feat: allow auth overrides in debug menu

andyatmiami · claude · andyatmiami · commit a288dc1d0f05 · 2026-05-21T10:46:31.000-04:00
Backend auth is enabled by default in the Tilt dev environment
(DISABLE_AUTH=false). Contributors need a way to set the kubeflow-userid
and kubeflow-groups request headers from the frontend UI, and the dev
cluster needs RBAC and access logging infrastructure to support
end-to-end auth testing.

Frontend (debug auth menu):
- Add devAuth.ts utility with localStorage helpers and Axios interceptor
- Add DebugAuthSection component with User/Groups form fields
- Replace Debug page placeholder with the new auth section
- Register interceptor on all API instances in notebookApisImpl
- Add unit tests for all devAuth utility functions (12 tests)

Dev infrastructure (developing/):
- Add RBAC manifests for two dev users: "admin" (cluster-wide via
  kubeflow-workspaces-admin + supplement) and "user" (namespace-scoped
  in default via kubeflow-workspaces-edit + supplement), using the
  controller-defined ClusterRoles for realistic Kubeflow RBAC behavior
- Add Istio access logging with structured JSON output including
  kubeflow-userid and kubeflow-groups headers, using MeshConfig
  extension provider and Telemetry API
- Extract istioctl install flags into IstioOperator values file
  (developing/manifests/istio-install-values.yaml)
- Move kind.yaml from scripts/ to manifests/ alongside other config
- Update Tiltfile with dev-rbac and istio-gateway-logging resources
- Document RBAC users and access logging in DEVELOPMENT_GUIDE.md

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
Signed-off-by: Andy Stoneberg &lt;astonebe@redhat.com&gt;
diff --git a/DEVELOPMENT_GUIDE.md b/DEVELOPMENT_GUIDE.md
@@ -144,6 +144,40 @@ Access the components through the Istio ingress gateway:
 
 You can now make changes to the codebase, and Tilt will automatically rebuild and redeploy the affected components.
 
+### Tilt - Authentication & RBAC
+
+Tilt deploys RBAC bindings for two dev users from [`developing/manifests/rbac/`](developing/manifests/rbac/).
+The backend authenticates requests via `kubeflow-userid` and `kubeflow-groups` headers, then authorizes each API call with a Kubernetes [SubjectAccessReview](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access).
+
+| User | Scope | Description |
+|------|-------|-------------|
+| `admin` | Cluster-wide | Bound to `kubeflow-workspaces-admin` (workspaces) plus a supplement for WorkspaceKinds, PVCs, secrets, and namespaces. Full access to all resources. |
+| `user` | `default` namespace | Bound to `kubeflow-workspaces-edit` in `default` plus a supplement for PVCs and secrets. Cannot manage WorkspaceKinds or access other namespaces. |
+
+These bindings use the same `kubeflow-workspaces-*` ClusterRoles that are defined by the [controller manifests](workspaces/controller/manifests/kustomize/base/manager/user_cluster_roles.yaml), so they reflect realistic Kubeflow RBAC behavior.
+
+> [!TIP]
+>
+> You can switch between users from the **Debug** page in the frontend UI.
+> The default user is `admin`. Switch to `user` to test non-admin behavior (e.g., namespace-scoped permissions, 403 responses on admin-only pages).
+
+### Tilt - Access Logging
+
+Istio access logging is enabled on the ingress gateway, producing structured JSON logs that include authentication headers.
+This is useful for verifying that `kubeflow-userid` and `kubeflow-groups` headers flow correctly from the frontend through Istio to the backend.
+
+To tail the access logs:
+
+```bash
+kubectl logs -n istio-system -l app=istio-ingressgateway -f
+```
+
+Example log entry:
+
+```json
+{"duration":105,"kubeflow_groups":null,"kubeflow_userid":"admin","method":"GET","path":"/workspaces/api/v1/workspaces/default","response_code":200,"timestamp":"2026-05-21T14:12:11.965Z","upstream":"10.244.1.9:4000"}
+```
+
 ### Tilt - Clean Up
 
 When you are done developing with Tilt, you can stop it and clean up the resources.
diff --git a/developing/Tiltfile b/developing/Tiltfile
@@ -62,6 +62,37 @@ k8s_resource(
 )
 
 
+# ============================================================================
+# Dev RBAC
+# ============================================================================
+# Create RBAC bindings for dev users (admin, user).
+# Uses the kubeflow-workspaces-* ClusterRoles from controller manifests,
+# plus dev-only supplements for resources the backend also checks (PVCs, secrets, etc).
+
+rbac_path = os.path.join(tilt_root, "manifests/rbac")
+k8s_yaml(
+    kustomize(rbac_path, kustomize_bin=kustomize_bin),
+    allow_duplicates=True,
+)
+
+k8s_resource(
+    objects=[
+        "dev-admin-workspaces:clusterrolebinding",
+        "dev-admin-supplement:clusterrole",
+        "dev-admin-supplement:clusterrolebinding",
+        "dev-user-workspaces:rolebinding",
+        "dev-user-global-read:clusterrole",
+        "dev-user-global-read:clusterrolebinding",
+        "dev-user-resources:role",
+        "dev-user-resources:rolebinding",
+    ],
+    new_name="dev-rbac",
+    resource_deps=["workspaces-controller"],
+    pod_readiness="ignore",
+    labels=["rbac"],
+)
+
+
 # ============================================================================
 # Backend
 # ============================================================================
@@ -94,7 +125,7 @@ for o in backend_objects:
             "SWAGGER_SCHEME": "https",
             "SWAGGER_HOST": "localhost:8443",
             "SWAGGER_BASE_PATH": "/workspaces/api/v1",
-            "DISABLE_AUTH": "true",
+            "DISABLE_AUTH": "false",
         }
 
         # Replace existing keys and add missing ones
@@ -262,6 +293,7 @@ k8s_resource(
         "selfsigned-issuer:clusterissuer",
         "gateway-tls:certificate",
         "kubeflow-gateway:gateway",
+        "gateway-access-logging:telemetry",
     ],
     new_name="istio-gateway",
     pod_readiness="ignore",
diff --git a/developing/manifests/istio-gateway/kustomization.yaml b/developing/manifests/istio-gateway/kustomization.yaml
@@ -4,4 +4,5 @@ kind: Kustomization
 resources:
 - namespace.yaml
 - gateway-cert.yaml
-- gateway.yaml
+- gateway.yaml
+- telemetry.yaml
diff --git a/developing/manifests/istio-gateway/telemetry.yaml b/developing/manifests/istio-gateway/telemetry.yaml
@@ -0,0 +1,12 @@
+apiVersion: telemetry.istio.io/v1
+kind: Telemetry
+metadata:
+  name: gateway-access-logging
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+  accessLogging:
+    - providers:
+        - name: dev-access-log
diff --git a/developing/manifests/istio-install-values.yaml b/developing/manifests/istio-install-values.yaml
@@ -0,0 +1,22 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  profile: default
+  components:
+    cni:
+      enabled: true
+  meshConfig:
+    extensionProviders:
+      - name: dev-access-log
+        envoyFileAccessLog:
+          path: /dev/stdout
+          logFormat:
+            labels:
+              timestamp: "%START_TIME%"
+              method: "%REQ(:METHOD)%"
+              path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
+              response_code: "%RESPONSE_CODE%"
+              kubeflow_userid: "%REQ(KUBEFLOW-USERID)%"
+              kubeflow_groups: "%REQ(KUBEFLOW-GROUPS)%"
+              upstream: "%UPSTREAM_HOST%"
+              duration: "%DURATION%"
diff --git a/developing/manifests/kind.yaml b/developing/manifests/kind.yaml
diff --git a/developing/manifests/rbac/admin.yaml b/developing/manifests/rbac/admin.yaml
@@ -0,0 +1,47 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dev-admin-workspaces
+subjects:
+  - kind: User
+    name: admin
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: kubeflow-workspaces-admin
+  apiGroup: rbac.authorization.k8s.io
+---
+# Dev supplement: resources the backend checks via SubjectAccessReview
+# that kubeflow-workspaces-admin doesn't cover.
+# Note: storageclasses "list" is omitted because the frontend always passes a
+# namespace query param, which triggers a "create PVCs" check instead.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dev-admin-supplement
+rules:
+  - apiGroups: [""]
+    resources: [namespaces]
+    verbs: [list]
+  - apiGroups: [""]
+    resources: [persistentvolumeclaims]
+    verbs: [create, delete, get, list]
+  - apiGroups: [""]
+    resources: [secrets]
+    verbs: [create, delete, get, list, update]
+  - apiGroups: [kubeflow.org]
+    resources: [workspacekinds]
+    verbs: [create, delete, get, list, update]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dev-admin-supplement
+subjects:
+  - kind: User
+    name: admin
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: dev-admin-supplement
+  apiGroup: rbac.authorization.k8s.io
diff --git a/developing/manifests/rbac/kustomization.yaml b/developing/manifests/rbac/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - admin.yaml
+  - user.yaml
diff --git a/developing/manifests/rbac/user.yaml b/developing/manifests/rbac/user.yaml
@@ -0,0 +1,67 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dev-user-workspaces
+  namespace: default
+subjects:
+  - kind: User
+    name: user
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: kubeflow-workspaces-edit
+  apiGroup: rbac.authorization.k8s.io
+---
+# Dev supplement: cluster-scoped namespace listing for the namespace selector.
+# Other cluster-wide permissions (workspacekinds, storageclasses) are NOT needed
+# because the frontend passes namespace context to those endpoints, which triggers
+# namespace-scoped checks (e.g., "create PVCs" instead of "list storageclasses").
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dev-user-global-read
+rules:
+  - apiGroups: [""]
+    resources: [namespaces]
+    verbs: [list]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dev-user-global-read
+subjects:
+  - kind: User
+    name: user
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: dev-user-global-read
+  apiGroup: rbac.authorization.k8s.io
+---
+# Dev supplement: PVC and secret management in default namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dev-user-resources
+  namespace: default
+rules:
+  - apiGroups: [""]
+    resources: [persistentvolumeclaims]
+    verbs: [create, delete, get, list]
+  - apiGroups: [""]
+    resources: [secrets]
+    verbs: [create, delete, get, list, update]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dev-user-resources
+  namespace: default
+subjects:
+  - kind: User
+    name: user
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: dev-user-resources
+  apiGroup: rbac.authorization.k8s.io
diff --git a/developing/scripts/setup-istio.sh b/developing/scripts/setup-istio.sh
@@ -26,7 +26,9 @@ if "${ISTIOCTL}" verify-install >/dev/null 2>&1; then
   echo "Istio is already installed"
 else
   echo "Installing Istio with default profile and CNI plugin..."
-  "${ISTIOCTL}" install --set profile=default --set components.cni.enabled=true -y
+  "${ISTIOCTL}" install \
+    -f "${DEVELOPING_DIR}/manifests/istio-install-values.yaml" \
+    -y
 fi
 
 echo "Waiting for Istio control plane to be ready..."
diff --git a/developing/scripts/setup-kind.sh b/developing/scripts/setup-kind.sh
@@ -6,7 +6,8 @@ set -euo pipefail
 
 CLUSTER_NAME="tilt"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-KIND_CONFIG="${SCRIPT_DIR}/kind.yaml"
+DEVELOPING_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
+KIND_CONFIG="${DEVELOPING_DIR}/manifests/kind.yaml"
 
 # Check if kind command exists
 if ! command -v kind >/dev/null 2>&1; then
diff --git a/workspaces/frontend/src/app/pages/Debug/Debug.tsx b/workspaces/frontend/src/app/pages/Debug/Debug.tsx
@@ -1,30 +1,17 @@
 import React from 'react';
-import { CubesIcon } from '@patternfly/react-icons/dist/esm/icons/cubes-icon';
-import { Button } from '@patternfly/react-core/dist/esm/components/Button';
-import {
-  EmptyState,
-  EmptyStateBody,
-  EmptyStateVariant,
-  EmptyStateFooter,
-} from '@patternfly/react-core/dist/esm/components/EmptyState';
 import { PageSection } from '@patternfly/react-core/dist/esm/components/Page';
+import { Title } from '@patternfly/react-core/dist/esm/components/Title';
+import { DebugAuthSection } from './DebugAuthSection';
 
 const Debug: React.FunctionComponent = () => (
-  <PageSection>
-    <EmptyState
-      variant={EmptyStateVariant.full}
-      titleText="Debug page (for development only)"
-      icon={CubesIcon}
-    >
-      <EmptyStateBody>
-        This represents an the empty state pattern in Patternfly 6. Hopefully it&apos;s simple
-        enough to use but flexible enough to meet a variety of needs.
-      </EmptyStateBody>
-      <EmptyStateFooter>
-        <Button variant="primary">Primary Action</Button>
-      </EmptyStateFooter>
-    </EmptyState>
-  </PageSection>
+  <>
+    <PageSection data-testid="debug-page">
+      <Title headingLevel="h1">Debug Settings</Title>
+    </PageSection>
+    <PageSection>
+      <DebugAuthSection />
+    </PageSection>
+  </>
 );
 
 export { Debug };
diff --git a/workspaces/frontend/src/app/pages/Debug/DebugAuthSection.tsx b/workspaces/frontend/src/app/pages/Debug/DebugAuthSection.tsx
diff --git a/workspaces/frontend/src/shared/api/notebookApi.ts b/workspaces/frontend/src/shared/api/notebookApi.ts
diff --git a/workspaces/frontend/src/shared/utilities/__tests__/devAuth.spec.ts b/workspaces/frontend/src/shared/utilities/__tests__/devAuth.spec.ts
diff --git a/workspaces/frontend/src/shared/utilities/devAuth.ts b/workspaces/frontend/src/shared/utilities/devAuth.ts
