From a8925d526a635f0b9d907ec70e8a3a3e6db9a666 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Mon, 26 Jun 2023 20:08:02 -0700 Subject: [PATCH] Add docs on how to enable extra_admin_members --- docs/howto/features/buckets.md | 44 +++++++++++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/docs/howto/features/buckets.md b/docs/howto/features/buckets.md index 2342bb2f4d..dd8efa0617 100644 --- a/docs/howto/features/buckets.md +++ b/docs/howto/features/buckets.md 
@@ -80,4 +80,46 @@ on why users want this! You can also add other env vars pointing to other buckets users requested. 5. Get this change deployed, and users should now be able to use the buckets! - Currently running users might have to restart their pods for the change to take effect. \ No newline at end of file + Currently running users might have to restart their pods for the change to take effect. + + +## Allowing access to buckets from outside the JupyterHub + +### GCP + +Some hub users want to be able to write to the bucket from outside the hub, +primarily for large data transfer from on-premise systems. Since +[Google Groups](https://groups.google.com) can be used to control access to +GCS buckets, it can be used to allow arbitrary users to write to the bucket! + +1. With your `2i2c.org` google account, go to [Google Groups](https://groups.google.com) and create a new Google Group with the name + "-writers", where "" is the name of the bucket + we are going to grant write access to. + +2. Grant "Group Owner" access to the community champion requesting this feature. + They will be able to add / remove users from the group as necessary, and + thus manage access without needing to involve 2i2c engineers. + +3. In the `user_buckets` definition for the bucket in question, add the group + name as an `extra_admin_members`: + + ```terraform + user_buckets = { + "persistent": { + "delete_after": null, + "extra_admin_members": [ + "group:@googlegroups.com" + ] + } + } + ``` + + Apply this terraform change to create the appropriate permissions for members + of the group to have full read/write access to that GCS bucket. + +4. We want the community champions to handle granting / revoking access to + this google group, as well as produce community specific documentation on + how to actually upload data here. 
We currently do not have a template of + how end users can use this, but something can be stolen from the + [documentation for LEAP users](https://leap-stc.github.io/leap-pangeo/jupyterhub.html#i-have-a-dataset-and-want-to-work-with-it-on-the-hub-how-do-i-upload-it) +
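Review bot: the bucket-name placeholder appears to have been lost in step 1 and step 3 of the new "GCP" section: the text reads `"-writers"`, `where "" is the name of the bucket`, and the member entry is `"group:@googlegroups.com"`, so a reader cannot tell what goes before `-writers` or before `@googlegroups.com`. Restore an explicit placeholder, e.g. `"<bucket-name>-writers"` and `"group:<bucket-name>-writers@googlegroups.com"`, in both the prose and the terraform snippet. Also, the key being set is `extra_admin_members` while the explanation in step 3 says members get "full read/write access"; since step 2 hands Group Owner rights to the community champion, who can then add any Google account, the doc should state exactly what the admin role on the bucket permits beyond object read/write (bucket deletion, IAM changes, etc.) so the champion understands the scope of what they are delegating. Minor wording: "something can be stolen from" in step 4 would read better as "can be adapted from".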