Open Data Hub logo
DOCS
BLOG
COMMUNITY
GITHUB
GET STARTED

Managing users

Adding users

Users with administrator access to OpenShift Container Platform can add, modify, and remove user permissions for Open Data Hub.

Overview of user types and permissions

Table 1 describes the Open Data Hub user types.

Table 1. User types
User Type Permissions

Data scientists

Data scientists can access and use individual components of Open Data Hub, such as Jupyter.

Administrators

In addition to the actions permitted to a data scientist, administrators can perform these actions:

  • Configure Open Data Hub settings.

  • Access and manage notebook servers.

Optionally, if you want to restrict access to your Open Data Hub deployment, you can create specialized user groups for users and administrators.

If you decide to restrict access, and you already have user groups defined in your configured identity provider, you can add these user groups to your Open Data Hub deployment. If you decide to use specialized user groups without adding these groups from an identity provider, you must create the groups in OpenShift Container Platform and then add users to them.

There are some operations relevant to Open Data Hub that require the cluster-admin role. Those operations include:

  • Adding users to the Open Data Hub user and administrator groups, if you are using specialized groups.

  • Removing users from the Open Data Hub user and administrator groups, if you are using specialized groups.

  • Managing custom environment and storage configuration for users in OpenShift Container Platform, such as Jupyter notebook resources, ConfigMaps, and persistent volume claims (PVCs).

Important

Although users of Open Data Hub and its components are authenticated through OpenShift, session management is separate from authentication. This means that logging out of OpenShift Container Platform or Open Data Hub does not affect a logged in Jupyter session running on those platforms. This means that when a user’s permissions change, that user must log out of all current sessions in order for the changes to take effect.

Defining Open Data Hub administrator and user groups

By default, all users authenticated in OpenShift can access Open Data Hub.

You can define additional administrator and user groups by using the Open Data Hub dashboard.

Prerequisites
Procedure

  1. From the Open Data Hub dashboard, click SettingsUser management.

  2. Define your Open Data Hub admin groups: Under Data science administrator groups, click the text box and select an OpenShift group. Repeat this process to define multiple admin groups.

  3. Define your Open Data Hub user groups: Under Data science user groups, click the text box and select an OpenShift group. Repeat this process to define multiple user groups.

    Important
    		 The system:authenticated setting allows all users authenticated in OpenShift to access Open Data Hub.

  4. Click Save changes.

Verification

  • Administrator users can successfully log in to Open Data Hub and perform administrative functions.

  • Non-administrator users can successfully log in to Open Data Hub. They can also access and use individual components, such as Jupyter.

Adding users to specialized Open Data Hub user groups

By default, all OpenShift users have access to Open Data Hub.

Optionally, you can restrict user access to your Open Data Hub instance by defining specialized user groups. You must grant users permission to access Open Data Hub by adding user accounts to the Open Data Hub user group, administrator group, or both. You can either use the default group name, or specify a group name that already exists in your identity provider.

The user group provides the user with access to developer functions in the Open Data Hub dashboard, and associated services, such as Jupyter.

The administrator group provides the user with access to developer and administrator functions in the Open Data Hub dashboard and associated services, such as Jupyter.

If you restrict access by using specialized user groups, users that are not in the Open Data Hub user group or administrator group cannot view the dashboard and use associated services, such as Jupyter. They are also unable to access the Cluster settings page.

Important

If you are using LDAP as your identity provider, you need to configure LDAP syncing to OpenShift Container Platform. For more information, see link: Syncing LDAP groups.

Follow the steps in this section to add users to your specialized Open Data Hub administrator and user groups.

Note: You can add users in Open Data Hub but you must manage the user lists in the OpenShift Container Platform web console.

Prerequisites

  • You have configured a supported identity provider for OpenShift Container Platform.

  • You are assigned the cluster-admin role in OpenShift Container Platform.

  • You have defined an administrator group and user group for Open Data Hub.

Procedure

  1. In the OpenShift Container Platform web console, click User ManagementGroups.

  2. Click the name of the group you want to add users to.

    • For administrative users, click the administrator group, for example, {oai-admin-group}.

    • For normal users, click the user group, for example, {oai-user-group}.

      The Group details page for that group appears.

  3. Click ActionsAdd Users.

    The Add Users dialog appears.

  4. In the Users field, enter the relevant user name to add to the group.

  5. Click Save.

Verification

  • Click the Details tab for each group and confirm that the Users section contains the user names that you added.

Viewing Open Data Hub users

If you have defined specialized user groups for Open Data Hub, you can view the users that belong to these groups.

Prerequisites

  • The Open Data Hub user group, administrator group, or both exist.

  • You have the cluster-admin role in OpenShift Container Platform.

  • You have configured a supported identity provider for OpenShift Container Platform.

Procedure

  1. In the OpenShift Container Platform web console, click User ManagementGroups.

  2. Click the name of the group containing the users that you want to view.

    • For administrative users, click the name of your administrator group. for example, odh-admins.

    • For normal users, click the name of your user group, for example, odh-users.

      The Group details page for the group appears.

Verification

  • In the Users section for the relevant group, you can view the users who have permission to access Open Data Hub.

Deleting users and their resources

About deleting users and their resources

If you have administrator access to OpenShift Container Platform, you can revoke a user’s access to Jupyter and delete the user’s resources from Open Data Hub.

Deleting a user and the user’s resources involves the following tasks:

  • Before you delete a user from Open Data Hub, it is good practice to back up the data on your persistent volume claims (PVCs).

  • Stop notebook servers owned by the user.

  • Revoke user access to Jupyter.

  • Remove the user from the allowed group in your OpenShift identity provider.

  • After you delete a user, delete their associated configuration files from OpenShift Container Platform.

Backing up storage data

It is a best practice to back up the data on your persistent volume claims (PVCs) regularly.

Backing up your data is particularly important before you delete a user and before you uninstall Open Data Hub, as all PVCs are deleted when Open Data Hub is uninstalled.

See the documentation for your cluster platform for more information about backing up your PVCs.

Additional resources

Stopping notebook servers owned by other users

Administrators can stop notebook servers that are owned by other users to reduce resource consumption on the cluster, or as part of removing a user and their resources from the cluster.

Prerequisites

  • If you are using specialized Open Data Hub groups, you are part of the administrator group (for example, odh-admins). If you are not using specialized groups, you are part of the OpenShift Container Platform administrator group.

  • You have launched the Jupyter application, as described in Launching Jupyter and starting a notebook server.

  • The notebook server that you want to stop is running.

Procedure

  1. On the page that opens when you launch Jupyter, click the Administration tab.

  2. Stop one or more servers.

    • If you want to stop one or more specific servers, perform the following actions:

      1. In the Users section, locate the user that the notebook server belongs to.

      2. To stop the notebook server, perform one of the following actions:

        • Click the action menu () beside the relevant user and select Stop server.

        • Click View server beside the relevant user and then click Stop notebook server.

          The Stop server dialog box appears.

      3. Click Stop server.

    • If you want to stop all servers, perform the following actions:

      1. Click the Stop all servers button.

      2. Click OK to confirm stopping all servers.

Verification

  • The Stop server link beside each server changes to a Start server link when the notebook server has stopped.

Revoking user access to Jupyter

You can revoke a user’s access to Jupyter by removing the user from the specialized user groups that define access to Open Data Hub. When you remove a user from the specialized user groups, the user is prevented from accessing the Open Data Hub dashboard and from using associated services that consume resources in your cluster.

Important
 Follow these steps only if you have implemented specialized user groups to restrict access to Open Data Hub. To completely remove a user from Open Data Hub, you must remove them from the allowed group in your OpenShift identity provider.
Prerequisites

  • You have stopped any notebook servers owned by the user you want to delete.

  • You are using specialized user groups for Open Data Hub, and the user is part of the specialized user group, administrator group, or both.

Procedure

  1. In the OpenShift Container Platform web console, click User ManagementGroups.

  2. Click the name of the group that you want to remove the user from.

    • For administrative users, click the name of your administrator group, for example, {oai-admin-group}.

    • For non-administrator users, click the name of your user group, for example, {oai-user-group}.

    The Group details page for the group appears.

  3. In the Users section on the Details tab, locate the user that you want to remove.

  4. Click the action menu () beside the user that you want to remove and click Remove user.

Verification

  • Check the Users section on the Details tab and confirm that the user that you removed is not visible.

  • In the rhods-notebooks project, check under WorkloadsPods and ensure that there is no notebook server pod for this user. If you see a pod named jupyter-nb-<username>-* for the user that you have removed, delete that pod to ensure that the deleted user is not consuming resources on the cluster.

  • In the Open Data Hub dashboard, check the list of data science projects. Delete any projects that belong to the user.

Cleaning up after deleting users

After you remove a user’s access to Open Data Hub or Jupyter, you must also delete the configuration files for the user from OpenShift Container Platform. Red Hat recommends that you back up the user’s data before removing their configuration files.

Prerequisites

  • (Optional) If you want to completely remove the user’s access to Open Data Hub, you have removed their credentials from your identity provider.

  • You have revoked the user’s access to Jupyter.

  • You have logged in to the OpenShift Container Platform web console.

  • You have logged in to Open Data Hub.

Procedure

  1. Delete the user’s persistent volume claim (PVC).

    1. Click StoragePersistentVolumeClaims.

    2. If it is not already selected, select the rhods-notebooks project from the project list.

    3. Locate the jupyter-nb-<username> PVC.

      Replace <username> with the relevant user name.

    4. Click the action menu (⋮) and select Delete PersistentVolumeClaim from the list.

      The Delete PersistentVolumeClaim dialog appears.

    5. Inspect the dialog and confirm that you are deleting the correct PVC.

    6. Click Delete.

  2. Delete the user’s ConfigMap.

    1. Click WorkloadsConfigMaps.

    2. If it is not already selected, select the rhods-notebooks project from the project list.

    3. Locate the jupyterhub-singleuser-profile-<username> ConfigMap.

      Replace <username> with the relevant user name.

    4. Click the action menu (⋮) and select Delete ConfigMap from the list.

      The Delete ConfigMap dialog appears.

    5. Inspect the dialog and confirm that you are deleting the correct ConfigMap.

    6. Click Delete.

Verification

  • The user cannot access Jupyter any more, and sees an "Access permission needed" message if they try.

  • The user’s single-user profile, persistent volume claim (PVC), and ConfigMap are not visible in OpenShift Container Platform.