feat: Support data manager role for volumes (#106)

Volumes are read-write for those users with the Data-Manager role for the context being evaluated. The name Data-Manager role can be configured. Related: https://support.d4science.org/issues/25256
EGI-Federation · Jun 23, 2023 · 26fed8c · 26fed8c
1 parent 70ffd4f
commit 26fed8c
Showing 1 changed file with 21 additions and 1 deletion.
diff --git a/egi_notebooks_hub/d4science.py b/egi_notebooks_hub/d4science.py
@@ -205,6 +205,10 @@ async def authenticate(self, handler, data=None):
         ws_token, _ = await self.get_uma_token(context, context, access_token)
         permissions = decoded_token["authorization"]["permissions"]
         self.log.debug("Permissions: %s", permissions)
+        roles = (
+            decoded_token.get("resource_access", {}).get(context, {}).get("roles", [])
+        )
+        self.log.debug("Roles: %s", roles)
         resources = await self.get_resources(ws_token)
         self.log.debug("Resources: %s", resources)
         user_data["auth_state"].update(
@@ -213,6 +217,7 @@ async def authenticate(self, handler, data=None):
                 "permissions": permissions,
                 "context": context,
                 "resources": resources,
+                "roles": roles,
             }
         )
         # get WPS endpoint in also
@@ -285,6 +290,11 @@ class D4ScienceSpawner(KubeSpawner):
         config=True,
         help="""Prefix for naming the servers""",
     )
+    data_manager_role = Unicode(
+        "Data-Manager",
+        config=True,
+        help="""Name of the data manager role in D4Science""",
+    )
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -318,6 +328,8 @@ async def auth_state_hook(self, spawner, auth_state):
             return
         # just get from the authenticator
         permissions = auth_state.get("permissions", [])
+        roles = auth_state.get("roles", [])
+        self.log.debug("Roles at hook: %s", roles)
         self.allowed_profiles = [claim["rsname"] for claim in permissions]
         resources = auth_state.get("resources", {})
         self.server_options = {}
@@ -352,11 +364,19 @@ async def auth_state_hook(self, spawner, auth_state):
                 vol = {"name": (vol_name)}
                 vol.update(self.volume_mappings[name]["volume"])
                 self.volumes.append(vol)
+                read_write = (permission == "Read-Write") or (
+                    self.data_manager_role in roles
+                )
+                self.log.debug(
+                    "permission: %s, data-manager: %s",
+                    permission,
+                    self.data_manager_role in roles,
+                )
                 self.volume_mounts.append(
                     {
                         "name": vol_name,
                         "mountPath": self.volume_mappings[name]["mount_path"],
-                        "readOnly": permission == "Read-only",
+                        "readOnly": not read_write,
                     },
                 )
         self.log.debug("allowed: %s", self.allowed_profiles)