Fetch correct cluster admin list for the notebook controller admin panel

[DaoDaoNoCode]

JIRA: https://issues.redhat.com/browse/RHOAIENG-16434

Description

Use ResourceAccessReview API as described here to fetch the cluster admin users and groups instead of arbitrarily push cluster-admins group to the list and fetch it. This could also avoid the error mentioned in the JIRA where we are fetching a non-exist user group.

How Has This Been Tested?

1. Create some user groups
2. Bind them to the cluster-admin role
3. Add some users to those groups separately
4. Go to the Jupyter notebook controller admin panel, make sure those users are there and shown as Admin

Test Impact

N/A

Request review criteria:

Self checklist (all need to be checked):

• The developer has manually tested the changes and verified that the changes work
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has added tests or explained why testing cannot be added (unit or cypress tests for related changes)

If you have UI changes:

• Included any necessary screenshots or gifs if it was a UI change.
• Included tags to the UX team if it was a UI/UX change.

After the PR is posted & before it merges:

• The developer has tested their solution on a cluster by using the image produced by the PR to main

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.55%. Comparing base (4b8c2bf) to head (2386efb).
Report is 11 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3538      +/-   ##
==========================================
- Coverage   85.55%   85.55%   -0.01%     
==========================================
  Files        1372     1372              
  Lines       31211    31211              
  Branches     8741     8741              
==========================================
- Hits        26704    26703       -1     
- Misses       4507     4508       +1     

see 1 file with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 966c055...2386efb. Read the comment docs.

[Gkrumbach07]

I am not sure if this is a concern but

before a admin user would see this from /status/{namespace}/allowedusers. I am logged in as adminuser1 that does not have cluster admin privileges but has odh admin privileges

[
    {
        "username": "adminuser1",
        "privilege": "Admin",
        "lastActivity": null
    },

]

but now they can see every user that has cluster admin role on the cluster. for example clusteradminuser1 is a cluster admin but is not part of the groups for cluster-admin or odh-admin

[
    {
        "username": "clusteradminuser1",
        "privilege": "Admin",
        "lastActivity": null
    },
    {
        "username": "adminuser1",
        "privilege": "Admin",
        "lastActivity": null
    }
]

@andrewballantyne I remember you saying this is something we want to avoid, or maybe I am misremembering it.

[DaoDaoNoCode]

IMO any users or groups that are bound with the cluster-admin role should have the same access. If we allowed users in the cluster-admins group to be viewed as Admin here, then the users who bind to the same role should have the same behavior.

[andrewballantyne]

@Gkrumbach07 @DaoDaoNoCode it's interesting -- without a notebook, it's hard to say who is and who isn't going to be using the Dashboard's Jupyter Tile.

The whole feature is kinda problematic... I think we want to make sure anyone who has a notebook is reflected clearly as either an admin or a user -- after that it's a bit uncharted. Cluster-admins can be IT or SRE and not at all users of the app. It seems that would be undesirable.

I feel since the Jira didn't specifically say I want to see cluster-admins, and is just more concerned with admins being called users... is there anyway we can not show all cluster admins, and just the cluster admins that have had a notebook (aka last activity)?

[DaoDaoNoCode]

@andrewballantyne I believe so. I will double check and update the PR.

[DaoDaoNoCode]

@Gkrumbach07 @andrewballantyne Hi, I updated the PR (see my second commit), now it only shows the cluster admins that have a Notebook resource in the notebook namespace (which means they ever try to use the KFNBC) in the admin panel and make sure the role column is Admin instead of User. If a cluster admin never touches the KFNBC, it won't be seen in the list. Please check it again and let me know if there is anything I need to update, thanks!

[Gkrumbach07]

/lgtm

allowed users is not showing other cluster admins now

[
    {
        "username": "adminuser1",
        "privilege": "Admin",
        "lastActivity": null
    },
    {
        "username": "kubeadmin",
        "privilege": "Admin",
        "lastActivity": null
    }
]

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Gkrumbach07

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Gkrumbach07]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment