users, and typically every user would be a member of this group. This wasn’t enforced programmatically.
A uid had to be supplied for each user, and a primary gid was important under that system, due to Linux file permissions rules.
The new Keycloak functionality also includes a change that gives every user the name jovyan on the shared NFS disk, so every user has the same uid/gid and all files are owned by that user. Additionally, shared folders are mounted only corresponding to groups the user belongs to, so files can be shared privately amongst group members. (Previously, a shared folder was available for members of each group, but access was managed by Linux permissions.)
The uid and primary gid are now determined by the Docker image for JupyterLab.
As it stands in the new Keycloak functionality, a group named users will always be created, and it is set as a default group so all new Keycloak users will be members of it. Thus, the users folder will be available to everyone.
However, that requires extra configuration to be maintained. And it is no longer essential for users to be a member of at least one group.
My suggestion is to remove the automatic creation of the users group, so it is possible for a user to be a member of no groups.
Existing QHub installations that already have a users group would likely import that group when they upgrade to Keycloak. We would add documentation explaining that it can be set as a ‘default group’ in Keycloak if they want all new users to be added to that group automatically.
Note we would still add the admin group automatically for all QHub installations, new and old.
Value/benefit
This proposal removes unnecessary configuration and the legacy requirement for users to be a member of one group for Linux permissions purposes. For admins, it increases flexibility over groups and file sharing.
Issue Analytics
- Created 2 years ago
- Comments:6 (6 by maintainers)
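The group-to-folder behaviour described in the issue, as an added sketch that is not part of the original issue and is not QHub's code. The /shared root, the /home/jovyan/shared mount target, the group-name allow-list and the function names are assumptions made for illustration; it shows that a user with no groups gets no shared folders, and that a default group gives every user that group's folder.

```python
import re
from pathlib import PurePosixPath

# Assumed layout (not taken from QHub): one directory per group under a shared root.
SHARED_ROOT = PurePosixPath("/shared")
# Assumed allow-list for group names that become a single path component.
_SAFE_GROUP = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def effective_groups(user_groups, default_groups=()):
    """Explicit memberships plus default groups, normalised and de-duplicated.

    Keycloak can report full group paths such as "/users"; the leading slash
    is stripped so "/users" and "users" count as the same group.
    """
    return sorted({g.lstrip("/") for g in (*user_groups, *default_groups)})


def shared_mounts(user_groups, default_groups=()):
    """Return (mounts, rejected) for one user.

    mounts:   (source, target) pairs, one per group the user belongs to.
    rejected: names refused because they are unsafe as a path component
              (for example "../admin" or a nested path like "a/b").
    """
    mounts, rejected = [], []
    for name in effective_groups(user_groups, default_groups):
        if not _SAFE_GROUP.fullmatch(name):
            rejected.append(name)
            continue
        mounts.append((str(SHARED_ROOT / name), f"/home/jovyan/shared/{name}"))
    return mounts, rejected


if __name__ == "__main__":
    # Constructed sample users, not real data.
    print(shared_mounts([]))                            # member of no groups
    print(shared_mounts([], default_groups=["users"]))  # 'users' as default group
    print(shared_mounts(["/analysts", "../admin"]))     # unsafe name is refused
```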
I think that makes some sense, but really it would be more consistent to say that a global shared folder should be implemented as having a group called users that all users are automatically members of! That way all shared folders can be treated the same and it's clear how access is controlled to all of them.
The sum of these ideas would be to make the users group optional and defaulting to off. The point is it would be controlled as a bespoke entry in qhub-config.yaml (where it will not be possible to add other arbitrary groups). And as you suggest, it can be a question in the qhub init process if we think that it is worthwhile to interrupt the flow to ask them. (Command-line flags should also be available of course.)
For migrations from existing QHubs, users should be migrated as a ‘default group’ (i.e. all new users become a member) - that is, we assume that existing QHubs already had this setup and would want to preserve it by default.
It would definitely be best to have an answer to this before 0.4 since it is a natural fit as part of the Keycloak transition.