Account Creation
This guide describes how Kubeflow Reception creates an account for a user.
Here’s what you’ll need so that Kubeflow Reception can create an account for the user:
- The user must have logged in with OIDC (Login with OIDC). After logging in, AuthService redirects the user to the reception endpoint with a ?next query parameter that includes the original URL that the user attempted to access.
Step-by-Step Analysis
Here is a step-by-step description of how Kubeflow Reception creates an account for a user.
User: Request the reception endpoint with the UserID header and the cookie.
Istio Gateway: Forward this request to AuthService.
AuthService: Verify that the request can proceed.
Istio Gateway: Forward the response to Kubeflow Reception.
Reception: Retrieve the UserID from the header and generate the profile name for this user.
Note
The profile name will be <PROFILE-PREFIX>-<USERID>. All the . and @ characters will be replaced with -. In our case the <PROFILE-PREFIX> will be kubeflow. The <USERID> varies. For example, let’s assume a user with email user@example.com:
- if the user logs in with OIDC to Kubeflow then the profile name will be kubeflow-user-example-com.
- if the user is using an external Identity Provider (such as PingID) as an OIDC provider for Kubeflow and has configured USERID_TRANSORMERS (for example see step 13 of PingID) then the profile name will be kubeflow-user.
Reception: If there is no profile for this profile name, ask the Kubernetes API Server to create a resource of type Profile for this user.
Kubernetes: Create a resource of type Profile.
Profile Controller: Watch Kubernetes API Server for Profile resources.
Profile Controller: Create a new namespace for this new Profile resource. Create two service accounts for this user. Create the respective RoleBindings to enforce the proper permissions for this user.
Note
Regarding the service accounts and the RoleBindings, Profile Controller sets the editor and view permissions of this user respectively.
Kubernetes: Create the requested service accounts and the RoleBindings.
Reception: Wait for the user to be bound to the new profile.
Reception: Retrieve the original URL that the user attempted to request (before logging in) from the ?next query parameter of the URL. Redirect the user to this URL.
Note
If, for example, AuthService redirected the user to /reception?next=%2Fnotebook%2Fkubeflow-user%2Fmytest%2Flab, then Kubeflow Reception will grab the ?next query parameter from the URL and will respond with a relative redirect to /notebook/kubeflow-user/mytest/lab.
Istio Gateway: Forward the response to the user.
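The profile-name rule from the first note and the ?next handling from the last Reception step, as an added Python example that is not Kubeflow Reception's own code. The function names, the namespace-name check, and the policy of falling back to / when ?next is not a site-relative path are assumptions made here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Kubernetes namespace names must be RFC 1123 DNS labels (max 63 characters).
DNS_LABEL = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")


def profile_name(userid, prefix="kubeflow"):
    """Build <PROFILE-PREFIX>-<USERID>, replacing '.' and '@' with '-'."""
    name = f"{prefix}-{userid}".replace(".", "-").replace("@", "-")
    if not DNS_LABEL.fullmatch(name):
        # Assumption: refuse the name rather than rewrite it any further.
        raise ValueError(f"{name!r} is not a valid namespace name")
    return name


def redirect_target(request_url, default="/"):
    """Return the decoded ?next value only if it is a site-relative path."""
    values = parse_qs(urlsplit(request_url).query).get("next", [])
    if len(values) != 1:
        return default  # parameter missing, empty, or repeated
    target = values[0]
    is_relative = (
        target.startswith("/")
        and not target.startswith("//")  # scheme-relative URL, names a host
        and "\\" not in target  # some clients treat '\' like '/'
        and not any(ord(c) < 0x20 or ord(c) == 0x7F for c in target)
    )
    return target if is_relative else default


if __name__ == "__main__":
    # Constructed request, reusing the URL from the note above.
    url = "/reception?next=%2Fnotebook%2Fkubeflow-user%2Fmytest%2Flab"
    print(profile_name("user@example.com"), redirect_target(url))
```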
Summary
In this guide you gained insight into how Kubeflow Reception creates an account for a user.
What’s Next
The next guide presents how AuthService performs authentication with Kubernetes Service Accounts.