[DOC] - Review and document conda-store implementation

[kcpevey]

Preliminary Checks

• This issue is not a question, feature request, RFC, or anything other than a bug report. Please post those things in GitHub Discussions: https://github.com/nebari-dev/nebari/discussions

Summary

The Nebari documentation does not have sufficient information about how conda-store is implemented. There is some confusion about how it functions within Nebari as this is slightly different than the standalone version of conda-store.

Some things to review

• conda-store namespaces - The Nebari concept of namespaces translates into shared conda-store namespaces, but Nebari also abuses namespaces to make "users" (conda-store has no concept of a user)
• permissions on nebari vs permissions on conda-store.
  • A nebari user in the admin group has read/write permission to all nebari namespaces they belong to
  • non-admin nebari users only have read access to shared nebari namespaces
  • the keycloak conda-store groups do not appear to be populating properly
  • we need to understand how the RBAC from conda-store maps to available keycloak roles
• conda-store logout does not work. This appears to be a nebari-specific related to the way nebari is handling the conda-store authentication.

Steps to Resolve this Issue

Review the current implementation and document so that Nebari users have a better understanding of how the tools work together.

Also note that a more broad look at permissions is also happening so it would be best to coordinate those efforts.

[dcmcand]

@kcpevey for clarification

conda-store namespaces - The Nebari concept of namespaces translates into shared conda-store namespaces, but Nebari also abuses namespaces to make "users" (conda-store has no concept of a user)

What do we need here specifically? Docs around conda-store namespaces and how they relate to Nebari users?

permissions on nebari vs permissions on conda-store.
A nebari user in the admin group has read/write permission to all nebari namespaces they belong to
non-admin nebari users only have read access to shared nebari namespaces
nebari-dev/nebari#2716
we need to understand how the RBAC from conda-store maps to available keycloak roles

Is the idea here to create follow on tickets for each of these once the issue is better understood?

[kcpevey]

Docs around conda-store namespaces and how they relate to Nebari users?

Yes, I think that is a good start. Effectively, nebari devs and conda-store devs are using similar/overlapping terms with different meanings. Its like speaking in different languages and its creating an issue with cross-collaboration. I'd like to ensure that Nebari docs include basic information about the underlying mechanisms/terms/concepts of conda-store and how they apply to Nebari.

Is the idea here to create follow on tickets for each of these once the issue is better understood?

The ask here is to first gain an understanding of what is currently in place. Then document all of that knowledge. Initial summary can rough (i.e. if you want to do a brain dump here and then have me open a formal docs PR that's fine).