Chapter 8. Deleting users and user resources

Users with administrator access to OpenShift Dedicated can revoke user access to Jupyter and delete user resources from Red Hat OpenShift Data Science.

Important

To completely remove a user from OpenShift Data Science, you must remove them from the allowed group in your OpenShift identity provider.

8.1. Backing up storage data from Amazon EBS

Red Hat recommends that you back up the data on your persistent volume claims (PVCs) regularly. Backing up your data is particularly important before deleting a user and before uninstalling OpenShift Data Science, as all PVCs are deleted when OpenShift Data Science is uninstalled.

Prerequisites

  • You have credentials for OpenShift Cluster Manager (https://console.redhat.com/openshift/).
  • You have administrator access to the OpenShift Dedicated cluster.
  • You have credentials for the Amazon Web Services (AWS) account that the OpenShift Dedicated cluster is deployed under.

Procedure

  1. Determine the IDs of the persistent volumes (PVs) that you want to back up.

    1. In the OpenShift Dedicated web console, change into the Administrator perspective.
    2. Click Home → Projects.
    3. Click the rhods-notebooks project.

      The Details page for the project opens.

    4. Click PersistentVolumeClaims in the Inventory section.

      The PersistentVolumeClaims page opens.

    5. Note the ID of the persistent volume (PV) that you want to back up.

      Note

      The persistent volume (PV) IDs that you note are required to identify the correct EBS volume to back up in your AWS instance.

  2. Locate the EBS volume containing the PVs that you want to back up.

    See Amazon Web Services documentation: Create Amazon EBS snapshots for more information.

    1. Log in to AWS (https://aws.amazon.com) and ensure that you are viewing the region that your OpenShift Dedicated cluster is deployed in.
    2. Click Services.
    3. Click Compute → EC2.
    4. Click Elastic Block Storage → Volumes in the side navigation.

      The Volumes page opens.

    5. In the search bar, enter the ID of the persistent volume (PV) that you made a note of earlier.

      The Volumes page reloads to display the search results.

    6. Click on the volume shown and verify that any kubernetes.io/created-for/pvc/namespace tags contain the value rhods-notebooks, and any kubernetes.io/created-for/pvc/name tags match the name of the persistent volume that the EC2 volume is being used for, for example, jupyter-nb-user1-pvc.
  3. Back up the EBS volume that contains your persistent volume (PV).

    1. Right-click on the volume that you want to back up and select Create Snapshot from the list.

      The Create Snapshot page opens.

    2. Enter a Description for the volume.
    3. Click Create Snapshot.

      The snapshot of the volume is created.

    4. Click Close.

Verification

  • The snapshot that you created is visible on the Snapshots page in AWS.
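
The tag check in step 2 of this procedure, written as a script over saved `aws ec2 describe-volumes --output json` output. This is an added example, not part of the Red Hat documentation: the function name, the sample IDs and the `pv/name` tag key in the constructed sample are assumptions, and unlike the console step it treats a missing tag as a mismatch.

```python
import json

NS_TAG = "kubernetes.io/created-for/pvc/namespace"
NAME_TAG = "kubernetes.io/created-for/pvc/name"

# Constructed sample shaped like `aws ec2 describe-volumes --output json`.
# Volume IDs, PV IDs and the pv/name tag key are illustrative values.
SAMPLE = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-0aaa", "State": "in-use", "Tags": [
    {"Key": "kubernetes.io/created-for/pv/name", "Value": "pvc-1111"},
    {"Key": "kubernetes.io/created-for/pvc/namespace", "Value": "rhods-notebooks"},
    {"Key": "kubernetes.io/created-for/pvc/name", "Value": "jupyter-nb-user1-pvc"}]},
  {"VolumeId": "vol-0bbb", "State": "in-use", "Tags": [
    {"Key": "kubernetes.io/created-for/pv/name", "Value": "pvc-2222"},
    {"Key": "kubernetes.io/created-for/pvc/namespace", "Value": "team-sandbox"},
    {"Key": "kubernetes.io/created-for/pvc/name", "Value": "jupyter-nb-user1-pvc"}]},
  {"VolumeId": "vol-0ccc", "State": "available"}
]}
""")

def volume_for_pv(describe_volumes, pv_id, pvc_name, namespace="rhods-notebooks"):
    """Return the one VolumeId tagged with pv_id, after checking its PVC tags."""
    hits = []
    for vol in describe_volumes.get("Volumes", []):
        # Untagged volumes have no "Tags" key at all.
        tags = {t["Key"]: t["Value"] for t in vol.get("Tags") or []}
        if pv_id in tags.values():  # same effect as the console search by PV ID
            hits.append((vol["VolumeId"], tags))
    if len(hits) != 1:
        raise LookupError(f"expected 1 volume for {pv_id}, found {len(hits)}")
    vol_id, tags = hits[0]
    # A PVC name alone is not unique: the same name can exist in another project.
    for key, want in ((NS_TAG, namespace), (NAME_TAG, pvc_name)):
        if tags.get(key) != want:
            raise ValueError(f"{vol_id}: tag {key}={tags.get(key)!r}, expected {want!r}")
    return vol_id

if __name__ == "__main__":
    print(volume_for_pv(SAMPLE, "pvc-1111", "jupyter-nb-user1-pvc"))
```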

8.2. Backing up storage data from Google Persistent Disk

Red Hat recommends that you back up the data on your persistent volume claims (PVCs) regularly. Backing up your data is particularly important before deleting a user and before uninstalling OpenShift Data Science, as all PVCs are deleted when OpenShift Data Science is uninstalled.

Prerequisites

  • You have credentials for OpenShift Cluster Manager (https://console.redhat.com/openshift/).
  • You have administrator access to the OpenShift Dedicated cluster.
  • You have credentials for the Google Cloud Platform (GCP) account that the OpenShift Dedicated cluster is deployed under.

Procedure

  1. Determine the IDs of the persistent volumes (PVs) that you want to back up.

    1. In the OpenShift Dedicated web console, change into the Administrator perspective.
    2. Click Home → Projects.
    3. Click the rhods-notebooks project.

      The Details page for the project opens.

    4. Click PersistentVolumeClaims in the Inventory section.

      The PersistentVolumeClaims page opens.

    5. Note the ID of the persistent volume (PV) that you want to back up.

      The persistent volume (PV) IDs are required to identify the correct persistent disk to back up in your GCP instance.

  2. Locate the persistent disk containing the PVs that you want to back up.

    1. Log in to the Google Cloud console (https://console.cloud.google.com) and ensure that you are viewing the region that your OpenShift Dedicated cluster is deployed in.
    2. Click the navigation menu (≡) and then click Compute Engine.
    3. From the side navigation, under Storage, click Disks.

      The Disks page opens.

    4. In the Filter query box, enter the ID of the persistent volume (PV) that you made a note of earlier.

      The Disks page reloads to display the search results.

    5. Click on the disk shown and verify that any kubernetes.io/created-for/pvc/namespace tags contain the value rhods-notebooks, and any kubernetes.io/created-for/pvc/name tags match the name of the persistent volume that the persistent disk is being used for, for example, jupyterhub-nb-user1-pvc.
  3. Back up the persistent disk that contains your persistent volume (PV).

    1. Select CREATE SNAPSHOT from the top navigation.

      The Create a snapshot page opens.

    2. Enter a unique Name for the snapshot.
    3. Under Source disk, verify the persistent disk you want to back up is displayed.
    4. Change any optional settings as needed.
    5. Click CREATE.

      The snapshot of the persistent disk is created.

Verification

  • The snapshot that you created is visible on the Snapshots page in GCP.

8.3. Stopping notebook servers owned by other users

Administrators can stop notebook servers that are owned by other users to reduce resource consumption on the cluster, or as part of removing a user and their resources from the cluster.

Prerequisites

  • You are part of the OpenShift Dedicated administrator group. See Adding administrative users for OpenShift Dedicated for more information.
  • You have opened the Notebook server control panel.
  • The notebook server that you want to stop is running (started).

Procedure

  1. In the Notebook server control panel, click the Administration tab.
  2. Stop one or more servers.

    • If you want to stop one or more specific servers:

      1. In the Users section, locate the user that the notebook server belongs to.
      2. Click Stop server beside the relevant user.

        The Stop server dialog box appears.

      3. Click Stop server.
    • If you want to stop all servers:

      1. Click the Stop all servers button.
      2. Click OK to confirm stopping all servers.

Verification

  • The Stop server link beside each server changes to a Start server link when the notebook server has stopped.

8.4. Revoking user access to Jupyter

You can revoke a user’s access to Jupyter to prevent them from running notebook servers and consuming resources in your cluster through Jupyter, while still allowing them access to OpenShift Data Science and other services that use OpenShift’s identity provider for authentication.

Important

Follow these steps only if you have restricted access to OpenShift Data Science using specialized user groups. To completely remove a user from OpenShift Data Science, you must remove them from the allowed group in your OpenShift identity provider.

Prerequisites

  • You have stopped any notebook servers owned by the user you want to delete.
  • You are part of the dedicated-admins user group in OpenShift Dedicated.
  • If you are using specialized OpenShift Data Science user groups, the user is part of the OpenShift Data Science user group, administrator group, or both.

Procedure

  1. In the OpenShift Dedicated web console, click User Management → Groups.
  2. Click the name of the group that you want to remove the user from.

    • For administrative users, click the name of your administrator group, for example, rhods-admins.
    • For normal users, click the name of your user group, for example, rhods-users.

    The Group details page for the group appears.

  3. In the Users section on the Details tab, locate the user that you want to remove.
  4. Click the action menu (⋮) beside the user that you want to remove and click Remove user.

Verification

  • Check the Users section on the Details tab and confirm that the user that you removed is not visible.
  • In the rhods-notebooks project, check under Workloads → Pods and ensure that there is no notebook server pod for this user. If you can see a pod named jupyter-nb-<username>-* for the user that you have removed, delete that pod to ensure that the deleted user is not consuming resources on the cluster.

8.5. Cleaning up after deleting users

After removing a user’s access to Red Hat OpenShift Data Science or Jupyter, you must also delete their associated configuration files from OpenShift Dedicated. It is recommended that you back up the user’s data and profile before removing their configuration files.

Prerequisites

  • (Optional) If you want to completely remove the user’s access to OpenShift Data Science, you have removed their credentials from your identity provider.
  • You have revoked the user’s access to Jupyter.
  • You have backed up the user’s storage data from Amazon EBS or Google Persistent Disk.
  • You are part of the dedicated-admins user group in OpenShift Dedicated.
  • You are part of the rhods-admins user group in OpenShift Dedicated.
  • You have logged in to the OpenShift Dedicated web console.
  • You have logged in to OpenShift Data Science.

Procedure

  1. Back up the user’s single-user profile.

    1. Click Workloads → ConfigMaps in the OpenShift Dedicated web console.
    2. If it is not already selected, select the redhat-ods-applications project from the project list.
    3. Click the jupyterhub-singleuser-profile-<username> ConfigMap.

      Replace <username> with the relevant user name.

    4. In the Data section, click the Copy button to copy the user’s data profile to the clipboard.
    5. Save the contents of the user’s data profile to a file.
    6. Confirm that the file contents are an accurate backup of the user’s data profile.
  2. Delete the user’s persistent volume claim (PVC).

    1. Click Storage → PersistentVolumeClaims.
    2. If it is not already selected, select the redhat-ods-applications project from the project list.
    3. Locate the jupyter-nb-<username> PVC.

      Replace <username> with the relevant user name.

    4. Click the action menu (⋮) and select Delete PersistentVolumeClaim from the list.

      The Delete PersistentVolumeClaim dialog appears.

    5. Inspect the dialog and confirm that you are deleting the correct PVC.
    6. Click Delete.
  3. Delete the user’s ConfigMap.

    1. Click Workloads → ConfigMaps.
    2. If it is not already selected, select the redhat-ods-applications project from the project list.
    3. Locate the jupyterhub-singleuser-profile-<username> ConfigMap.

      Replace <username> with the relevant user name.

    4. Click the action menu (⋮) and select Delete ConfigMap from the list.

      The Delete ConfigMap dialog appears.

    5. Inspect the dialog and confirm that you are deleting the correct ConfigMap.
    6. Click Delete.

Verification

  • The user cannot access Jupyter any more, and sees a 403 Forbidden error if they try. Note that the user’s name remains visible in the Jupyter administration interface because of a bug in the user deletion process. This is planned for correction in future releases.
  • The user’s single-user profile, persistent volume claim (PVC), and ConfigMap are not visible in OpenShift Dedicated.
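
The verification steps of sections 8.4 and 8.5 can be run as one check over exported cluster objects. The following is an added example, not part of the Red Hat documentation: it assumes the user name appears verbatim in resource names, accepts the `-pvc` suffix shown in section 8.1, and uses a constructed sample in place of real `oc get ... -o json` output.

```python
import json
import re

# Constructed sample: "items" from `oc get pods,pvc,configmaps -A -o json`
# and `oc get groups -o json`, trimmed to the fields the check reads.
SAMPLE = json.loads("""
[
 {"kind": "Group", "metadata": {"name": "rhods-users"}, "users": ["user1", "user2"]},
 {"kind": "Group", "metadata": {"name": "rhods-admins"}, "users": ["admin1"]},
 {"kind": "Pod", "metadata": {"name": "jupyter-nb-user1-0", "namespace": "rhods-notebooks"}},
 {"kind": "Pod", "metadata": {"name": "jupyter-nb-user10-0", "namespace": "rhods-notebooks"}},
 {"kind": "PersistentVolumeClaim",
  "metadata": {"name": "jupyter-nb-user1-pvc", "namespace": "rhods-notebooks"}},
 {"kind": "ConfigMap", "metadata": {"name": "jupyterhub-singleuser-profile-user1",
                                    "namespace": "redhat-ods-applications"}},
 {"kind": "ConfigMap", "metadata": {"name": "jupyterhub-singleuser-profile-user2",
                                    "namespace": "redhat-ods-applications"}}
]
""")

def find_user_residue(items, username, groups=("rhods-admins", "rhods-users")):
    """Return sorted (kind, namespace, name) tuples that still reference username."""
    u = re.escape(username)
    # Name patterns from the procedure. The "-" after the user name in the
    # pod pattern keeps "user1" from matching "user10".
    patterns = {
        "Pod": re.compile(rf"jupyter-nb-{u}-.+"),
        "PersistentVolumeClaim": re.compile(rf"jupyter-nb-{u}(-pvc)?"),
        "ConfigMap": re.compile(rf"jupyterhub-singleuser-profile-{u}"),
    }
    found = []
    for item in items:
        kind = item.get("kind", "")
        meta = item.get("metadata", {})
        name, ns = meta.get("name", ""), meta.get("namespace", "")
        if kind == "Group":
            # Groups are cluster-scoped; an empty group can carry "users": null.
            if name in groups and username in (item.get("users") or []):
                found.append((kind, ns, name))
        elif kind in patterns and patterns[kind].fullmatch(name):
            found.append((kind, ns, name))
    return sorted(found)

if __name__ == "__main__":
    for kind, ns, name in find_user_residue(SAMPLE, "user1"):
        print(f"LEFTOVER {kind:<22} {ns or '-':<24} {name}")
```

An empty result means none of the listed groups, pods, PVCs or ConfigMaps still reference the user; any row is an item the procedure above has not yet removed.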