This guide describes how Kubeflow Reception creates an account for a user.
Here’s what you’ll need so that Kubeflow Reception can create an account for the user:
- The user must have logged in with OIDC (Login with OIDC). After logging in, AuthService redirects the user to the reception endpoint with a ?next query parameter that includes the original URL that the user attempted to access.
Here is a step-by-step description of how Kubeflow Reception creates an account for a user.
User: Request the reception endpoint with the UserID header and the cookie.
Istio Gateway: Forward this request to AuthService.
AuthService: Verify that the request can proceed.
Istio Gateway: Forward the response to Kubeflow Reception.
Reception: Retrieve the UserID from the header and generate the profile name for this user.
The profile name will be <PROFILE-PREFIX>-<USERID>. All the @ characters will be replaced with -. In our case the <USERID> varies. For example, let’s assume a user with email
- if the user logs in with OIDC to Kubeflow then the profile name will
- if the user is using an external Identity Provider (such as PingID) as an OIDC provider for Kubeflow and has configured USERID_TRANSORMERS (for example, see step 13 of PingID) then the profile name will be
- if the user logs in with OIDC to Kubeflow then the profile name will be
Reception: If no profile exists for this profile name, request the Kubernetes API Server to create a resource of type Profile for this user.
Kubernetes: Create a resource of type
Profile Controller: Watch Kubernetes API Server for
Profile Controller: Create a new namespace for this new Profile resource. Create two service accounts for this user. Create the respective RoleBindings to enforce the proper permissions for this user.
Regarding the service accounts and the RoleBindings, Profile Controller sets the editor and view permissions of this user respectively.
For more information see the following guides:
Kubernetes: Create the requested service accounts and the RoleBindings.
Reception: Wait for the user to be bound to the new profile.
Reception: Retrieve the original URL that the user attempted to request (before logging in) from the ?next query parameter of the URL. Redirect the user to this URL.
If, for example, AuthService redirected the user to /reception?next=%2Fnotebook%2Fkubeflow-user%2Fmytest%2Flab, then Kubeflow Reception will grab the ?next query parameter from the URL and will respond with a relative redirect to
Istio Gateway: Forward the response to the user.
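The ?next step above only stays a relative redirect if the decoded value is checked before it is used as a Location. The following is an added example, not Kubeflow Reception's own code: safe_next and the "/" fallback are assumptions made for illustration, and the rejected inputs are constructed samples.

```python
from urllib.parse import parse_qs, urlsplit

DEFAULT_TARGET = "/"  # assumption: where to send the user when ?next is unusable


def safe_next(request_url: str, default: str = DEFAULT_TARGET) -> str:
    """Return the ?next value if it is a same-origin relative path, else default."""
    values = parse_qs(urlsplit(request_url).query).get("next", [])
    if len(values) != 1:      # missing, empty or repeated parameter: do not guess
        return default
    target = values[0]        # parse_qs has already percent-decoded the value once
    # Browsers drop tab/CR/LF and treat "\" like "/", so reject both outright.
    if "\\" in target or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return default
    # Require exactly one leading "/": "//host" is a scheme-relative URL.
    if not target.startswith("/") or target.startswith("//"):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:   # belt and braces: no scheme, no host
        return default
    return target


if __name__ == "__main__":
    samples = [
        # URL from the guide's own example
        "/reception?next=%2Fnotebook%2Fkubeflow-user%2Fmytest%2Flab",
        # constructed inputs that must not leave the origin
        "/reception?next=https%3A%2F%2Fother-host.example%2F",
        "/reception?next=%2F%2Fother-host.example%2Fx",
        "/reception?next=%2F%5Cother-host.example",
        "/reception",
    ]
    for url in samples:
        print(f"{url!r} -> {safe_next(url)!r}")
```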
In this guide you gained insight into how Kubeflow Reception creates an account for a user.
The next guide presents how AuthService performs authentication with Kubernetes Service Accounts.