why was Prefect removed? we are working to put it back in

[verhulstm]

for our use case we need Prefect. it is interesting that it was removed

[viniciusdc]

Back then, Prefect had a bigger misalignment with our setup in terms of the user RBAC structure and secret management. The underlying lib for the workflows was not as polished as it is right now.

[verhulstm]

@viniciusdc can point me to a current example with RBAC and docker?

[verhulstm]

@viniciusdc how do i create a custom nebari extension in flask that uses RBAC to auth a user with keycloak?

[viniciusdc]

Hey @verhulstm, I can try finding that, but we need to look into the git history from when nebari was called qhub. So that may take some time, until I can have the time to search for it.

On the other hand, if you need authentication with keycloak all you need is that your application accepts the OpenID protocol. You can create a Client under the Keycloak admin UI and use the client's information to sync with your app. Usually, I prefer to have an OAuth2 proxy in front of my pod/container to reduce the burden of maintaining the authentication logic myself.

In your Flask, example you should be able to see an option to enable authentication within the Flask app In their docs, look for something around openID -- I can try to wrap an example of this when I have some time.

[viniciusdc]

here's an example I found in the web :
(source: integrating-keycloak-authentication-into-a-flask-application )

import os
from flask import Flask, redirect, url_for, session, render_template_string
from authlib.integrations.flask_client import OAuth
from dotenv import load_dotenv
import requests

load_dotenv()

app = Flask(__name__)
app.secret_key = os.getenv("FLASK_SECRET_KEY")

oauth = OAuth(app)
oauth.register(
    name="keycloak",
    client_id=os.getenv("KEYCLOAK_CLIENT_ID"),
    client_secret=os.getenv("KEYCLOAK_CLIENT_SECRET"),
    server_metadata_url=os.getenv("KEYCLOAK_SERVER_METADATA_URL"),
    client_kwargs={"scope": "openid profile email"},
)

@app.route("/")
def index():
    user = session.get("user")
    if user:        
        return render_template_string('''
            <h1>Welcome, {{ user['name'] }}!</h1>
            <form action="{{ url_for('logout') }}" method="post">
                <button type="submit">Logout</button>
            </form>
        ''', user=user)
    else:        
        return render_template_string('''
            <h1>Hello, you are not logged in.</h1>
            <form action="{{ url_for('login') }}" method="post">
                <button type="submit">Login</button>
            </form>
        ''')

# Login page
@app.route("/login", methods=["POST"])
def login():
    redirect_uri = url_for("auth", _external=True)
    return oauth.keycloak.authorize_redirect(redirect_uri)

# Auth callback
@app.route("/auth")
def auth():
    token = oauth.keycloak.authorize_access_token()
    session["user"] = oauth.keycloak.parse_id_token(token)
    return redirect("/")

# Logout
@app.route("/logout", methods=["POST"])
def logout():
    session.pop("user", None)
    logout_url = f"{os.getenv('KEYCLOAK_LOGOUT_URL')}?redirect_uri={url_for('index', _external=True)}"
    return redirect(logout_url)

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=5000)

you would just need to adapt it to properly use the keycloak's client information. If you are installing your app trough nebari's helm extension mechanism, you can try creating a kuberntes secret and use that to mount into your pod with the clients info

[viniciusdc]

for the helm stuf, you can check our example here https://www.nebari.dev/docs/explanations/custom-overrides-configuration#helm-extensions, injecting the code can be done trough k8s secrets (here's an example https://www.nebari.dev/docs/explanations/custom-overrides-configuration#helm-extensions). I think that should be all you need. If you end up running this POC, it would be great example for our docs, so consider opening a PR there if you get that working :)

[verhulstm]

@viniciusdc i am trying to learn from this https://github.com/MetroStar/nebari-label-studio
but it does not work

also,

https://github.com/nebari-dev/nebari-self-registration

has much of the tf code i want and it runs a docker server (and it mostly works) but it does not have RBAC

Can you help me add RBAC into /nebari-self-registration?

[viniciusdc]

Hey @verhulstm is your code public?, if you could transform that into a open repository I can have a look. Can you just refresh my memmory about what you want to do again?

[verhulstm]

@viniciusdc i am working on this https://github.com/verhulstm/nebari-lite/tree/lite

I made a new branch called "lite". i removed a lot of stuff (in order to learn). this is an ultra experimental branch of my fork.

I tying to learn how grafana implements RBAC in nebari

[viniciusdc]

gotcha, I will try to have a look by the end of the week. One thing to not though, for Grafana especificay the community version (open-source) that nebari uses does not allow for RBAC, it only supports admin x developer x reader roles. If you are looking for custom roles I would look into jupyterhub instead. Now, if you just need to know more about linking keycloak with an app, then that should be enough -- I also suggest you to look into the keycloak client module https://github.com/verhulstm/nebari-lite/tree/lite/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/keycloak-client