Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upload pipeline from URL - PermissionDenied #54

Closed
Barteus opened this issue Feb 8, 2022 · 19 comments
Closed

Upload pipeline from URL - PermissionDenied #54

Barteus opened this issue Feb 8, 2022 · 19 comments
Labels
bug Something isn't working Kubeflow 1.7 This issue affects the Charmed Kubeflow 1.7 release

Comments

@Barteus
Copy link

Barteus commented Feb 8, 2022

When creating the pipeline using the UI - import by URL, there is an error message:

{"error":"Failed to authorize with API resource references: PermissionDenied: User 'admin' is not authorized with reason:  (request: \u0026ResourceAttributes{Namespace:,Verb:create,Group:,Version:,Resource:pipelines,Subresource:,Name:,}): Unauthorized access","code":7,"message":"Failed to authorize with API resource references: PermissionDenied: User 'admin' is not authorized with reason:  (request: \u0026ResourceAttributes{Namespace:,Verb:create,Group:,Version:,Resource:pipelines,Subresource:,Name:,}): Unauthorized access","details":[{"@type":"type.googleapis.com/api.Error","error_message":"User 'admin' is not authorized with reason:  (request: \u0026ResourceAttributes{Namespace:,Verb:create,Group:,Version:,Resource:pipelines,Subresource:,Name:,})","error_details":"Failed to authorize with API resource references: PermissionDenied: User 'admin' is not authorized with reason:  (request: \u0026ResourceAttributes{Namespace:,Verb:create,Group:,Version:,Resource:pipelines,Subresource:,Name:,}): Unauthorized access"}]}

image

Expected
The pipeline was successfully created.

Reproduce
Go to Pipelines in Kubeflow UI, fill in the name and description.
Import from URL - https://raw.githubusercontent.com/canonical/bundle-kubeflow/master/docs/examples/mnist.yaml
Press Create
@Barteus
Copy link
Author

Barteus commented Feb 8, 2022
edited
Loading

Creating a pipeline using the file (downloaded from the same link) works.

@VariableDeclared
Copy link
Contributor

VariableDeclared commented Feb 8, 2022
edited
Loading

I was unable to replicate this with the https://pastebin.canonical.com/p/wY7WwSBbGw/, maybe im missing something?

I had to remove description elements from the YAML, I was then able to upload the YAML, I was unable to use the YAML URL method due to issues with parsing YAML

image

@Barteus
Copy link
Author

Barteus commented Feb 8, 2022

Maybe the problem is with the link - I will try with different one

@VariableDeclared
Copy link
Contributor

thanks @Barteus I forgot to caveat that I am running this on microk8s. I will try again with AKS

@DomFleischmann
Copy link
Contributor

@Barteus did a different work? If not, is it possible this is related to AKS?

@DomFleischmann DomFleischmann added the question Further information is requested label Feb 9, 2022
@Barteus
Copy link
Author

Barteus commented Feb 9, 2022

@VariableDeclared did you have RBAC enabled in microk8s? I have it enabled in the AKS cluster.

@VariableDeclared
Copy link
Contributor

indeed, Microk8s has it disabled by default. Enabled it now, restarting

@VariableDeclared
Copy link
Contributor

okay, I am now able to replicate the issue after ensuring RBAC is enabled on Microk8s

@ca-scribner ca-scribner added bug Something isn't working and removed question Further information is requested labels Feb 17, 2022
@DnPlas
Copy link
Contributor

DnPlas commented Aug 10, 2022

I was able to reproduce this issue with our latest/edge versions. FYI, there is an upstream bug (kubeflow/pipelines#7196), and we'll follow up with upstream to see if this is fixed in Kubeflow 1.6.

@DnPlas DnPlas mentioned this issue Aug 11, 2022
Closed
@i-chvets
Copy link
Contributor

i-chvets commented Oct 5, 2022

Jira

@DnPlas DnPlas added the Kubeflow 1.7 This issue affects the Charmed Kubeflow 1.7 release label Feb 28, 2023
@NohaIhab
Copy link
Contributor

A similar error message came up in 1.7, when creating a pipeline from file

Experiment creation failed
{"error":"Failed to authorize the request: Failed to authorize with API resource references: PermissionDenied: User 'test' is not authorized with reason:  (request: \u0026ResourceAttributes{Namespace:test,Verb:create,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:experiments,Subresource:,Name:testexp,}): Unauthorized access","code":7,"message":"Failed to authorize the request: Failed to authorize with API resource references: PermissionDenied: User 'test' is not authorized with reason:  (request: \u0026ResourceAttributes{Namespace:test,Verb:create,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:experiments,Subresource:,Name:testexp,}): Unauthorized access","details":[{"@type":"type.googleapis.com/api.Error","error_message":"User 'test' is not authorized with reason:  (request: \u0026ResourceAttributes{Namespace:test,Verb:create,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:experiments,Subresource:,Name:testexp,})","error_details":"Failed to authorize the request: Failed to authorize with API resource references: PermissionDenied: User 'test' is not authorized with reason:  (request: \u0026ResourceAttributes{Namespace:test,Verb:create,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:experiments,Subresource:,Name:testexp,}): Unauthorized access"}]}

@ca-scribner
Copy link
Contributor

to clarify @NohaIhab's message, we see this in a pre-release version of 1.7 that we're currently testing.

@NohaIhab your issue may be related to this issue, but it might also be that we're failed to deploy some RBAC. Can you show what permissions test user has? I wonder if we've somehow lost the kfp roles that are bound to each user

@NohaIhab
Copy link
Contributor

NohaIhab commented Mar 1, 2023

@ca-scribner running kubectl get ClusterRole -n test | grep pipeline I got:

aggregate-to-kubeflow-pipelines-edit                                   2023-02-27T11:35:27Z
aggregate-to-kubeflow-pipelines-view                                   2023-02-27T11:35:27Z

when describing aggregate-to-kubeflow-pipelines-edit:

kubectl describe ClusterRole aggregate-to-kubeflow-pipelines-edit
Name:         aggregate-to-kubeflow-pipelines-edit
Labels:       app.juju.is/created-by=kubeflow-roles
              app.kubernetes.io/component=ml-pipeline
              app.kubernetes.io/name=kubeflow-pipelines
              application-crd-id=kubeflow-pipelines
              rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-edit=true
...

I think we've missed the kubeflow-pipelines-edit ClusterRole during upgrades of kubeflow-roles, same goes for kubeflow-pipelines-view

@NohaIhab
Copy link
Contributor

NohaIhab commented Mar 2, 2023

Concluding that the issue discussed above is not the same as this issue. Filed #156 and moving conversation there.

@NohaIhab NohaIhab removed the Kubeflow 1.7 This issue affects the Charmed Kubeflow 1.7 release label Mar 2, 2023
@DnPlas DnPlas added the Kubeflow 1.7 This issue affects the Charmed Kubeflow 1.7 release label Mar 7, 2023
@DnPlas
Copy link
Contributor

DnPlas commented Mar 7, 2023

Hi @Barteus, I checked the status of this issue in our latest version (1.7, soon to be released), and I could not reproduce. Please note I had to use a different Workflow, as the one you are linking in the description cannot be applied anymore due to pipelines being unable to recognize certain fields (maybe too old?).

I will update the issue once 1.7 is released, in the meantime, would you be able to provide another URL that we can use to ensure this error is not present anymore?

@Barteus
Copy link
Author

Barteus commented Mar 7, 2023

I have used this URL: https://raw.githubusercontent.com/canonical/bundle-kubeflow/master/docs/examples/mnist.yaml

@DnPlas DnPlas closed this as completed Mar 13, 2023
@DnPlas DnPlas reopened this Mar 13, 2023
@NohaIhab
Copy link
Contributor

Findings:

  • Namespace attribute is empty in the request: Namespace:,Verb:create,Group:,Version:,Resource:pipelines,Subresource:,Name:,, meanwhile it's correctly filled when creating pipeline from file.

  • upload from url works when adding to an existing pipeline i.e. Create a new pipeline version under an existing pipeline

@NohaIhab
Copy link
Contributor

I just testing with Charmed Kubeflow 1.8/stable and I no longer see this issue.
Using the mnist-workflow that @Barteus was using, the pipeline was created successfully from URL, but the run failed at the Load task step with:

URL fetch failure on https://github.com/canonical/bundle-kubeflow/raw/test-artifacts/tests/pipelines/artifacts/train-images-idx3-ubyte.gz: 404 -- Not Found

this is just due to changes done in the bundle-kubeflow repository so the link to the data is now broken. I'll file an issue in bundle-kubeflow repo to handle the mnist.yaml example.
Using the map-reduce workflow created the pipeline and I was able to create a successful run.

@NohaIhab
Copy link
Contributor

closing this as it was resolved in ckf 1.8 and we cannot fix it in 1.7 because it's due to an upstream bug

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working Kubeflow 1.7 This issue affects the Charmed Kubeflow 1.7 release
Projects
MLOps Solution Issues
Status: Done
Milestone
No milestone
Development

No branches or pull requests
7 participants
@VariableDeclared @DnPlas @DomFleischmann @Barteus @ca-scribner @NohaIhab @i-chvets