From 18ddef93b3192537635f4536dc3f6e302fd43a3b Mon Sep 17 00:00:00 2001 
From: Erik Sundell
Date: Sun, 10 Sep 2023 17:13:29 +0200
Subject: [PATCH 01/13] oauthenticator 16: remove shown_idps, allowed_idps now provides that effect
---
config/clusters/2i2c-aws-us/cosmicds.values.yaml | 2 --
config/clusters/2i2c-uk/staging.values.yaml | 2 --
config/clusters/2i2c/aup.values.yaml | 2 --
config/clusters/2i2c/binder-staging.values.yaml | 2 --
config/clusters/2i2c/dask-staging.values.yaml | 2 --
config/clusters/2i2c/demo.values.yaml | 4 ----
config/clusters/2i2c/imagebuilding-demo.values.yaml | 2 --
config/clusters/2i2c/mtu.values.yaml | 3 ---
config/clusters/2i2c/neurohackademy.values.yaml | 2 --
config/clusters/2i2c/staging.values.yaml | 2 --
config/clusters/2i2c/temple.values.yaml | 3 ---
config/clusters/2i2c/ucmerced.values.yaml | 3 ---
config/clusters/callysto/common.values.yaml | 3 ---
config/clusters/carbonplan/common.values.yaml | 2 --
.../catalystproject-latam/unitefa-conicet.values.yaml | 2 --
config/clusters/cloudbank/bcc.values.yaml | 2 --
config/clusters/cloudbank/ccsf.values.yaml | 3 ---
config/clusters/cloudbank/csm.values.yaml | 3 ---
config/clusters/cloudbank/csulb.values.yaml | 4 ----
config/clusters/cloudbank/demo.values.yaml | 3 ---
config/clusters/cloudbank/dvc.values.yaml | 4 ----
config/clusters/cloudbank/elcamino.values.yaml | 3 ---
config/clusters/cloudbank/evc.values.yaml | 4 ----
config/clusters/cloudbank/fresno.values.yaml | 4 ----
config/clusters/cloudbank/glendale.values.yaml | 3 ---
config/clusters/cloudbank/howard.values.yaml | 3 ---
config/clusters/cloudbank/humboldt.values.yaml | 4 ----
config/clusters/cloudbank/lacc.values.yaml | 3 ---
config/clusters/cloudbank/laney.values.yaml | 4 ----
config/clusters/cloudbank/mills.values.yaml | 3 ---
config/clusters/cloudbank/miracosta.values.yaml | 4 ----
config/clusters/cloudbank/mission.values.yaml | 3 ---
config/clusters/cloudbank/norco.values.yaml | 4 ----
config/clusters/cloudbank/palomar.values.yaml | 3 ---
config/clusters/cloudbank/pasadena.values.yaml | 3 ---
config/clusters/cloudbank/sacramento.values.yaml | 3 ---
config/clusters/cloudbank/saddleback.values.yaml | 3 ---
config/clusters/cloudbank/santiago.values.yaml | 4 ----
config/clusters/cloudbank/sbcc-dev.values.yaml | 4 ----
config/clusters/cloudbank/sbcc.values.yaml | 4 ----
config/clusters/cloudbank/sjcc.values.yaml | 4 ----
config/clusters/cloudbank/sjsu.values.yaml | 4 ----
config/clusters/cloudbank/skyline.values.yaml | 3 ---
config/clusters/cloudbank/srjc.values.yaml | 3 ---
config/clusters/cloudbank/staging.values.yaml | 3 ---
config/clusters/cloudbank/tuskegee.values.yaml | 3 ---
config/clusters/jupyter-meets-the-earth/common.values.yaml | 2 --
config/clusters/meom-ige/common.values.yaml | 2 --
config/clusters/openscapes/common.values.yaml | 2 --
config/clusters/pangeo-hubs/coessing.values.yaml | 2 --
config/clusters/ubc-eoas/common.values.yaml | 3 ---
config/clusters/utoronto/common.values.yaml | 2 --
docs/hub-deployment-guide/configure-auth/cilogon.md | 6 ------
53 files changed, 160 deletions(-)
diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml
index 77931e0b27..5c060ab0af 100644
--- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml
+++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml
@@ -80,8 +80,6 @@ jupyterhub:
 - "email"
 - "profile"
 oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://github.com/login/oauth/authorize
 allowed_idps:
 # The username claim here is used to do *authorization*, for both
 # admin use and any allow listing we want to do.
diff --git a/config/clusters/2i2c-uk/staging.values.yaml b/config/clusters/2i2c-uk/staging.values.yaml
index 26778efe99..6e6535a155 100644
--- a/config/clusters/2i2c-uk/staging.values.yaml
+++ b/config/clusters/2i2c-uk/staging.values.yaml
@@ -39,8 +39,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://staging.uk.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml
index 5165598e51..7fe2a8db21 100644
--- a/config/clusters/2i2c/aup.values.yaml
+++ b/config/clusters/2i2c/aup.values.yaml
@@ -40,8 +40,6 @@ jupyterhub:
 scope:
 - "profile"
 oauth_callback_url: "https://aup.pilot.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://github.com/login/oauth/authorize
 allowed_idps:
 http://github.com/login/oauth/authorize:
 username_derivation:
diff --git a/config/clusters/2i2c/binder-staging.values.yaml b/config/clusters/2i2c/binder-staging.values.yaml
index ff4227152d..8bc852e22b 100644
--- a/config/clusters/2i2c/binder-staging.values.yaml
+++ b/config/clusters/2i2c/binder-staging.values.yaml
@@ -83,8 +83,6 @@ binderhub:
 - yuvipanda@2i2c.org
 CILogonOAuthenticator:
 oauth_callback_url: "https://binder-staging.hub.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/2i2c/dask-staging.values.yaml b/config/clusters/2i2c/dask-staging.values.yaml
index 0a0119ed56..52f380bdf7 100644
--- a/config/clusters/2i2c/dask-staging.values.yaml
+++ b/config/clusters/2i2c/dask-staging.values.yaml
@@ -48,8 +48,6 @@ basehub:
 - "email"
 - "profile"
 oauth_callback_url: "https://dask-staging.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://accounts.google.com/o/oauth2/auth
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/2i2c/demo.values.yaml b/config/clusters/2i2c/demo.values.yaml
index 134f3c351b..f43990eab6 100644
--- a/config/clusters/2i2c/demo.values.yaml
+++ b/config/clusters/2i2c/demo.values.yaml
@@ -31,10 +31,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://demo.2i2c.cloud/hub/oauth_callback
- shown_idps:
- # Allow Google for 2i2c.org anr dmbl
- - https://accounts.google.com/o/oauth2/auth
- - https://enterprise.login.utexas.edu/idp/shibboleth
 allowed_idps:
 # UTexas hub
 https://enterprise.login.utexas.edu/idp/shibboleth:
diff --git a/config/clusters/2i2c/imagebuilding-demo.values.yaml b/config/clusters/2i2c/imagebuilding-demo.values.yaml
index 50f311916e..94e36d083f 100644
--- a/config/clusters/2i2c/imagebuilding-demo.values.yaml
+++ b/config/clusters/2i2c/imagebuilding-demo.values.yaml
@@ -66,8 +66,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://imagebuilding-demo.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/2i2c/mtu.values.yaml b/config/clusters/2i2c/mtu.values.yaml
index 040b7a27f2..987dec4528 100644
--- a/config/clusters/2i2c/mtu.values.yaml
+++ b/config/clusters/2i2c/mtu.values.yaml
@@ -39,9 +39,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://mtu.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
- - https://sso.mtu.edu/idp/shibboleth
 allowed_idps:
 # Allow 2i2c staff to login with Google
 http://google.com/accounts/o8/id:
diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml
index f5fba70b7f..34d3cbdb8e 100644
--- a/config/clusters/2i2c/neurohackademy.values.yaml
+++ b/config/clusters/2i2c/neurohackademy.values.yaml
@@ -67,8 +67,6 @@ jupyterhub:
 scope:
 - "profile"
 oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - https://github.com/login/oauth/authorize
 allowed_idps:
 http://github.com/login/oauth/authorize:
 username_derivation:
diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml
index bd95f724f0..c37f1e6f97 100644
--- a/config/clusters/2i2c/staging.values.yaml
+++ b/config/clusters/2i2c/staging.values.yaml
@@ -56,8 +56,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://staging.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/2i2c/temple.values.yaml b/config/clusters/2i2c/temple.values.yaml
index 4ee80ae16b..5285b79915 100644
--- a/config/clusters/2i2c/temple.values.yaml
+++ b/config/clusters/2i2c/temple.values.yaml
@@ -34,9 +34,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://temple.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - https://fim.temple.edu/idp/shibboleth
- - https://accounts.google.com/o/oauth2/auth
 allowed_idps:
 https://fim.temple.edu/idp/shibboleth:
 username_derivation:
diff --git a/config/clusters/2i2c/ucmerced.values.yaml b/config/clusters/2i2c/ucmerced.values.yaml
index 2f6801e162..bfe3f70435 100644
--- a/config/clusters/2i2c/ucmerced.values.yaml
+++ b/config/clusters/2i2c/ucmerced.values.yaml
@@ -38,9 +38,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://ucmerced.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - urn:mace:incommon:ucmerced.edu
- - https://accounts.google.com/o/oauth2/auth
 allowed_idps:
 urn:mace:incommon:ucmerced.edu:
 username_derivation:
diff --git a/config/clusters/callysto/common.values.yaml b/config/clusters/callysto/common.values.yaml
index 045570e4f8..d458fe5809 100644
--- a/config/clusters/callysto/common.values.yaml
+++ b/config/clusters/callysto/common.values.yaml
@@ -136,9 +136,6 @@ jupyterhub:
 - "102749090965437723445" # Byron Chu (Cybera)
 - "115909958579864751636" # Michael Jones (Cybera)
 - "106951135662332329542" # Elmar Bouwer (Cybera)
- shown_idps:
- - https://accounts.google.com/o/oauth2/auth
- - https://login.microsoftonline.com/common/oauth2/v2.0/authorize
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml
index 28a0dd8685..0da15e048d 100644
--- a/config/clusters/carbonplan/common.values.yaml
+++ b/config/clusters/carbonplan/common.values.yaml
@@ -190,8 +190,6 @@ basehub:
 CILogonOAuthenticator:
 scope:
 - "profile"
- shown_idps:
- - http://github.com/login/oauth/authorize
 allowed_idps:
 http://github.com/login/oauth/authorize:
 username_derivation:
diff --git a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml
index a2df37b761..700d3b59d9 100644
--- a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml
+++ b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml
@@ -33,8 +33,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://unitefa-conicet.latam.catalystproject.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
 allowed_idps:
 # The username claim here is used to do *authorization*, for both
 # admin use and any allow listing we want to do.
diff --git a/config/clusters/cloudbank/bcc.values.yaml b/config/clusters/cloudbank/bcc.values.yaml
index 639ca29399..82efa8756e 100644
--- a/config/clusters/cloudbank/bcc.values.yaml
+++ b/config/clusters/cloudbank/bcc.values.yaml
@@ -33,8 +33,6 @@ jupyterhub:
 config:
 CILogonOAuthenticator:
 oauth_callback_url: https://bcc.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/ccsf.values.yaml b/config/clusters/cloudbank/ccsf.values.yaml
index 33973fe355..133c1ecbbf 100644
--- a/config/clusters/cloudbank/ccsf.values.yaml
+++ b/config/clusters/cloudbank/ccsf.values.yaml
@@ -35,9 +35,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://ccsf.cloudbank.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/csm.values.yaml b/config/clusters/cloudbank/csm.values.yaml
index 240ea4039e..212bb96c36 100644
--- a/config/clusters/cloudbank/csm.values.yaml
+++ b/config/clusters/cloudbank/csm.values.yaml
@@ -29,9 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://csm.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/csulb.values.yaml b/config/clusters/cloudbank/csulb.values.yaml
index 4ae0342c76..554bac1627 100644
--- a/config/clusters/cloudbank/csulb.values.yaml
+++ b/config/clusters/cloudbank/csulb.values.yaml
@@ -35,10 +35,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://csulb.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
- - https://its-shib.its.csulb.edu/idp/shibboleth
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/demo.values.yaml b/config/clusters/cloudbank/demo.values.yaml
index 6fdfc4d9b6..582082b218 100644
--- a/config/clusters/cloudbank/demo.values.yaml
+++ b/config/clusters/cloudbank/demo.values.yaml
@@ -38,9 +38,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://demo.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/dvc.values.yaml b/config/clusters/cloudbank/dvc.values.yaml
index 2ad2b663a4..d3a1e06dcf 100644
--- a/config/clusters/cloudbank/dvc.values.yaml
+++ b/config/clusters/cloudbank/dvc.values.yaml
@@ -33,10 +33,6 @@ jupyterhub:
 config:
 CILogonOAuthenticator:
 oauth_callback_url: https://dvc.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
- - http://login.microsoftonline.com/common/oauth2/v2.0/authorize
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/elcamino.values.yaml b/config/clusters/cloudbank/elcamino.values.yaml
index c17106e95e..2251ab5601 100644
--- a/config/clusters/cloudbank/elcamino.values.yaml
+++ b/config/clusters/cloudbank/elcamino.values.yaml
@@ -34,9 +34,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://elcamino.cloudbank.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/evc.values.yaml b/config/clusters/cloudbank/evc.values.yaml
index 2ff4485923..d0b4a04c28 100644
--- a/config/clusters/cloudbank/evc.values.yaml
+++ b/config/clusters/cloudbank/evc.values.yaml
@@ -33,10 +33,6 @@ jupyterhub:
 config:
 CILogonOAuthenticator:
 oauth_callback_url: https://evc.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://login.microsoftonline.com/common/oauth2/v2.0/authorize
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://login.microsoftonline.com/common/oauth2/v2.0/authorize:
 username_derivation:
diff --git a/config/clusters/cloudbank/fresno.values.yaml b/config/clusters/cloudbank/fresno.values.yaml
index 82b4ae01c4..aa68e5cd00 100644
--- a/config/clusters/cloudbank/fresno.values.yaml
+++ b/config/clusters/cloudbank/fresno.values.yaml
@@ -29,10 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://fresno.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - https://idp.scccd.edu/idp/shibboleth
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 https://idp.scccd.edu/idp/shibboleth:
 username_derivation:
diff --git a/config/clusters/cloudbank/glendale.values.yaml b/config/clusters/cloudbank/glendale.values.yaml
index 6e2907e48c..e061af47a1 100644
--- a/config/clusters/cloudbank/glendale.values.yaml
+++ b/config/clusters/cloudbank/glendale.values.yaml
@@ -29,9 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://glendale.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml
index 47230603e2..fe5d9c4cd3 100644
--- a/config/clusters/cloudbank/howard.values.yaml
+++ b/config/clusters/cloudbank/howard.values.yaml
@@ -29,9 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://howard.cloudbank.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/humboldt.values.yaml b/config/clusters/cloudbank/humboldt.values.yaml
index b8b5687663..a23fb82f0e 100644
--- a/config/clusters/cloudbank/humboldt.values.yaml
+++ b/config/clusters/cloudbank/humboldt.values.yaml
@@ -38,10 +38,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://humboldt.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
- - https://sso.humboldt.edu/idp/metadata
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml
index d0cfb85396..5c3e8e6442 100644
--- a/config/clusters/cloudbank/lacc.values.yaml
+++ b/config/clusters/cloudbank/lacc.values.yaml
@@ -29,9 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://lacc.cloudbank.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/laney.values.yaml b/config/clusters/cloudbank/laney.values.yaml
index 635b814676..030a83fda3 100644
--- a/config/clusters/cloudbank/laney.values.yaml
+++ b/config/clusters/cloudbank/laney.values.yaml
@@ -29,10 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://laney.cloudbank.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://login.microsoftonline.com/common/oauth2/v2.0/authorize
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://login.microsoftonline.com/common/oauth2/v2.0/authorize:
 username_derivation:
diff --git a/config/clusters/cloudbank/mills.values.yaml b/config/clusters/cloudbank/mills.values.yaml
index 3ab1ed7d43..aac9ca925a 100644
--- a/config/clusters/cloudbank/mills.values.yaml
+++ b/config/clusters/cloudbank/mills.values.yaml
@@ -29,9 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://datahub.mills.edu/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/miracosta.values.yaml b/config/clusters/cloudbank/miracosta.values.yaml
index 571cf69625..498591ee0c 100644
--- a/config/clusters/cloudbank/miracosta.values.yaml
+++ b/config/clusters/cloudbank/miracosta.values.yaml
@@ -29,10 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://miracosta.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
- - https://miracosta.fedgw.com/gateway
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/mission.values.yaml b/config/clusters/cloudbank/mission.values.yaml
index 16603ec4cf..8201315abe 100644
--- a/config/clusters/cloudbank/mission.values.yaml
+++ b/config/clusters/cloudbank/mission.values.yaml
@@ -35,9 +35,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://mission.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/norco.values.yaml b/config/clusters/cloudbank/norco.values.yaml
index 5d42630565..cfdbaf302a 100644
--- a/config/clusters/cloudbank/norco.values.yaml
+++ b/config/clusters/cloudbank/norco.values.yaml
@@ -29,10 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://norco.cloudbank.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://login.microsoftonline.com/common/oauth2/v2.0/authorize
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://login.microsoftonline.com/common/oauth2/v2.0/authorize:
 username_derivation:
diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml
index ed70944609..81ae2bd4c3 100644
--- a/config/clusters/cloudbank/palomar.values.yaml
+++ b/config/clusters/cloudbank/palomar.values.yaml
@@ -29,9 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://palomar.cloudbank.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/pasadena.values.yaml b/config/clusters/cloudbank/pasadena.values.yaml
index 34d3e1f0fb..a2d10d2a68 100644
--- a/config/clusters/cloudbank/pasadena.values.yaml
+++ b/config/clusters/cloudbank/pasadena.values.yaml
@@ -35,9 +35,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://pasadena.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/sacramento.values.yaml b/config/clusters/cloudbank/sacramento.values.yaml
index 3ad1eea699..41d5bab610 100644
--- a/config/clusters/cloudbank/sacramento.values.yaml
+++ b/config/clusters/cloudbank/sacramento.values.yaml
@@ -35,9 +35,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://sacramento.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/saddleback.values.yaml b/config/clusters/cloudbank/saddleback.values.yaml
index b266acf112..04bb50c6e0 100644
--- a/config/clusters/cloudbank/saddleback.values.yaml
+++ b/config/clusters/cloudbank/saddleback.values.yaml
@@ -35,9 +35,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://saddleback.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/santiago.values.yaml b/config/clusters/cloudbank/santiago.values.yaml
index 8b7bb5f559..64584ef345 100644
--- a/config/clusters/cloudbank/santiago.values.yaml
+++ b/config/clusters/cloudbank/santiago.values.yaml
@@ -35,10 +35,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://santiago.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://login.microsoftonline.com/common/oauth2/v2.0/authorize
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://login.microsoftonline.com/common/oauth2/v2.0/authorize:
 username_derivation:
diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml
index b9a5978e26..56f4cd6d44 100644
--- a/config/clusters/cloudbank/sbcc-dev.values.yaml
+++ b/config/clusters/cloudbank/sbcc-dev.values.yaml
@@ -29,10 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://sbcc-dev.cloudbank.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
- - https://idp.sbcc.edu/idp/shibboleth
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml
index bc6de536b7..638eb616ba 100644
--- a/config/clusters/cloudbank/sbcc.values.yaml
+++ b/config/clusters/cloudbank/sbcc.values.yaml
@@ -29,10 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://sbcc.cloudbank.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
- - https://idp.sbcc.edu/idp/shibboleth
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/sjcc.values.yaml b/config/clusters/cloudbank/sjcc.values.yaml
index c7e631b968..ea7c8b661c 100644
--- a/config/clusters/cloudbank/sjcc.values.yaml
+++ b/config/clusters/cloudbank/sjcc.values.yaml
@@ -29,10 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://sjcc.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://login.microsoftonline.com/common/oauth2/v2.0/authorize
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://login.microsoftonline.com/common/oauth2/v2.0/authorize:
 username_derivation:
diff --git a/config/clusters/cloudbank/sjsu.values.yaml b/config/clusters/cloudbank/sjsu.values.yaml
index eba295012f..8272328530 100644
--- a/config/clusters/cloudbank/sjsu.values.yaml
+++ b/config/clusters/cloudbank/sjsu.values.yaml
@@ -38,10 +38,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://sjsu.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
- - https://idp01.sjsu.edu/idp/shibboleth
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/skyline.values.yaml b/config/clusters/cloudbank/skyline.values.yaml
index 55ba9646aa..6473ee80de 100644
--- a/config/clusters/cloudbank/skyline.values.yaml
+++ b/config/clusters/cloudbank/skyline.values.yaml
@@ -35,9 +35,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://skyline.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/srjc.values.yaml b/config/clusters/cloudbank/srjc.values.yaml
index 55123f9bed..9f94a9a215 100644
--- a/config/clusters/cloudbank/srjc.values.yaml
+++ b/config/clusters/cloudbank/srjc.values.yaml
@@ -35,9 +35,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: https://srjc.cloudbank.2i2c.cloud/hub/oauth_callback
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml
index 3d2667584c..806d18a453 100644
--- a/config/clusters/cloudbank/staging.values.yaml
+++ b/config/clusters/cloudbank/staging.values.yaml
@@ -29,9 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://staging.cloudbank.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml
index 6a2bd2b849..12a0b32027 100644
--- a/config/clusters/cloudbank/tuskegee.values.yaml
+++ b/config/clusters/cloudbank/tuskegee.values.yaml
@@ -29,9 +29,6 @@ jupyterhub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://tuskegee.cloudbank.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - http://google.com/accounts/o8/id
- - urn:mace:incommon:berkeley.edu
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml
index ff8a41e278..cc32d97778 100644
--- a/config/clusters/jupyter-meets-the-earth/common.values.yaml
+++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml
@@ -224,8 +224,6 @@ basehub:
 CILogonOAuthenticator:
 scope:
 - "profile"
- shown_idps:
- - http://github.com/login/oauth/authorize
 allowed_idps:
 http://github.com/login/oauth/authorize:
 username_derivation:
diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml
index 9b24401572..f331c83a5b 100644
--- a/config/clusters/meom-ige/common.values.yaml
+++ b/config/clusters/meom-ige/common.values.yaml
@@ -88,8 +88,6 @@ basehub:
 CILogonOAuthenticator:
 scope:
 - "profile"
- shown_idps:
- - http://github.com/login/oauth/authorize
 allowed_idps:
 http://github.com/login/oauth/authorize:
 username_derivation:
diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml
index cb4feca425..5428b18501 100644
--- a/config/clusters/openscapes/common.values.yaml
+++ b/config/clusters/openscapes/common.values.yaml
@@ -56,8 +56,6 @@ basehub:
 CILogonOAuthenticator:
 scope:
 - "profile"
- shown_idps:
- - http://github.com/login/oauth/authorize
 allowed_idps:
 http://github.com/login/oauth/authorize:
 username_derivation:
diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml
index 5bdcffc433..6a19477097 100644
--- a/config/clusters/pangeo-hubs/coessing.values.yaml
+++ b/config/clusters/pangeo-hubs/coessing.values.yaml
@@ -48,8 +48,6 @@ basehub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
 oauth_callback_url: "https://coessing.2i2c.cloud/hub/oauth_callback"
- shown_idps:
- - https://accounts.google.com/o/oauth2/auth
 allowed_idps:
 http://google.com/accounts/o8/id:
 username_derivation:
diff --git a/config/clusters/ubc-eoas/common.values.yaml b/config/clusters/ubc-eoas/common.values.yaml
index fbbbf9ec92..bdf33cc29f 100644
--- a/config/clusters/ubc-eoas/common.values.yaml
+++ b/config/clusters/ubc-eoas/common.values.yaml
@@ -42,9 +42,6 @@ jupyterhub:
 JupyterHub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
- shown_idps:
- - https://authentication.ubc.ca
- - http://google.com/accounts/o8/id
 allowed_idps:
 https://authentication.ubc.ca:
 username_derivation:
diff --git a/config/clusters/utoronto/common.values.yaml b/config/clusters/utoronto/common.values.yaml
index 984e89b54c..a47175f4f8 100644
--- a/config/clusters/utoronto/common.values.yaml
+++ b/config/clusters/utoronto/common.values.yaml
@@ -81,8 +81,6 @@ jupyterhub:
 config:
 CILogonOAuthenticator:
 oauth_callback_url: https://r-staging.datatools.utoronto.ca/hub/oauth_callback
- shown_idps:
- - https://idpz.utorauth.utoronto.ca/shibboleth
 allowed_idps:
 https://idpz.utorauth.utoronto.ca/shibboleth:
 username_derivation:
diff --git a/docs/hub-deployment-guide/configure-auth/cilogon.md b/docs/hub-deployment-guide/configure-auth/cilogon.md
index de91c07245..bb8c7e0790 100644
--- a/docs/hub-deployment-guide/configure-auth/cilogon.md
+++ b/docs/hub-deployment-guide/configure-auth/cilogon.md
@@ -69,10 +69,6 @@ jupyterhub:
 - admin@anu.edu.au
 CILogonOAuthenticator:
 oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback
- # Show only the option to login with Google and ANU's provider
- shown_idps:
- - http://google.com/accounts/o8/id
- - https://idp2.anu.edu.au/idp/shibboleth
 # Allow to only login into the hub using Google or ANU's provider
 allowed_idps:
 http://google.com/accounts/o8/id:
@@ -122,8 +118,6 @@ jupyterhub:
 scope:
 - "profile"
 oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback
- shown_idps:
- - http://github.com/login/oauth/authorize
 allowed_idps:
 http://github.com/login/oauth/authorize:
 username_derivation:
From 640660d53ccbfdb8dfb5113a70e68911aa00775b Mon Sep 17 00:00:00 2001
From: Erik Sundell Date: Sun, 10 Sep 2023 17:16:10 +0200 Subject: [PATCH 02/13] oauthenticator 16: remove explicit scope, profile is included anyhow The default scope in oauthenticator 16 includes what we need. Let's rely on the default for simplicity. --- config/clusters/2i2c-aws-us/cosmicds.values.yaml | 3 --- config/clusters/2i2c/aup.values.yaml | 2 -- config/clusters/2i2c/dask-staging.values.yaml | 3 --- config/clusters/2i2c/neurohackademy.values.yaml | 2 -- config/clusters/carbonplan/common.values.yaml | 2 -- config/clusters/jupyter-meets-the-earth/common.values.yaml | 2 -- config/clusters/meom-ige/common.values.yaml | 2 -- config/clusters/openscapes/common.values.yaml | 2 -- docs/hub-deployment-guide/configure-auth/cilogon.md | 2 -- 9 files changed, 20 deletions(-) diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml index 5c060ab0af..2322f13c54 100644 --- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml +++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml @@ -76,9 +76,6 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "email" - - "profile" oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback allowed_idps: # The username claim here is used to do *authorization*, for both diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index 7fe2a8db21..1fdc4934de 100644 --- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml @@ -37,8 +37,6 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" oauth_callback_url: "https://aup.pilot.2i2c.cloud/hub/oauth_callback" allowed_idps: http://github.com/login/oauth/authorize: diff --git a/config/clusters/2i2c/dask-staging.values.yaml b/config/clusters/2i2c/dask-staging.values.yaml index 52f380bdf7..bb4ffaafa7 100644 --- a/config/clusters/2i2c/dask-staging.values.yaml 
+++ b/config/clusters/2i2c/dask-staging.values.yaml @@ -44,9 +44,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "email" - - "profile" oauth_callback_url: "https://dask-staging.2i2c.cloud/hub/oauth_callback" allowed_idps: http://google.com/accounts/o8/id: diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index 34d3cbdb8e..70906b73e5 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml @@ -64,8 +64,6 @@ jupyterhub: - arokem admin_users: *neurohackademy_users CILogonOAuthenticator: - scope: - - "profile" oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback allowed_idps: http://github.com/login/oauth/authorize: diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index 0da15e048d..7cfff01e2e 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml @@ -188,8 +188,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index cc32d97778..80415fcdeb 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml @@ -222,8 +222,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index f331c83a5b..a873e4a96d 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml 
@@ -86,8 +86,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index 5428b18501..adf491db57 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml @@ -54,8 +54,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/docs/hub-deployment-guide/configure-auth/cilogon.md b/docs/hub-deployment-guide/configure-auth/cilogon.md index bb8c7e0790..04a5824843 100644 --- a/docs/hub-deployment-guide/configure-auth/cilogon.md +++ b/docs/hub-deployment-guide/configure-auth/cilogon.md @@ -115,8 +115,6 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback allowed_idps: http://github.com/login/oauth/authorize: From 435432d26792f1207ad4580112784eeca8bd61e5 Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Sun, 10 Sep 2023 17:52:09 +0200 Subject: [PATCH 03/13] oauthenticator 16: add allow_existing_users where allowed_users was configured --- config/clusters/2i2c/aup.values.yaml | 6 ++---- .../clusters/2i2c/neurohackademy.values.yaml | 14 ++++++-------- config/clusters/carbonplan/common.values.yaml | 6 ++---- config/clusters/cloudbank/howard.values.yaml | 6 ++---- config/clusters/cloudbank/lacc.values.yaml | 6 ++---- config/clusters/cloudbank/palomar.values.yaml | 6 ++---- config/clusters/cloudbank/sbcc-dev.values.yaml | 6 ++---- config/clusters/cloudbank/sbcc.values.yaml | 6 ++---- config/clusters/cloudbank/staging.values.yaml | 6 ++---- config/clusters/cloudbank/tuskegee.values.yaml | 6 ++---- config/clusters/gridsst/common.values.yaml | 10 ++++------ .../jupyter-meets-the-earth/common.values.yaml | 6 ++---- config/clusters/meom-ige/common.values.yaml | 6 ++---- config/clusters/openscapes/common.values.yaml | 6 ++---- .../clusters/pangeo-hubs/coessing.values.yaml | 18 ++++++++---------- 15 files changed, 42 insertions(+), 72 deletions(-) diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index 1fdc4934de..cfc4e743be 100644 --- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml @@ -42,11 +42,9 @@ jupyterhub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &aup_users - swalker - shaolintl diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index 70906b73e5..e0c136686f 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml 
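Review bot: `allow_existing_users: True` in this hunk uses the capitalised boolean, while the same patch keeps the lowercase form elsewhere (`delete_invalid_users: true` in the coessing hunk). Writing `allow_existing_users: true` removes any dependence on how the loader treats YAML 1.1-style truthy spellings. This flag decides who may log in, and a stricter parser that reads the value as the string "True" would presumably hand the wrong type to the authenticator config. The same line is added in the other hunks of this patch (neurohackademy, carbonplan, the cloudbank hubs, gridsst, jupyter-meets-the-earth, meom-ige, openscapes, coessing). The `Authenticator` mapping continues outside the hunk.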
@@ -55,20 +55,18 @@ jupyterhub: config: JupyterHub: authenticator_class: cilogon - Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # - allowed_users: &neurohackademy_users - - arokem - admin_users: *neurohackademy_users CILogonOAuthenticator: oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True + Authenticator: + allowed_users: &neurohackademy_users + - arokem + admin_users: *neurohackademy_users extraFiles: configurator-schema-default: data: diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index 7cfff01e2e..8506d67510 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml @@ -192,11 +192,9 @@ basehub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to - # be configured explicitly. - # allowed_users: &users - maxrjones admin_users: *users diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml index fe5d9c4cd3..32fd25f104 100644 --- a/config/clusters/cloudbank/howard.values.yaml +++ b/config/clusters/cloudbank/howard.values.yaml 
@@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &howard_users - ericvd@berkeley.edu - gwashington@scs.howard.edu diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml index 5c3e8e6442..ca20b076a8 100644 --- a/config/clusters/cloudbank/lacc.values.yaml +++ b/config/clusters/cloudbank/lacc.values.yaml @@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &lacc_users - PINEDAEM@laccd.edu - LAMKT@laccd.edu diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml index 81ae2bd4c3..60ba874481 100644 --- a/config/clusters/cloudbank/palomar.values.yaml +++ b/config/clusters/cloudbank/palomar.values.yaml @@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &palomar_users - aculich@berkeley.edu - sean.smorris@berkeley.edu diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml index 56f4cd6d44..3443173895 100644 --- a/config/clusters/cloudbank/sbcc-dev.values.yaml +++ b/config/clusters/cloudbank/sbcc-dev.values.yaml 
@@ -39,11 +39,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &sbcc_users - ericvd@gmail.com - sean.smorris@berkeley.edu diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml index 638eb616ba..3399eaa550 100644 --- a/config/clusters/cloudbank/sbcc.values.yaml +++ b/config/clusters/cloudbank/sbcc.values.yaml @@ -39,11 +39,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &sbcc_users - ericvd@gmail.com - sean.smorris@berkeley.edu diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml index 806d18a453..fe109f8f5b 100644 --- a/config/clusters/cloudbank/staging.values.yaml +++ b/config/clusters/cloudbank/staging.values.yaml @@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &staging_users - sean.smorris@berkeley.edu admin_users: *staging_users diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml index 12a0b32027..d6029d98bf 100644 --- a/config/clusters/cloudbank/tuskegee.values.yaml +++ b/config/clusters/cloudbank/tuskegee.values.yaml 
@@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &tuskegee_users - yasmeen.rawajfih@gmail.com - Wu.fan01@gmail.com diff --git a/config/clusters/gridsst/common.values.yaml b/config/clusters/gridsst/common.values.yaml index 718e911de3..ec498b3cb5 100644 --- a/config/clusters/gridsst/common.values.yaml +++ b/config/clusters/gridsst/common.values.yaml @@ -36,18 +36,16 @@ basehub: url: https://science.nasa.gov/earth-science/focus-areas/climate-variability-and-change/ocean-physics hub: config: + JupyterHub: + authenticator_class: github + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to - # be configured explicitly. - # allowed_users: &gridsst_users - alisonrgray - nikki-t - dgumustel admin_users: *gridsst_users - JupyterHub: - authenticator_class: github singleuser: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index 80415fcdeb..f51e95bf2f 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml 
@@ -226,11 +226,9 @@ basehub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &users # This is just listing a few of the users/admins, a lot of # users has been added manually, see: diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index a873e4a96d..1e25b0ce32 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml @@ -90,11 +90,9 @@ basehub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &users - roxyboy - lesommer diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index adf491db57..bedfa62419 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml @@ -58,16 +58,14 @@ basehub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True Authenticator: admin_users: &users - amfriesz - jules32 - erinmr - betolink - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: *users dask-gateway: gateway: diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index 6a19477097..51028b1c58 100644 
--- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml @@ -34,16 +34,6 @@ basehub: node.kubernetes.io/instance-type: n1-standard-2 hub: config: - Authenticator: - admin_users: &admin_users - - paigemar@umich.edu - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # - allowed_users: *admin_users - # Delete any prior existing users in the db that don't pass username_pattern - delete_invalid_users: true JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: @@ -52,3 +42,11 @@ basehub: http://google.com/accounts/o8/id: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True + Authenticator: + admin_users: &admin_users + - paigemar@umich.edu + allowed_users: *admin_users + # Delete any prior existing users in the db that don't pass username_pattern + delete_invalid_users: true From 0da0b3eaed7e2af77e43ff232e778181c869f1e9 Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Sun, 10 Sep 2023 19:18:42 +0200 Subject: [PATCH 04/13] oauthenticator 16: remove outdated comment about allowed_users --- .../2i2c-aws-us/dask-staging.values.yaml | 14 ++++------ .../2i2c-aws-us/researchdelight.values.yaml | 4 +-- .../clusters/2i2c-aws-us/staging.values.yaml | 14 ++++------ config/clusters/2i2c-uk/lis.values.yaml | 13 ++++----- config/clusters/awi-ciroh/common.values.yaml | 13 ++++----- config/clusters/leap/common.values.yaml | 13 ++++----- .../clusters/linked-earth/common.values.yaml | 9 ++---- config/clusters/m2lines/common.values.yaml | 13 ++++----- config/clusters/nasa-cryo/common.values.yaml | 28 +++++++++---------- .../clusters/pangeo-hubs/common.values.yaml | 15 ++++------ config/clusters/qcl/common.values.yaml | 11 +++----- .../clusters/smithsonian/common.values.yaml | 3 -- config/clusters/victor/common.values.yaml | 11 +++----- 13 files changed, 62 insertions(+), 99 deletions(-) diff --git a/config/clusters/2i2c-aws-us/dask-staging.values.yaml b/config/clusters/2i2c-aws-us/dask-staging.values.yaml index 49def94b2c..6b2569467d 100644 --- a/config/clusters/2i2c-aws-us/dask-staging.values.yaml +++ b/config/clusters/2i2c-aws-us/dask-staging.values.yaml @@ -33,15 +33,6 @@ basehub: tag: "2022.06.02" hub: config: - Authenticator: - # This hub uses GitHub Org auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. - # - # You must always set admin_users, even if it is an empty list, - # otherwise `add_staff_user_ids_to_admin_users: true` will fail - # silently and no staff members will have admin access. - admin_users: [] JupyterHub: authenticator_class: "github" GitHubOAuthenticator: @@ -50,3 +41,8 @@ basehub: - 2i2c-org scope: - read:org + Authenticator: + # You must always set admin_users, even if it is an empty list, + # otherwise `add_staff_user_ids_to_admin_users: true` will fail + # silently and no staff members will have admin access. + admin_users: [] 
diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml index c7163a272c..818ca986dc 100644 --- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml +++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml @@ -34,8 +34,6 @@ basehub: config: JupyterHub: authenticator_class: github - Authenticator: - enable_auth_state: true GitHubOAuthenticator: populate_teams_in_auth_state: true allowed_organizations: @@ -43,6 +41,8 @@ basehub: - 2i2c-org:research-delight-team scope: - read:org + Authenticator: + enable_auth_state: true singleuser: image: name: quay.io/2i2c/researchdelight-image diff --git a/config/clusters/2i2c-aws-us/staging.values.yaml b/config/clusters/2i2c-aws-us/staging.values.yaml index 13e68094d4..8992c8403c 100644 --- a/config/clusters/2i2c-aws-us/staging.values.yaml +++ b/config/clusters/2i2c-aws-us/staging.values.yaml @@ -28,15 +28,6 @@ jupyterhub: url: https://2i2c.org hub: config: - Authenticator: - # This hub uses GitHub Org auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. - # - # You must always set admin_users, even if it is an empty list, - # otherwise `add_staff_user_ids_to_admin_users: true` will fail - # silently and no staff members will have admin access. - admin_users: [] JupyterHub: authenticator_class: "github" GitHubOAuthenticator: @@ -45,3 +36,8 @@ jupyterhub: - 2i2c-org scope: - read:org + Authenticator: + # You must always set admin_users, even if it is an empty list, + # otherwise `add_staff_user_ids_to_admin_users: true` will fail + # silently and no staff members will have admin access. + admin_users: [] diff --git a/config/clusters/2i2c-uk/lis.values.yaml b/config/clusters/2i2c-uk/lis.values.yaml index 87c0ea6207..8c6e3d943b 100644 --- a/config/clusters/2i2c-uk/lis.values.yaml +++ b/config/clusters/2i2c-uk/lis.values.yaml 
@@ -49,17 +49,14 @@ jupyterhub: config: JupyterHub: authenticator_class: github - Authenticator: - # This hub uses GitHub Orgs auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. These people should have admin access though. - admin_users: - - LaCrecerelle - - matthew-brett GitHubOAuthenticator: + oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback" allowed_organizations: - 2i2c-org - lisacuk scope: - read:org - oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback" + Authenticator: + admin_users: + - LaCrecerelle + - matthew-brett diff --git a/config/clusters/awi-ciroh/common.values.yaml b/config/clusters/awi-ciroh/common.values.yaml index 344f2982cd..e05c6c001d 100644 --- a/config/clusters/awi-ciroh/common.values.yaml +++ b/config/clusters/awi-ciroh/common.values.yaml @@ -33,14 +33,6 @@ basehub: config: JupyterHub: authenticator_class: github - Authenticator: - # This hub uses GitHub Orgs auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. These people should have admin access though. - admin_users: - - jameshalgren - - arpita0911patel - - karnesh GitHubOAuthenticator: allowed_organizations: - 2i2c-org @@ -48,6 +40,11 @@ basehub: - NOAA-OWP scope: - read:org + Authenticator: + admin_users: + - jameshalgren + - arpita0911patel + - karnesh singleuser: image: # Image build repo: https://github.com/2i2c-org/awi-ciroh-image diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index bd4d000c24..cdf8aaf208 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml 
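Review bot: The `admin_users` list re-added at the end of this hunk loses its only comment, so nothing tells a maintainer that editing the list does not remove admin rights. The warning added in patch 06 of this series states that removing a name from `admin_users` does not revoke admin status because the user stays in JupyterHub's database. That presumably holds for these GitHub-organisation hubs as well. A one-line comment above the list would cover it: `# Removing a name here does not revoke admin; also delete the user via /hub/admin.` The same applies to the other `admin_users` blocks moved in this patch (awi-ciroh, leap, linked-earth, m2lines, nasa-cryo, pangeo-hubs, qcl, victor).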
@@ -42,14 +42,6 @@ basehub: tag: "0.0.1-0.dev.git.6863.h406a3546" allowNamedServers: true config: - Authenticator: - enable_auth_state: true - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - rabernat - - jbusecke JupyterHub: authenticator_class: github # Announcement is a JupyterHub feature to present messages to users in @@ -76,6 +68,11 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org + Authenticator: + enable_auth_state: true + admin_users: + - rabernat + - jbusecke singleuser: image: name: pangeo/pangeo-notebook diff --git a/config/clusters/linked-earth/common.values.yaml b/config/clusters/linked-earth/common.values.yaml index f6c9068305..2f18da08f3 100644 --- a/config/clusters/linked-earth/common.values.yaml +++ b/config/clusters/linked-earth/common.values.yaml @@ -33,18 +33,15 @@ basehub: config: JupyterHub: authenticator_class: github - Authenticator: - # This hub uses GitHub Orgs auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. These people should have admin access though. - admin_users: - - khider GitHubOAuthenticator: allowed_organizations: - 2i2c-org - LinkedEarth scope: - read:org + Authenticator: + admin_users: + - khider singleuser: image: # User image repo: https://quay.io/repository/linkedearth/pyleoclim diff --git a/config/clusters/m2lines/common.values.yaml b/config/clusters/m2lines/common.values.yaml index d624a11e24..08ab1f3824 100644 --- a/config/clusters/m2lines/common.values.yaml +++ b/config/clusters/m2lines/common.values.yaml 
@@ -39,14 +39,6 @@ basehub: hub: allowNamedServers: true config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - rabernat - - johannag126 - - jbusecke JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -55,6 +47,11 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org + Authenticator: + admin_users: + - rabernat + - johannag126 + - jbusecke singleuser: extraFiles: jupyter_notebook_config.json: diff --git a/config/clusters/nasa-cryo/common.values.yaml b/config/clusters/nasa-cryo/common.values.yaml index 53ef4e3997..ed316b6a7d 100644 --- a/config/clusters/nasa-cryo/common.values.yaml +++ b/config/clusters/nasa-cryo/common.values.yaml @@ -37,21 +37,6 @@ basehub: hub: allowNamedServers: true config: - Authenticator: - # We are restricting profiles based on GitHub Team membership and - # so need to persist auth state - enable_auth_state: true - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - tsnow03 - - JessicaS11 - - jdmillstein - - dfelikson - - fperez - - scottyhq - - jomey JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -64,6 +49,19 @@ basehub: - CryoInTheCloud:cryocloudadvanced scope: - read:org + Authenticator: + # We are restricting profiles based on GitHub Team membership and + # so need to persist auth state + enable_auth_state: true + admin_users: + - tsnow03 + - JessicaS11 + - jdmillstein + - dfelikson + - fperez + - scottyhq + - jomey + singleuser: extraFiles: # jupyter_server_config.json is defined by basehub, this entry adds to it diff --git a/config/clusters/pangeo-hubs/common.values.yaml b/config/clusters/pangeo-hubs/common.values.yaml index 2c4bef29bf..e9d9dc23b8 100644 
--- a/config/clusters/pangeo-hubs/common.values.yaml +++ b/config/clusters/pangeo-hubs/common.values.yaml @@ -38,15 +38,6 @@ basehub: hub: allowNamedServers: true config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - rabernat - - jhamman - - scottyhq - - TomAugspurger JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -55,6 +46,12 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org + Authenticator: + admin_users: + - rabernat + - jhamman + - scottyhq + - TomAugspurger singleuser: extraEnv: GH_SCOPED_CREDS_CLIENT_ID: "Iv1.c90ee430400a347f" diff --git a/config/clusters/qcl/common.values.yaml b/config/clusters/qcl/common.values.yaml index 2587614226..d6d8863e8b 100644 --- a/config/clusters/qcl/common.values.yaml +++ b/config/clusters/qcl/common.values.yaml @@ -36,13 +36,6 @@ jupyterhub: hub: allowNamedServers: true config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - gizmo404 - - jtkmckenna JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -51,6 +44,10 @@ jupyterhub: - QuantifiedCarbon:jupyterhub scope: - read:org + Authenticator: + admin_users: + - gizmo404 + - jtkmckenna singleuser: image: # pangeo/pangeo-notebook is maintained at: https://github.com/pangeo-data/pangeo-docker-images diff --git a/config/clusters/smithsonian/common.values.yaml b/config/clusters/smithsonian/common.values.yaml index 499066f1ff..3a8aba9abc 100644 --- a/config/clusters/smithsonian/common.values.yaml +++ b/config/clusters/smithsonian/common.values.yaml 
@@ -48,9 +48,6 @@ basehub: - read:org Authenticator: enable_auth_state: true - # This hub uses GitHub Orgs auth and so we don't set allowed_users in - # order to not deny access to valid members of the listed orgs. These - # people should have admin access though. admin_users: - MikeTrizna # Mike Trizna - rdikow # Rebecca Dikow diff --git a/config/clusters/victor/common.values.yaml b/config/clusters/victor/common.values.yaml index 568094f27e..5f3827beb2 100644 --- a/config/clusters/victor/common.values.yaml +++ b/config/clusters/victor/common.values.yaml @@ -34,13 +34,6 @@ basehub: url: https://people.climate.columbia.edu/projects/sponsor/National%20Science%20Foundation hub: config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - einatlev-ldeo - - SamKrasnoff JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -49,6 +42,10 @@ basehub: - VICTOR-Community:victoraccess scope: - read:org + Authenticator: + admin_users: + - einatlev-ldeo + - SamKrasnoff singleuser: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods From 0c43b0c70306aa270e6d2f52d83e441182994036 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 19:20:18 +0200 Subject: [PATCH 05/13] auth config: remove outdated workaround setting empty admin_users This was fixed in https://github.com/2i2c-org/infrastructure/pull/2299 --- config/clusters/2i2c-aws-us/dask-staging.values.yaml | 5 ----- config/clusters/2i2c-aws-us/staging.values.yaml | 5 ----- 2 files changed, 10 deletions(-) diff --git a/config/clusters/2i2c-aws-us/dask-staging.values.yaml b/config/clusters/2i2c-aws-us/dask-staging.values.yaml index 6b2569467d..ef475a47b1 100644 --- a/config/clusters/2i2c-aws-us/dask-staging.values.yaml +++ b/config/clusters/2i2c-aws-us/dask-staging.values.yaml 
@@ -41,8 +41,3 @@ basehub: - 2i2c-org scope: - read:org - Authenticator: - # You must always set admin_users, even if it is an empty list, - # otherwise `add_staff_user_ids_to_admin_users: true` will fail - # silently and no staff members will have admin access. - admin_users: [] diff --git a/config/clusters/2i2c-aws-us/staging.values.yaml b/config/clusters/2i2c-aws-us/staging.values.yaml index 8992c8403c..7d839d7b3d 100644 --- a/config/clusters/2i2c-aws-us/staging.values.yaml +++ b/config/clusters/2i2c-aws-us/staging.values.yaml @@ -36,8 +36,3 @@ jupyterhub: - 2i2c-org scope: - read:org - Authenticator: - # You must always set admin_users, even if it is an empty list, - # otherwise `add_staff_user_ids_to_admin_users: true` will fail - # silently and no staff members will have admin access. - admin_users: [] From 63eabbcbcef3c6b56a4ea6bcbc9c0dac1eaa3cb3 Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Sun, 10 Sep 2023 19:33:19 +0200 Subject: [PATCH 06/13] oauthenticator 16: remove redundant spec of allowed_users, add warnings --- config/clusters/2i2c/aup.values.yaml | 27 +++++++++++++++++-- .../clusters/2i2c/neurohackademy.values.yaml | 27 +++++++++++++++++-- config/clusters/carbonplan/common.values.yaml | 27 +++++++++++++++++-- config/clusters/cloudbank/howard.values.yaml | 27 +++++++++++++++++-- config/clusters/cloudbank/lacc.values.yaml | 27 +++++++++++++++++-- config/clusters/cloudbank/palomar.values.yaml | 27 +++++++++++++++++-- .../clusters/cloudbank/sbcc-dev.values.yaml | 27 +++++++++++++++++-- config/clusters/cloudbank/sbcc.values.yaml | 27 +++++++++++++++++-- config/clusters/cloudbank/staging.values.yaml | 27 +++++++++++++++++-- .../clusters/cloudbank/tuskegee.values.yaml | 27 +++++++++++++++++-- config/clusters/gridsst/common.values.yaml | 27 +++++++++++++++++-- .../common.values.yaml | 27 +++++++++++++++++-- config/clusters/meom-ige/common.values.yaml | 27 +++++++++++++++++-- config/clusters/openscapes/common.values.yaml | 27 +++++++++++++++++-- .../clusters/pangeo-hubs/coessing.values.yaml | 27 +++++++++++++++++-- 15 files changed, 375 insertions(+), 30 deletions(-) diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index cfc4e743be..8dd38478ca 100644 --- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml 
@@ -43,9 +43,32 @@ jupyterhub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &aup_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - swalker - shaolintl - admin_users: *aup_users diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index e0c136686f..1cc8148b85 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml 
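Review bot: The added `allow_existing_users: True` uses a YAML 1.1 truthy spelling and should be written `allow_existing_users: true`, matching what PATCH 08/13 of this series does for `allowPrivilegeEscalation` and `readOnlyRootFilesystem`. The first warning comment also says "a common expectations" where "a common expectation" is meant. In the second comment, "allows any user in the JupyterHub database of users able to login" would read more clearly as `# OAuthenticator.allow_existing_users lets any user already in JupyterHub's user database log in.` The same block is copied into the other fourteen files of this patch (neurohackademy through coessing), so the wording should be fixed in each, since operators will rely on it when revoking access.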
@@ -62,11 +62,34 @@ jupyterhub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &neurohackademy_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - arokem - admin_users: *neurohackademy_users extraFiles: configurator-schema-default: data: diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index 8506d67510..a8b907ddcd 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml 
@@ -193,11 +193,34 @@ basehub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - maxrjones - admin_users: *users dask-gateway: traefik: diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml index 32fd25f104..9dbd30268a 100644 --- a/config/clusters/cloudbank/howard.values.yaml +++ b/config/clusters/cloudbank/howard.values.yaml 
@@ -37,11 +37,34 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &howard_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - ericvd@berkeley.edu - gwashington@scs.howard.edu - anthony.fgordon64@gmail.com - mikayladorange@gmail.com - admin_users: *howard_users diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml index ca20b076a8..a04dba1087 100644 --- a/config/clusters/cloudbank/lacc.values.yaml +++ b/config/clusters/cloudbank/lacc.values.yaml 
@@ -37,12 +37,35 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &lacc_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - PINEDAEM@laccd.edu - LAMKT@laccd.edu - ericvd@berkeley.edu - k_usovich@berkeley.edu - sean.smorris@berkeley.edu - admin_users: *lacc_users diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml index 60ba874481..a95b5a6430 100644 --- a/config/clusters/cloudbank/palomar.values.yaml +++ b/config/clusters/cloudbank/palomar.values.yaml 
@@ -37,11 +37,34 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &palomar_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - aculich@berkeley.edu - sean.smorris@berkeley.edu - tcanon@palomar.edu - PChen@palomar.edu - admin_users: *palomar_users diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml index 3443173895..6aee2fa79e 100644 --- a/config/clusters/cloudbank/sbcc-dev.values.yaml +++ b/config/clusters/cloudbank/sbcc-dev.values.yaml 
@@ -40,10 +40,33 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &sbcc_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - ericvd@gmail.com - sean.smorris@berkeley.edu - nfguebels@pipeline.sbcc.edu - admin_users: *sbcc_users diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml index 3399eaa550..e5557cf6ac 100644 --- a/config/clusters/cloudbank/sbcc.values.yaml +++ b/config/clusters/cloudbank/sbcc.values.yaml 
@@ -40,10 +40,33 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &sbcc_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - ericvd@gmail.com - sean.smorris@berkeley.edu - nfguebels@pipeline.sbcc.edu - admin_users: *sbcc_users diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml index fe109f8f5b..31f42cccc3 100644 --- a/config/clusters/cloudbank/staging.values.yaml +++ b/config/clusters/cloudbank/staging.values.yaml 
@@ -37,8 +37,31 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &staging_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - sean.smorris@berkeley.edu - admin_users: *staging_users diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml index d6029d98bf..9c0c746201 100644 --- a/config/clusters/cloudbank/tuskegee.values.yaml +++ b/config/clusters/cloudbank/tuskegee.values.yaml 
@@ -37,9 +37,33 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &tuskegee_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - yasmeen.rawajfih@gmail.com - Wu.fan01@gmail.com - yanlisa@berkeley.edu @@ -47,4 +71,3 @@ jupyterhub: - ericvd@berkeley.edu - sean.smorris@berkeley.edu - sean.smorris@gmail.com - admin_users: *tuskegee_users diff --git a/config/clusters/gridsst/common.values.yaml b/config/clusters/gridsst/common.values.yaml index ec498b3cb5..a858234963 100644 --- a/config/clusters/gridsst/common.values.yaml +++ b/config/clusters/gridsst/common.values.yaml 
@@ -39,13 +39,36 @@ basehub: JupyterHub: authenticator_class: github OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &gridsst_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - alisonrgray - nikki-t - dgumustel - admin_users: *gridsst_users singleuser: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index f51e95bf2f..5ac108e132 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml 
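Review bot: The `allow_existing_users: True` added here sits under `authenticator_class: github`, the authenticator the new warning singles out, so it needs a check that `GitHubOAuthenticator.allowed_organizations` or another group-based allow rule is not configured for gridsst. The hunk shows only `admin_users`, and the rest of the `config` mapping is outside it, so this cannot be confirmed from here. If org-based access is in use, removing someone from the organization would not revoke hub access while this flag is on, which is the case the comment warns about. If it is not in use, a one-line comment next to the flag, for example `# access here is granted via admin_users only`, would record the precondition for the next editor.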
@@ -227,9 +227,33 @@ basehub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: # This is just listing a few of the users/admins, a lot of # users has been added manually, see: # https://github.com/pangeo-data/jupyter-earth/issues/53 @@ -249,7 +273,6 @@ basehub: - whyjz # Whyjay Zheng - yuvipanda # Yuvi Panda - jonathan-taylor # Jonathan Taylor - admin_users: *users allowNamedServers: true dask-gateway: diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index 1e25b0ce32..1b2adedaab 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml 
@@ -91,13 +91,36 @@ basehub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - roxyboy - lesommer - auraoupa - admin_users: *users allowNamedServers: true dask-gateway: diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index bedfa62419..2f9a057b7c 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml 
@@ -59,14 +59,37 @@ basehub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - admin_users: &users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - amfriesz - jules32 - erinmr - betolink - allowed_users: *users dask-gateway: gateway: extraConfig: diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index 51028b1c58..3744e2c0c0 100644 --- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml 
@@ -43,10 +43,33 @@ basehub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - admin_users: &admin_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - paigemar@umich.edu - allowed_users: *admin_users # Delete any prior existing users in the db that don't pass username_pattern delete_invalid_users: true From 7201a88492232e503ee5f749371f11eca42e79c3 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 19:36:55 +0200 Subject: [PATCH 07/13] auth config: remove temporary config addition --- config/clusters/pangeo-hubs/coessing.values.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index 3744e2c0c0..d53450e095 100644 --- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml 
@@ -71,5 +71,3 @@ basehub: # admin_users: - paigemar@umich.edu - # Delete any prior existing users in the db that don't pass username_pattern - delete_invalid_users: true From a3bb00339eef4650ec4aa64050fa698aaeb87b66 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 20:12:07 +0200 Subject: [PATCH 08/13] basehub: tweak values to avoid formatting conflicts --- helm-charts/basehub/values.yaml | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index c58cea667f..1c3c2a8047 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -177,11 +177,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan ", - ] + - "sh" + - "-c" + - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan" securityContext: runAsUser: 0 volumeMounts: @@ -394,7 +392,7 @@ jupyterhub: interfaces: - value: "/tree" title: Classic Notebook - description: + description: >- The original single-document interface for creating Jupyter Notebooks. - value: "/lab" @@ -420,8 +418,8 @@ jupyterhub: securityContext: runAsUser: 1000 runAsGroup: 1000 - allowPrivilegeEscalation: False - readOnlyRootFilesystem: True + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - name: custom-templates mountPath: /srv/repo @@ -488,8 +486,8 @@ jupyterhub: securityContext: runAsUser: 1000 runAsGroup: 1000 - allowPrivilegeEscalation: False - readOnlyRootFilesystem: True + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - name: custom-templates mountPath: /srv/repo 
@@ -526,7 +524,7 @@ jupyterhub: admin: true image: name: quay.io/2i2c/pilot-hub - tag: "0.0.1-0.dev.git.6074.h895181eb" + tag: "0.0.1-0.dev.git.6863.h406a3546" networkPolicy: enabled: true # interNamespaceAccessLabels=accept makes the hub pod's associated From 28cd4f546d724086c4723e2f5e5f97894f99ae82 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 20:24:16 +0200 Subject: [PATCH 09/13] basehub: refactor, simplify chowning container's command --- config/clusters/2i2c-aws-us/itcoocean.values.yaml | 8 +++----- config/clusters/2i2c/climatematch.values.yaml | 8 +++----- .../clusters/jupyter-meets-the-earth/common.values.yaml | 8 +++----- config/clusters/nasa-cryo/common.values.yaml | 8 +++----- config/clusters/qcl/common.values.yaml | 8 +++----- docs/howto/features/per-user-db.md | 8 +++----- docs/topic/infrastructure/storage-layer.md | 8 +++----- helm-charts/basehub/values.yaml | 6 +++--- 8 files changed, 24 insertions(+), 38 deletions(-) diff --git a/config/clusters/2i2c-aws-us/itcoocean.values.yaml b/config/clusters/2i2c-aws-us/itcoocean.values.yaml index 7a9c19ae54..a2754241fa 100644 --- a/config/clusters/2i2c-aws-us/itcoocean.values.yaml +++ b/config/clusters/2i2c-aws-us/itcoocean.values.yaml @@ -57,11 +57,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/2i2c/climatematch.values.yaml b/config/clusters/2i2c/climatematch.values.yaml index a982022793..5396702629 100644 --- a/config/clusters/2i2c/climatematch.values.yaml +++ b/config/clusters/2i2c/climatematch.values.yaml 
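Review bot: In the itcoocean.values.yaml hunk the rewritten `command` drops the quotes around the shell line, leaving `id && chown 1000:1000 ... && ls -lhd /home/jovyan` as a plain YAML scalar. It parses today, but a later edit that introduces ` #` or `: ` into the command would be silently truncated or rejected, in a container that runs with `runAsUser: 0`. Keeping the script quoted avoids that: `- 'id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan'`. The single `chown` with several paths also keeps going after a failing path where the old `&&` chain stopped at the first failure; the exit status should still be non-zero, but the init container's log output on failure will differ. The same applies to the climatematch, jupyter-meets-the-earth, nasa-cryo, qcl, docs and basehub hunks of this patch.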
@@ -39,11 +39,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index 5ac108e132..0776b2801d 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml @@ -49,11 +49,9 @@ basehub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/nasa-cryo/common.values.yaml b/config/clusters/nasa-cryo/common.values.yaml index ed316b6a7d..067d059051 100644 --- a/config/clusters/nasa-cryo/common.values.yaml +++ b/config/clusters/nasa-cryo/common.values.yaml @@ -89,11 +89,9 @@ basehub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/qcl/common.values.yaml b/config/clusters/qcl/common.values.yaml index d6d8863e8b..1d1eddc558 100644 --- a/config/clusters/qcl/common.values.yaml 
+++ b/config/clusters/qcl/common.values.yaml @@ -228,11 +228,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/docs/howto/features/per-user-db.md b/docs/howto/features/per-user-db.md index 52141691ac..871c843b3f 100644 --- a/docs/howto/features/per-user-db.md +++ b/docs/howto/features/per-user-db.md @@ -60,11 +60,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /var/lib/postgresql/data && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /var/lib/postgresql/data && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/docs/topic/infrastructure/storage-layer.md b/docs/topic/infrastructure/storage-layer.md index 951eb916ca..171b2b0943 100644 --- a/docs/topic/infrastructure/storage-layer.md +++ b/docs/topic/infrastructure/storage-layer.md @@ -118,11 +118,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index 1c3c2a8047..0cf20bc475 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml 
@@ -177,9 +177,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - - "sh" - - "-c" - - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan" + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: From 4545ef61bb9d75d692db22069f93962afe094aaa Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 20:25:36 +0200 Subject: [PATCH 10/13] basehub: upgrade z2jh from 3.0.0-beta.1 to 3.0.2 --- helm-charts/basehub/Chart.yaml | 2 +- helm-charts/chartpress.yaml | 22 ++++++++++++++++------ helm-charts/images/hub/Dockerfile | 6 +++++- 3 files changed, 22 insertions(+), 8 deletions(-) diff --git a/helm-charts/basehub/Chart.yaml b/helm-charts/basehub/Chart.yaml index ff28172b3e..d410964912 100644 --- a/helm-charts/basehub/Chart.yaml +++ b/helm-charts/basehub/Chart.yaml @@ -11,7 +11,7 @@ dependencies: # images/hub/Dockerfile, and will also involve manually building and pushing # the Dockerfile to https://quay.io/2i2c/pilot-hub. Details about this can # be found in the Dockerfile's comments. - version: 3.0.0-beta.1.git.6208.h7b44299a + version: 3.0.2 repository: https://jupyterhub.github.io/helm-chart/ - name: binderhub-service version: 0.1.0-0.dev.git.80.h358d32f diff --git a/helm-charts/chartpress.yaml b/helm-charts/chartpress.yaml index 962a638476..6ecf191e45 100644 --- a/helm-charts/chartpress.yaml +++ b/helm-charts/chartpress.yaml @@ -1,3 +1,13 @@ +# This is the configuration for chartpress, a CLI for Helm chart management. +# +# chartpress can be used to: +# - Build images +# - Update Chart.yaml (version) and values.yaml (image tags) +# - Package and publish Helm charts to a GitHub based Helm chart repository +# +# For more information about chartpress, see the projects README.md file: +# https://github.com/jupyterhub/chartpress +# charts: - name: basehub imagePrefix: quay.io/2i2c/pilot- 
@@ -5,16 +15,16 @@ charts: hub: valuesPath: jupyterhub.hub.image buildArgs: - REQUIREMENTS_FILE: "requirements.txt" + REQUIREMENTS_FILE: requirements.txt unlisted-choice-experiment: imageName: quay.io/2i2c/unlisted-choice-experiment buildArgs: - REQUIREMENTS_FILE: "unlisted-choice-requirements.txt" - contextPath: "images/hub" + REQUIREMENTS_FILE: unlisted-choice-requirements.txt + contextPath: images/hub dockerfilePath: images/hub/Dockerfile dynamic-image-building-experiment: imageName: quay.io/2i2c/dynamic-image-building-experiment buildArgs: - REQUIREMENTS_FILE: "dynamic-image-building-requirements.txt" - contextPath: "images/hub" - dockerfilePath: "images/hub/Dockerfile" + REQUIREMENTS_FILE: dynamic-image-building-requirements.txt + contextPath: images/hub + dockerfilePath: images/hub/Dockerfile diff --git a/helm-charts/images/hub/Dockerfile b/helm-charts/images/hub/Dockerfile index 77caeb4434..6d5e7e05b5 100644 --- a/helm-charts/images/hub/Dockerfile +++ b/helm-charts/images/hub/Dockerfile @@ -12,7 +12,11 @@ # `chartpress --push --builder docker-buildx --platform linux/amd64` # Ref: https://cloudolife.com/2022/03/05/Infrastructure-as-Code-IaC/Container/Docker/Docker-buildx-support-multiple-architectures-images/ # -FROM jupyterhub/k8s-hub:3.0.0-beta.1 +FROM jupyterhub/k8s-hub:3.0.2 + +# chartpress.yaml defines multiple hub images differentiated only by a +# requirements.txt file with dependencies, this build argument allows us to +# re-use this Dockerfile for all images. ARG REQUIREMENTS_FILE COPY ${REQUIREMENTS_FILE} /tmp/ From 37d9911530e48b666f54a6cd83ff1fbd3b1c5f0f Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 20:30:02 +0200 Subject: [PATCH 11/13] dynamic image building experiment: bump kubespawner's main branch further --- helm-charts/images/hub/dynamic-image-building-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
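Review bot: `FROM jupyterhub/k8s-hub:3.0.2` pins the base image by tag only, and a tag can be re-pushed upstream, so the hub images built from this Dockerfile are not reproducible from the commit alone. Appending the digest of the image that was checked for this upgrade, `FROM jupyterhub/k8s-hub:3.0.2@sha256:<digest-of-verified-image>` (placeholder, not a real value), would fix the content that each chartpress build pulls. The rest of the Dockerfile is outside the hunk, so whether a later stage already verifies the base is not visible here.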
diff --git a/helm-charts/images/hub/dynamic-image-building-requirements.txt b/helm-charts/images/hub/dynamic-image-building-requirements.txt index 225a86b394..fcfadf2363 100644 --- a/helm-charts/images/hub/dynamic-image-building-requirements.txt +++ b/helm-charts/images/hub/dynamic-image-building-requirements.txt @@ -1,6 +1,6 @@ # Image lives at quay.io/2i2c/second-hub-experimental git+https://github.com/yuvipanda/jupyterhub-configurator@ed7e3a0df1e3d625d10903ef7d7fd9c2fbb548db # Brings on using `unlisted_choice` in profile options per https://github.com/2i2c-org/infrastructure/issues/2146 -git+https://github.com/jupyterhub/kubespawner@5a90351adba7d65286bd5e00e82f156011bf7b83 +git+https://github.com/jupyterhub/kubespawner@8cc569c78bcdb342e694f7344219e43d522f4809 # Brings in https://github.com/yuvipanda/prototype-kubespawner-dynamic-building-ui git+https://github.com/yuvipanda/prototype-kubespawner-dynamic-building-ui.git@b36ece00b5e7fcba5d4485e7ab70992705601c3c From fa134ceaad1aaa2f83100239ee30a17f77a0ca8f Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 20:40:04 +0200 Subject: [PATCH 12/13] basehub: update hub image's to a z2jh 3.0.2 derived image --- config/clusters/2i2c-aws-us/researchdelight.values.yaml | 2 +- config/clusters/2i2c/imagebuilding-demo.values.yaml | 2 +- config/clusters/leap/common.values.yaml | 2 +- config/clusters/nasa-veda/common.values.yaml | 2 +- config/clusters/openscapes/staging.values.yaml | 2 +- helm-charts/basehub/values.yaml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml index 818ca986dc..6326b3fc18 100644 --- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml +++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml 
@@ -30,7 +30,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6863.h406a3546" + tag: "0.0.1-0.dev.git.6935.h7141d766" config: JupyterHub: authenticator_class: github diff --git a/config/clusters/2i2c/imagebuilding-demo.values.yaml b/config/clusters/2i2c/imagebuilding-demo.values.yaml index 94e36d083f..17e2a1c013 100644 --- a/config/clusters/2i2c/imagebuilding-demo.values.yaml +++ b/config/clusters/2i2c/imagebuilding-demo.values.yaml @@ -60,7 +60,7 @@ jupyterhub: hub: image: name: quay.io/2i2c/dynamic-image-building-experiment - tag: "0.0.1-0.dev.git.6765.h33942a27" + tag: "0.0.1-0.dev.git.6935.h7141d766" config: JupyterHub: authenticator_class: cilogon diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index cdf8aaf208..7c1684b87b 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml @@ -39,7 +39,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6863.h406a3546" + tag: "0.0.1-0.dev.git.6935.h7141d766" allowNamedServers: true config: JupyterHub: diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 2eb76b999e..8d3a55327d 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -34,7 +34,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6863.h406a3546" + tag: "0.0.1-0.dev.git.6935.h7141d766" allowNamedServers: true config: Authenticator: diff --git a/config/clusters/openscapes/staging.values.yaml b/config/clusters/openscapes/staging.values.yaml index 13fcfa7ec1..466c1060d6 100644 --- a/config/clusters/openscapes/staging.values.yaml +++ b/config/clusters/openscapes/staging.values.yaml 
@@ -122,7 +122,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6863.h406a3546" + tag: "0.0.1-0.dev.git.6935.h7141d766" config: CILogonOAuthenticator: oauth_callback_url: "https://staging.openscapes.2i2c.cloud/hub/oauth_callback" diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index 0cf20bc475..c35a07fc0d 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -524,7 +524,7 @@ jupyterhub: admin: true image: name: quay.io/2i2c/pilot-hub - tag: "0.0.1-0.dev.git.6863.h406a3546" + tag: "0.0.1-0.dev.git.6935.h7141d766" networkPolicy: enabled: true # interNamespaceAccessLabels=accept makes the hub pod's associated From 7406a47bb3840708a079e17cfabcb162d31cd479 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Wed, 13 Sep 2023 13:50:19 +0200 Subject: [PATCH 13/13] Refine warning comment about revoking admin status or access --- config/clusters/2i2c/aup.values.yaml | 6 ++++-- config/clusters/2i2c/neurohackademy.values.yaml | 6 ++++-- config/clusters/carbonplan/common.values.yaml | 6 ++++-- config/clusters/cloudbank/howard.values.yaml | 6 ++++-- config/clusters/cloudbank/lacc.values.yaml | 6 ++++-- config/clusters/cloudbank/palomar.values.yaml | 6 ++++-- config/clusters/cloudbank/sbcc-dev.values.yaml | 6 ++++-- config/clusters/cloudbank/sbcc.values.yaml | 6 ++++-- config/clusters/cloudbank/staging.values.yaml | 6 ++++-- config/clusters/cloudbank/tuskegee.values.yaml | 6 ++++-- config/clusters/gridsst/common.values.yaml | 6 ++++-- config/clusters/jupyter-meets-the-earth/common.values.yaml | 6 ++++-- config/clusters/meom-ige/common.values.yaml | 6 ++++-- config/clusters/openscapes/common.values.yaml | 6 ++++-- config/clusters/pangeo-hubs/coessing.values.yaml | 6 ++++-- 15 files changed, 60 insertions(+), 30 deletions(-) diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index 8dd38478ca..beec96e623 100644 
--- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml @@ -65,8 +65,10 @@ jupyterhub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index 1cc8148b85..97df782ea4 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml @@ -84,8 +84,10 @@ jupyterhub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index a8b907ddcd..cb99bac399 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml 
@@ -215,8 +215,10 @@ basehub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml index 9dbd30268a..5e77e99332 100644 --- a/config/clusters/cloudbank/howard.values.yaml +++ b/config/clusters/cloudbank/howard.values.yaml @@ -59,8 +59,10 @@ jupyterhub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml index a04dba1087..8c6c41b29a 100644 --- a/config/clusters/cloudbank/lacc.values.yaml +++ b/config/clusters/cloudbank/lacc.values.yaml 
@@ -59,8 +59,10 @@ jupyterhub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml index a95b5a6430..91dcb3349c 100644 --- a/config/clusters/cloudbank/palomar.values.yaml +++ b/config/clusters/cloudbank/palomar.values.yaml @@ -59,8 +59,10 @@ jupyterhub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml index 6aee2fa79e..98e01568a0 100644 --- a/config/clusters/cloudbank/sbcc-dev.values.yaml +++ b/config/clusters/cloudbank/sbcc-dev.values.yaml 
@@ -62,8 +62,10 @@ jupyterhub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml index e5557cf6ac..2fc8495102 100644 --- a/config/clusters/cloudbank/sbcc.values.yaml +++ b/config/clusters/cloudbank/sbcc.values.yaml @@ -62,8 +62,10 @@ jupyterhub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml index 31f42cccc3..b45e22d8ae 100644 --- a/config/clusters/cloudbank/staging.values.yaml +++ b/config/clusters/cloudbank/staging.values.yaml 
@@ -59,8 +59,10 @@ jupyterhub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml index 9c0c746201..40d56e897c 100644 --- a/config/clusters/cloudbank/tuskegee.values.yaml +++ b/config/clusters/cloudbank/tuskegee.values.yaml @@ -59,8 +59,10 @@ jupyterhub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: diff --git a/config/clusters/gridsst/common.values.yaml b/config/clusters/gridsst/common.values.yaml index a858234963..b2bffbfd94 100644 --- a/config/clusters/gridsst/common.values.yaml +++ b/config/clusters/gridsst/common.values.yaml 
@@ -61,8 +61,10 @@ basehub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index 0776b2801d..dd9f7364e5 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml @@ -247,8 +247,10 @@ basehub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index 1b2adedaab..13145dfb45 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml 
@@ -113,8 +113,10 @@ basehub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index 2f9a057b7c..429becc556 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml @@ -81,8 +81,10 @@ basehub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index d53450e095..0235e3e56c 100644 --- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml 
@@ -65,8 +65,10 @@ basehub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: