WIP, port RBAC

Author: jenny-s51

clients/ui/frontend/src/app/api/service.ts

@@ -19,6 +19,7 @@ import {
 import { APIOptions } from '~/shared/api/types';
 import { handleRestFailures } from '~/shared/api/errorUtils';
 import { bumpRegisteredModelTimestamp } from '~/app/api/updateTimestamps';
+import { ModelRegistryKind } from "~/shared/k8sTypes";
 
 export const createRegisteredModel =
   (hostPath: string, queryParams: Record<string, unknown> = {}) =>

clients/ui/frontend/src/app/pages/settings/ModelRegistriesPermissions.tsx

@@ -0,0 +1,184 @@
+import React from 'react';
+import {
+  Breadcrumb,
+  BreadcrumbItem,
+  ClipboardCopy,
+  Tab,
+  TabContent,
+  TabContentBody,
+  Tabs,
+} from '@patternfly/react-core';
+import { Link } from 'react-router-dom';
+import { Navigate, useParams } from 'react-router';
+import { useGroups } from '~/api';
+// import { useContextResourceData } from '~/utilities/useContextResourceData';
+// import { SupportedArea } from '~/concepts/areas';
+import { RoleBindingPermissionsRoleType } from '~/shared/types';
+import ApplicationsPage from '~/shared/components/ApplicationsPage';
+import { ModelRegistryKind } from '~/shared/k8sTypes';
+import RoleBindingPermissions from "~/concepts/roleBinding/roleBindingPermissions";
+// import ProjectsSettingsTab from "./ProjectsTab/ProjectSettingsTab";
+// import { useModelRegistryNamespaceCR } from '~/concepts/modelRegistry/context/useModelRegistryNamespaceCR';
+// import { AreaContext } from '~/concepts/areas/AreaContext';
+// import {
+//   createModelRegistryRoleBinding,
+//   deleteModelRegistryRoleBinding,
+// } from '~/services/modelRegistrySettingsService';
+// import RedirectErrorState from '~/pages/external/RedirectErrorState';
+// import useModelRegistryRoleBindings from './useModelRegistryRoleBindings';
+
+const ModelRegistriesManagePermissions: React.FC = () => {
+  //   const { dscStatus } = React.useContext(AreaContext);
+  //   const modelRegistryNamespace = dscStatus?.components?.modelregistry?.registriesNamespace;
+  const [activeTabKey, setActiveTabKey] = React.useState('users');
+  const [ownerReference, setOwnerReference] = React.useState<ModelRegistryKind>();
+  const [groups] = useGroups();
+  //   const roleBindings = useContextResourceData<RoleBindingKind>(useModelRegistryRoleBindings());
+  const { mrName } = useParams<{ mrName: string }>();
+  //   const state = useModelRegistryNamespaceCR(modelRegistryNamespace, mrName || '');
+  const state = '';
+  const [modelRegistryCR, crLoaded] = state;
+  //   const filteredRoleBindings = roleBindings.data.filter(
+  //     (rb) => rb.metadata.labels?.['app.kubernetes.io/name'] === mrName,
+  //   );
+
+  //   const error = !modelRegistryNamespace
+  //     ? new Error('No registries namespace could be found')
+  //     : null;
+
+  //   React.useEffect(() => {
+  //     if (modelRegistryCR) {
+  //       setOwnerReference(modelRegistryCR);
+  //     } else {
+  //       setOwnerReference(undefined);
+  //     }
+  //   }, [modelRegistryCR]);
+
+  //   if (!modelRegistryNamespace) {
+  //     return (
+  //       <ApplicationsPage loaded empty={false}>
+  //         <RedirectErrorState title="Could not load component state" errorMessage={error?.message} />
+  //       </ApplicationsPage>
+  //     );
+  //   }
+
+  if (
+    // (roleBindings.loaded && filteredRoleBindings.length === 0) ||
+    crLoaded &&
+    !modelRegistryCR
+  ) {
+    return <Navigate to="/modelRegistrySettings" replace />;
+  }
+
+  return (
+    <ApplicationsPage
+      title={`Manage ${mrName ?? ''} permissions`}
+      description="Manage access to this model registry for individual users and user groups, and for service accounts in a project."
+      breadcrumb={
+        <Breadcrumb>
+          <BreadcrumbItem
+            render={() => <Link to="/modelRegistrySettings">Model registry settings</Link>}
+          />
+          <BreadcrumbItem isActive>Manage Permissions</BreadcrumbItem>
+        </Breadcrumb>
+      }
+      loaded
+      empty={false}
+      provideChildrenPadding
+    >
+      <Tabs
+        activeKey={activeTabKey}
+        onSelect={(e, tabKey) => {
+          setActiveTabKey(tabKey.toString());
+        }}
+      >
+        <Tab eventKey="users" title="Users" id="users-tab" tabContentId="users-tab-content" />
+        <Tab
+          eventKey="projects"
+          title="Projects"
+          id="projects-tab"
+          data-testid="projects-tab"
+          tabContentId="projects-tab-content"
+        />
+      </Tabs>
+      <div>
+        <TabContent
+          id="users-tab-content"
+          eventKey="users"
+          hidden={activeTabKey !== 'users'}
+          data-testid="users-tab-content"
+        >
+          <TabContentBody>
+            <RoleBindingPermissions
+              ownerReference={ownerReference}
+              defaultRoleBindingName={`${mrName ?? ''}-users`}
+              isGroupFirst
+              permissionOptions={[
+                {
+                  type: RoleBindingPermissionsRoleType.DEFAULT,
+                  description: 'Default role for all users',
+                },
+              ]}
+              roleRefKind="Role"
+              roleRefName={`registry-user-${mrName ?? ''}`}
+              //   labels={{
+              //     [KnownLabels.DASHBOARD_RESOURCE]: 'true',
+              //     app: mrName || '',
+              //     'app.kubernetes.io/component': SupportedArea.MODEL_REGISTRY,
+              //     'app.kubernetes.io/part-of': SupportedArea.MODEL_REGISTRY,
+              //     'app.kubernetes.io/name': mrName || '',
+              //     component: SupportedArea.MODEL_REGISTRY,
+              //   }}
+              //   projectName={modelRegistryNamespace}
+              description={
+                <>
+                  To enable access for all cluster users, add{' '}
+                  <ClipboardCopy variant="inline-compact">system:authenticated</ClipboardCopy> to
+                  the group list.
+                </>
+              }
+              //   roleBindingPermissionsRB={{ ...roleBindings, data: filteredRoleBindings }}
+              groups={groups}
+              createRoleBinding={createModelRegistryRoleBinding}
+              deleteRoleBinding={deleteModelRegistryRoleBinding}
+            />
+          </TabContentBody>
+        </TabContent>
+        <TabContent
+          id="projects-tab-content"
+          eventKey="projects"
+          data-testid="projects-tab-content"
+          hidden={activeTabKey !== 'projects'}
+        >
+          {/* <TabContentBody>
+            <ProjectsSettingsTab
+              ownerReference={ownerReference}
+              permissionOptions={[
+                {
+                  type: RoleBindingPermissionsRoleType.DEFAULT,
+                  description: 'Default role for all projects',
+                },
+              ]}
+              description="To enable access for all service accounts in a project, add the project name to the projects list."
+              roleRefName={`registry-user-${mrName ?? ''}`}
+              labels={{
+                [KnownLabels.DASHBOARD_RESOURCE]: 'true',
+                [KnownLabels.PROJECT_SUBJECT]: 'true',
+                app: mrName || '',
+                'app.kubernetes.io/component': SupportedArea.MODEL_REGISTRY,
+                'app.kubernetes.io/part-of': SupportedArea.MODEL_REGISTRY,
+                'app.kubernetes.io/name': mrName || '',
+                component: SupportedArea.MODEL_REGISTRY,
+              }}
+              //   projectName={modelRegistryNamespace}
+              isProjectSubject={activeTabKey === 'projects'}
+              //   roleBindingPermissionsRB={{ ...roleBindings, data: filteredRoleBindings }}
+            />
+          </TabContentBody> */}
+        </TabContent>
+      </div>
+    </ApplicationsPage>
+  );
+};
+
+export default ModelRegistriesManagePermissions;

clients/ui/frontend/src/app/pages/settings/ModelRegistriesTableRow.tsx

@@ -44,47 +44,47 @@ const ModelRegistriesTableRow: React.FC<ModelRegistriesTableRowProps> = ({
           ]}
         />
       </Td>
-      {isPlatformDefault() && (
-        <Td modifier="fitContent">
-          {filteredRoleBindings.length === 0 ? (
-            <Tooltip content="You can manage permissions when the model registry becomes available.">
-              <Button isAriaDisabled variant="link">
-                Manage permissions
-              </Button>
-            </Tooltip>
-          ) : (
-            <Button
-              variant="link"
-              onClick={() => navigate(`/model-registry-settings/permissions/${mr.name}`)}
-            >
+      {/* {isPlatformDefault() && ( */}
+      <Td modifier="fitContent">
+        {/* {filteredRoleBindings.length === 0 ? (
+          <Tooltip content="You can manage permissions when the model registry becomes available.">
+            <Button isAriaDisabled variant="link">
               Manage permissions
             </Button>
-          )}
-        </Td>
-      )}
-      {isPlatformDefault() && (
-        <Td isActionCell>
-          <ActionsColumn
-            disabled={!isPlatformDefault()}
-            items={[
-              {
-                title: 'Edit model registry',
-                disabled: !isPlatformDefault(),
-                onClick: () => {
-                  onEditRegistry(mr);
-                },
+          </Tooltip>
+        ) : ( */}
+        <Button
+          variant="link"
+          onClick={() => navigate(`/model-registry-settings/permissions/${mr.name}`)}
+        >
+          Manage permissions
+        </Button>
+        {/* )} */}
+      </Td>
+      {/* )} */}
+      {/* {isPlatformDefault() && ( */}
+      <Td isActionCell>
+        <ActionsColumn
+          disabled={!isPlatformDefault()}
+          items={[
+            {
+              title: 'Edit model registry',
+              disabled: !isPlatformDefault(),
+              onClick: () => {
+                onEditRegistry(mr);
               },
-              {
-                title: 'Delete model registry',
-                disabled: !isPlatformDefault(),
-                onClick: () => {
-                  onDeleteRegistry(mr);
-                },
+            },
+            {
+              title: 'Delete model registry',
+              disabled: !isPlatformDefault(),
+              onClick: () => {
+                onDeleteRegistry(mr);
               },
-            ]}
-          />
-        </Td>
-      )}
+            },
+          ]}
+        />
+      </Td>
+      {/* )} */}
     </Tr>
   );
 };

clients/ui/frontend/src/app/pages/settings/ModelRegistrySettingsRoutes.tsx

@@ -1,11 +1,13 @@
 import * as React from 'react';
 import { Navigate, Routes, Route } from 'react-router-dom';
 import ModelRegistrySettings from './ModelRegistrySettings';
+import ModelRegistriesPermissions from './ModelRegistriesPermissions';
 
 const ModelRegistrySettingsRoutes: React.FC = () => (
   <Routes>
     <Route path="/" element={<ModelRegistrySettings />} />
     <Route path="*" element={<Navigate to="/" />} />
+    <Route path="/permissions" element={<ModelRegistriesPermissions />} />
   </Routes>
 );
 

clients/ui/frontend/src/concepts/roleBinding/filterRoleBindingSubjects.tsx

@@ -0,0 +1,51 @@
+import { capitalize } from '@patternfly/react-core';
+import { ProjectKind, RoleBindingKind } from '~/k8sTypes';
+import { namespaceToProjectDisplayName } from '~/concepts/projects/utils';
+import { RoleBindingPermissionsRBType, RoleBindingPermissionsRoleType } from './types';
+
+export const filterRoleBindingSubjects = (
+  roleBindings: RoleBindingKind[],
+  type: RoleBindingPermissionsRBType,
+  isProjectSubject?: boolean,
+): RoleBindingKind[] =>
+  roleBindings.filter(
+    (roles) =>
+      roles.subjects[0]?.kind === type &&
+      (isProjectSubject
+        ? roles.metadata.labels?.['opendatahub.io/rb-project-subject'] === 'true'
+        : !(roles.metadata.labels?.['opendatahub.io/rb-project-subject'] === 'true')),
+  );
+
+export const castRoleBindingPermissionsRoleType = (
+  role: string,
+): RoleBindingPermissionsRoleType => {
+  if (role === RoleBindingPermissionsRoleType.ADMIN) {
+    return RoleBindingPermissionsRoleType.ADMIN;
+  }
+  if (role === RoleBindingPermissionsRoleType.EDIT) {
+    return RoleBindingPermissionsRoleType.EDIT;
+  }
+  return RoleBindingPermissionsRoleType.DEFAULT;
+};
+
+export const firstSubject = (
+  roleBinding: RoleBindingKind,
+  isProjectSubject?: boolean,
+  project?: ProjectKind[],
+): string =>
+  (isProjectSubject && project
+    ? namespaceToProjectDisplayName(
+        roleBinding.subjects[0]?.name.replace(/^system:serviceaccounts:/, ''),
+        project,
+      )
+    : roleBinding.subjects[0]?.name) || '';
+
+export const roleLabel = (value: RoleBindingPermissionsRoleType): string => {
+  if (value === RoleBindingPermissionsRoleType.EDIT) {
+    return 'Contributor';
+  }
+  return capitalize(value);
+};
+
+export const removePrefix = (roleBindings: RoleBindingKind[]): string[] =>
+  roleBindings.map((rb) => rb.subjects[0]?.name.replace(/^system:serviceaccounts:/, ''));