From ca4e736a20b3ec43c4de35d665bd4aae8851d84b Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Sun, 10 Sep 2023 17:13:29 +0200 Subject: [PATCH 01/24] oauthenticator 16: remove shown_idps, allowed_idps now provides that effect
---
config/clusters/2i2c-aws-us/cosmicds.values.yaml | 2 -- config/clusters/2i2c-uk/staging.values.yaml | 2 -- config/clusters/2i2c/aup.values.yaml | 2 -- config/clusters/2i2c/binder-staging.values.yaml | 2 -- config/clusters/2i2c/dask-staging.values.yaml | 2 -- config/clusters/2i2c/demo.values.yaml | 4 ---- config/clusters/2i2c/mtu.values.yaml | 3 --- config/clusters/2i2c/neurohackademy.values.yaml | 2 -- config/clusters/2i2c/staging.values.yaml | 2 -- config/clusters/2i2c/temple.values.yaml | 3 --- config/clusters/2i2c/ucmerced.values.yaml | 3 --- config/clusters/callysto/common.values.yaml | 3 --- config/clusters/carbonplan/common.values.yaml | 2 -- .../catalystproject-latam/unitefa-conicet.values.yaml | 2 -- config/clusters/cloudbank/bcc.values.yaml | 2 -- config/clusters/cloudbank/ccsf.values.yaml | 3 --- config/clusters/cloudbank/csm.values.yaml | 3 --- config/clusters/cloudbank/csulb.values.yaml | 4 ---- config/clusters/cloudbank/demo.values.yaml | 3 --- config/clusters/cloudbank/dvc.values.yaml | 4 ---- config/clusters/cloudbank/elcamino.values.yaml | 3 --- config/clusters/cloudbank/evc.values.yaml | 4 ---- config/clusters/cloudbank/fresno.values.yaml | 4 ---- config/clusters/cloudbank/glendale.values.yaml | 3 --- config/clusters/cloudbank/howard.values.yaml | 3 --- config/clusters/cloudbank/humboldt.values.yaml | 4 ---- config/clusters/cloudbank/lacc.values.yaml | 3 --- config/clusters/cloudbank/laney.values.yaml | 4 ---- config/clusters/cloudbank/mills.values.yaml | 3 --- config/clusters/cloudbank/miracosta.values.yaml | 4 ---- config/clusters/cloudbank/mission.values.yaml | 3 --- config/clusters/cloudbank/norco.values.yaml | 4 ---- config/clusters/cloudbank/palomar.values.yaml | 3 --- config/clusters/cloudbank/pasadena.values.yaml | 3 --- config/clusters/cloudbank/sacramento.values.yaml | 3 ---
config/clusters/cloudbank/saddleback.values.yaml | 3 --- config/clusters/cloudbank/santiago.values.yaml | 4 ---- config/clusters/cloudbank/sbcc-dev.values.yaml | 4 ---- config/clusters/cloudbank/sbcc.values.yaml | 4 ---- config/clusters/cloudbank/sjcc.values.yaml | 4 ---- config/clusters/cloudbank/sjsu.values.yaml | 4 ---- config/clusters/cloudbank/skyline.values.yaml | 3 --- config/clusters/cloudbank/srjc.values.yaml | 3 --- config/clusters/cloudbank/staging.values.yaml | 3 --- config/clusters/cloudbank/tuskegee.values.yaml | 3 --- config/clusters/hhmi/common.values.yaml | 2 -- config/clusters/jupyter-meets-the-earth/common.values.yaml | 2 -- config/clusters/openscapes/common.values.yaml | 2 -- config/clusters/pangeo-hubs/coessing.values.yaml | 2 -- config/clusters/ubc-eoas/common.values.yaml | 3 --- config/clusters/utoronto/common.values.yaml | 2 -- docs/hub-deployment-guide/configure-auth/cilogon.md | 6 ------ 52 files changed, 158 deletions(-)
diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml
index 77931e0b27..5c060ab0af 100644
--- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml
+++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml
@@ -80,8 +80,6 @@ jupyterhub: - "email" - "profile" oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: # The username claim here is used to do *authorization*, for both # admin use and any allow listing we want to do.
diff --git a/config/clusters/2i2c-uk/staging.values.yaml b/config/clusters/2i2c-uk/staging.values.yaml
index 26778efe99..6e6535a155 100644
--- a/config/clusters/2i2c-uk/staging.values.yaml
+++ b/config/clusters/2i2c-uk/staging.values.yaml
@@ -39,8 +39,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.uk.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml
index 5165598e51..7fe2a8db21 100644
--- a/config/clusters/2i2c/aup.values.yaml
+++ b/config/clusters/2i2c/aup.values.yaml
@@ -40,8 +40,6 @@ jupyterhub: scope: - "profile" oauth_callback_url: "https://aup.pilot.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation:
diff --git a/config/clusters/2i2c/binder-staging.values.yaml b/config/clusters/2i2c/binder-staging.values.yaml
index ff4227152d..8bc852e22b 100644
--- a/config/clusters/2i2c/binder-staging.values.yaml
+++ b/config/clusters/2i2c/binder-staging.values.yaml
@@ -83,8 +83,6 @@ binderhub: - yuvipanda@2i2c.org CILogonOAuthenticator: oauth_callback_url: "https://binder-staging.hub.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/2i2c/dask-staging.values.yaml b/config/clusters/2i2c/dask-staging.values.yaml
index 0a0119ed56..52f380bdf7 100644
--- a/config/clusters/2i2c/dask-staging.values.yaml
+++ b/config/clusters/2i2c/dask-staging.values.yaml
@@ -48,8 +48,6 @@ basehub: - "email" - "profile" oauth_callback_url: "https://dask-staging.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://accounts.google.com/o/oauth2/auth allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/2i2c/demo.values.yaml b/config/clusters/2i2c/demo.values.yaml
index 134f3c351b..f43990eab6 100644
--- a/config/clusters/2i2c/demo.values.yaml
+++ b/config/clusters/2i2c/demo.values.yaml
@@ -31,10 +31,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://demo.2i2c.cloud/hub/oauth_callback - shown_idps: - # Allow Google for 2i2c.org anr dmbl - - https://accounts.google.com/o/oauth2/auth - - https://enterprise.login.utexas.edu/idp/shibboleth allowed_idps: # UTexas hub https://enterprise.login.utexas.edu/idp/shibboleth:
diff --git a/config/clusters/2i2c/mtu.values.yaml b/config/clusters/2i2c/mtu.values.yaml
index 040b7a27f2..987dec4528 100644
--- a/config/clusters/2i2c/mtu.values.yaml
+++ b/config/clusters/2i2c/mtu.values.yaml
@@ -39,9 +39,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://mtu.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - https://sso.mtu.edu/idp/shibboleth allowed_idps: # Allow 2i2c staff to login with Google http://google.com/accounts/o8/id:
diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml
index 17f703e810..4534cdc056 100644
--- a/config/clusters/2i2c/neurohackademy.values.yaml
+++ b/config/clusters/2i2c/neurohackademy.values.yaml
@@ -67,8 +67,6 @@ jupyterhub: scope: - "profile" oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback - shown_idps: - - https://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation:
diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml
index bd95f724f0..c37f1e6f97 100644
--- a/config/clusters/2i2c/staging.values.yaml
+++ b/config/clusters/2i2c/staging.values.yaml
@@ -56,8 +56,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/2i2c/temple.values.yaml b/config/clusters/2i2c/temple.values.yaml
index abbeb5ac05..9469e3dc9f 100644
--- a/config/clusters/2i2c/temple.values.yaml
+++ b/config/clusters/2i2c/temple.values.yaml
@@ -52,9 +52,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://temple.2i2c.cloud/hub/oauth_callback - shown_idps: - - https://fim.temple.edu/idp/shibboleth - - https://accounts.google.com/o/oauth2/auth allowed_idps: https://fim.temple.edu/idp/shibboleth: username_derivation:
diff --git a/config/clusters/2i2c/ucmerced.values.yaml b/config/clusters/2i2c/ucmerced.values.yaml
index 2f6801e162..bfe3f70435 100644
--- a/config/clusters/2i2c/ucmerced.values.yaml
+++ b/config/clusters/2i2c/ucmerced.values.yaml
@@ -38,9 +38,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://ucmerced.2i2c.cloud/hub/oauth_callback - shown_idps: - - urn:mace:incommon:ucmerced.edu - - https://accounts.google.com/o/oauth2/auth allowed_idps: urn:mace:incommon:ucmerced.edu: username_derivation:
diff --git a/config/clusters/callysto/common.values.yaml b/config/clusters/callysto/common.values.yaml
index 045570e4f8..d458fe5809 100644
--- a/config/clusters/callysto/common.values.yaml
+++ b/config/clusters/callysto/common.values.yaml
@@ -136,9 +136,6 @@ jupyterhub: - "102749090965437723445" # Byron Chu (Cybera) - "115909958579864751636" # Michael Jones (Cybera) - "106951135662332329542" # Elmar Bouwer (Cybera) - shown_idps: - - https://accounts.google.com/o/oauth2/auth - - https://login.microsoftonline.com/common/oauth2/v2.0/authorize allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml
index 3c6e40c791..e7981a13d5 100644
--- a/config/clusters/carbonplan/common.values.yaml
+++ b/config/clusters/carbonplan/common.values.yaml
@@ -190,8 +190,6 @@ basehub: CILogonOAuthenticator: scope: - "profile" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation:
diff --git a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml
index a2df37b761..700d3b59d9 100644
--- a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml
+++ b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml
@@ -33,8 +33,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://unitefa-conicet.latam.catalystproject.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: # The username claim here is used to do *authorization*, for both # admin use and any allow listing we want to do.
diff --git a/config/clusters/cloudbank/bcc.values.yaml b/config/clusters/cloudbank/bcc.values.yaml
index 639ca29399..82efa8756e 100644
--- a/config/clusters/cloudbank/bcc.values.yaml
+++ b/config/clusters/cloudbank/bcc.values.yaml
@@ -33,8 +33,6 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://bcc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/ccsf.values.yaml b/config/clusters/cloudbank/ccsf.values.yaml
index 0bc7ba5c23..fc742abaf5 100644
--- a/config/clusters/cloudbank/ccsf.values.yaml
+++ b/config/clusters/cloudbank/ccsf.values.yaml
@@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://ccsf.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/csm.values.yaml b/config/clusters/cloudbank/csm.values.yaml
index 240ea4039e..212bb96c36 100644
--- a/config/clusters/cloudbank/csm.values.yaml
+++ b/config/clusters/cloudbank/csm.values.yaml
@@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://csm.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/csulb.values.yaml b/config/clusters/cloudbank/csulb.values.yaml
index 4ae0342c76..554bac1627 100644
--- a/config/clusters/cloudbank/csulb.values.yaml
+++ b/config/clusters/cloudbank/csulb.values.yaml
@@ -35,10 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://csulb.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - https://its-shib.its.csulb.edu/idp/shibboleth - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/demo.values.yaml b/config/clusters/cloudbank/demo.values.yaml
index ef6559d4c2..fcf667887d 100644
--- a/config/clusters/cloudbank/demo.values.yaml
+++ b/config/clusters/cloudbank/demo.values.yaml
@@ -38,9 +38,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://demo.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/dvc.values.yaml b/config/clusters/cloudbank/dvc.values.yaml
index 2ad2b663a4..d3a1e06dcf 100644
--- a/config/clusters/cloudbank/dvc.values.yaml
+++ b/config/clusters/cloudbank/dvc.values.yaml
@@ -33,10 +33,6 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://dvc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/elcamino.values.yaml b/config/clusters/cloudbank/elcamino.values.yaml
index c17106e95e..2251ab5601 100644
--- a/config/clusters/cloudbank/elcamino.values.yaml
+++ b/config/clusters/cloudbank/elcamino.values.yaml
@@ -34,9 +34,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://elcamino.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/evc.values.yaml b/config/clusters/cloudbank/evc.values.yaml
index 2ff4485923..d0b4a04c28 100644
--- a/config/clusters/cloudbank/evc.values.yaml
+++ b/config/clusters/cloudbank/evc.values.yaml
@@ -33,10 +33,6 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://evc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation:
diff --git a/config/clusters/cloudbank/fresno.values.yaml b/config/clusters/cloudbank/fresno.values.yaml
index 82b4ae01c4..aa68e5cd00 100644
--- a/config/clusters/cloudbank/fresno.values.yaml
+++ b/config/clusters/cloudbank/fresno.values.yaml
@@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://fresno.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - https://idp.scccd.edu/idp/shibboleth - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: https://idp.scccd.edu/idp/shibboleth: username_derivation:
diff --git a/config/clusters/cloudbank/glendale.values.yaml b/config/clusters/cloudbank/glendale.values.yaml
index 6e2907e48c..e061af47a1 100644
--- a/config/clusters/cloudbank/glendale.values.yaml
+++ b/config/clusters/cloudbank/glendale.values.yaml
@@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://glendale.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml
index 47230603e2..fe5d9c4cd3 100644
--- a/config/clusters/cloudbank/howard.values.yaml
+++ b/config/clusters/cloudbank/howard.values.yaml
@@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://howard.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/humboldt.values.yaml b/config/clusters/cloudbank/humboldt.values.yaml
index b8b5687663..a23fb82f0e 100644
--- a/config/clusters/cloudbank/humboldt.values.yaml
+++ b/config/clusters/cloudbank/humboldt.values.yaml
@@ -38,10 +38,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://humboldt.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - https://sso.humboldt.edu/idp/metadata - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml
index d0cfb85396..5c3e8e6442 100644
--- a/config/clusters/cloudbank/lacc.values.yaml
+++ b/config/clusters/cloudbank/lacc.values.yaml
@@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://lacc.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/laney.values.yaml b/config/clusters/cloudbank/laney.values.yaml
index 635b814676..030a83fda3 100644
--- a/config/clusters/cloudbank/laney.values.yaml
+++ b/config/clusters/cloudbank/laney.values.yaml
@@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://laney.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation:
diff --git a/config/clusters/cloudbank/mills.values.yaml b/config/clusters/cloudbank/mills.values.yaml
index 3ab1ed7d43..aac9ca925a 100644
--- a/config/clusters/cloudbank/mills.values.yaml
+++ b/config/clusters/cloudbank/mills.values.yaml
@@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://datahub.mills.edu/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/miracosta.values.yaml b/config/clusters/cloudbank/miracosta.values.yaml
index 571cf69625..498591ee0c 100644
--- a/config/clusters/cloudbank/miracosta.values.yaml
+++ b/config/clusters/cloudbank/miracosta.values.yaml
@@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://miracosta.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - https://miracosta.fedgw.com/gateway - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/mission.values.yaml b/config/clusters/cloudbank/mission.values.yaml
index 16603ec4cf..8201315abe 100644
--- a/config/clusters/cloudbank/mission.values.yaml
+++ b/config/clusters/cloudbank/mission.values.yaml
@@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://mission.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/norco.values.yaml b/config/clusters/cloudbank/norco.values.yaml
index 5d42630565..cfdbaf302a 100644
--- a/config/clusters/cloudbank/norco.values.yaml
+++ b/config/clusters/cloudbank/norco.values.yaml
@@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://norco.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation:
diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml
index ed70944609..81ae2bd4c3 100644
--- a/config/clusters/cloudbank/palomar.values.yaml
+++ b/config/clusters/cloudbank/palomar.values.yaml
@@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://palomar.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/pasadena.values.yaml b/config/clusters/cloudbank/pasadena.values.yaml
index 34d3e1f0fb..a2d10d2a68 100644
--- a/config/clusters/cloudbank/pasadena.values.yaml
+++ b/config/clusters/cloudbank/pasadena.values.yaml
@@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://pasadena.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/sacramento.values.yaml b/config/clusters/cloudbank/sacramento.values.yaml
index 3ad1eea699..41d5bab610 100644
--- a/config/clusters/cloudbank/sacramento.values.yaml
+++ b/config/clusters/cloudbank/sacramento.values.yaml
@@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sacramento.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/saddleback.values.yaml b/config/clusters/cloudbank/saddleback.values.yaml
index b266acf112..04bb50c6e0 100644
--- a/config/clusters/cloudbank/saddleback.values.yaml
+++ b/config/clusters/cloudbank/saddleback.values.yaml
@@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://saddleback.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/santiago.values.yaml b/config/clusters/cloudbank/santiago.values.yaml
index 8b7bb5f559..64584ef345 100644
--- a/config/clusters/cloudbank/santiago.values.yaml
+++ b/config/clusters/cloudbank/santiago.values.yaml
@@ -35,10 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://santiago.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation:
diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml
index b9a5978e26..56f4cd6d44 100644
--- a/config/clusters/cloudbank/sbcc-dev.values.yaml
+++ b/config/clusters/cloudbank/sbcc-dev.values.yaml
@@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://sbcc-dev.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - https://idp.sbcc.edu/idp/shibboleth - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml
index bc6de536b7..638eb616ba 100644
--- a/config/clusters/cloudbank/sbcc.values.yaml
+++ b/config/clusters/cloudbank/sbcc.values.yaml
@@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://sbcc.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - https://idp.sbcc.edu/idp/shibboleth - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/sjcc.values.yaml b/config/clusters/cloudbank/sjcc.values.yaml
index c7e631b968..ea7c8b661c 100644
--- a/config/clusters/cloudbank/sjcc.values.yaml
+++ b/config/clusters/cloudbank/sjcc.values.yaml
@@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sjcc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation:
diff --git a/config/clusters/cloudbank/sjsu.values.yaml b/config/clusters/cloudbank/sjsu.values.yaml
index eba295012f..8272328530 100644
--- a/config/clusters/cloudbank/sjsu.values.yaml
+++ b/config/clusters/cloudbank/sjsu.values.yaml
@@ -38,10 +38,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sjsu.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - https://idp01.sjsu.edu/idp/shibboleth - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/skyline.values.yaml b/config/clusters/cloudbank/skyline.values.yaml
index 55ba9646aa..6473ee80de 100644
--- a/config/clusters/cloudbank/skyline.values.yaml
+++ b/config/clusters/cloudbank/skyline.values.yaml
@@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://skyline.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/srjc.values.yaml b/config/clusters/cloudbank/srjc.values.yaml
index 2459bbbaa2..39e35b65be 100644
--- a/config/clusters/cloudbank/srjc.values.yaml
+++ b/config/clusters/cloudbank/srjc.values.yaml
@@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://srjc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml
index 3d2667584c..806d18a453 100644
--- a/config/clusters/cloudbank/staging.values.yaml
+++ b/config/clusters/cloudbank/staging.values.yaml
@@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml
index 6a2bd2b849..12a0b32027 100644
--- a/config/clusters/cloudbank/tuskegee.values.yaml
+++ b/config/clusters/cloudbank/tuskegee.values.yaml
@@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://tuskegee.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/hhmi/common.values.yaml b/config/clusters/hhmi/common.values.yaml
index c169a683fe..96aa1d0003 100644
--- a/config/clusters/hhmi/common.values.yaml
+++ b/config/clusters/hhmi/common.values.yaml
@@ -49,8 +49,6 @@ basehub: scope: - "profile" - "email" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation:
diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml
index 5ca62e82d4..e74ca997c5 100644
--- a/config/clusters/jupyter-meets-the-earth/common.values.yaml
+++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml
@@ -224,8 +224,6 @@ basehub: CILogonOAuthenticator: scope: - "profile" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation:
diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml
index 02505c43bc..9106a8d9f2 100644
--- a/config/clusters/openscapes/common.values.yaml
+++ b/config/clusters/openscapes/common.values.yaml
@@ -53,8 +53,6 @@ basehub: CILogonOAuthenticator: scope: - "profile" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation:
diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml
index 5bdcffc433..6a19477097 100644
--- a/config/clusters/pangeo-hubs/coessing.values.yaml
+++ b/config/clusters/pangeo-hubs/coessing.values.yaml
@@ -48,8 +48,6 @@ basehub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://coessing.2i2c.cloud/hub/oauth_callback" - shown_idps: - - https://accounts.google.com/o/oauth2/auth allowed_idps: http://google.com/accounts/o8/id: username_derivation:
diff --git a/config/clusters/ubc-eoas/common.values.yaml b/config/clusters/ubc-eoas/common.values.yaml
index 188c54389e..0d057dec89 100644
--- a/config/clusters/ubc-eoas/common.values.yaml
+++ b/config/clusters/ubc-eoas/common.values.yaml
@@ -42,9 +42,6 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - shown_idps: - - https://authentication.ubc.ca - - http://google.com/accounts/o8/id allowed_idps: https://authentication.ubc.ca: username_derivation:
diff --git a/config/clusters/utoronto/common.values.yaml b/config/clusters/utoronto/common.values.yaml
index b9bb4b9d84..2d9b07fc33 100644
--- a/config/clusters/utoronto/common.values.yaml
+++ b/config/clusters/utoronto/common.values.yaml
@@ -81,8 +81,6 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://r-staging.datatools.utoronto.ca/hub/oauth_callback - shown_idps: - - https://idpz.utorauth.utoronto.ca/shibboleth allowed_idps: https://idpz.utorauth.utoronto.ca/shibboleth: username_derivation:
diff --git a/docs/hub-deployment-guide/configure-auth/cilogon.md b/docs/hub-deployment-guide/configure-auth/cilogon.md
index de91c07245..bb8c7e0790 100644
--- a/docs/hub-deployment-guide/configure-auth/cilogon.md
+++ b/docs/hub-deployment-guide/configure-auth/cilogon.md
@@ -69,10 +69,6 @@ jupyterhub: - admin@anu.edu.au CILogonOAuthenticator: oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback - # Show only the option to login with Google and ANU's provider - shown_idps: - - http://google.com/accounts/o8/id - - https://idp2.anu.edu.au/idp/shibboleth # Allow to only login into the hub using Google or ANU's provider allowed_idps: http://google.com/accounts/o8/id:
@@ -122,8 +118,6 @@ jupyterhub: scope: - "profile" oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation:
From 7c6c7c5791b364817c78cb1d6d431b09464b9095 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 17:16:10 +0200 Subject: [PATCH 02/24] oauthenticator 16: remove explicit scope, profile is included anyhow The default scope in oauthenticator 16 includes what we need. Let's rely on the default for simplicity.
---
config/clusters/2i2c-aws-us/cosmicds.values.yaml | 3 --- config/clusters/2i2c/aup.values.yaml | 2 -- config/clusters/2i2c/dask-staging.values.yaml | 3 --- config/clusters/2i2c/neurohackademy.values.yaml | 2 -- config/clusters/carbonplan/common.values.yaml | 2 -- config/clusters/hhmi/common.values.yaml | 3 --- config/clusters/jupyter-meets-the-earth/common.values.yaml | 2 -- config/clusters/openscapes/common.values.yaml | 2 -- docs/hub-deployment-guide/configure-auth/cilogon.md | 2 -- 9 files changed, 21 deletions(-)
diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml
index 5c060ab0af..2322f13c54 100644
--- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml
+++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml
@@ -76,9 +76,6 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "email" - - "profile" oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback allowed_idps: # The username claim here is used to do *authorization*, for both diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index 7fe2a8db21..1fdc4934de 100644 --- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml @@ -37,8 +37,6 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" oauth_callback_url: "https://aup.pilot.2i2c.cloud/hub/oauth_callback" allowed_idps: http://github.com/login/oauth/authorize: diff --git a/config/clusters/2i2c/dask-staging.values.yaml b/config/clusters/2i2c/dask-staging.values.yaml index 52f380bdf7..bb4ffaafa7 100644 --- a/config/clusters/2i2c/dask-staging.values.yaml +++ b/config/clusters/2i2c/dask-staging.values.yaml @@ -44,9 +44,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "email" - - "profile" oauth_callback_url: "https://dask-staging.2i2c.cloud/hub/oauth_callback" allowed_idps: http://google.com/accounts/o8/id: diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index 4534cdc056..9a2e82d9c6 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml @@ -64,8 +64,6 @@ jupyterhub: - arokem admin_users: *neurohackademy_users CILogonOAuthenticator: - scope: - - "profile" oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback allowed_idps: http://github.com/login/oauth/authorize: diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index e7981a13d5..afcd117d37 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml 
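Review bot: Dropping the explicit `scope` list makes the claims read under `allowed_idps` (the `preferred_username` and `email` values visible in later hunks of this series) depend entirely on oauthenticator's default CILogon scope, and nothing in the hunk records that dependency or pins the version that provides it; if a hub image still runs a release whose default scope lacks `profile` or `email`, the claim would presumably be absent and login would fail rather than fall back. I'd keep a one-line comment next to `CILogonOAuthenticator:` such as `# scope is left at the oauthenticator 16 default, which already includes email and profile`, and confirm the oauthenticator upgrade deploys together with this change. The same applies to the aup, dask-staging and neurohackademy hunks on this line and to the carbonplan, hhmi, jupyter-meets-the-earth and openscapes hunks that follow.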
@@ -188,8 +188,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/config/clusters/hhmi/common.values.yaml b/config/clusters/hhmi/common.values.yaml index 96aa1d0003..bce32ad686 100644 --- a/config/clusters/hhmi/common.values.yaml +++ b/config/clusters/hhmi/common.values.yaml @@ -46,9 +46,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" - - "email" allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index e74ca997c5..ef18095faf 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml @@ -222,8 +222,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index 9106a8d9f2..9d6d5246d7 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml @@ -51,8 +51,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/docs/hub-deployment-guide/configure-auth/cilogon.md b/docs/hub-deployment-guide/configure-auth/cilogon.md index bb8c7e0790..04a5824843 100644 --- a/docs/hub-deployment-guide/configure-auth/cilogon.md +++ b/docs/hub-deployment-guide/configure-auth/cilogon.md 
@@ -115,8 +115,6 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback allowed_idps: http://github.com/login/oauth/authorize: From 366319484e96e1e565c6313e033e8d85eb5d9787 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 17:52:09 +0200 Subject: [PATCH 03/24] oauthenticator 16: add allow_existing_users where allowed_users was configured --- config/clusters/2i2c/aup.values.yaml | 6 ++---- .../clusters/2i2c/neurohackademy.values.yaml | 14 ++++++-------- config/clusters/carbonplan/common.values.yaml | 6 ++---- config/clusters/cloudbank/howard.values.yaml | 6 ++---- config/clusters/cloudbank/lacc.values.yaml | 6 ++---- config/clusters/cloudbank/palomar.values.yaml | 6 ++---- config/clusters/cloudbank/sbcc-dev.values.yaml | 6 ++---- config/clusters/cloudbank/sbcc.values.yaml | 6 ++---- config/clusters/cloudbank/staging.values.yaml | 6 ++---- config/clusters/cloudbank/tuskegee.values.yaml | 6 ++---- config/clusters/gridsst/common.values.yaml | 10 ++++------ .../jupyter-meets-the-earth/common.values.yaml | 6 ++---- config/clusters/openscapes/common.values.yaml | 6 ++---- .../clusters/pangeo-hubs/coessing.values.yaml | 18 ++++++++---------- 14 files changed, 40 insertions(+), 68 deletions(-) diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index 1fdc4934de..cfc4e743be 100644 --- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml @@ -42,11 +42,9 @@ jupyterhub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &aup_users - swalker - shaolintl 
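Review bot: `allow_existing_users: True` writes the boolean capitalized while the surrounding config writes booleans lowercase (`delete_invalid_users: true` in the coessing hunk of this commit, `enable_auth_state: true` elsewhere in the series); `True` is still parsed as a boolean under both YAML 1.1 and the 1.2 core schema, so this is a consistency point rather than a correctness one, but lowercase is what yamllint's truthy rule expects. I'd write `allow_existing_users: true`. Since enabling this flag also widens who may log in to anyone already present in the hub database, a short comment stating that here would help anyone reading this commit on its own. The same spelling is repeated in every other hunk of this commit (neurohackademy through coessing) and carried into the later commit that adds warnings around it.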
diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index 9a2e82d9c6..61a3a6efb8 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml @@ -55,20 +55,18 @@ jupyterhub: config: JupyterHub: authenticator_class: cilogon - Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # - allowed_users: &neurohackademy_users - - arokem - admin_users: *neurohackademy_users CILogonOAuthenticator: oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True + Authenticator: + allowed_users: &neurohackademy_users + - arokem + admin_users: *neurohackademy_users extraFiles: configurator-schema-default: data: diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index afcd117d37..8b20037be2 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml @@ -192,11 +192,9 @@ basehub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to - # be configured explicitly. - # allowed_users: &users - maxrjones admin_users: *users diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml index fe5d9c4cd3..32fd25f104 100644 --- a/config/clusters/cloudbank/howard.values.yaml +++ b/config/clusters/cloudbank/howard.values.yaml 
@@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &howard_users - ericvd@berkeley.edu - gwashington@scs.howard.edu diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml index 5c3e8e6442..ca20b076a8 100644 --- a/config/clusters/cloudbank/lacc.values.yaml +++ b/config/clusters/cloudbank/lacc.values.yaml @@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &lacc_users - PINEDAEM@laccd.edu - LAMKT@laccd.edu diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml index 81ae2bd4c3..60ba874481 100644 --- a/config/clusters/cloudbank/palomar.values.yaml +++ b/config/clusters/cloudbank/palomar.values.yaml @@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &palomar_users - aculich@berkeley.edu - sean.smorris@berkeley.edu diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml index 56f4cd6d44..3443173895 100644 --- a/config/clusters/cloudbank/sbcc-dev.values.yaml +++ b/config/clusters/cloudbank/sbcc-dev.values.yaml 
@@ -39,11 +39,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &sbcc_users - ericvd@gmail.com - sean.smorris@berkeley.edu diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml index 638eb616ba..3399eaa550 100644 --- a/config/clusters/cloudbank/sbcc.values.yaml +++ b/config/clusters/cloudbank/sbcc.values.yaml @@ -39,11 +39,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &sbcc_users - ericvd@gmail.com - sean.smorris@berkeley.edu diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml index 806d18a453..fe109f8f5b 100644 --- a/config/clusters/cloudbank/staging.values.yaml +++ b/config/clusters/cloudbank/staging.values.yaml @@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &staging_users - sean.smorris@berkeley.edu admin_users: *staging_users diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml index 12a0b32027..d6029d98bf 100644 --- a/config/clusters/cloudbank/tuskegee.values.yaml +++ b/config/clusters/cloudbank/tuskegee.values.yaml 
@@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &tuskegee_users - yasmeen.rawajfih@gmail.com - Wu.fan01@gmail.com diff --git a/config/clusters/gridsst/common.values.yaml b/config/clusters/gridsst/common.values.yaml index 718e911de3..ec498b3cb5 100644 --- a/config/clusters/gridsst/common.values.yaml +++ b/config/clusters/gridsst/common.values.yaml @@ -36,18 +36,16 @@ basehub: url: https://science.nasa.gov/earth-science/focus-areas/climate-variability-and-change/ocean-physics hub: config: + JupyterHub: + authenticator_class: github + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to - # be configured explicitly. - # allowed_users: &gridsst_users - alisonrgray - nikki-t - dgumustel admin_users: *gridsst_users - JupyterHub: - authenticator_class: github singleuser: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index ef18095faf..3bdcffad1f 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml 
@@ -226,11 +226,9 @@ basehub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &users # This is just listing a few of the users/admins, a lot of # users has been added manually, see: diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index 9d6d5246d7..896bd3aa33 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml @@ -55,14 +55,12 @@ basehub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True Authenticator: admin_users: &users - amfriesz - jules32 - erinmr - betolink - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: *users diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index 6a19477097..51028b1c58 100644 --- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml @@ -34,16 +34,6 @@ basehub: node.kubernetes.io/instance-type: n1-standard-2 hub: config: - Authenticator: - admin_users: &admin_users - - paigemar@umich.edu - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # - allowed_users: *admin_users - # Delete any prior existing users in the db that don't pass username_pattern - delete_invalid_users: true JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: 
@@ -52,3 +42,11 @@ basehub: http://google.com/accounts/o8/id: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True + Authenticator: + admin_users: &admin_users + - paigemar@umich.edu + allowed_users: *admin_users + # Delete any prior existing users in the db that don't pass username_pattern + delete_invalid_users: true From adb6b9a5da0500bda9913a6f7cf30e4742a0fff4 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 19:18:42 +0200 Subject: [PATCH 04/24] oauthenticator 16: remove outdated comment about allowed_users --- .../2i2c-aws-us/dask-staging.values.yaml | 14 ++++------ .../2i2c-aws-us/researchdelight.values.yaml | 4 +-- .../clusters/2i2c-aws-us/staging.values.yaml | 14 ++++------ config/clusters/2i2c-uk/lis.values.yaml | 13 ++++----- config/clusters/awi-ciroh/common.values.yaml | 13 ++++----- config/clusters/leap/common.values.yaml | 13 ++++----- .../clusters/linked-earth/common.values.yaml | 9 ++---- config/clusters/m2lines/common.values.yaml | 13 ++++----- config/clusters/nasa-cryo/common.values.yaml | 28 +++++++++---------- .../clusters/pangeo-hubs/common.values.yaml | 15 ++++------ config/clusters/qcl/common.values.yaml | 11 +++----- .../clusters/smithsonian/common.values.yaml | 3 -- config/clusters/victor/common.values.yaml | 11 +++----- 13 files changed, 62 insertions(+), 99 deletions(-) diff --git a/config/clusters/2i2c-aws-us/dask-staging.values.yaml b/config/clusters/2i2c-aws-us/dask-staging.values.yaml index 49def94b2c..6b2569467d 100644 --- a/config/clusters/2i2c-aws-us/dask-staging.values.yaml +++ b/config/clusters/2i2c-aws-us/dask-staging.values.yaml 
@@ -33,15 +33,6 @@ basehub: tag: "2022.06.02" hub: config: - Authenticator: - # This hub uses GitHub Org auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. - # - # You must always set admin_users, even if it is an empty list, - # otherwise `add_staff_user_ids_to_admin_users: true` will fail - # silently and no staff members will have admin access. - admin_users: [] JupyterHub: authenticator_class: "github" GitHubOAuthenticator: @@ -50,3 +41,8 @@ basehub: - 2i2c-org scope: - read:org + Authenticator: + # You must always set admin_users, even if it is an empty list, + # otherwise `add_staff_user_ids_to_admin_users: true` will fail + # silently and no staff members will have admin access. + admin_users: [] diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml index a4c4c0532c..0e7ba535df 100644 --- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml +++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml @@ -34,8 +34,6 @@ basehub: config: JupyterHub: authenticator_class: github - Authenticator: - enable_auth_state: true GitHubOAuthenticator: populate_teams_in_auth_state: true allowed_organizations: @@ -43,6 +41,8 @@ basehub: - 2i2c-org:research-delight-team scope: - read:org + Authenticator: + enable_auth_state: true singleuser: image: name: quay.io/2i2c/researchdelight-image diff --git a/config/clusters/2i2c-aws-us/staging.values.yaml b/config/clusters/2i2c-aws-us/staging.values.yaml index 13e68094d4..8992c8403c 100644 --- a/config/clusters/2i2c-aws-us/staging.values.yaml +++ b/config/clusters/2i2c-aws-us/staging.values.yaml 
@@ -28,15 +28,6 @@ jupyterhub: url: https://2i2c.org hub: config: - Authenticator: - # This hub uses GitHub Org auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. - # - # You must always set admin_users, even if it is an empty list, - # otherwise `add_staff_user_ids_to_admin_users: true` will fail - # silently and no staff members will have admin access. - admin_users: [] JupyterHub: authenticator_class: "github" GitHubOAuthenticator: @@ -45,3 +36,8 @@ jupyterhub: - 2i2c-org scope: - read:org + Authenticator: + # You must always set admin_users, even if it is an empty list, + # otherwise `add_staff_user_ids_to_admin_users: true` will fail + # silently and no staff members will have admin access. + admin_users: [] diff --git a/config/clusters/2i2c-uk/lis.values.yaml b/config/clusters/2i2c-uk/lis.values.yaml index 87c0ea6207..8c6e3d943b 100644 --- a/config/clusters/2i2c-uk/lis.values.yaml +++ b/config/clusters/2i2c-uk/lis.values.yaml @@ -49,17 +49,14 @@ jupyterhub: config: JupyterHub: authenticator_class: github - Authenticator: - # This hub uses GitHub Orgs auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. These people should have admin access though. - admin_users: - - LaCrecerelle - - matthew-brett GitHubOAuthenticator: + oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback" allowed_organizations: - 2i2c-org - lisacuk scope: - read:org - oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback" + Authenticator: + admin_users: + - LaCrecerelle + - matthew-brett diff --git a/config/clusters/awi-ciroh/common.values.yaml b/config/clusters/awi-ciroh/common.values.yaml index 344f2982cd..e05c6c001d 100644 --- a/config/clusters/awi-ciroh/common.values.yaml +++ b/config/clusters/awi-ciroh/common.values.yaml 
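Review bot: In the lis hunk the relocated `Authenticator.admin_users` block loses the comment that explained why `allowed_users` is deliberately absent on a GitHub-org hub, and nothing replaces it, so a maintainer adding `allowed_users` later has no hint whether that would restrict org members or merely add to `allowed_organizations`. If, as the commit implies, oauthenticator 16 makes `allowed_users` additive to `allowed_organizations`, a one-line comment such as `# access is granted via allowed_organizations; admin_users only adds admin rights` would keep the intent without the outdated part. The same applies to the awi-ciroh, leap, linked-earth, m2lines, nasa-cryo, pangeo-hubs, qcl, smithsonian and victor hunks that follow.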
@@ -33,14 +33,6 @@ basehub: config: JupyterHub: authenticator_class: github - Authenticator: - # This hub uses GitHub Orgs auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. These people should have admin access though. - admin_users: - - jameshalgren - - arpita0911patel - - karnesh GitHubOAuthenticator: allowed_organizations: - 2i2c-org @@ -48,6 +40,11 @@ basehub: - NOAA-OWP scope: - read:org + Authenticator: + admin_users: + - jameshalgren + - arpita0911patel + - karnesh singleuser: image: # Image build repo: https://github.com/2i2c-org/awi-ciroh-image diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index eea8fb49c0..50b9d09de4 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml @@ -42,14 +42,6 @@ basehub: tag: "0.0.1-0.dev.git.7080.h0da36d1e" allowNamedServers: true config: - Authenticator: - enable_auth_state: true - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - rabernat - - jbusecke JupyterHub: authenticator_class: github # Announcement is a JupyterHub feature to present messages to users in @@ -76,6 +68,11 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org + Authenticator: + enable_auth_state: true + admin_users: + - rabernat + - jbusecke singleuser: image: name: pangeo/pangeo-notebook diff --git a/config/clusters/linked-earth/common.values.yaml b/config/clusters/linked-earth/common.values.yaml index 1354a071e2..9daf307323 100644 --- a/config/clusters/linked-earth/common.values.yaml +++ b/config/clusters/linked-earth/common.values.yaml 
@@ -33,18 +33,15 @@ basehub: config: JupyterHub: authenticator_class: github - Authenticator: - # This hub uses GitHub Orgs auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. These people should have admin access though. - admin_users: - - khider GitHubOAuthenticator: allowed_organizations: - 2i2c-org - LinkedEarth scope: - read:org + Authenticator: + admin_users: + - khider singleuser: image: # User image repo: https://quay.io/repository/linkedearth/pyleoclim diff --git a/config/clusters/m2lines/common.values.yaml b/config/clusters/m2lines/common.values.yaml index d624a11e24..08ab1f3824 100644 --- a/config/clusters/m2lines/common.values.yaml +++ b/config/clusters/m2lines/common.values.yaml @@ -39,14 +39,6 @@ basehub: hub: allowNamedServers: true config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - rabernat - - johannag126 - - jbusecke JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -55,6 +47,11 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org + Authenticator: + admin_users: + - rabernat + - johannag126 + - jbusecke singleuser: extraFiles: jupyter_notebook_config.json: diff --git a/config/clusters/nasa-cryo/common.values.yaml b/config/clusters/nasa-cryo/common.values.yaml index be071fb353..7385424507 100644 --- a/config/clusters/nasa-cryo/common.values.yaml +++ b/config/clusters/nasa-cryo/common.values.yaml 
@@ -37,21 +37,6 @@ basehub: hub: allowNamedServers: true config: - Authenticator: - # We are restricting profiles based on GitHub Team membership and - # so need to persist auth state - enable_auth_state: true - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - tsnow03 - - JessicaS11 - - jdmillstein - - dfelikson - - fperez - - scottyhq - - jomey JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -64,6 +49,19 @@ basehub: - CryoInTheCloud:cryocloudadvanced scope: - read:org + Authenticator: + # We are restricting profiles based on GitHub Team membership and + # so need to persist auth state + enable_auth_state: true + admin_users: + - tsnow03 + - JessicaS11 + - jdmillstein + - dfelikson + - fperez + - scottyhq + - jomey + singleuser: extraFiles: # jupyter_server_config.json is defined by basehub, this entry adds to it diff --git a/config/clusters/pangeo-hubs/common.values.yaml b/config/clusters/pangeo-hubs/common.values.yaml index 2c4bef29bf..e9d9dc23b8 100644 --- a/config/clusters/pangeo-hubs/common.values.yaml +++ b/config/clusters/pangeo-hubs/common.values.yaml @@ -38,15 +38,6 @@ basehub: hub: allowNamedServers: true config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - rabernat - - jhamman - - scottyhq - - TomAugspurger JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -55,6 +46,12 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org + Authenticator: + admin_users: + - rabernat + - jhamman + - scottyhq + - TomAugspurger singleuser: extraEnv: GH_SCOPED_CREDS_CLIENT_ID: "Iv1.c90ee430400a347f" 
diff --git a/config/clusters/qcl/common.values.yaml b/config/clusters/qcl/common.values.yaml index c2975441b7..d0d9ac70ad 100644 --- a/config/clusters/qcl/common.values.yaml +++ b/config/clusters/qcl/common.values.yaml @@ -36,13 +36,6 @@ jupyterhub: hub: allowNamedServers: true config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - gizmo404 - - jtkmckenna JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -51,6 +44,10 @@ jupyterhub: - QuantifiedCarbon:jupyterhub scope: - read:org + Authenticator: + admin_users: + - gizmo404 + - jtkmckenna singleuser: image: # pangeo/pangeo-notebook is maintained at: https://github.com/pangeo-data/pangeo-docker-images diff --git a/config/clusters/smithsonian/common.values.yaml b/config/clusters/smithsonian/common.values.yaml index 499066f1ff..3a8aba9abc 100644 --- a/config/clusters/smithsonian/common.values.yaml +++ b/config/clusters/smithsonian/common.values.yaml @@ -48,9 +48,6 @@ basehub: - read:org Authenticator: enable_auth_state: true - # This hub uses GitHub Orgs auth and so we don't set allowed_users in - # order to not deny access to valid members of the listed orgs. These - # people should have admin access though. admin_users: - MikeTrizna # Mike Trizna - rdikow # Rebecca Dikow diff --git a/config/clusters/victor/common.values.yaml b/config/clusters/victor/common.values.yaml index 47136ec38c..4efda07888 100644 --- a/config/clusters/victor/common.values.yaml +++ b/config/clusters/victor/common.values.yaml 
@@ -34,13 +34,6 @@ basehub: url: https://people.climate.columbia.edu/projects/sponsor/National%20Science%20Foundation hub: config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - einatlev-ldeo - - SamKrasnoff JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -49,6 +42,10 @@ basehub: - VICTOR-Community:victoraccess scope: - read:org + Authenticator: + admin_users: + - einatlev-ldeo + - SamKrasnoff singleuser: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods From 93e2e25fcda524d32216b150489efb39dac7cec1 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 19:20:18 +0200 Subject: [PATCH 05/24] auth config: remove outdated workaround setting empty admin_users This was fixed in https://github.com/2i2c-org/infrastructure/pull/2299 --- config/clusters/2i2c-aws-us/dask-staging.values.yaml | 5 ----- config/clusters/2i2c-aws-us/staging.values.yaml | 5 ----- 2 files changed, 10 deletions(-) diff --git a/config/clusters/2i2c-aws-us/dask-staging.values.yaml b/config/clusters/2i2c-aws-us/dask-staging.values.yaml index 6b2569467d..ef475a47b1 100644 --- a/config/clusters/2i2c-aws-us/dask-staging.values.yaml +++ b/config/clusters/2i2c-aws-us/dask-staging.values.yaml @@ -41,8 +41,3 @@ basehub: - 2i2c-org scope: - read:org - Authenticator: - # You must always set admin_users, even if it is an empty list, - # otherwise `add_staff_user_ids_to_admin_users: true` will fail - # silently and no staff members will have admin access. - admin_users: [] diff --git a/config/clusters/2i2c-aws-us/staging.values.yaml b/config/clusters/2i2c-aws-us/staging.values.yaml index 8992c8403c..7d839d7b3d 100644 --- a/config/clusters/2i2c-aws-us/staging.values.yaml +++ b/config/clusters/2i2c-aws-us/staging.values.yaml 
@@ -36,8 +36,3 @@ jupyterhub: - 2i2c-org scope: - read:org - Authenticator: - # You must always set admin_users, even if it is an empty list, - # otherwise `add_staff_user_ids_to_admin_users: true` will fail - # silently and no staff members will have admin access. - admin_users: [] From 641d8bcd3ec8a9e7bb9b37fa8147217bf0f075bb Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 19:33:19 +0200 Subject: [PATCH 06/24] oauthenticator 16: remove redundant spec of allowed_users, add warnings --- config/clusters/2i2c/aup.values.yaml | 29 +++++++++++++++++-- .../clusters/2i2c/neurohackademy.values.yaml | 29 +++++++++++++++++-- config/clusters/carbonplan/common.values.yaml | 29 +++++++++++++++++-- config/clusters/cloudbank/howard.values.yaml | 29 +++++++++++++++++-- config/clusters/cloudbank/lacc.values.yaml | 29 +++++++++++++++++-- config/clusters/cloudbank/palomar.values.yaml | 29 +++++++++++++++++-- .../clusters/cloudbank/sbcc-dev.values.yaml | 29 +++++++++++++++++-- config/clusters/cloudbank/sbcc.values.yaml | 29 +++++++++++++++++-- config/clusters/cloudbank/staging.values.yaml | 29 +++++++++++++++++-- .../clusters/cloudbank/tuskegee.values.yaml | 29 +++++++++++++++++-- config/clusters/gridsst/common.values.yaml | 29 +++++++++++++++++-- .../common.values.yaml | 29 +++++++++++++++++-- config/clusters/openscapes/common.values.yaml | 29 +++++++++++++++++-- .../clusters/pangeo-hubs/coessing.values.yaml | 29 +++++++++++++++++-- 14 files changed, 378 insertions(+), 28 deletions(-) diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index cfc4e743be..beec96e623 100644 --- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml 
@@ -43,9 +43,34 @@ jupyterhub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &aup_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - swalker - shaolintl - admin_users: *aup_users diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index 61a3a6efb8..17764ea812 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml 
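Review bot: The added WARNING comment under `OAuthenticator:` reads `it breaks a common expectations for an admin user`, and the one under `Authenticator:` reads `allows any user in the JupyterHub database of users able to login`; both are ungrammatical in text whose purpose is to stop an operator from assuming that removing a name revokes access, and it is about to be copied into fourteen files. I'd write `as it breaks a common expectation of admin users` and `lets any user already present in JupyterHub's user database log in`. The revocation procedure that follows (remove from config, deploy, then revoke or delete via /hub/admin) is the part worth keeping exactly as written. The same text is repeated verbatim in the neurohackademy and carbonplan hunks that follow and, per the diffstat, in the remaining files of this commit.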
@@ -62,11 +62,36 @@ jupyterhub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &neurohackademy_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - arokem - admin_users: *neurohackademy_users extraFiles: configurator-schema-default: data: diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index 8b20037be2..39a1b067d8 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml 
@@ -193,11 +193,36 @@ basehub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - maxrjones - admin_users: *users dask-gateway: traefik: diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml index 32fd25f104..5e77e99332 100644 --- a/config/clusters/cloudbank/howard.values.yaml +++ b/config/clusters/cloudbank/howard.values.yaml 
@@ -37,11 +37,36 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &howard_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - ericvd@berkeley.edu - gwashington@scs.howard.edu - anthony.fgordon64@gmail.com - mikayladorange@gmail.com - admin_users: *howard_users diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml index ca20b076a8..8c6c41b29a 100644 --- a/config/clusters/cloudbank/lacc.values.yaml +++ b/config/clusters/cloudbank/lacc.values.yaml 
@@ -37,12 +37,37 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &lacc_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - PINEDAEM@laccd.edu - LAMKT@laccd.edu - ericvd@berkeley.edu - k_usovich@berkeley.edu - sean.smorris@berkeley.edu - admin_users: *lacc_users diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml index 60ba874481..91dcb3349c 100644 --- a/config/clusters/cloudbank/palomar.values.yaml +++ b/config/clusters/cloudbank/palomar.values.yaml 
@@ -37,11 +37,36 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &palomar_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - aculich@berkeley.edu - sean.smorris@berkeley.edu - tcanon@palomar.edu - PChen@palomar.edu - admin_users: *palomar_users diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml index 3443173895..98e01568a0 100644 --- a/config/clusters/cloudbank/sbcc-dev.values.yaml +++ b/config/clusters/cloudbank/sbcc-dev.values.yaml 
@@ -40,10 +40,35 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &sbcc_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - ericvd@gmail.com - sean.smorris@berkeley.edu - nfguebels@pipeline.sbcc.edu - admin_users: *sbcc_users diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml index 3399eaa550..2fc8495102 100644 --- a/config/clusters/cloudbank/sbcc.values.yaml +++ b/config/clusters/cloudbank/sbcc.values.yaml 
@@ -40,10 +40,35 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &sbcc_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - ericvd@gmail.com - sean.smorris@berkeley.edu - nfguebels@pipeline.sbcc.edu - admin_users: *sbcc_users diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml index fe109f8f5b..b45e22d8ae 100644 --- a/config/clusters/cloudbank/staging.values.yaml +++ b/config/clusters/cloudbank/staging.values.yaml 
@@ -37,8 +37,33 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &staging_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - sean.smorris@berkeley.edu - admin_users: *staging_users diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml index d6029d98bf..40d56e897c 100644 --- a/config/clusters/cloudbank/tuskegee.values.yaml +++ b/config/clusters/cloudbank/tuskegee.values.yaml 
@@ -37,9 +37,35 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &tuskegee_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - yasmeen.rawajfih@gmail.com - Wu.fan01@gmail.com - yanlisa@berkeley.edu @@ -47,4 +73,3 @@ jupyterhub: - ericvd@berkeley.edu - sean.smorris@berkeley.edu - sean.smorris@gmail.com - admin_users: *tuskegee_users diff --git a/config/clusters/gridsst/common.values.yaml b/config/clusters/gridsst/common.values.yaml index ec498b3cb5..b2bffbfd94 100644 --- a/config/clusters/gridsst/common.values.yaml +++ b/config/clusters/gridsst/common.values.yaml 
@@ -39,13 +39,38 @@ basehub: JupyterHub: authenticator_class: github OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &gridsst_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - alisonrgray - nikki-t - dgumustel - admin_users: *gridsst_users singleuser: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index 3bdcffad1f..e37bce4b79 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml 
@@ -227,9 +227,35 @@ basehub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: # This is just listing a few of the users/admins, a lot of # users has been added manually, see: # https://github.com/pangeo-data/jupyter-earth/issues/53 @@ -249,7 +275,6 @@ basehub: - whyjz # Whyjay Zheng - yuvipanda # Yuvi Panda - jonathan-taylor # Jonathan Taylor - admin_users: *users allowNamedServers: true dask-gateway: diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index 896bd3aa33..02422d2c0b 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml 
@@ -56,11 +56,36 @@ basehub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - admin_users: &users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - amfriesz - jules32 - erinmr - betolink - allowed_users: *users diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index 51028b1c58..d21c2d555b 100644 --- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml 
@@ -43,10 +43,35 @@ basehub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - admin_users: &admin_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - paigemar@umich.edu - allowed_users: *admin_users # Delete any prior existing users in the db that don't pass username_pattern delete_invalid_users: true From 6e51de585768a769dccd2b54cf6dfc29977c1e46 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 19:36:55 +0200 Subject: [PATCH 07/24] auth config: remove temporary config addition --- config/clusters/pangeo-hubs/coessing.values.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index d21c2d555b..0235e3e56c 100644 
--- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml @@ -73,5 +73,3 @@ basehub: # admin_users: - paigemar@umich.edu - # Delete any prior existing users in the db that don't pass username_pattern - delete_invalid_users: true From 34960832e5d31f127bab7c2169e9c7bd39a1ad7f Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 20:12:07 +0200 Subject: [PATCH 08/24] basehub: tweak values to avoid formatting conflicts --- helm-charts/basehub/values.yaml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index 8bcefeb866..e18a7052a9 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -177,11 +177,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox:1.36.1 command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan ", - ] + - "sh" + - "-c" + - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan" securityContext: runAsUser: 0 volumeMounts: @@ -394,7 +392,7 @@ jupyterhub: interfaces: - value: "/tree" title: Classic Notebook - description: + description: >- The original single-document interface for creating Jupyter Notebooks. - value: "/lab" @@ -430,8 +428,8 @@ jupyterhub: securityContext: runAsUser: 1000 runAsGroup: 1000 - allowPrivilegeEscalation: False - readOnlyRootFilesystem: True + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - name: custom-templates mountPath: /srv/extra-templates-dir @@ -486,8 +484,8 @@ jupyterhub: securityContext: runAsUser: 1000 runAsGroup: 1000 - allowPrivilegeEscalation: False - readOnlyRootFilesystem: True + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - name: custom-templates mountPath: /srv/extra-templates-dir 
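Review bot: The `@@ -177,11 +177,9 @@` basehub hunk is described as a formatting tweak, but the shell string also loses its trailing space (`... && ls -lhd /home/jovyan "` becomes `... && ls -lhd /home/jovyan"`), which is a content change to the init container's command even if `sh` treats it identically. A word in the message, or leaving the string byte-identical and only switching the list to block style, would keep the commit honest to its title. The `False`/`True` to `false`/`true` changes under `securityContext` in the two later hunks are value-equivalent for the chart's YAML loader and are the right spelling to standardise on.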
From 93d1466724733e9495bdeac0663d5e45ef2c7e58 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 20:24:16 +0200 Subject: [PATCH 09/24] basehub: refactor, simplify chowning container's command --- config/clusters/2i2c-aws-us/itcoocean.values.yaml | 8 +++----- config/clusters/2i2c/climatematch.values.yaml | 8 +++----- .../clusters/jupyter-meets-the-earth/common.values.yaml | 8 +++----- config/clusters/nasa-cryo/common.values.yaml | 8 +++----- config/clusters/nasa-veda/common.values.yaml | 8 +++----- config/clusters/qcl/common.values.yaml | 8 +++----- docs/howto/features/per-user-db.md | 8 +++----- docs/topic/infrastructure/storage-layer.md | 8 +++----- helm-charts/basehub/values.yaml | 6 +++--- 9 files changed, 27 insertions(+), 43 deletions(-) diff --git a/config/clusters/2i2c-aws-us/itcoocean.values.yaml b/config/clusters/2i2c-aws-us/itcoocean.values.yaml index 16d75220ce..5a754800cc 100644 --- a/config/clusters/2i2c-aws-us/itcoocean.values.yaml +++ b/config/clusters/2i2c-aws-us/itcoocean.values.yaml @@ -57,11 +57,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox:1.36.1 command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/2i2c/climatematch.values.yaml b/config/clusters/2i2c/climatematch.values.yaml index 87ffb2a9f1..9b0d5e31f2 100644 --- a/config/clusters/2i2c/climatematch.values.yaml +++ b/config/clusters/2i2c/climatematch.values.yaml 
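Review bot: The rewritten `command` items drop the quotes around `-c` and around the shell string, `- id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan`; both parse as plain scalars today, but a plain scalar silently changes meaning the moment a later edit introduces `: ` or ` #` inside it, and `-c` is only a string because no space follows the dash. Keeping `- "-c"` and the command string quoted, as the previous form and PATCH 08's basehub version did, costs nothing and removes that trap. The same unquoting is repeated in this patch's climatematch, jupyter-meets-the-earth, nasa-cryo, nasa-veda, qcl, per-user-db.md, storage-layer.md and basehub values hunks. Merging the three `chown` calls into one does not change privilege: the init container still runs as `runAsUser: 0` and `chown` is non-recursive here, so the only behavioural difference is that every listed path is attempted before a failure stops the `&&` chain.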
@@ -39,11 +39,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox:1.36.1 command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index e37bce4b79..93fc5adff7 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml @@ -49,11 +49,9 @@ basehub: - name: volume-mount-ownership-fix image: busybox:1.36.1 command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/nasa-cryo/common.values.yaml b/config/clusters/nasa-cryo/common.values.yaml index 7385424507..bfc32b9e43 100644 --- a/config/clusters/nasa-cryo/common.values.yaml +++ b/config/clusters/nasa-cryo/common.values.yaml @@ -89,11 +89,9 @@ basehub: - name: volume-mount-ownership-fix image: busybox:1.36.1 command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index bd25e0afb4..e514bf6ffc 100644 
--- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -104,11 +104,9 @@ basehub: - name: volume-mount-ownership-fix image: busybox:1.36.1 command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/qcl/common.values.yaml b/config/clusters/qcl/common.values.yaml index d0d9ac70ad..792743503a 100644 --- a/config/clusters/qcl/common.values.yaml +++ b/config/clusters/qcl/common.values.yaml @@ -228,11 +228,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox:1.36.1 command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/docs/howto/features/per-user-db.md b/docs/howto/features/per-user-db.md index 01bd751b60..6eb3a20270 100644 --- a/docs/howto/features/per-user-db.md +++ b/docs/howto/features/per-user-db.md @@ -60,11 +60,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox:1.36.1 command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /var/lib/postgresql/data && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /var/lib/postgresql/data && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/docs/topic/infrastructure/storage-layer.md b/docs/topic/infrastructure/storage-layer.md index ce33e0d0d1..8a023924c8 100644 --- a/docs/topic/infrastructure/storage-layer.md +++ b/docs/topic/infrastructure/storage-layer.md 
@@ -118,11 +118,9 @@ jupyterhub:
 - name: volume-mount-ownership-fix
 image: busybox:1.36.1
 command:
- [
- "sh",
- "-c",
- "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ",
- ]
+ - sh
+ - -c
+ - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan
 securityContext:
 runAsUser: 0
 volumeMounts:
diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml
index e18a7052a9..77ad2e1bdc 100644
--- a/helm-charts/basehub/values.yaml
+++ b/helm-charts/basehub/values.yaml
@@ -177,9 +177,9 @@ jupyterhub:
 - name: volume-mount-ownership-fix
 image: busybox:1.36.1
 command:
- - "sh"
- - "-c"
- - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan"
+ - sh
+ - -c
+ - id && chown 1000:1000 /home/jovyan /home/jovyan/shared && ls -lhd /home/jovyan
 securityContext:
 runAsUser: 0
 volumeMounts:
From d4bc156dd624cc7027f2a9fa1616387efd37db71 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Sun, 10 Sep 2023 20:25:36 +0200
Subject: [PATCH 10/24] basehub: upgrade z2jh from 3.0.0-beta.1 to 3.1.0
---
 helm-charts/basehub/Chart.yaml | 2 +-
 helm-charts/chartpress.yaml | 22 ++++++++++++++++------
 helm-charts/images/hub/Dockerfile | 6 +++++-
 3 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/helm-charts/basehub/Chart.yaml b/helm-charts/basehub/Chart.yaml
index ff28172b3e..70680d991a 100644
--- a/helm-charts/basehub/Chart.yaml
+++ b/helm-charts/basehub/Chart.yaml
@@ -11,7 +11,7 @@ dependencies:
 # images/hub/Dockerfile, and will also involve manually building and pushing
 # the Dockerfile to https://quay.io/2i2c/pilot-hub. Details about this can
 # be found in the Dockerfile's comments.
- version: 3.0.0-beta.1.git.6208.h7b44299a
+ version: 3.1.0
 repository: https://jupyterhub.github.io/helm-chart/
 - name: binderhub-service
 version: 0.1.0-0.dev.git.80.h358d32f
diff --git a/helm-charts/chartpress.yaml b/helm-charts/chartpress.yaml
index 962a638476..6ecf191e45 100644
--- a/helm-charts/chartpress.yaml
+++ b/helm-charts/chartpress.yaml
@@ -1,3 +1,13 @@
+# This is the configuration for chartpress, a CLI for Helm chart management.
+#
+# chartpress can be used to:
+# - Build images
+# - Update Chart.yaml (version) and values.yaml (image tags)
+# - Package and publish Helm charts to a GitHub based Helm chart repository
+#
+# For more information about chartpress, see the projects README.md file:
+# https://github.com/jupyterhub/chartpress
+#
 charts:
 - name: basehub
 imagePrefix: quay.io/2i2c/pilot-
@@ -5,16 +15,16 @@ charts:
 hub:
 valuesPath: jupyterhub.hub.image
 buildArgs:
- REQUIREMENTS_FILE: "requirements.txt"
+ REQUIREMENTS_FILE: requirements.txt
 unlisted-choice-experiment:
 imageName: quay.io/2i2c/unlisted-choice-experiment
 buildArgs:
- REQUIREMENTS_FILE: "unlisted-choice-requirements.txt"
- contextPath: "images/hub"
+ REQUIREMENTS_FILE: unlisted-choice-requirements.txt
+ contextPath: images/hub
 dockerfilePath: images/hub/Dockerfile
 dynamic-image-building-experiment:
 imageName: quay.io/2i2c/dynamic-image-building-experiment
 buildArgs:
- REQUIREMENTS_FILE: "dynamic-image-building-requirements.txt"
- contextPath: "images/hub"
- dockerfilePath: "images/hub/Dockerfile"
+ REQUIREMENTS_FILE: dynamic-image-building-requirements.txt
+ contextPath: images/hub
+ dockerfilePath: images/hub/Dockerfile
diff --git a/helm-charts/images/hub/Dockerfile b/helm-charts/images/hub/Dockerfile
index 77caeb4434..50aacb4637 100644
--- a/helm-charts/images/hub/Dockerfile
+++ b/helm-charts/images/hub/Dockerfile
@@ -12,7 +12,11 @@
 # `chartpress --push --builder docker-buildx --platform linux/amd64`
 # Ref: https://cloudolife.com/2022/03/05/Infrastructure-as-Code-IaC/Container/Docker/Docker-buildx-support-multiple-architectures-images/
 #
-FROM jupyterhub/k8s-hub:3.0.0-beta.1
+FROM jupyterhub/k8s-hub:3.1.0
+
+# chartpress.yaml defines multiple hub images differentiated only by a
+# requirements.txt file with dependencies, this build argument allows us to
+# re-use this Dockerfile for all images.
 ARG REQUIREMENTS_FILE
 COPY ${REQUIREMENTS_FILE} /tmp/
From 0b082a51935b5211d836a307ca5fedb9fa54280d Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Sat, 30 Sep 2023 14:07:18 +0200
Subject: [PATCH 11/24] hub images: use kubespawner 6.1.0 from base image, add fixme notes
---
 .../dynamic-image-building-requirements.txt | 16 ++++++++++------
 helm-charts/images/hub/requirements.txt | 12 +++++++++---
 .../hub/unlisted-choice-requirements.txt | 19 +++++++++++++++----
 3 files changed, 34 insertions(+), 13 deletions(-)
diff --git a/helm-charts/images/hub/dynamic-image-building-requirements.txt b/helm-charts/images/hub/dynamic-image-building-requirements.txt
index 1e54c5aa92..955cad733f 100644
--- a/helm-charts/images/hub/dynamic-image-building-requirements.txt
+++ b/helm-charts/images/hub/dynamic-image-building-requirements.txt
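Review bot: The new `FROM jupyterhub/k8s-hub:3.1.0` line is a second place where the z2jh version is pinned, and the Chart.yaml hunk earlier in this commit states the two have to be bumped together, but nothing on the line itself records that coupling. A comment directly above it would help, e.g. `# Keep in sync with the jupyterhub dependency version in helm-charts/basehub/Chart.yaml`. The tag is also mutable, so if reproducible hub images matter, pinning the base image by digest as well (`jupyterhub/k8s-hub:3.1.0@sha256:<digest-from-registry>`) is worth considering at the next upgrade.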
@@ -1,9 +1,13 @@
-# Image lives at quay.io/2i2c/second-hub-experimental
+# Image lives at quay.io/2i2c/dynamic-image-building-experiment
+
+# jupyterhub-configurator isn't version controlled, so we pin to a specific
+# commit currently. Available commits are found at
+# https://github.com/yuvipanda/jupyterhub-configurator/commits/main
+#
+# FIXME: ed7e3a0df1e3d625d10903ef7d7fd9c2fbb548db is from Mar 26, 2021, but
+# several commits has been made since.
+#
 git+https://github.com/yuvipanda/jupyterhub-configurator@ed7e3a0df1e3d625d10903ef7d7fd9c2fbb548db
-# Brings on using `unlisted_choice` in profile options per https://github.com/2i2c-org/infrastructure/issues/2146
-# Brings in https://github.com/jupyterhub/kubespawner/pull/787
-# This kubespawner version includes an important bugfix pending 6.1.0 release
-# tracked in https://github.com/jupyterhub/kubespawner/issues/767
-git+https://github.com/jupyterhub/kubespawner@d60146f5fe9cd31e09acf13c377d9334ecf59c9b
+
 # Brings in https://github.com/yuvipanda/jupyterhub-fancy-profiles
 git+https://github.com/yuvipanda/jupyterhub-fancy-profiles@b624031b661f71a278a37bb1fae0b8d6f316d6b3
diff --git a/helm-charts/images/hub/requirements.txt b/helm-charts/images/hub/requirements.txt
index 4bc7a8a7ac..ff9c81c682 100644
--- a/helm-charts/images/hub/requirements.txt
+++ b/helm-charts/images/hub/requirements.txt
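Review bot: The removed kubespawner git pin is not replaced by anything in the new file, so the image now silently depends on the base image (`jupyterhub/k8s-hub:3.1.0` per the Dockerfile in this series) providing kubespawner 6.1.0, and nothing in the file says so. A one-line comment would stop the next reader from re-adding a pin, e.g. `# kubespawner 6.1.0 comes from the jupyterhub/k8s-hub base image; do not pin it here`. It also documents the guard that matters: any package added to this file later that declares its own kubespawner requirement could replace the base image's version. The requirements.txt hunk in this commit has the same gap; the unlisted-choice file already states it in its FIXME.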
@@ -1,4 +1,10 @@
-# This kubespawner version includes an important bugfix pending 6.1.0 release
-# tracked in https://github.com/jupyterhub/kubespawner/issues/767
-git+https://github.com/jupyterhub/kubespawner@d60146f5fe9cd31e09acf13c377d9334ecf59c9b
+# Image lives at quay.io/2i2c/pilot-hub
+
+# jupyterhub-configurator isn't version controlled, so we pin to a specific
+# commit currently. Available commits are found at
+# https://github.com/yuvipanda/jupyterhub-configurator/commits/main
+#
+# FIXME: ed7e3a0df1e3d625d10903ef7d7fd9c2fbb548db is from Mar 26, 2021, but
+# several commits has been made since.
+#
 git+https://github.com/yuvipanda/jupyterhub-configurator@ed7e3a0df1e3d625d10903ef7d7fd9c2fbb548db
diff --git a/helm-charts/images/hub/unlisted-choice-requirements.txt b/helm-charts/images/hub/unlisted-choice-requirements.txt
index 2f90b6a95f..9af2b6c1ac 100644
--- a/helm-charts/images/hub/unlisted-choice-requirements.txt
+++ b/helm-charts/images/hub/unlisted-choice-requirements.txt
@@ -1,5 +1,16 @@
+# Image lives at quay.io/2i2c/unlisted-choice-experiment
+
+# FIXME: This image is currently redundant as kubespawner 6.1.0 with
+# unlisted_choice is used by default in z2jh 3.1.0, but it _could_ serve
+# a purpose to test future related development such as
+# https://github.com/jupyterhub/kubespawner/pull/778.
+#
+
+# jupyterhub-configurator isn't version controlled, so we pin to a specific
+# commit currently. Available commits are found at
+# https://github.com/yuvipanda/jupyterhub-configurator/commits/main
+#
+# FIXME: ed7e3a0df1e3d625d10903ef7d7fd9c2fbb548db is from Mar 26, 2021, but
+# several commits has been made since.
+#
 git+https://github.com/yuvipanda/jupyterhub-configurator@ed7e3a0df1e3d625d10903ef7d7fd9c2fbb548db
-# Brings on using `unlisted_choice` in profile options per https://github.com/2i2c-org/infrastructure/issues/2146
-# This kubespawner version includes an important bugfix pending 6.1.0 release
-# tracked in https://github.com/jupyterhub/kubespawner/issues/767
-git+https://github.com/jupyterhub/kubespawner@d60146f5fe9cd31e09acf13c377d9334ecf59c9b
\ No newline at end of file
From 81d66df008596c54402c2d808b21f17db83c06bf Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Fri, 15 Sep 2023 02:57:27 +0200
Subject: [PATCH 12/24] utoronto: re-order config entries for consistency
---
 config/clusters/utoronto/common.values.yaml | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/config/clusters/utoronto/common.values.yaml b/config/clusters/utoronto/common.values.yaml
index 2d9b07fc33..85c74e9c80 100644
--- a/config/clusters/utoronto/common.values.yaml
+++ b/config/clusters/utoronto/common.values.yaml
@@ -79,16 +79,14 @@ jupyterhub:
 readinessProbe:
 enabled: false
 config:
+ JupyterHub:
+ authenticator_class: cilogon
+ concurrent_spawn_limit: 100
+ # We wanna keep logs long term, primarily for analytics
+ extra_log_file: /srv/jupyterhub/jupyterhub.log
 CILogonOAuthenticator:
 oauth_callback_url: https://r-staging.datatools.utoronto.ca/hub/oauth_callback
 allowed_idps:
 https://idpz.utorauth.utoronto.ca/shibboleth:
 username_derivation:
 username_claim: "email"
- Authenticator:
- enable_auth_state: false
- JupyterHub:
- authenticator_class: cilogon
- concurrent_spawn_limit: 100
- # We wanna keep logs long term, primarily for analytics
- extra_log_file: /srv/jupyterhub/jupyterhub.log
From edf1500290b1622ce0d2baf91c6132489f4e4299 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Fri, 15 Sep 2023 02:58:07 +0200
Subject: [PATCH 13/24] utoronto: remove duplicated specification
---
 config/clusters/utoronto/common.values.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/config/clusters/utoronto/common.values.yaml b/config/clusters/utoronto/common.values.yaml
index 85c74e9c80..a8fc3a0ca1 100644
--- a/config/clusters/utoronto/common.values.yaml
+++ b/config/clusters/utoronto/common.values.yaml
@@ -85,7 +85,6 @@ jupyterhub:
 # We wanna keep logs long term, primarily for analytics
 extra_log_file: /srv/jupyterhub/jupyterhub.log
 CILogonOAuthenticator:
- oauth_callback_url: https://r-staging.datatools.utoronto.ca/hub/oauth_callback
 allowed_idps:
 https://idpz.utorauth.utoronto.ca/shibboleth:
 username_derivation:
From 56853280f3c390602e7c7516b30fd8fe6a8f4049 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Sat, 30 Sep 2023 12:36:42 +0200
Subject: [PATCH 14/24] docs: remove no longer correct warning
---
 docs/hub-deployment-guide/configure-auth/github-orgs.md | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/docs/hub-deployment-guide/configure-auth/github-orgs.md b/docs/hub-deployment-guide/configure-auth/github-orgs.md
index b8f38f835b..f0838e3c59 100644
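Review bot: Besides moving the `JupyterHub` block up, this hunk drops `Authenticator.enable_auth_state: false` instead of relocating it, while the subject describes the change as a re-order only. The JupyterHub default for that traitlet is false, so hub behaviour most likely does not change, but the line was an explicit statement of intent and the diffstat (5 insertions, 7 deletions) is the only hint it went away. Either keep the two lines `Authenticator:` / `enable_auth_state: false` in the new ordering, or say in the commit message that the redundant default was removed on purpose.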
--- a/docs/hub-deployment-guide/configure-auth/github-orgs.md
+++ b/docs/hub-deployment-guide/configure-auth/github-orgs.md
@@ -69,13 +69,6 @@ You can remove yourself from the org once you have confirmed that login is worki
 4. **Edit the non-secret config under `config/clusters//.values.yaml`.** You should make sure the matching hub config takes one of the following forms.
- ```{warning}
- When using this method of authentication, make sure to remove the `allowed_users` key from the config.
- This is because this key will block any user not listed under it **even if** they are valid members of the the organisation or team you are authenticating against.
-
- You should keep the `admin_users` key, however.
- ```
-
 To authenticate against a GitHub organisation (Note the `read:user` scope. See comment box below.):
 ```yaml
From b5e1f1e294d3894860748a5ab8779105f02e1b07 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Sat, 30 Sep 2023 13:46:33 +0200
Subject: [PATCH 15/24] oauthenticator 16.1: add allow_all config to individual idps
---
 config/clusters/2i2c-aws-us/cosmicds.values.yaml | 1 +
 config/clusters/2i2c/demo.values.yaml | 1 +
 config/clusters/2i2c/temple.values.yaml | 1 +
 config/clusters/2i2c/ucmerced.values.yaml | 1 +
 config/clusters/cloudbank/ccsf.values.yaml | 4 ++++
 config/clusters/cloudbank/csm.values.yaml | 1 +
 config/clusters/cloudbank/csulb.values.yaml | 2 ++
 config/clusters/cloudbank/demo.values.yaml | 4 ++++
 config/clusters/cloudbank/dvc.values.yaml | 1 +
 config/clusters/cloudbank/elcamino.values.yaml | 1 +
 config/clusters/cloudbank/evc.values.yaml | 1 +
 config/clusters/cloudbank/fresno.values.yaml | 1 +
 config/clusters/cloudbank/glendale.values.yaml | 1 +
 config/clusters/cloudbank/humboldt.values.yaml | 2 ++
 config/clusters/cloudbank/laney.values.yaml | 1 +
 config/clusters/cloudbank/mills.values.yaml | 1 +
 config/clusters/cloudbank/miracosta.values.yaml | 2 ++
 config/clusters/cloudbank/mission.values.yaml | 1 +
 config/clusters/cloudbank/norco.values.yaml | 1 +
 config/clusters/cloudbank/pasadena.values.yaml | 1 +
 config/clusters/cloudbank/sacramento.values.yaml | 1 +
 config/clusters/cloudbank/saddleback.values.yaml | 1 +
 config/clusters/cloudbank/santiago.values.yaml | 1 +
 config/clusters/cloudbank/sjcc.values.yaml | 1 +
 config/clusters/cloudbank/sjsu.values.yaml | 2 ++
 config/clusters/cloudbank/skyline.values.yaml | 1 +
 config/clusters/cloudbank/srjc.values.yaml | 4 ++++
 config/clusters/hhmi/common.values.yaml | 4 ++++
 config/clusters/ubc-eoas/common.values.yaml | 1 +
 config/clusters/utoronto/common.values.yaml | 1 +
 30 files changed, 46 insertions(+)
diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml
index 2322f13c54..dbc9f2150e 100644
--- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml
+++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml
@@ -83,3 +83,4 @@ jupyterhub:
 http://github.com/login/oauth/authorize:
 username_derivation:
 username_claim: "preferred_username"
+ allow_all: true
diff --git a/config/clusters/2i2c/demo.values.yaml b/config/clusters/2i2c/demo.values.yaml
index f43990eab6..7790b60e77 100644
--- a/config/clusters/2i2c/demo.values.yaml
+++ b/config/clusters/2i2c/demo.values.yaml
@@ -36,6 +36,7 @@ jupyterhub:
 https://enterprise.login.utexas.edu/idp/shibboleth:
 username_derivation:
 username_claim: "eppn"
+ allow_all: true
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
diff --git a/config/clusters/2i2c/temple.values.yaml b/config/clusters/2i2c/temple.values.yaml
index 9469e3dc9f..ee4b67aa3f 100644
--- a/config/clusters/2i2c/temple.values.yaml
+++ b/config/clusters/2i2c/temple.values.yaml
@@ -56,6 +56,7 @@ jupyterhub:
 https://fim.temple.edu/idp/shibboleth:
 username_derivation:
 username_claim: "eppn"
+ allow_all: true
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
diff --git a/config/clusters/2i2c/ucmerced.values.yaml b/config/clusters/2i2c/ucmerced.values.yaml
index bfe3f70435..b424c4b8b7 100644
--- a/config/clusters/2i2c/ucmerced.values.yaml
+++ b/config/clusters/2i2c/ucmerced.values.yaml
@@ -42,6 +42,7 @@ jupyterhub:
 urn:mace:incommon:ucmerced.edu:
 username_derivation:
 username_claim: "eppn"
+ allow_all: true
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
diff --git a/config/clusters/cloudbank/ccsf.values.yaml b/config/clusters/cloudbank/ccsf.values.yaml
index fc742abaf5..7c795a60d1 100644
--- a/config/clusters/cloudbank/ccsf.values.yaml
+++ b/config/clusters/cloudbank/ccsf.values.yaml
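Review bot: `allow_all: true` on the `http://github.com/login/oauth/authorize` idp in cosmicds authorizes every GitHub account, and no narrowing such as `allowed_domains` is visible in this hunk. If open access is the intent (presumably it preserves what the hub did before the oauthenticator 16 upgrade), the file should say so next to the line, e.g. `# Intentionally open: any GitHub account may log in to this hub`. The hhmi hunk in this same commit marks the identical situation with a FIXME, so the two should not read as if one is deliberate and the other an accident without a comment saying which.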
@@ -39,9 +39,13 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
+ # allow_all is a partial authorization, username_pattern is enforced also
+ allow_all: true
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ # allow_all is a partial authorization, username_pattern is enforced also
+ allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/csm.values.yaml b/config/clusters/cloudbank/csm.values.yaml
index 212bb96c36..3ca4847157 100644
--- a/config/clusters/cloudbank/csm.values.yaml
+++ b/config/clusters/cloudbank/csm.values.yaml
@@ -41,6 +41,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/csulb.values.yaml b/config/clusters/cloudbank/csulb.values.yaml
index 554bac1627..1b18d17551 100644
--- a/config/clusters/cloudbank/csulb.values.yaml
+++ b/config/clusters/cloudbank/csulb.values.yaml
@@ -43,9 +43,11 @@ jupyterhub:
 https://its-shib.its.csulb.edu/idp/shibboleth:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/demo.values.yaml b/config/clusters/cloudbank/demo.values.yaml
index fcf667887d..b2789d0d67 100644
--- a/config/clusters/cloudbank/demo.values.yaml
+++ b/config/clusters/cloudbank/demo.values.yaml
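Review bot: The comment added above `allow_all: true` on the Google idp (`http://google.com/accounts/o8/id`) relies on `Authenticator.username_pattern` being set, but no such setting appears in this hunk; with a public idp, if the pattern is missing or later removed, every Google account becomes authorized. Confirm the pattern is actually configured for this hub and make the comment point at it so the dependency is visible, e.g. `# Only a partial authorization: usernames are still filtered by Authenticator.username_pattern (see <where it is set in this file>)`. The same comment and the same unstated dependency appear in the cloudbank demo and srjc hunks of this commit, and the `Authenticator` block continues past the end of this hunk.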
@@ -42,9 +42,13 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
+ # allow_all is a partial authorization, username_pattern is enforced also
+ allow_all: true
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ # allow_all is a partial authorization, username_pattern is enforced also
+ allow_all: true
 Authenticator:
 # These folks should still have admin tho
 admin_users:
diff --git a/config/clusters/cloudbank/dvc.values.yaml b/config/clusters/cloudbank/dvc.values.yaml
index d3a1e06dcf..fcec3ad5d6 100644
--- a/config/clusters/cloudbank/dvc.values.yaml
+++ b/config/clusters/cloudbank/dvc.values.yaml
@@ -46,6 +46,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 JupyterHub:
 authenticator_class: cilogon
 Authenticator:
diff --git a/config/clusters/cloudbank/elcamino.values.yaml b/config/clusters/cloudbank/elcamino.values.yaml
index 2251ab5601..77a0880052 100644
--- a/config/clusters/cloudbank/elcamino.values.yaml
+++ b/config/clusters/cloudbank/elcamino.values.yaml
@@ -42,6 +42,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/evc.values.yaml b/config/clusters/cloudbank/evc.values.yaml
index d0b4a04c28..f84bc809bb 100644
--- a/config/clusters/cloudbank/evc.values.yaml
+++ b/config/clusters/cloudbank/evc.values.yaml
@@ -51,6 +51,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 JupyterHub:
 authenticator_class: cilogon
 Authenticator:
diff --git a/config/clusters/cloudbank/fresno.values.yaml b/config/clusters/cloudbank/fresno.values.yaml
index aa68e5cd00..992a0e766f 100644
--- a/config/clusters/cloudbank/fresno.values.yaml
+++ b/config/clusters/cloudbank/fresno.values.yaml
@@ -41,6 +41,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - joellen.green@fresnocitycollege.edu
diff --git a/config/clusters/cloudbank/glendale.values.yaml b/config/clusters/cloudbank/glendale.values.yaml
index e061af47a1..56b2887061 100644
--- a/config/clusters/cloudbank/glendale.values.yaml
+++ b/config/clusters/cloudbank/glendale.values.yaml
@@ -41,6 +41,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - simon@glendale.edu
diff --git a/config/clusters/cloudbank/humboldt.values.yaml b/config/clusters/cloudbank/humboldt.values.yaml
index a23fb82f0e..94ae78b4aa 100644
--- a/config/clusters/cloudbank/humboldt.values.yaml
+++ b/config/clusters/cloudbank/humboldt.values.yaml
@@ -49,9 +49,11 @@ jupyterhub:
 https://sso.humboldt.edu/idp/metadata:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 # These folks should still have admin tho
 admin_users:
diff --git a/config/clusters/cloudbank/laney.values.yaml b/config/clusters/cloudbank/laney.values.yaml
index 030a83fda3..f57b52b0a5 100644
--- a/config/clusters/cloudbank/laney.values.yaml
+++ b/config/clusters/cloudbank/laney.values.yaml
@@ -44,6 +44,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/mills.values.yaml b/config/clusters/cloudbank/mills.values.yaml
index aac9ca925a..ef60c48a76 100644
--- a/config/clusters/cloudbank/mills.values.yaml
+++ b/config/clusters/cloudbank/mills.values.yaml
@@ -40,6 +40,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users: &mills_admins
 - aculich@berkeley.edu
diff --git a/config/clusters/cloudbank/miracosta.values.yaml b/config/clusters/cloudbank/miracosta.values.yaml
index 498591ee0c..add08ecabd 100644
--- a/config/clusters/cloudbank/miracosta.values.yaml
+++ b/config/clusters/cloudbank/miracosta.values.yaml
@@ -37,9 +37,11 @@ jupyterhub:
 https://miracosta.fedgw.com/gateway:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - sfirouzian@miracosta.edu
diff --git a/config/clusters/cloudbank/mission.values.yaml b/config/clusters/cloudbank/mission.values.yaml
index 8201315abe..2914d1e6e8 100644
--- a/config/clusters/cloudbank/mission.values.yaml
+++ b/config/clusters/cloudbank/mission.values.yaml
@@ -47,6 +47,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/norco.values.yaml b/config/clusters/cloudbank/norco.values.yaml
index cfdbaf302a..d946b180ce 100644
--- a/config/clusters/cloudbank/norco.values.yaml
+++ b/config/clusters/cloudbank/norco.values.yaml
@@ -45,6 +45,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/pasadena.values.yaml b/config/clusters/cloudbank/pasadena.values.yaml
index a2d10d2a68..dc033c2cec 100644
--- a/config/clusters/cloudbank/pasadena.values.yaml
+++ b/config/clusters/cloudbank/pasadena.values.yaml
@@ -46,6 +46,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - yxchang@go.pasadena.edu
diff --git a/config/clusters/cloudbank/sacramento.values.yaml b/config/clusters/cloudbank/sacramento.values.yaml
index 41d5bab610..e5fbede910 100644
--- a/config/clusters/cloudbank/sacramento.values.yaml
+++ b/config/clusters/cloudbank/sacramento.values.yaml
@@ -47,6 +47,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/saddleback.values.yaml b/config/clusters/cloudbank/saddleback.values.yaml
index 04bb50c6e0..fc0fa0211c 100644
--- a/config/clusters/cloudbank/saddleback.values.yaml
+++ b/config/clusters/cloudbank/saddleback.values.yaml
@@ -46,6 +46,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/santiago.values.yaml b/config/clusters/cloudbank/santiago.values.yaml
index 64584ef345..c9e39072c8 100644
--- a/config/clusters/cloudbank/santiago.values.yaml
+++ b/config/clusters/cloudbank/santiago.values.yaml
@@ -52,6 +52,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/sjcc.values.yaml b/config/clusters/cloudbank/sjcc.values.yaml
index ea7c8b661c..4d45d372e0 100644
--- a/config/clusters/cloudbank/sjcc.values.yaml
+++ b/config/clusters/cloudbank/sjcc.values.yaml
@@ -47,6 +47,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - christiaan.desmond@sjcc.edu
diff --git a/config/clusters/cloudbank/sjsu.values.yaml b/config/clusters/cloudbank/sjsu.values.yaml
index 8272328530..35f1170400 100644
--- a/config/clusters/cloudbank/sjsu.values.yaml
+++ b/config/clusters/cloudbank/sjsu.values.yaml
@@ -47,9 +47,11 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 https://idp01.sjsu.edu/idp/shibboleth:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/skyline.values.yaml b/config/clusters/cloudbank/skyline.values.yaml
index 6473ee80de..9223fdac48 100644
--- a/config/clusters/cloudbank/skyline.values.yaml
+++ b/config/clusters/cloudbank/skyline.values.yaml
@@ -45,6 +45,7 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/srjc.values.yaml b/config/clusters/cloudbank/srjc.values.yaml
index 39e35b65be..19e01d253c 100644
--- a/config/clusters/cloudbank/srjc.values.yaml
+++ b/config/clusters/cloudbank/srjc.values.yaml
@@ -39,9 +39,13 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
+ # allow_all is a partial authorization, username_pattern is enforced also
+ allow_all: true
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
+ # allow_all is a partial authorization, username_pattern is enforced also
+ allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/hhmi/common.values.yaml b/config/clusters/hhmi/common.values.yaml
index bce32ad686..921234ab8a 100644
--- a/config/clusters/hhmi/common.values.yaml
+++ b/config/clusters/hhmi/common.values.yaml
@@ -50,3 +50,7 @@ basehub:
 http://github.com/login/oauth/authorize:
 username_derivation:
 username_claim: "preferred_username"
+ # FIXME: allow_all=true is the current behavior, but its not
+ # intentional based on discussion about how the hub was
+ # setup.
+ allow_all: true
diff --git a/config/clusters/ubc-eoas/common.values.yaml b/config/clusters/ubc-eoas/common.values.yaml
index 0d057dec89..d9a6066157 100644
--- a/config/clusters/ubc-eoas/common.values.yaml
+++ b/config/clusters/ubc-eoas/common.values.yaml
@@ -48,6 +48,7 @@ jupyterhub:
 username_claim: email
 action: strip_idp_domain
 domain: eoas.ubc.ca
+ allow_all: true
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: email
diff --git a/config/clusters/utoronto/common.values.yaml b/config/clusters/utoronto/common.values.yaml
index a8fc3a0ca1..246c4e2dd5 100644
--- a/config/clusters/utoronto/common.values.yaml
+++ b/config/clusters/utoronto/common.values.yaml
@@ -89,3 +89,4 @@ jupyterhub:
 https://idpz.utorauth.utoronto.ca/shibboleth:
 username_derivation:
 username_claim: "email"
+ allow_all: true
From 4c9be70ab0b0e35802fb6a6eb5a49fad48252de9 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Sat, 30 Sep 2023 13:47:43 +0200
Subject: [PATCH 16/24] docs: refine inline comment about admin_users
---
 config/clusters/callysto/common.values.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/config/clusters/callysto/common.values.yaml b/config/clusters/callysto/common.values.yaml
index d458fe5809..01bd567c25 100644
--- a/config/clusters/callysto/common.values.yaml
+++ b/config/clusters/callysto/common.values.yaml
@@ -127,8 +127,11 @@ jupyterhub:
 - cfis.com
 - "*.ca"
 CILogonOAuthenticator:
- # We set up admin_users, but *not* allowed users. Those are set up via the extraConfig
- admin_users: &callysto_users
+ # Usernames are based on a unique "oidc" claim and not email, so we need
+ # to reference these names when declaring admin_users. The custom
+ # authenticator class used will reject any user not having an associated
+ # email with a specific domain name though.
+ admin_users:
 - "117859169473992122769" # Georgiana (2i2c)
 - "115722756968212778437" # Sarah (2i2c)
 - "103849660365364958119" # Erik (2i2c)
From a430c9e4fbe5deda1434026c6cae552942223fa9 Mon Sep 17 00:00:00 2001
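Review bot: In the callysto hunk the rewritten `admin_users:` line loses its `&callysto_users` anchor, which the subject ("refine inline comment") does not announce. If any `*callysto_users` alias remains elsewhere in the file the values file will no longer parse; if none does, the removal is fine but belongs in the commit message. Either keep the line as `admin_users: &callysto_users` or confirm no alias is left. The admin list continues past the end of the hunk.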
From: Erik Sundell
Date: Sat, 30 Sep 2023 13:48:12 +0200
Subject: [PATCH 17/24] docs: refresh cilogon docs about config
---
 .../configure-auth/cilogon.md | 39 ++++++++++++-------
 1 file changed, 25 insertions(+), 14 deletions(-)
diff --git a/docs/hub-deployment-guide/configure-auth/cilogon.md b/docs/hub-deployment-guide/configure-auth/cilogon.md
index 04a5824843..5cfa596165 100644
--- a/docs/hub-deployment-guide/configure-auth/cilogon.md
+++ b/docs/hub-deployment-guide/configure-auth/cilogon.md
@@ -69,38 +69,49 @@ jupyterhub: - admin@anu.edu.au CILogonOAuthenticator: oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback - # Allow to only login into the hub using Google or ANU's provider + # Google and ANU's are configured as the hubs identity providers (idps) allowed_idps: http://google.com/accounts/o8/id: username_derivation: # Use the email as the hub username username_claim: "email" - # Allow only 2i2c.org accounts to login through Google + # Authorize any user with a @2i2c.org email in this idp allowed_domains: - "2i2c.org" https://idp2.anu.edu.au/idp/shibboleth: username_derivation: # Use the email as the hub username username_claim: "email" + # Authorize all users in this idp + allow_all: true ``` -## Important rules to follow when using this method of authentication +## `username_derivation` is security critical -1. The `admin_users` list need to match `allowed_idps` rules too. +Each configured idp has `username_derivation` config, and for security reasons +its important that this is setup carefully thinking about the following aspects. -2. It is recommended to define in the `allowed_idps` dict, all the identity providers we plan to allow to be used for a hub. This way, only these will be allowed to be used. +1. `username_derivation.username_claim` _must provide unique values_ so that one + user in the idp can't impersonate another. - ```{note} - The keys allowed in the `allowed_idps` dict **must be valid CILogon `EntityIDs`**. - Go to https://cilogon.org/idplist for the list of EntityIDs of each IdP. - ``` + As an example, a claim "username" is probably unique, but a "display name" + probably isn't. -3. All the identity providers must define a `username_derivation` scheme, with their own `username_claim`, that the user *cannot change*. If they can, it can be easily used to impersonate others! 
For example, if we allow both GitHub and `utoronto.ca` as allowed authentication providers, and only use `email` as `username_claim`, for both providers, any GitHub user can set their email field in their GitHub profile to a `utoronto.ca` email and thus gain access to any `utoronto.ca` user's server! So a very careful choice needs to -be made here. + Available claims will to some degree differ between idps and requested scope, + for more information see [ciLogon scopes documentation] +2. `username_derivation.username_claim` _should provide values that doesn't + change over time_ so that users don't loose access to their old JupyterHub + account over time. +3. Ensure that idps `username_derivation` doesn't lead to unwanted overlap + between JupyterHub usernames by using [`username_derivation.action`] if + needed. - ```{note} - You can check the [CILogon scopes section](https://www.cilogon.org/oidc#h.p_PEQXL8QUjsQm) to checkout available values for `username_claim`. This *cannot* be changed afterwards without manual migration of user names, so choose this carefully. - ``` + As an example, if two separate idps A and B allows you to register with them + and provide any value for their configured `username_claim`, the `cat` user + in A could be controlled by a different human than the `cat` user in B. + +[`username_derivation.action`]: https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.cilogon.html#oauthenticator.cilogon.CILogonOAuthenticator.allowed_idps +[ciLogon scopes documentation]: https://www.cilogon.org/oidc#h.p_PEQXL8QUjsQm ## Other common CILogon configurations across 2i2c hubs From 03aece50770386b15c362ff30d32b63c0184b37a Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sat, 30 Sep 2023 13:49:43 +0200 Subject: [PATCH 18/24] hhmi: stop allowing all users, allow only existing users --- config/clusters/hhmi/common.values.yaml | 35 ++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 4 deletions(-) 
diff --git a/config/clusters/hhmi/common.values.yaml b/config/clusters/hhmi/common.values.yaml index 921234ab8a..97dc21a7c0 100644 --- a/config/clusters/hhmi/common.values.yaml +++ b/config/clusters/hhmi/common.values.yaml @@ -50,7 +50,34 @@ basehub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - # FIXME: allow_all=true is the current behavior, but its not - # intentional based on discussion about how the hub was - # setup. - allow_all: true + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True + Authenticator: + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: + - colliand From 789cc8133a78f480323a6d066e8d0c5fd71070a1 Mon Sep 17 00:00:00 2001 
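Review bot: Replacing `allow_all: true` with `allow_existing_users: True` does not shrink the authorized set: every account that logged in while `allow_all` was on is already in JupyterHub's database and, as the new comment itself explains, keeps access until it is deleted via /hub/admin. The change should therefore be paired with a review of that user list, and the comment could say so: `# NOTE: accounts created while allow_all was enabled remain authorized until deleted via /hub/admin.` Write the boolean as `allow_existing_users: true` to match `allow_all: true` elsewhere in these files (yamllint's truthy rule). Because usernames here come from `preferred_username`, an upstream handle that is released and re-registered would inherit the existing hub account, so it is worth confirming that risk is acceptable for this idp. The `allowed_idps` mapping this hunk edits starts outside the hunk.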
From: Erik Sundell Date: Sat, 30 Sep 2023 14:16:46 +0200 Subject: [PATCH 19/24] hub image: configure use of newly built image based on z2jh 3.1.0 --- config/clusters/2i2c-aws-us/researchdelight.values.yaml | 2 +- config/clusters/2i2c/imagebuilding-demo.values.yaml | 2 +- config/clusters/leap/common.values.yaml | 2 +- config/clusters/nasa-veda/common.values.yaml | 2 +- config/clusters/openscapes/staging.values.yaml | 2 +- docs/howto/custom-jupyterhub-image.md | 2 +- helm-charts/basehub/Chart.yaml | 5 +++-- helm-charts/basehub/values.yaml | 2 +- 8 files changed, 10 insertions(+), 9 deletions(-) diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml index 0e7ba535df..4f4b40c45a 100644 --- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml +++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml @@ -30,7 +30,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.7080.h0da36d1e" + tag: "0.0.1-0.dev.git.7130.h0bdc2d30" config: JupyterHub: authenticator_class: github diff --git a/config/clusters/2i2c/imagebuilding-demo.values.yaml b/config/clusters/2i2c/imagebuilding-demo.values.yaml index cce5335087..c6e18209c7 100644 --- a/config/clusters/2i2c/imagebuilding-demo.values.yaml +++ b/config/clusters/2i2c/imagebuilding-demo.values.yaml @@ -129,7 +129,7 @@ jupyterhub: url: http://imagebuilding-demo-binderhub-service:8090 image: name: quay.io/2i2c/dynamic-image-building-experiment - tag: "0.0.1-0.dev.git.7080.h0da36d1e" + tag: "0.0.1-0.dev.git.7130.h0bdc2d30" config: JupyterHub: authenticator_class: github diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index 50b9d09de4..182bc47277 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml 
@@ -39,7 +39,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.7080.h0da36d1e" + tag: "0.0.1-0.dev.git.7130.h0bdc2d30" allowNamedServers: true config: JupyterHub: diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index e514bf6ffc..6035bb26fb 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -34,7 +34,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.7080.h0da36d1e" + tag: "0.0.1-0.dev.git.7130.h0bdc2d30" allowNamedServers: true config: Authenticator: diff --git a/config/clusters/openscapes/staging.values.yaml b/config/clusters/openscapes/staging.values.yaml index 0fd1e653f0..9fad628840 100644 --- a/config/clusters/openscapes/staging.values.yaml +++ b/config/clusters/openscapes/staging.values.yaml @@ -127,7 +127,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.7080.h0da36d1e" + tag: "0.0.1-0.dev.git.7130.h0bdc2d30" config: CILogonOAuthenticator: oauth_callback_url: "https://staging.openscapes.2i2c.cloud/hub/oauth_callback" diff --git a/docs/howto/custom-jupyterhub-image.md b/docs/howto/custom-jupyterhub-image.md index ae85cf7a46..0a59631679 100644 --- a/docs/howto/custom-jupyterhub-image.md +++ b/docs/howto/custom-jupyterhub-image.md @@ -148,7 +148,7 @@ You will need to put a config similar to the one below in your hub configuration hub: image: name: quay.io/2i2c/new-experiment - tag: "0.0.1-0.dev.git.6406.hc1091b1c" + tag: "0.0.1-0.dev.git.7130.h0bdc2d30" ``` ```{important} diff --git a/helm-charts/basehub/Chart.yaml b/helm-charts/basehub/Chart.yaml index 70680d991a..4646d5ec56 100644 --- a/helm-charts/basehub/Chart.yaml +++ b/helm-charts/basehub/Chart.yaml 
@@ -2,8 +2,9 @@ apiVersion: v2 appVersion: "1.0" description: Deployment Chart for JupyterHub name: basehub -# Updates to this version should be kept in sync -# with the dependency reference in the daskhub chart. +# Updates to this version must be kept in sync with the dependency reference in +# the daskhub chart. Since we don't publish this, we opt to have it frozen at +# version 0.1.0 instead. version: "0.1.0" dependencies: - name: jupyterhub diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index 77ad2e1bdc..8f33933ac9 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -522,7 +522,7 @@ jupyterhub: admin: true image: name: quay.io/2i2c/pilot-hub - tag: "0.0.1-0.dev.git.7080.h0da36d1e" + tag: "0.0.1-0.dev.git.7130.h0bdc2d30" networkPolicy: enabled: true # interNamespaceAccessLabels=accept makes the hub pod's associated From 2cd299ed2d2703010ea565ebf0da36f4dc65a1e6 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sat, 30 Sep 2023 14:40:34 +0200 Subject: [PATCH 20/24] refactor: make ordering of config entries consistent --- .../clusters/2i2c-aws-us/cosmicds.values.yaml | 16 ++++++++-------- .../clusters/2i2c/binder-staging.values.yaml | 16 ++++++++-------- config/clusters/2i2c/mtu.values.yaml | 8 ++++---- config/clusters/2i2c/temple.values.yaml | 6 +++--- .../catalystproject-africa/staging.values.yaml | 6 +++--- .../unitefa-conicet.values.yaml | 8 ++++---- config/clusters/cloudbank/mills.values.yaml | 2 +- .../jupyter-meets-the-earth/common.values.yaml | 2 +- config/clusters/nasa-ghg/common.values.yaml | 6 +++--- config/clusters/nasa-veda/common.values.yaml | 18 +++++++++--------- config/clusters/ubc-eoas/common.values.yaml | 10 +++++----- .../configure-auth/cilogon.md | 6 +++--- 12 files changed, 52 insertions(+), 52 deletions(-) diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml index dbc9f2150e..11ee2e6a96 100644 
--- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml +++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml @@ -65,14 +65,6 @@ jupyterhub: # Callback URL for the auth0 tenant, provided to us by auth0 oauth_redirect_uri: https://dev-tbr72rd5whnwlyrg.us.auth0.com/login/callback config: - Authenticator: - admin_users: - - nmearl - - patudom - # When using JupyterHub as an auth *provider*, we don't want the - # end user to see the JupyterHub home page at all - just redirect - # them to the upstream auth provider (CILogon) directly. - auto_login_oauth2_authorize: true JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: @@ -84,3 +76,11 @@ jupyterhub: username_derivation: username_claim: "preferred_username" allow_all: true + Authenticator: + admin_users: + - nmearl + - patudom + # When using JupyterHub as an auth *provider*, we don't want the + # end user to see the JupyterHub home page at all - just redirect + # them to the upstream auth provider (CILogon) directly. + auto_login_oauth2_authorize: true diff --git a/config/clusters/2i2c/binder-staging.values.yaml b/config/clusters/2i2c/binder-staging.values.yaml index 8bc852e22b..fefd4928c4 100644 --- a/config/clusters/2i2c/binder-staging.values.yaml +++ b/config/clusters/2i2c/binder-staging.values.yaml @@ -70,6 +70,14 @@ binderhub: auth_enabled: true JupyterHub: authenticator_class: cilogon + CILogonOAuthenticator: + oauth_callback_url: "https://binder-staging.hub.2i2c.cloud/hub/oauth_callback" + allowed_idps: + http://google.com/accounts/o8/id: + username_derivation: + username_claim: "email" + allowed_domains: + - "2i2c.org" Authenticator: admin_users: - choldgraf@2i2c.org 
@@ -81,14 +89,6 @@ binderhub: - pnasrat@2i2c.org - sgibson@2i2c.org - yuvipanda@2i2c.org - CILogonOAuthenticator: - oauth_callback_url: "https://binder-staging.hub.2i2c.cloud/hub/oauth_callback" - allowed_idps: - http://google.com/accounts/o8/id: - username_derivation: - username_claim: "email" - allowed_domains: - - "2i2c.org" singleuser: # to make notebook servers aware of hub cmd: jupyterhub-singleuser diff --git a/config/clusters/2i2c/mtu.values.yaml b/config/clusters/2i2c/mtu.values.yaml index 987dec4528..a9ae0cc2ea 100644 --- a/config/clusters/2i2c/mtu.values.yaml +++ b/config/clusters/2i2c/mtu.values.yaml @@ -31,10 +31,6 @@ jupyterhub: tag: "6286b77ae45c" hub: config: - Authenticator: - admin_users: - - "dbkc@mtu.edu" - - "lebrown@mtu.edu" JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: @@ -52,3 +48,7 @@ jupyterhub: username_claim: "email" allowed_domains: - "mtu.edu" + Authenticator: + admin_users: + - "dbkc@mtu.edu" + - "lebrown@mtu.edu" diff --git a/config/clusters/2i2c/temple.values.yaml b/config/clusters/2i2c/temple.values.yaml index ee4b67aa3f..5db7a27fe4 100644 --- a/config/clusters/2i2c/temple.values.yaml +++ b/config/clusters/2i2c/temple.values.yaml @@ -45,9 +45,6 @@ jupyterhub: limit: 2G hub: config: - Authenticator: - admin_users: - - jmsmith1@temple.edu JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: @@ -62,3 +59,6 @@ jupyterhub: username_claim: "email" allowed_domains: - "2i2c.org" + Authenticator: + admin_users: + - jmsmith1@temple.edu diff --git a/config/clusters/catalystproject-africa/staging.values.yaml b/config/clusters/catalystproject-africa/staging.values.yaml index 600175d838..2eef04e747 100644 --- a/config/clusters/catalystproject-africa/staging.values.yaml +++ b/config/clusters/catalystproject-africa/staging.values.yaml 
@@ -25,9 +25,6 @@ jupyterhub: url: "https://chanzuckerberg.com/science/programs-resources/open-science/" hub: config: - # Authenticator: - # admin_users: - # - future-community-champion JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -37,3 +34,6 @@ jupyterhub: - czi-catalystproject scope: - read:org + # Authenticator: + # admin_users: + # - future-community-champion diff --git a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml index 700d3b59d9..e5b63b8d4a 100644 --- a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml +++ b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml @@ -25,10 +25,6 @@ jupyterhub: url: "https://chanzuckerberg.com/science/programs-resources/open-science/" hub: config: - Authenticator: - admin_users: - - aquevedo@unc.edu.ar - - nicolasw@famaf.unc.edu.ar JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: @@ -44,3 +40,7 @@ jupyterhub: - "unc.edu.ar" - "mi.unc.edu.ar" - "famaf.unc.edu.ar" + Authenticator: + admin_users: + - aquevedo@unc.edu.ar + - nicolasw@famaf.unc.edu.ar diff --git a/config/clusters/cloudbank/mills.values.yaml b/config/clusters/cloudbank/mills.values.yaml index ef60c48a76..faceacfd7d 100644 --- a/config/clusters/cloudbank/mills.values.yaml +++ b/config/clusters/cloudbank/mills.values.yaml @@ -42,7 +42,7 @@ jupyterhub: username_claim: "email" allow_all: true Authenticator: - admin_users: &mills_admins + admin_users: - aculich@berkeley.edu - sean.smorris@berkeley.edu - akonrad@mills.edu diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index 93fc5adff7..b04a367fd6 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml 
@@ -216,6 +216,7 @@ basehub: nvidia.com/gpu: "1" hub: + allowNamedServers: true config: JupyterHub: authenticator_class: cilogon @@ -273,7 +274,6 @@ basehub: - whyjz # Whyjay Zheng - yuvipanda # Yuvi Panda - jonathan-taylor # Jonathan Taylor - allowNamedServers: true dask-gateway: gateway: diff --git a/config/clusters/nasa-ghg/common.values.yaml b/config/clusters/nasa-ghg/common.values.yaml index 69f055fcfc..277daaa332 100644 --- a/config/clusters/nasa-ghg/common.values.yaml +++ b/config/clusters/nasa-ghg/common.values.yaml @@ -34,9 +34,6 @@ basehub: hub: allowNamedServers: true config: - Authenticator: - admin_users: - - freitagb JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -45,6 +42,9 @@ basehub: - US-GHG-Center:ghgc-hub-access scope: - read:org + Authenticator: + admin_users: + - freitagb singleuser: defaultUrl: /lab profileList: diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 6035bb26fb..9be63b0893 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -37,15 +37,6 @@ basehub: tag: "0.0.1-0.dev.git.7130.h0bdc2d30" allowNamedServers: true config: - Authenticator: - admin_users: - - abarciauskas-bgse - - freitagb - - j08lue - - rezuma - - ranchodeluxe - - jsignell - - slesaad JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -56,6 +47,15 @@ basehub: - CYGNSS-VEDA:cygnss-iwg scope: - read:org + Authenticator: + admin_users: + - abarciauskas-bgse + - freitagb + - j08lue + - rezuma + - ranchodeluxe + - jsignell + - slesaad singleuser: defaultUrl: /lab image: diff --git a/config/clusters/ubc-eoas/common.values.yaml b/config/clusters/ubc-eoas/common.values.yaml index d9a6066157..23d417c2bf 100644 --- a/config/clusters/ubc-eoas/common.values.yaml +++ b/config/clusters/ubc-eoas/common.values.yaml 
@@ -34,11 +34,6 @@ jupyterhub: hub: config: - Authenticator: - admin_users: - - ckrzysik # Technical representative, Charles Krzysik - - lheagy # Technical representative, Lindsey Heagy - - hmodzelewski # Technical representative, Henryk Modzelewski JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: @@ -54,6 +49,11 @@ jupyterhub: username_claim: email allowed_domains: - 2i2c.org + Authenticator: + admin_users: + - ckrzysik # Technical representative, Charles Krzysik + - lheagy # Technical representative, Lindsey Heagy + - hmodzelewski # Technical representative, Henryk Modzelewski singleuser: defaultUrl: /lab diff --git a/docs/hub-deployment-guide/configure-auth/cilogon.md b/docs/hub-deployment-guide/configure-auth/cilogon.md index 5cfa596165..6a559f4ff2 100644 --- a/docs/hub-deployment-guide/configure-auth/cilogon.md +++ b/docs/hub-deployment-guide/configure-auth/cilogon.md @@ -64,9 +64,6 @@ jupyterhub: config: JupyterHub: authenticator_class: cilogon - Authenticator: - admin_users: - - admin@anu.edu.au CILogonOAuthenticator: oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback # Google and ANU's are configured as the hubs identity providers (idps) @@ -84,6 +81,9 @@ jupyterhub: username_claim: "email" # Authorize all users in this idp allow_all: true + Authenticator: + admin_users: + - admin@anu.edu.au ``` ## `username_derivation` is security critical From f4bc4cefa51f4a62780f7ad751f36a13fba6a3af Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Sat, 30 Sep 2023 14:49:44 +0200 Subject: [PATCH 21/24] deployer: remove no longer relevant github auth validation In oauthenticator 16 its possible to allow a github organization/team and separately allow individual users. Instead of the intersection of allowed_users and users allowed via allowed_organization, oauthenticator 16 allows the union of these users. This makes this validation check no longer relevant. --- deployer/config_validation.py | 69 ----------------------------------- deployer/deployer.py | 3 -- 2 files changed, 72 deletions(-) diff --git a/deployer/config_validation.py b/deployer/config_validation.py index 9165c03579..e159f7782c 100644 --- a/deployer/config_validation.py +++ b/deployer/config_validation.py 
@@ -155,72 +155,3 @@ def validate_support_config(cluster_name): sys.exit(1) else: print_colour(f"No support defined for {cluster_name}. Nothing to validate!") - - -def validate_authenticator_config(cluster_name, hub_name): - """ - For each hub of a specific cluster: - - It asserts that when the JupyterHub GitHubOAuthenticator is used, - then `Authenticator.allowed_users` is not set. - - Before oauthenticator 16 / z2jh 3.0.0-beta.3+, allowed_users was an - additional requirement besides being part of an allowed github - organization or team, which made the config likely to not be what we - intended. - - FIXME: Remove this after we have upgraded to oauthenticator 16 / z2jh - 3.0.0-beta.3+, as that makes this config reasonable again, where a - user can be allowed independently from allowing an organization. - """ - _prepare_helm_charts_dependencies_and_schemas() - - config_file_path = find_absolute_path_to_cluster_file(cluster_name) - with open(config_file_path) as f: - cluster = Cluster(yaml.load(f), config_file_path.parent) - - hubs = [] - if hub_name: - hubs = [h for h in cluster.hubs if h.spec["name"] == hub_name] - else: - hubs = cluster.hubs - - for i, hub in enumerate(hubs): - print_colour( - f"{i+1} / {len(hubs)}: Validating authenticator config for {hub.spec['name']}..." 
- ) - - authenticator_class = "" - allowed_users = [] - for values_file_name in hub.spec["helm_chart_values_files"]: - if "secret" not in os.path.basename(values_file_name): - values_file = config_file_path.parent.joinpath(values_file_name) - # Load the hub extra config from its specific values files - config = yaml.load(values_file) - # Check if there's config that specifies an authenticator class - try: - if hub.spec["helm_chart"] != "basehub": - hub_config = config["basehub"]["jupyterhub"]["hub"]["config"] - else: - hub_config = config["jupyterhub"]["hub"]["config"] - - authenticator_class = hub_config["JupyterHub"][ - "authenticator_class" - ] - allowed_users = hub_config["Authenticator"]["allowed_users"] - org_based_github_auth = False - if hub_config.get("GitHubOAuthenticator", None): - org_based_github_auth = hub_config["GitHubOAuthenticator"].get( - "allowed_organizations", False - ) - except KeyError: - pass - - # If the authenticator class is github, then raise an error - # if `Authenticator.allowed_users` is set - if authenticator_class == "github" and allowed_users and org_based_github_auth: - raise ValueError( - f""" - Please unset `Authenticator.allowed_users` for {hub.spec['name']} when GitHub Orgs/Teams is - being used for auth so valid members are not refused access. - """ - ) diff --git a/deployer/deployer.py b/deployer/deployer.py index 677b8db6de..b8b9a2cd61 100644 --- a/deployer/deployer.py +++ b/deployer/deployer.py @@ -17,7 +17,6 @@ from .cli_app import app from .cluster import Cluster from .config_validation import ( - validate_authenticator_config, validate_cluster_config, validate_hub_config, validate_support_config, @@ -175,7 +174,6 @@ def deploy( """ validate_cluster_config(cluster_name) validate_hub_config(cluster_name, hub_name) - validate_authenticator_config(cluster_name, hub_name) config_file_path = find_absolute_path_to_cluster_file(cluster_name) with open(config_file_path) as f: 
@@ -431,4 +429,3 @@ def validate( validate_cluster_config(cluster_name) validate_support_config(cluster_name) validate_hub_config(cluster_name, hub_name) - validate_authenticator_config(cluster_name, hub_name) From 37a86a3ba96fa9d9490b9cfa34568c8ff55d1e9a Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Wed, 4 Oct 2023 11:25:22 +0200 Subject: [PATCH 22/24] docs: remove a comment --- config/clusters/2i2c-aws-us/cosmicds.values.yaml | 2 -- .../clusters/catalystproject-latam/unitefa-conicet.values.yaml | 2 -- 2 files changed, 4 deletions(-) diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml index 11ee2e6a96..c78f732dfd 100644 --- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml +++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml @@ -70,8 +70,6 @@ jupyterhub: CILogonOAuthenticator: oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback allowed_idps: - # The username claim here is used to do *authorization*, for both - # admin use and any allow listing we want to do. http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" diff --git a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml index e5b63b8d4a..be97a08271 100644 --- a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml +++ b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml @@ -30,8 +30,6 @@ jupyterhub: CILogonOAuthenticator: oauth_callback_url: "https://unitefa-conicet.latam.catalystproject.2i2c.cloud/hub/oauth_callback" allowed_idps: - # The username claim here is used to do *authorization*, for both - # admin use and any allow listing we want to do. http://google.com/accounts/o8/id: username_derivation: username_claim: "email" From bc68128a87b0cb2d566f446351c5cab452619bbb Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Wed, 4 Oct 2023 11:26:12 +0200 Subject: [PATCH 23/24] refactor: reorder config for consistency --- config/clusters/cloudbank/bcc.values.yaml | 4 ++-- config/clusters/cloudbank/evc.values.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/clusters/cloudbank/bcc.values.yaml b/config/clusters/cloudbank/bcc.values.yaml index 82efa8756e..c54c472c9b 100644 --- a/config/clusters/cloudbank/bcc.values.yaml +++ b/config/clusters/cloudbank/bcc.values.yaml @@ -31,6 +31,8 @@ jupyterhub: url: https://www.berkeleycitycollege.edu/ hub: config: + JupyterHub: + authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://bcc.cloudbank.2i2c.cloud/hub/oauth_callback allowed_idps: @@ -38,8 +40,6 @@ jupyterhub: username_derivation: username_claim: "email" allowed_domains: ["2i2c.org", "berkeley.edu", "peralta.edu"] - JupyterHub: - authenticator_class: cilogon Authenticator: admin_users: - ericvd@berkeley.edu diff --git a/config/clusters/cloudbank/evc.values.yaml b/config/clusters/cloudbank/evc.values.yaml index f84bc809bb..5f7e60628e 100644 --- a/config/clusters/cloudbank/evc.values.yaml +++ b/config/clusters/cloudbank/evc.values.yaml @@ -31,6 +31,8 @@ jupyterhub: url: https://www.evc.edu/ hub: config: + JupyterHub: + authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://evc.cloudbank.2i2c.cloud/hub/oauth_callback allowed_idps: @@ -52,8 +54,6 @@ jupyterhub: username_derivation: username_claim: "email" allow_all: true - JupyterHub: - authenticator_class: cilogon Authenticator: admin_users: - ericvd@berkeley.edu From 25d52b775bfc04bc528a933d5a9ee4e0073e6fff Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Wed, 4 Oct 2023 11:27:14 +0200 Subject: [PATCH 24/24] cloudbank, fresno: fix auth config mistake in v15 to v16 migration --- config/clusters/cloudbank/fresno.values.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/config/clusters/cloudbank/fresno.values.yaml b/config/clusters/cloudbank/fresno.values.yaml index 992a0e766f..55d10335ed 100644 --- a/config/clusters/cloudbank/fresno.values.yaml +++ b/config/clusters/cloudbank/fresno.values.yaml @@ -33,6 +33,7 @@ jupyterhub: https://idp.scccd.edu/idp/shibboleth: username_derivation: username_claim: "email" + allow_all: true http://google.com/accounts/o8/id: username_derivation: username_claim: "email"