If it's possible to do authorization on kubeflow API

[emilyyujieli]

Background
After user login in kubeflow through Single-Sign-On, user can get his/her cookie from browser easily.
Then they can use this cookie sending request to multiple kubeflow api to get/create many kubeflow resources in each namespace even they don't got access to those namespace.
Example
[user A] is not contributor in kubeflow [namespace B]. Normally only namespace owner can add contributor through UI.
However [user A] can do those behaviors below to add himself as contributor in [namespace B]

1. login kubeflow through sso
2. Open browser inspect -> Click notebook in UI -> Find Name 'notebooks' in network -> Copy Cookie in request header
3. Use postman or other API testing tool call API
   url:https://kubeflow.domain/api/workgroup/add-contributors/namespace-B
   request.header: cookies: "*******"
   method: post
   body: {"contributor":"user A's email address"}
4. [user A] will be added in [namespace B] and he can visit notebook or even create other resources in [namespace B].
   Question
   If there is any way do authorization on kubeflow API to prevent [user A] using api to do any behavior in any other namespace unless [user A] is contributor of those namespaces)?

[juliusvonkohout]

Can you please join the next security working group meeting or reach out on slack?

[juliusvonkohout]

Is it maybe kubeflow/kubeflow#7032 ?

[juliusvonkohout]

/transfer dashboard

[juliusvonkohout]

Is this really still possible in Kubeflow 1.9.1? I know it was possible in 1.5 or so.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[juliusvonkohout]

/lifecycle frozen