Add extraPolicyStatements for embedded MinIO (define user access) #69

Open
thesuperzapper opened this issue Dec 14, 2023 · 0 comments · May be fixed by #68
Labels
kind/enhancement kind - new features or changes priority/low priority - work on this when we get time status/help-wanted status - this needs contributions

Comments

@thesuperzapper
Member

Originally posted by @thesuperzapper in #64 (comment) replying to @Diddy42

While it's a bit dangerous to encourage usage of the embedded MinIO, I am open to accepting a contribution that lets you define extraPolicyStatements, as we don't currently provide a way to extend the policies we automatically generate for each user defined in deploykf_core.deploykf_profiles_generator.users.

For example, we could add a value like deploykf_opt.deploykf_minio.extraPolicyStatements:

deploykf_opt:
  deploykf_minio:

    ## a list of extra policy statements to add to the default policy
    ## generated for each user in `deploykf_core.deploykf_profiles_generator.users`
    extraPolicyStatements:

      ## additional policy statements for 'user-1'
      - user: user-1
        statements:
          ## allow 'user-1' to see MY_BUCKET_NAME
          - Effect: Allow
            Action:
              - s3:GetBucketLocation
              - s3:ListBucket
            Resource:
              - arn:aws:s3:::MY_BUCKET_NAME

      ## additional policy statements for each member of 'team-1' group
      - group: team-1
        statements:
          ## allow members of 'team-1' to see MY_BUCKET_NAME
          - Effect: Allow
            Action:
              - s3:GetBucketLocation
              - s3:ListBucket
            Resource:
              - arn:aws:s3:::MY_BUCKET_NAME
          ## allow members of 'team-1' to read/write under MY_BUCKET_NAME/some-prefix/*
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:DeleteObject
            Resource:
              - arn:aws:s3:::MY_BUCKET_NAME/some-prefix/*

The way this would be implemented would be by extending the automatically generated deploykf_opt.deploykf_minio.policies which are defined here:

## minio access policies
## - these policies are created and/or updated by a post-install job
##
{{<- $policies := .Values.deploykf_opt.deploykf_minio.policies | default coll.Slice >}}
{{<- if and .Values.kubeflow_tools.pipelines.enabled (not .Values.kubeflow_tools.pipelines.objectStore.useExternal) >}}
{{<- if eq .Values.deploykf_opt.deploykf_minio.identity.openid.policyClaim "email" >}}
{{<- $users_id_mapping := tmpl.Exec "runtime/deploykf_profiles__users_id_mapping_json" | json >}}
{{<- $users_profiles_access_mapping := tmpl.Exec "runtime/deploykf_profiles__users_profiles_access_mapping_json" | json >}}
{{<- $bucket_name := .Values.kubeflow_tools.pipelines.bucket.name >}}
{{<- range $user_id, $profiles_access_mapping := $users_profiles_access_mapping >}}
{{<- /* get the minio policy name */ ->}}
{{<- $user := index $users_id_mapping $user_id >}}
{{<- $policy_name := $user.email >}}
{{<- /* get the minio policy document */ ->}}
{{<- $edit_profiles := coll.Slice >}}
{{<- $view_profiles := coll.Slice >}}
{{<- range $profile_name, $user_access := $profiles_access_mapping >}}
{{<- if eq $user_access.role "edit" >}}
{{<- $edit_profiles = $edit_profiles | append $profile_name >}}
{{<- else if eq $user_access.role "view" >}}
{{<- $view_profiles = $view_profiles | append $profile_name >}}
{{<- end >}}
{{<- end >}}
{{<- $policy := tmpl.Exec "kubeflow_pipelines.object_store.user.minio_policy" (dict "edit_profiles" $edit_profiles "view_profiles" $view_profiles "bucket_name" $bucket_name) | yaml >}}
{{<- /* add the minio policy to the list of policies */ ->}}
{{<- $policies = $policies | append (dict "name" $policy_name "policy" $policy) >}}
{{<- end >}}
{{<- end >}}
{{<- end >}}

Some of the important templates which are called in the above section are:

You would also need to use the group -> user mapping JSON template, to get the list of users in a group:

@thesuperzapper thesuperzapper added status/help-wanted status - this needs contributions kind/enhancement kind - new features or changes priority/low priority - work on this when we get time labels Dec 14, 2023
@Diddy42 Diddy42 linked a pull request Dec 18, 2023 that will close this issue