Account Creation

This guide describes how Kubeflow Reception creates an account for a user.

Here’s what you’ll need so that Kubeflow Reception can create an account for the user:

  • The user must have logged in with OIDC (Login with OIDC). After logging in, AuthService redirects the user to the reception endpoint with a ?next query parameter that includes the original URL that the user attempted to access.

Step-by-Step Analysis

Here is a step-by-step description of how Kubeflow Reception creates an account for a user.

  1. User: Request the reception endpoint with the UserID header and the cookie.

  2. Istio Gateway: Forward this request to AuthService.

  3. AuthService: Verify that the request can proceed.

  4. Istio Gateway: Forward the response to Kubeflow Reception.

  5. Reception: Retrieve the UserID from the header and generate the profile name for this user.


    The profile name will be <PROFILE-PREFIX>-<USERID>. All the . and @ characters will be replaced with -. In our case the <PROFILE-PREFIX> will be kubeflow. The <USERID> varies. For example, let’s assume a user with email

    • if the user logs in with OIDC to Kubeflow then the profile name will be kubeflow-user-example-com.
    • if the user is using an external Identity Provider (such as PingID) as an OIDC provider for Kubeflow and has configured USERID_TRANSFORMERS (for example, see step 13 of PingID) then the profile name will be kubeflow-user.
  6. Reception: If no profile exists with this profile name, request the Kubernetes API Server to create a resource of type Profile for this user.

  7. Kubernetes: Create a resource of type Profile.

  8. Profile Controller: Watch Kubernetes API Server for Profile resources.

  9. Profile Controller: Create a new namespace for this new Profile resource. Create two service accounts for this user. Create the respective RoleBindings to enforce the proper permissions for this user.


    Regarding the service accounts and the RoleBindings, Profile Controller sets the editor and view permissions of this user respectively.

  10. Kubernetes: Create the requested service accounts and the RoleBindings.

  11. Reception: Wait for the user to be bound to the new profile.

  12. Reception: Retrieve the original URL that the user attempted to request (before logging in) from the ?next query parameter of the URL. Redirect the user to this URL.


    If, for example, AuthService redirected the user to /reception?next=%2Fnotebook%2Fkubeflow-user%2Fmytest%2Flab, then Kubeflow Reception will grab the ?next query parameter from the URL and will respond with a relative redirect to /notebook/kubeflow-user/mytest/lab.

  13. Istio Gateway: Forward the response to the user.
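
The ?next handling of step 12, as an added example that is not Kubeflow Reception's own code: it decodes the parameter and only returns a target that stays a relative redirect on the same origin. The function name redirect_target, the FALLBACK value and the rejection rules are assumptions; the page only states that Reception responds with a relative redirect.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: where the user lands when ?next is missing or unusable.
FALLBACK = "/"


def redirect_target(request_url: str) -> str:
    """Return the relative path to redirect to after account creation."""
    query = urlsplit(request_url).query
    values = parse_qs(query).get("next", [])
    if len(values) != 1:
        # Missing, empty or repeated parameter: do not guess which one to use.
        return FALLBACK
    target = values[0]  # parse_qs has already percent-decoded the value

    # A relative redirect must be an absolute path: exactly one leading slash.
    # "//host" and "/\host" are treated by browsers as another origin.
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return FALLBACK

    # Control characters (CR, LF, ...) must never reach a Location header.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return FALLBACK

    return target


if __name__ == "__main__":
    # Constructed sample requests; the first one is the URL from step 12.
    samples = [
        "/reception?next=%2Fnotebook%2Fkubeflow-user%2Fmytest%2Flab",
        "/reception",
        "/reception?next=https%3A%2F%2Fother.example%2Fx",
        "/reception?next=%2F%2Fother.example%2Fx",
    ]
    for url in samples:
        print(f"{url!r:65} -> {redirect_target(url)!r}")
```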


In this guide you gained insight into how Kubeflow Reception creates an account for a user.

What’s Next

The next guide presents how AuthService performs authentication with Kubernetes Service Accounts.