in lambdas/kf_profile_manager/index.py [0:0]
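def lambda_handler(event, context):
    """Sync one user's Kubeflow profile and per-namespace bindings from a trigger event.

    Reads the group claim (the attribute named by ``cognito_group_field``) and
    the e-mail from ``event['request']['userAttributes']``, makes sure the user
    has a profile, creates a namespace profile for every group that has none,
    then walks all namespaces: bindings are applied where the namespace name
    is one of the user's groups and removed in every other namespace.

    Args:
        event: Trigger payload; must carry ``userName`` and
            ``request.userAttributes`` with ``email`` and the group attribute.
        context: Lambda context object (not used here).

    Returns:
        The ``event`` object, unchanged.

    Raises:
        KeyError: If one of the required keys is missing from ``event``.
    """
    # NOTE(review): the whole event is logged at INFO, including everything in
    # userAttributes (at least the e-mail and group claim read below) --
    # confirm that log access and retention are acceptable for that data.
    logger.info("event = " + json.dumps(event))

    user_attributes = event['request']['userAttributes']

    # The claim is handled as a string that looks like "[a, b]": brackets are
    # dropped, entries are split on ", " and lower-cased. Blank entries are
    # discarded so that an empty claim ("[]" or "") does not turn into a
    # request for a namespace with an empty name.
    raw_groups = user_attributes[cognito_group_field]
    groups = [
        part.strip().lower()
        for part in raw_groups.replace("[", "").replace("]", "").split(", ")
        if part.strip()
    ]
    logger.info("groups = " + json.dumps(groups))

    # A user name containing a backslash keeps the segment after the first one;
    # a plain user name is used as is.
    name_parts = event['userName'].split("\\")
    user_name = name_parts[0] if len(name_parts) == 1 else name_parts[1]
    user_email = user_attributes['email']

    namespaces = get_ns()

    # create the user's profile due to restriction in kubeflow
    api = client.CustomObjectsApi(api_client)
    if not profile_exists(user_email, api):
        logger.info(f"creating profile: {user_email}")
        create_profile(user_name, user_email, api)
        # NOTE(review): this poll has no upper bound; if the profile never
        # shows up, the handler only ends when the runtime stops it.
        # Consider a deadline with an explicit error.
        while not profile_exists(user_email, api):
            time.sleep(2)

    # create the missing namespaces with admin owner
    # NOTE(review): group names come straight from the identity claim and are
    # used as namespace names without validation. get_ns() is not visible
    # here -- if it also returns system namespaces, a claim that names one of
    # them would receive the bindings applied below; confirm that an
    # allow-list or naming prefix restricts which groups are honoured.
    for group in groups:
        if group not in namespaces:
            logger.info(f"creating profile: {group}")
            create_profile_ns("admin@kubeflow.com", group, api)
        else:
            logger.info("Profile: " + group + " already exists")

    # refresh namespaces so the ones created above are included
    namespaces = get_ns()
    for namespace in namespaces:
        logger.info(f"Namespace: {namespace}")
        if namespace in groups:
            # The namespace name doubles as the group name.
            logger.info(
                f"ENSURE rolebinding for user={user_name} nsgroup={namespace} user_email={user_email} namespace={namespace}")
            apply_rolebinding(user_name=user_name, user_email=user_email, group=namespace)
            logger.info(
                f"ENSURE servicerolebinding for user={user_name} group={namespace} user_email={user_email} namespace={namespace}")
            apply_servicerolebinding(user_name=user_name, user_email=user_email, group=namespace)
        else:
            # Revocation is attempted in every namespace that is not in the
            # claim; presumably the helpers tolerate a missing binding --
            # verify against their definitions.
            logger.info(f"REVOKE rolebinding user={user_name} in NAMESPACE={namespace}")
            remove_rolebinding(user_name=user_name, namespace=namespace)
            logger.info(f"REVOKE servicerolebinding user={user_name} in NAMESPACE={namespace}")
            remove_servicerolebinding(user_name=user_name, namespace=namespace)

    return event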