Update to include limitations and integrations (kubeflow#1047)

numerology · Aug 8, 2019 · 0b03ae0 · 0b03ae0
1 parent beefae9
commit 0b03ae0
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/content/docs/other-guides/multi-user-overview.md b/content/docs/other-guides/multi-user-overview.md
@@ -196,6 +196,28 @@ with another user in the system.
 
 -->
 
+## Current Integration and Limitations
+
+The Jupyter notebooks service is the first application to be fully integrated with
+multi-user isolation. Access to the notebooks and the creation of notebooks is 
+controlled by the profile access policies set by the Administrator or the owners
+of the profiles. Resources created by the notebooks (eg. Training jobs and
+deployments) will also inherit the same access.
+
+Metadata and Pipelines or any other applications currently don't have full
+fledged integration with isolation, though they will have access to the user
+identity through the headers of the incoming requests. It's upto the individual
+applications to leverage the available identity and create isolation stories
+that make sense for them.
+
+On GCP, the authentication and identify token is generated by GCP IAM and carried
+through the requests as a JWT Token in header. Other cloud providers can have a
+similar header to provide identity information.
+
+For on-premise deployments, Kubeflow leverages Dex as a federated OpenID connection
+provider and can be integrated with LDAP or Active Directory to provide authentication
+and identity services.
+