Background
Access to a notebook server created in another user's Profile/namespace can be shared with a second user by adding them as a Contributor. Sharing grants that user access to the owner's Profile/namespace and to every notebook server created within it.
If you need more information about the basic setup of Kaptain users and Kubeflow Profiles, please see our guide.
Issue
When a user who has not been granted access tries to browse to the notebook server's UI, they receive the error:
RBAC: access denied
Solution
Contributor access can be granted either through the UI or through the CLI. The official documentation of multi-user isolation in Kubeflow can be found here.
Through the UI, a contributor is added under "Manage Contributors".
Through the CLI, the same access is granted by applying the following two manifests to the owner's namespace:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    role: edit
    user: <contributoruser@gmail.com> # replace with the email of the user from your Active Directory; case sensitive
  name: user-userid-email-com-clusterrole-edit
  # Ex: if the user email is lalith.vaka@kp.org the name should be user-lalith-vaka-kp-org-clusterrole-edit
  # Note: if the user email is Lalith.Vaka@kp.org in your Active Directory, the name should still be user-lalith-vaka-kp-org-clusterrole-edit
  namespace: <ownerprofile> # replace with the namespace/profile name that you are adding contributors to
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <contributoruser@gmail.com> # replace with the email of the user from your Active Directory; case sensitive
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  annotations:
    role: edit
    user: <contributoruser@gmail.com> # replace with the email of the user from your Active Directory; case sensitive
  name: user-userid-email-com-clusterrole-edit
  namespace: <ownerprofile> # replace with the namespace/profile name that you are adding contributors to
spec:
  action: ALLOW
  rules:
  - when:
    - key: request.headers[kubeflow-userid] # for GCP, use x-goog-authenticated-user-email instead of kubeflow-userid for authentication
      values:
      - <contributoruser@gmail.com> # replace with the email of the user from your Active Directory; case sensitive
Whether added through the UI or the CLI, the RoleBinding and AuthorizationPolicy objects are created in the owner's namespace, where they can be inspected with kubectl describe when troubleshooting.
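The manifests above must agree on the object name, the namespace and the contributor's email, and the name has to be derived from the email exactly as the comments describe. The following shell script is an added example, not part of the Kaptain or Kubeflow documentation: it derives the name from the email (lower-cased, with "@" and "." replaced by "-"), renders both objects from one set of inputs, and provides a troubleshooting helper that describes the two objects and asks the API server whether the contributor can create notebooks in the namespace. The function names, the namespace owner-profile and the use of kubectl impersonation are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Kaptain/Kubeflow docs. Renders the RoleBinding and
# AuthorizationPolicy for one contributor so that name, namespace and email stay
# consistent across both objects. Assumptions (not from the page): kubectl is on
# PATH and points at the Kubeflow cluster; function names here are hypothetical.

# contributor_name EMAIL -> user-<slug>-clusterrole-edit
# The slug is the email lower-cased with every '@' and '.' replaced by '-',
# e.g. Lalith.Vaka@kp.org -> user-lalith-vaka-kp-org-clusterrole-edit
contributor_name() {
  _slug=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[@.]/-/g')
  printf 'user-%s-clusterrole-edit' "$_slug"
}

# contributor_manifests EMAIL NAMESPACE [USERID_HEADER]
# USERID_HEADER defaults to kubeflow-userid; pass x-goog-authenticated-user-email on GCP.
# The email is written unchanged into user/subject/values, since it is matched case-sensitively.
contributor_manifests() {
  _email=$1
  _ns=$2
  _header=${3:-kubeflow-userid}
  _name=$(contributor_name "$_email")
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    role: edit
    user: $_email
  name: $_name
  namespace: $_ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: $_email
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  annotations:
    role: edit
    user: $_email
  name: $_name
  namespace: $_ns
spec:
  action: ALLOW
  rules:
  - when:
    - key: request.headers[$_header]
      values:
      - $_email
EOF
}

# check_contributor EMAIL NAMESPACE: troubleshooting helper that needs cluster access.
# Describes both objects and asks the API server whether the contributor may create
# notebooks in the namespace (impersonation via --as requires sufficient rights).
check_contributor() {
  _name=$(contributor_name "$1")
  kubectl -n "$2" describe rolebinding "$_name"
  kubectl -n "$2" describe authorizationpolicy "$_name"
  kubectl -n "$2" auth can-i create notebooks.kubeflow.org --as="$1"
}

# Constructed sample run: render the manifests for the page's example email in an
# assumed owner namespace. Pipe the output to `kubectl apply -f -` to create them.
contributor_manifests 'Lalith.Vaka@kp.org' 'owner-profile'
```

To grant access, run `contributor_manifests 'User@example.com' '<ownerprofile>' | kubectl apply -f -` (add `x-goog-authenticated-user-email` as the third argument on GCP); afterwards `check_contributor 'User@example.com' '<ownerprofile>'` shows both objects and confirms that the RoleBinding half of the grant is effective, which narrows an "RBAC: access denied" to either a missing RoleBinding or a mismatched AuthorizationPolicy.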