diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml index 77931e0b27..2322f13c54 100644 --- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml +++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml @@ -76,12 +76,7 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "email" - - "profile" oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: # The username claim here is used to do *authorization*, for both # admin use and any allow listing we want to do. diff --git a/config/clusters/2i2c-aws-us/dask-staging.values.yaml b/config/clusters/2i2c-aws-us/dask-staging.values.yaml index 49def94b2c..ef475a47b1 100644 --- a/config/clusters/2i2c-aws-us/dask-staging.values.yaml +++ b/config/clusters/2i2c-aws-us/dask-staging.values.yaml @@ -33,15 +33,6 @@ basehub: tag: "2022.06.02" hub: config: - Authenticator: - # This hub uses GitHub Org auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. - # - # You must always set admin_users, even if it is an empty list, - # otherwise `add_staff_user_ids_to_admin_users: true` will fail - # silently and no staff members will have admin access. - admin_users: [] JupyterHub: authenticator_class: "github" GitHubOAuthenticator: diff --git a/config/clusters/2i2c-aws-us/itcoocean.values.yaml b/config/clusters/2i2c-aws-us/itcoocean.values.yaml index 7a9c19ae54..a2754241fa 100644 --- a/config/clusters/2i2c-aws-us/itcoocean.values.yaml +++ b/config/clusters/2i2c-aws-us/itcoocean.values.yaml 
@@ -57,11 +57,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml index c7163a272c..6326b3fc18 100644 --- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml +++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml @@ -30,12 +30,10 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6863.h406a3546" + tag: "0.0.1-0.dev.git.6935.h7141d766" config: JupyterHub: authenticator_class: github - Authenticator: - enable_auth_state: true GitHubOAuthenticator: populate_teams_in_auth_state: true allowed_organizations: @@ -43,6 +41,8 @@ basehub: - 2i2c-org:research-delight-team scope: - read:org + Authenticator: + enable_auth_state: true singleuser: image: name: quay.io/2i2c/researchdelight-image diff --git a/config/clusters/2i2c-aws-us/staging.values.yaml b/config/clusters/2i2c-aws-us/staging.values.yaml index 13e68094d4..7d839d7b3d 100644 --- a/config/clusters/2i2c-aws-us/staging.values.yaml +++ b/config/clusters/2i2c-aws-us/staging.values.yaml @@ -28,15 +28,6 @@ jupyterhub: url: https://2i2c.org hub: config: - Authenticator: - # This hub uses GitHub Org auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. - # - # You must always set admin_users, even if it is an empty list, - # otherwise `add_staff_user_ids_to_admin_users: true` will fail - # silently and no staff members will have admin access. - admin_users: [] JupyterHub: authenticator_class: "github" GitHubOAuthenticator: 
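Review bot: The rewritten ownership-fix command still runs under `runAsUser: 0` with the container's default capability set, although all it does is chown three fixed paths; consider narrowing the `securityContext` with `capabilities: {drop: [ALL], add: [CHOWN]}` (adding `DAC_OVERRIDE` only if the mounted directories turn out not to be traversable without it) so the busybox init container cannot do more than that. The leading `id` only prints the effective identity to the init-container log; if it is a debugging leftover the list item can shrink to `- chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan`. Merging the three `chown` calls into one means a failing path no longer stops the remaining ones the way the old `&&` chain did, which is harmless here because a non-zero exit still fails the init container. The identical change appears in config/clusters/2i2c/climatematch.values.yaml, and the initContainer definition continues past the hunk into `volumeMounts`.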
diff --git a/config/clusters/2i2c-uk/lis.values.yaml b/config/clusters/2i2c-uk/lis.values.yaml index 87c0ea6207..8c6e3d943b 100644 --- a/config/clusters/2i2c-uk/lis.values.yaml +++ b/config/clusters/2i2c-uk/lis.values.yaml @@ -49,17 +49,14 @@ jupyterhub: config: JupyterHub: authenticator_class: github - Authenticator: - # This hub uses GitHub Orgs auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. These people should have admin access though. - admin_users: - - LaCrecerelle - - matthew-brett GitHubOAuthenticator: + oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback" allowed_organizations: - 2i2c-org - lisacuk scope: - read:org - oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback" + Authenticator: + admin_users: + - LaCrecerelle + - matthew-brett diff --git a/config/clusters/2i2c-uk/staging.values.yaml b/config/clusters/2i2c-uk/staging.values.yaml index 26778efe99..6e6535a155 100644 --- a/config/clusters/2i2c-uk/staging.values.yaml +++ b/config/clusters/2i2c-uk/staging.values.yaml @@ -39,8 +39,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.uk.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index 5165598e51..beec96e623 100644 --- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml 
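Review bot: The relocated `Authenticator` block drops the comment that explained why `allowed_users` is deliberately absent (membership of `allowed_organizations` is what grants access), so the next maintainer may "fix" the apparent omission and lock out organization members. Suggest restoring a short note above `admin_users`, e.g. `# Access is granted via GitHubOAuthenticator.allowed_organizations; do not set allowed_users, or org members not listed there would be denied.` The same explanatory comment is dropped in the equivalent hunk of config/clusters/awi-ciroh/common.values.yaml.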
@@ -37,21 +37,40 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" oauth_callback_url: "https://aup.pilot.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. # - allowed_users: &aup_users + admin_users: - swalker - shaolintl - admin_users: *aup_users diff --git a/config/clusters/2i2c/binder-staging.values.yaml b/config/clusters/2i2c/binder-staging.values.yaml index ff4227152d..8bc852e22b 100644 
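Review bot: `allow_existing_users: True` uses the capitalised literal that yamllint's default `truthy` rule rejects, while other booleans in this commit (for example `enable_auth_state: true` in researchdelight) are lowercase; prefer `allow_existing_users: true` for consistency and portability across parsers. With `allowed_users` removed, `admin_users` is now the only config-driven allow list, so any non-admin login depends on the user already existing in the hub database — presumably intended here, since the removed `&aup_users` anchor held exactly the admin set, but worth confirming for hubs where the two lists ever differed. The new `OAuthenticator` comment reads "breaks a common expectations"; suggest `# common expectation for an admin user.` The same block, including the typo, is repeated in config/clusters/2i2c/neurohackademy.values.yaml, config/clusters/carbonplan/common.values.yaml and the cloudbank howard, lacc and palomar values files, so whichever wording is chosen should be applied to all six.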
--- a/config/clusters/2i2c/binder-staging.values.yaml +++ b/config/clusters/2i2c/binder-staging.values.yaml @@ -83,8 +83,6 @@ binderhub: - yuvipanda@2i2c.org CILogonOAuthenticator: oauth_callback_url: "https://binder-staging.hub.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/climatematch.values.yaml b/config/clusters/2i2c/climatematch.values.yaml index a982022793..5396702629 100644 --- a/config/clusters/2i2c/climatematch.values.yaml +++ b/config/clusters/2i2c/climatematch.values.yaml @@ -39,11 +39,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/2i2c/dask-staging.values.yaml b/config/clusters/2i2c/dask-staging.values.yaml index 0a0119ed56..bb4ffaafa7 100644 --- a/config/clusters/2i2c/dask-staging.values.yaml +++ b/config/clusters/2i2c/dask-staging.values.yaml @@ -44,12 +44,7 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "email" - - "profile" oauth_callback_url: "https://dask-staging.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://accounts.google.com/o/oauth2/auth allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/demo.values.yaml b/config/clusters/2i2c/demo.values.yaml index 134f3c351b..f43990eab6 100644 --- a/config/clusters/2i2c/demo.values.yaml +++ b/config/clusters/2i2c/demo.values.yaml 
@@ -31,10 +31,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://demo.2i2c.cloud/hub/oauth_callback - shown_idps: - # Allow Google for 2i2c.org anr dmbl - - https://accounts.google.com/o/oauth2/auth - - https://enterprise.login.utexas.edu/idp/shibboleth allowed_idps: # UTexas hub https://enterprise.login.utexas.edu/idp/shibboleth: diff --git a/config/clusters/2i2c/imagebuilding-demo.values.yaml b/config/clusters/2i2c/imagebuilding-demo.values.yaml index 50f311916e..17e2a1c013 100644 --- a/config/clusters/2i2c/imagebuilding-demo.values.yaml +++ b/config/clusters/2i2c/imagebuilding-demo.values.yaml @@ -60,14 +60,12 @@ jupyterhub: hub: image: name: quay.io/2i2c/dynamic-image-building-experiment - tag: "0.0.1-0.dev.git.6765.h33942a27" + tag: "0.0.1-0.dev.git.6935.h7141d766" config: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://imagebuilding-demo.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/mtu.values.yaml b/config/clusters/2i2c/mtu.values.yaml index 040b7a27f2..987dec4528 100644 --- a/config/clusters/2i2c/mtu.values.yaml +++ b/config/clusters/2i2c/mtu.values.yaml @@ -39,9 +39,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://mtu.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - https://sso.mtu.edu/idp/shibboleth allowed_idps: # Allow 2i2c staff to login with Google http://google.com/accounts/o8/id: diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index f5fba70b7f..97df782ea4 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml 
@@ -55,24 +55,43 @@ jupyterhub: config: JupyterHub: authenticator_class: cilogon - Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # - allowed_users: &neurohackademy_users - - arokem - admin_users: *neurohackademy_users CILogonOAuthenticator: - scope: - - "profile" oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback - shown_idps: - - https://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True + Authenticator: + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: + - arokem extraFiles: configurator-schema-default: data: 
diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index bd95f724f0..c37f1e6f97 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml @@ -56,8 +56,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/temple.values.yaml b/config/clusters/2i2c/temple.values.yaml index 4ee80ae16b..5285b79915 100644 --- a/config/clusters/2i2c/temple.values.yaml +++ b/config/clusters/2i2c/temple.values.yaml @@ -34,9 +34,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://temple.2i2c.cloud/hub/oauth_callback - shown_idps: - - https://fim.temple.edu/idp/shibboleth - - https://accounts.google.com/o/oauth2/auth allowed_idps: https://fim.temple.edu/idp/shibboleth: username_derivation: diff --git a/config/clusters/2i2c/ucmerced.values.yaml b/config/clusters/2i2c/ucmerced.values.yaml index 2f6801e162..bfe3f70435 100644 --- a/config/clusters/2i2c/ucmerced.values.yaml +++ b/config/clusters/2i2c/ucmerced.values.yaml @@ -38,9 +38,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://ucmerced.2i2c.cloud/hub/oauth_callback - shown_idps: - - urn:mace:incommon:ucmerced.edu - - https://accounts.google.com/o/oauth2/auth allowed_idps: urn:mace:incommon:ucmerced.edu: username_derivation: diff --git a/config/clusters/awi-ciroh/common.values.yaml b/config/clusters/awi-ciroh/common.values.yaml index 344f2982cd..e05c6c001d 100644 --- a/config/clusters/awi-ciroh/common.values.yaml +++ b/config/clusters/awi-ciroh/common.values.yaml 
@@ -33,14 +33,6 @@ basehub: config: JupyterHub: authenticator_class: github - Authenticator: - # This hub uses GitHub Orgs auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. These people should have admin access though. - admin_users: - - jameshalgren - - arpita0911patel - - karnesh GitHubOAuthenticator: allowed_organizations: - 2i2c-org @@ -48,6 +40,11 @@ basehub: - NOAA-OWP scope: - read:org + Authenticator: + admin_users: + - jameshalgren + - arpita0911patel + - karnesh singleuser: image: # Image build repo: https://github.com/2i2c-org/awi-ciroh-image diff --git a/config/clusters/callysto/common.values.yaml b/config/clusters/callysto/common.values.yaml index 045570e4f8..d458fe5809 100644 --- a/config/clusters/callysto/common.values.yaml +++ b/config/clusters/callysto/common.values.yaml @@ -136,9 +136,6 @@ jupyterhub: - "102749090965437723445" # Byron Chu (Cybera) - "115909958579864751636" # Michael Jones (Cybera) - "106951135662332329542" # Elmar Bouwer (Cybera) - shown_idps: - - https://accounts.google.com/o/oauth2/auth - - https://login.microsoftonline.com/common/oauth2/v2.0/authorize allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index 28a0dd8685..cb99bac399 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml 
@@ -188,22 +188,41 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to - # be configured explicitly. + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. # - allowed_users: &users + admin_users: - maxrjones - admin_users: *users dask-gateway: traefik: diff --git a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml index a2df37b761..700d3b59d9 100644 
--- a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml +++ b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml @@ -33,8 +33,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://unitefa-conicet.latam.catalystproject.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: # The username claim here is used to do *authorization*, for both # admin use and any allow listing we want to do. diff --git a/config/clusters/cloudbank/bcc.values.yaml b/config/clusters/cloudbank/bcc.values.yaml index 639ca29399..82efa8756e 100644 --- a/config/clusters/cloudbank/bcc.values.yaml +++ b/config/clusters/cloudbank/bcc.values.yaml @@ -33,8 +33,6 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://bcc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/ccsf.values.yaml b/config/clusters/cloudbank/ccsf.values.yaml index 33973fe355..133c1ecbbf 100644 --- a/config/clusters/cloudbank/ccsf.values.yaml +++ b/config/clusters/cloudbank/ccsf.values.yaml @@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://ccsf.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/csm.values.yaml b/config/clusters/cloudbank/csm.values.yaml index 240ea4039e..212bb96c36 100644 --- a/config/clusters/cloudbank/csm.values.yaml +++ b/config/clusters/cloudbank/csm.values.yaml 
@@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://csm.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/csulb.values.yaml b/config/clusters/cloudbank/csulb.values.yaml index 4ae0342c76..554bac1627 100644 --- a/config/clusters/cloudbank/csulb.values.yaml +++ b/config/clusters/cloudbank/csulb.values.yaml @@ -35,10 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://csulb.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - https://its-shib.its.csulb.edu/idp/shibboleth - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/demo.values.yaml b/config/clusters/cloudbank/demo.values.yaml index 6fdfc4d9b6..582082b218 100644 --- a/config/clusters/cloudbank/demo.values.yaml +++ b/config/clusters/cloudbank/demo.values.yaml @@ -38,9 +38,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://demo.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/dvc.values.yaml b/config/clusters/cloudbank/dvc.values.yaml index 2ad2b663a4..d3a1e06dcf 100644 --- a/config/clusters/cloudbank/dvc.values.yaml +++ b/config/clusters/cloudbank/dvc.values.yaml 
@@ -33,10 +33,6 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://dvc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/elcamino.values.yaml b/config/clusters/cloudbank/elcamino.values.yaml index c17106e95e..2251ab5601 100644 --- a/config/clusters/cloudbank/elcamino.values.yaml +++ b/config/clusters/cloudbank/elcamino.values.yaml @@ -34,9 +34,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://elcamino.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/evc.values.yaml b/config/clusters/cloudbank/evc.values.yaml index 2ff4485923..d0b4a04c28 100644 --- a/config/clusters/cloudbank/evc.values.yaml +++ b/config/clusters/cloudbank/evc.values.yaml @@ -33,10 +33,6 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://evc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/fresno.values.yaml b/config/clusters/cloudbank/fresno.values.yaml index 82b4ae01c4..aa68e5cd00 100644 --- a/config/clusters/cloudbank/fresno.values.yaml +++ b/config/clusters/cloudbank/fresno.values.yaml 
@@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://fresno.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - https://idp.scccd.edu/idp/shibboleth - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: https://idp.scccd.edu/idp/shibboleth: username_derivation: diff --git a/config/clusters/cloudbank/glendale.values.yaml b/config/clusters/cloudbank/glendale.values.yaml index 6e2907e48c..e061af47a1 100644 --- a/config/clusters/cloudbank/glendale.values.yaml +++ b/config/clusters/cloudbank/glendale.values.yaml @@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://glendale.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml index 47230603e2..5e77e99332 100644 --- a/config/clusters/cloudbank/howard.values.yaml +++ b/config/clusters/cloudbank/howard.values.yaml @@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://howard.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -39,14 +36,37 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. # - allowed_users: &howard_users + admin_users: - ericvd@berkeley.edu - gwashington@scs.howard.edu - anthony.fgordon64@gmail.com - mikayladorange@gmail.com - admin_users: *howard_users diff --git a/config/clusters/cloudbank/humboldt.values.yaml b/config/clusters/cloudbank/humboldt.values.yaml index b8b5687663..a23fb82f0e 100644 --- a/config/clusters/cloudbank/humboldt.values.yaml +++ b/config/clusters/cloudbank/humboldt.values.yaml 
@@ -38,10 +38,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://humboldt.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - https://sso.humboldt.edu/idp/metadata - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml index d0cfb85396..8c6c41b29a 100644 --- a/config/clusters/cloudbank/lacc.values.yaml +++ b/config/clusters/cloudbank/lacc.values.yaml @@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://lacc.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -39,15 +36,38 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. # - allowed_users: &lacc_users + admin_users: - PINEDAEM@laccd.edu - LAMKT@laccd.edu - ericvd@berkeley.edu - k_usovich@berkeley.edu - sean.smorris@berkeley.edu - admin_users: *lacc_users diff --git a/config/clusters/cloudbank/laney.values.yaml b/config/clusters/cloudbank/laney.values.yaml index 635b814676..030a83fda3 100644 --- a/config/clusters/cloudbank/laney.values.yaml +++ b/config/clusters/cloudbank/laney.values.yaml 
@@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://laney.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/mills.values.yaml b/config/clusters/cloudbank/mills.values.yaml index 3ab1ed7d43..aac9ca925a 100644 --- a/config/clusters/cloudbank/mills.values.yaml +++ b/config/clusters/cloudbank/mills.values.yaml @@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://datahub.mills.edu/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/miracosta.values.yaml b/config/clusters/cloudbank/miracosta.values.yaml index 571cf69625..498591ee0c 100644 --- a/config/clusters/cloudbank/miracosta.values.yaml +++ b/config/clusters/cloudbank/miracosta.values.yaml @@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://miracosta.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - https://miracosta.fedgw.com/gateway - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/mission.values.yaml b/config/clusters/cloudbank/mission.values.yaml index 16603ec4cf..8201315abe 100644 --- a/config/clusters/cloudbank/mission.values.yaml +++ b/config/clusters/cloudbank/mission.values.yaml 
@@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://mission.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/norco.values.yaml b/config/clusters/cloudbank/norco.values.yaml index 5d42630565..cfdbaf302a 100644 --- a/config/clusters/cloudbank/norco.values.yaml +++ b/config/clusters/cloudbank/norco.values.yaml @@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://norco.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml index ed70944609..91dcb3349c 100644 --- a/config/clusters/cloudbank/palomar.values.yaml +++ b/config/clusters/cloudbank/palomar.values.yaml @@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://palomar.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -39,14 +36,37 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. # - allowed_users: &palomar_users + admin_users: - aculich@berkeley.edu - sean.smorris@berkeley.edu - tcanon@palomar.edu - PChen@palomar.edu - admin_users: *palomar_users diff --git a/config/clusters/cloudbank/pasadena.values.yaml b/config/clusters/cloudbank/pasadena.values.yaml index 34d3e1f0fb..a2d10d2a68 100644 --- a/config/clusters/cloudbank/pasadena.values.yaml +++ b/config/clusters/cloudbank/pasadena.values.yaml 
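Review bot: With `allowed_users` deleted and `allow_existing_users: True` added, the non-admin users permitted to log in are no longer declared in this file; the effective allow list is whatever rows exist in the hub's user database, which is not reviewed in git and would presumably be lost if that database were recreated. If particular non-admin users must keep access regardless of database state, keep an explicit `allowed_users:` list next to `admin_users`; otherwise extend the comment to say that the `/hub/admin` user list is now the authoritative access list for this hub. As a minor point, write the flag as `allow_existing_users: true`, matching the lowercase booleans used elsewhere in these files (`enable_auth_state: true`, `allowNamedServers: true`). The same applies to the sibling cloudbank hubs changed the same way in this commit (sbcc-dev, sbcc, staging, tuskegee).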
@@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://pasadena.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/sacramento.values.yaml b/config/clusters/cloudbank/sacramento.values.yaml index 3ad1eea699..41d5bab610 100644 --- a/config/clusters/cloudbank/sacramento.values.yaml +++ b/config/clusters/cloudbank/sacramento.values.yaml @@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sacramento.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/saddleback.values.yaml b/config/clusters/cloudbank/saddleback.values.yaml index b266acf112..04bb50c6e0 100644 --- a/config/clusters/cloudbank/saddleback.values.yaml +++ b/config/clusters/cloudbank/saddleback.values.yaml @@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://saddleback.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/santiago.values.yaml b/config/clusters/cloudbank/santiago.values.yaml index 8b7bb5f559..64584ef345 100644 --- a/config/clusters/cloudbank/santiago.values.yaml +++ b/config/clusters/cloudbank/santiago.values.yaml 
@@ -35,10 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://santiago.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml index b9a5978e26..98e01568a0 100644 --- a/config/clusters/cloudbank/sbcc-dev.values.yaml +++ b/config/clusters/cloudbank/sbcc-dev.values.yaml @@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://sbcc-dev.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - https://idp.sbcc.edu/idp/shibboleth - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -43,13 +39,36 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. # - allowed_users: &sbcc_users + admin_users: - ericvd@gmail.com - sean.smorris@berkeley.edu - nfguebels@pipeline.sbcc.edu - admin_users: *sbcc_users diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml index bc6de536b7..2fc8495102 100644 --- a/config/clusters/cloudbank/sbcc.values.yaml +++ b/config/clusters/cloudbank/sbcc.values.yaml 
@@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://sbcc.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - https://idp.sbcc.edu/idp/shibboleth - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -43,13 +39,36 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. # - allowed_users: &sbcc_users + admin_users: - ericvd@gmail.com - sean.smorris@berkeley.edu - nfguebels@pipeline.sbcc.edu - admin_users: *sbcc_users diff --git a/config/clusters/cloudbank/sjcc.values.yaml b/config/clusters/cloudbank/sjcc.values.yaml index c7e631b968..ea7c8b661c 100644 --- a/config/clusters/cloudbank/sjcc.values.yaml +++ b/config/clusters/cloudbank/sjcc.values.yaml 
@@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sjcc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/sjsu.values.yaml b/config/clusters/cloudbank/sjsu.values.yaml index eba295012f..8272328530 100644 --- a/config/clusters/cloudbank/sjsu.values.yaml +++ b/config/clusters/cloudbank/sjsu.values.yaml @@ -38,10 +38,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sjsu.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - https://idp01.sjsu.edu/idp/shibboleth - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/skyline.values.yaml b/config/clusters/cloudbank/skyline.values.yaml index 55ba9646aa..6473ee80de 100644 --- a/config/clusters/cloudbank/skyline.values.yaml +++ b/config/clusters/cloudbank/skyline.values.yaml @@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://skyline.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/srjc.values.yaml b/config/clusters/cloudbank/srjc.values.yaml index 55123f9bed..9f94a9a215 100644 --- a/config/clusters/cloudbank/srjc.values.yaml +++ b/config/clusters/cloudbank/srjc.values.yaml 
@@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://srjc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml index 3d2667584c..b45e22d8ae 100644 --- a/config/clusters/cloudbank/staging.values.yaml +++ b/config/clusters/cloudbank/staging.values.yaml @@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -39,11 +36,34 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. # - allowed_users: &staging_users + admin_users: - sean.smorris@berkeley.edu - admin_users: *staging_users diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml index 6a2bd2b849..40d56e897c 100644 --- a/config/clusters/cloudbank/tuskegee.values.yaml +++ b/config/clusters/cloudbank/tuskegee.values.yaml 
@@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://tuskegee.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: @@ -39,12 +36,36 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. # - allowed_users: &tuskegee_users + admin_users: - yasmeen.rawajfih@gmail.com - Wu.fan01@gmail.com - yanlisa@berkeley.edu 
@@ -52,4 +73,3 @@ jupyterhub: - ericvd@berkeley.edu - sean.smorris@berkeley.edu - sean.smorris@gmail.com - admin_users: *tuskegee_users diff --git a/config/clusters/gridsst/common.values.yaml b/config/clusters/gridsst/common.values.yaml index 718e911de3..b2bffbfd94 100644 --- a/config/clusters/gridsst/common.values.yaml +++ b/config/clusters/gridsst/common.values.yaml 
@@ -36,18 +36,41 @@ basehub: url: https://science.nasa.gov/earth-science/focus-areas/climate-variability-and-change/ocean-physics hub: config: + JupyterHub: + authenticator_class: github + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to - # be configured explicitly. + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. # - allowed_users: &gridsst_users + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - alisonrgray - nikki-t - dgumustel - admin_users: *gridsst_users - JupyterHub: - authenticator_class: github singleuser: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods 
diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index ff8a41e278..dd9f7364e5 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml @@ -49,11 +49,9 @@ basehub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: 
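Review bot: The rewritten init command is still executed as uid 0 with the container's default capability set (`runAsUser: 0` in the unchanged `securityContext` just below it), while the only privileged operation it performs is `chown` on three directories. Since this block is being touched anyway, tighten it to what chown needs by adding `capabilities: {drop: [ALL], add: [CHOWN]}` under that `securityContext`, and add `DAC_OVERRIDE` only if the volume's mode turns out to block root from traversing `/home/jovyan` without it. If the broad default is kept on purpose, a one-line comment such as `# runs as root only to fix volume ownership` would make the intent explicit.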
@@ -222,20 +220,40 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. # - allowed_users: &users + admin_users: # This is just listing a few of the users/admins, a lot of # users has been added manually, see: # https://github.com/pangeo-data/jupyter-earth/issues/53 
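Review bot: The `admin_users` entries in this hunk are GitHub handles, since the hub authenticates through CILogon's GitHub IdP with `username_claim: "preferred_username"`, and the comment above the list says most users were added manually rather than listed here. A GitHub handle can be renamed and then re-registered by someone else, and admin status here is granted by matching that string, so a handle left in this list after its owner departs is a standing takeover path that `allow_existing_users` also keeps alive in the database. This is pre-existing rather than introduced by the commit, but as the list is being rewritten it is a good time to prune it and to add `# Review on member departure: GitHub handles can be released and re-registered.` above it. The same consideration applies to the GitHub-handle admin lists in gridsst, meom-ige and openscapes touched in this commit; the list itself continues past the end of this hunk.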
@@ -255,7 +273,6 @@ basehub: - whyjz # Whyjay Zheng - yuvipanda # Yuvi Panda - jonathan-taylor # Jonathan Taylor - admin_users: *users allowNamedServers: true dask-gateway: diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index bd4d000c24..7c1684b87b 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml @@ -39,17 +39,9 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6863.h406a3546" + tag: "0.0.1-0.dev.git.6935.h7141d766" allowNamedServers: true config: - Authenticator: - enable_auth_state: true - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - rabernat - - jbusecke JupyterHub: authenticator_class: github # Announcement is a JupyterHub feature to present messages to users in @@ -76,6 +68,11 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org + Authenticator: + enable_auth_state: true + admin_users: + - rabernat + - jbusecke singleuser: image: name: pangeo/pangeo-notebook diff --git a/config/clusters/linked-earth/common.values.yaml b/config/clusters/linked-earth/common.values.yaml index f6c9068305..2f18da08f3 100644 --- a/config/clusters/linked-earth/common.values.yaml +++ b/config/clusters/linked-earth/common.values.yaml @@ -33,18 +33,15 @@ basehub: config: JupyterHub: authenticator_class: github - Authenticator: - # This hub uses GitHub Orgs auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. These people should have admin access though. - admin_users: - - khider GitHubOAuthenticator: allowed_organizations: - 2i2c-org - LinkedEarth scope: - read:org + Authenticator: + admin_users: + - khider singleuser: image: # User image repo: https://quay.io/repository/linkedearth/pyleoclim 
diff --git a/config/clusters/m2lines/common.values.yaml b/config/clusters/m2lines/common.values.yaml index d624a11e24..08ab1f3824 100644 --- a/config/clusters/m2lines/common.values.yaml +++ b/config/clusters/m2lines/common.values.yaml @@ -39,14 +39,6 @@ basehub: hub: allowNamedServers: true config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - rabernat - - johannag126 - - jbusecke JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -55,6 +47,11 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org + Authenticator: + admin_users: + - rabernat + - johannag126 + - jbusecke singleuser: extraFiles: jupyter_notebook_config.json: diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index 9b24401572..13145dfb45 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml 
@@ -86,24 +86,43 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. # - allowed_users: &users + admin_users: - roxyboy - lesommer - auraoupa - admin_users: *users allowNamedServers: true dask-gateway: diff --git a/config/clusters/nasa-cryo/common.values.yaml b/config/clusters/nasa-cryo/common.values.yaml index 53ef4e3997..067d059051 100644 
--- a/config/clusters/nasa-cryo/common.values.yaml +++ b/config/clusters/nasa-cryo/common.values.yaml @@ -37,21 +37,6 @@ basehub: hub: allowNamedServers: true config: - Authenticator: - # We are restricting profiles based on GitHub Team membership and - # so need to persist auth state - enable_auth_state: true - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - tsnow03 - - JessicaS11 - - jdmillstein - - dfelikson - - fperez - - scottyhq - - jomey JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -64,6 +49,19 @@ basehub: - CryoInTheCloud:cryocloudadvanced scope: - read:org + Authenticator: + # We are restricting profiles based on GitHub Team membership and + # so need to persist auth state + enable_auth_state: true + admin_users: + - tsnow03 + - JessicaS11 + - jdmillstein + - dfelikson + - fperez + - scottyhq + - jomey + singleuser: extraFiles: # jupyter_server_config.json is defined by basehub, this entry adds to it @@ -91,11 +89,9 @@ basehub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 2eb76b999e..8d3a55327d 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -34,7 +34,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6863.h406a3546" + tag: "0.0.1-0.dev.git.6935.h7141d766" allowNamedServers: true config: Authenticator: 
diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index cb4feca425..429becc556 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml 
@@ -54,25 +54,44 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True Authenticator: - admin_users: &users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. + # + admin_users: - amfriesz - jules32 - erinmr - betolink - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # - allowed_users: *users dask-gateway: gateway: extraConfig: diff --git a/config/clusters/openscapes/staging.values.yaml b/config/clusters/openscapes/staging.values.yaml index 13fcfa7ec1..466c1060d6 100644 
--- a/config/clusters/openscapes/staging.values.yaml +++ b/config/clusters/openscapes/staging.values.yaml @@ -122,7 +122,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6863.h406a3546" + tag: "0.0.1-0.dev.git.6935.h7141d766" config: CILogonOAuthenticator: oauth_callback_url: "https://staging.openscapes.2i2c.cloud/hub/oauth_callback" diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index 5bdcffc433..0235e3e56c 100644 --- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml 
@@ -34,23 +34,42 @@ basehub: node.kubernetes.io/instance-type: n1-standard-2 hub: config: - Authenticator: - admin_users: &admin_users - - paigemar@umich.edu - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # - allowed_users: *admin_users - # Delete any prior existing users in the db that don't pass username_pattern - delete_invalid_users: true JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://coessing.2i2c.cloud/hub/oauth_callback" - shown_idps: - - https://accounts.google.com/o/oauth2/auth allowed_idps: http://google.com/accounts/o8/id: username_derivation: username_claim: "email" + OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # + allow_existing_users: True + Authenticator: + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the + # /hub/admin panel. 
+ # + admin_users: + - paigemar@umich.edu diff --git a/config/clusters/pangeo-hubs/common.values.yaml b/config/clusters/pangeo-hubs/common.values.yaml index 2c4bef29bf..e9d9dc23b8 100644 --- a/config/clusters/pangeo-hubs/common.values.yaml +++ b/config/clusters/pangeo-hubs/common.values.yaml @@ -38,15 +38,6 @@ basehub: hub: allowNamedServers: true config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - rabernat - - jhamman - - scottyhq - - TomAugspurger JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -55,6 +46,12 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org + Authenticator: + admin_users: + - rabernat + - jhamman + - scottyhq + - TomAugspurger singleuser: extraEnv: GH_SCOPED_CREDS_CLIENT_ID: "Iv1.c90ee430400a347f" diff --git a/config/clusters/qcl/common.values.yaml b/config/clusters/qcl/common.values.yaml index 2587614226..1d1eddc558 100644 --- a/config/clusters/qcl/common.values.yaml +++ b/config/clusters/qcl/common.values.yaml @@ -36,13 +36,6 @@ jupyterhub: hub: allowNamedServers: true config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - gizmo404 - - jtkmckenna JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -51,6 +44,10 @@ jupyterhub: - QuantifiedCarbon:jupyterhub scope: - read:org + Authenticator: + admin_users: + - gizmo404 + - jtkmckenna singleuser: image: # pangeo/pangeo-notebook is maintained at: https://github.com/pangeo-data/pangeo-docker-images 
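Review bot: The old `Authenticator` block's `delete_invalid_users: true` (with its comment about purging database users that fail `username_pattern`) is dropped and not re-added in the new `Authenticator` block, while at the same time `allow_existing_users: True` makes every existing database row a valid login. Together that means any stale or malformed usernames already in the coessing hub database, which the old setting would have deleted on startup, are now kept and allowed to log in. Unless dropping it was intended, restore `delete_invalid_users: true` under the new `Authenticator:` block next to `admin_users`. If `username_pattern` is no longer set anywhere for this hub (it is not visible in this hunk), the setting is a no-op and the removal should simply be called out in the commit message.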
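Review bot: Moving `admin_users` under a new `Authenticator:` block drops the comment that explained why this hub sets no `allowed_users` (access is governed by GitHub team membership, per the removed comment and the `2i2c-org:hub-access-for-2i2c-staff` entry visible as context), and nothing in the new block records that constraint. That is exactly the configuration the warning added elsewhere in this commit says must not be combined with `allow_existing_users`, so a future edit copying the cloudbank pattern into this file would silently defeat team-based revocation. Suggest keeping a one-line reminder above `admin_users`, e.g. `# Access is governed by GitHub org/team membership; do not add allowed_users or allow_existing_users here.` The same comment was dropped from the leap, linked-earth, m2lines, nasa-cryo, qcl, smithsonian and victor hubs in this commit.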
@@ -231,11 +228,9 @@ jupyterhub:
 - name: volume-mount-ownership-fix
 image: busybox
 command:
- [
- "sh",
- "-c",
- "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ",
- ]
+ - sh
+ - -c
+ - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan
 securityContext:
 runAsUser: 0
 volumeMounts:
diff --git a/config/clusters/smithsonian/common.values.yaml b/config/clusters/smithsonian/common.values.yaml
index 499066f1ff..3a8aba9abc 100644
--- a/config/clusters/smithsonian/common.values.yaml
+++ b/config/clusters/smithsonian/common.values.yaml
@@ -48,9 +48,6 @@ basehub:
 - read:org
 Authenticator:
 enable_auth_state: true
- # This hub uses GitHub Orgs auth and so we don't set allowed_users in
- # order to not deny access to valid members of the listed orgs. These
- # people should have admin access though.
 admin_users:
 - MikeTrizna # Mike Trizna
 - rdikow # Rebecca Dikow
diff --git a/config/clusters/ubc-eoas/common.values.yaml b/config/clusters/ubc-eoas/common.values.yaml
index fbbbf9ec92..bdf33cc29f 100644
--- a/config/clusters/ubc-eoas/common.values.yaml
+++ b/config/clusters/ubc-eoas/common.values.yaml
@@ -42,9 +42,6 @@ jupyterhub:
 JupyterHub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
- shown_idps:
- - https://authentication.ubc.ca
- - http://google.com/accounts/o8/id
 allowed_idps:
 https://authentication.ubc.ca:
 username_derivation:
diff --git a/config/clusters/utoronto/common.values.yaml b/config/clusters/utoronto/common.values.yaml
index 984e89b54c..a47175f4f8 100644
--- a/config/clusters/utoronto/common.values.yaml
+++ b/config/clusters/utoronto/common.values.yaml
@@ -81,8 +81,6 @@ jupyterhub:
 config:
 CILogonOAuthenticator:
 oauth_callback_url: https://r-staging.datatools.utoronto.ca/hub/oauth_callback
- shown_idps:
- - https://idpz.utorauth.utoronto.ca/shibboleth
 allowed_idps:
 https://idpz.utorauth.utoronto.ca/shibboleth:
 username_derivation:
diff --git a/config/clusters/victor/common.values.yaml b/config/clusters/victor/common.values.yaml
index 568094f27e..5f3827beb2 100644
--- a/config/clusters/victor/common.values.yaml
+++ b/config/clusters/victor/common.values.yaml
@@ -34,13 +34,6 @@ basehub:
 url: https://people.climate.columbia.edu/projects/sponsor/National%20Science%20Foundation
 hub:
 config:
- Authenticator:
- # This hub uses GitHub Teams auth and so we don't set
- # allowed_users in order to not deny access to valid members of
- # the listed teams. These people should have admin access though.
- admin_users:
- - einatlev-ldeo
- - SamKrasnoff
 JupyterHub:
 authenticator_class: github
 GitHubOAuthenticator:
@@ -49,6 +42,10 @@ basehub:
 - VICTOR-Community:victoraccess
 scope:
 - read:org
+ Authenticator:
+ admin_users:
+ - einatlev-ldeo
+ - SamKrasnoff
 singleuser:
 profileList:
 # The mem-guarantees are here so k8s doesn't schedule other pods
diff --git a/docs/howto/features/per-user-db.md b/docs/howto/features/per-user-db.md
index 52141691ac..871c843b3f 100644
--- a/docs/howto/features/per-user-db.md
+++ b/docs/howto/features/per-user-db.md
@@ -60,11 +60,9 @@ jupyterhub:
 - name: volume-mount-ownership-fix
 image: busybox
 command:
- [
- "sh",
- "-c",
- "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /var/lib/postgresql/data && ls -lhd /home/jovyan ",
- ]
+ - sh
+ - -c
+ - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /var/lib/postgresql/data && ls -lhd /home/jovyan
 securityContext:
 runAsUser: 0
 volumeMounts:
diff --git a/docs/hub-deployment-guide/configure-auth/cilogon.md b/docs/hub-deployment-guide/configure-auth/cilogon.md
index de91c07245..04a5824843 100644
--- a/docs/hub-deployment-guide/configure-auth/cilogon.md
+++ b/docs/hub-deployment-guide/configure-auth/cilogon.md
@@ -69,10 +69,6 @@ jupyterhub:
 - admin@anu.edu.au
 CILogonOAuthenticator:
 oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback
- # Show only the option to login with Google and ANU's provider
- shown_idps:
- - http://google.com/accounts/o8/id
- - https://idp2.anu.edu.au/idp/shibboleth
 # Allow to only login into the hub using Google or ANU's provider
 allowed_idps:
 http://google.com/accounts/o8/id:
@@ -119,11 +115,7 @@ jupyterhub:
 JupyterHub:
 authenticator_class: cilogon
 CILogonOAuthenticator:
- scope:
- - "profile"
 oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback
- shown_idps:
- - http://github.com/login/oauth/authorize
 allowed_idps:
 http://github.com/login/oauth/authorize:
 username_derivation:
diff --git a/docs/topic/infrastructure/storage-layer.md b/docs/topic/infrastructure/storage-layer.md
index 951eb916ca..171b2b0943 100644
--- a/docs/topic/infrastructure/storage-layer.md
+++ b/docs/topic/infrastructure/storage-layer.md
@@ -118,11 +118,9 @@ jupyterhub:
 - name: volume-mount-ownership-fix
 image: busybox
 command:
- [
- "sh",
- "-c",
- "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ",
- ]
+ - sh
+ - -c
+ - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan
 securityContext:
 runAsUser: 0
 volumeMounts:
diff --git a/helm-charts/basehub/Chart.yaml b/helm-charts/basehub/Chart.yaml
index ff28172b3e..d410964912 100644
--- a/helm-charts/basehub/Chart.yaml
+++ b/helm-charts/basehub/Chart.yaml
@@ -11,7 +11,7 @@ dependencies:
 # images/hub/Dockerfile, and will also involve manually building and pushing
 # the Dockerfile to https://quay.io/2i2c/pilot-hub. Details about this can
 # be found in the Dockerfile's comments.
- version: 3.0.0-beta.1.git.6208.h7b44299a
+ version: 3.0.2
 repository: https://jupyterhub.github.io/helm-chart/
 - name: binderhub-service
 version: 0.1.0-0.dev.git.80.h358d32f
diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml
index c58cea667f..c35a07fc0d 100644
--- a/helm-charts/basehub/values.yaml
+++ b/helm-charts/basehub/values.yaml
@@ -177,11 +177,9 @@ jupyterhub:
 - name: volume-mount-ownership-fix
 image: busybox
 command:
- [
- "sh",
- "-c",
- "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan ",
- ]
+ - sh
+ - -c
+ - id && chown 1000:1000 /home/jovyan /home/jovyan/shared && ls -lhd /home/jovyan
 securityContext:
 runAsUser: 0
 volumeMounts:
@@ -394,7 +392,7 @@ jupyterhub:
 interfaces:
 - value: "/tree"
 title: Classic Notebook
- description:
+ description: >-
 The original single-document interface for creating Jupyter Notebooks.
 - value: "/lab"
@@ -420,8 +418,8 @@ jupyterhub:
 securityContext:
 runAsUser: 1000
 runAsGroup: 1000
- allowPrivilegeEscalation: False
- readOnlyRootFilesystem: True
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 volumeMounts:
 - name: custom-templates
 mountPath: /srv/repo
@@ -488,8 +486,8 @@ jupyterhub:
 securityContext:
 runAsUser: 1000
 runAsGroup: 1000
- allowPrivilegeEscalation: False
- readOnlyRootFilesystem: True
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 volumeMounts:
 - name: custom-templates
 mountPath: /srv/repo
@@ -526,7 +524,7 @@ jupyterhub:
 admin: true
 image:
 name: quay.io/2i2c/pilot-hub
- tag: "0.0.1-0.dev.git.6074.h895181eb"
+ tag: "0.0.1-0.dev.git.6935.h7141d766"
 networkPolicy:
 enabled: true
 # interNamespaceAccessLabels=accept makes the hub pod's associated
diff --git a/helm-charts/chartpress.yaml b/helm-charts/chartpress.yaml
index 962a638476..6ecf191e45 100644
--- a/helm-charts/chartpress.yaml
+++ b/helm-charts/chartpress.yaml
@@ -1,3 +1,13 @@
+# This is the configuration for chartpress, a CLI for Helm chart management.
+#
+# chartpress can be used to:
+# - Build images
+# - Update Chart.yaml (version) and values.yaml (image tags)
+# - Package and publish Helm charts to a GitHub based Helm chart repository
+#
+# For more information about chartpress, see the projects README.md file:
+# https://github.com/jupyterhub/chartpress
+#
 charts:
 - name: basehub
 imagePrefix: quay.io/2i2c/pilot-
@@ -5,16 +15,16 @@ charts:
 hub:
 valuesPath: jupyterhub.hub.image
 buildArgs:
- REQUIREMENTS_FILE: "requirements.txt"
+ REQUIREMENTS_FILE: requirements.txt
 unlisted-choice-experiment:
 imageName: quay.io/2i2c/unlisted-choice-experiment
 buildArgs:
- REQUIREMENTS_FILE: "unlisted-choice-requirements.txt"
- contextPath: "images/hub"
+ REQUIREMENTS_FILE: unlisted-choice-requirements.txt
+ contextPath: images/hub
 dockerfilePath: images/hub/Dockerfile
 dynamic-image-building-experiment:
 imageName: quay.io/2i2c/dynamic-image-building-experiment
 buildArgs:
- REQUIREMENTS_FILE: "dynamic-image-building-requirements.txt"
- contextPath: "images/hub"
- dockerfilePath: "images/hub/Dockerfile"
+ REQUIREMENTS_FILE: dynamic-image-building-requirements.txt
+ contextPath: images/hub
+ dockerfilePath: images/hub/Dockerfile
diff --git a/helm-charts/images/hub/Dockerfile b/helm-charts/images/hub/Dockerfile
index 77caeb4434..6d5e7e05b5 100644
--- a/helm-charts/images/hub/Dockerfile
+++ b/helm-charts/images/hub/Dockerfile
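Review bot: The new header comment has a possessive typo on its eighth line: `# For more information about chartpress, see the projects README.md file:` should read `see the project's README.md file:`. It would also help to say which of the three listed capabilities this file is relied on for; the keys present (`imagePrefix`, `valuesPath`, `buildArgs`) only show image building and tag updates, so if chart publishing is not driven from here, a line such as `# Here it is used to build the hub images and update their tags in values.yaml` keeps the list from reading as a description of what this repository does.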
@@ -12,7 +12,11 @@
 # `chartpress --push --builder docker-buildx --platform linux/amd64`
 # Ref: https://cloudolife.com/2022/03/05/Infrastructure-as-Code-IaC/Container/Docker/Docker-buildx-support-multiple-architectures-images/
 #
-FROM jupyterhub/k8s-hub:3.0.0-beta.1
+FROM jupyterhub/k8s-hub:3.0.2
+
+# chartpress.yaml defines multiple hub images differentiated only by a
+# requirements.txt file with dependencies, this build argument allows us to
+# re-use this Dockerfile for all images.
 ARG REQUIREMENTS_FILE
 COPY ${REQUIREMENTS_FILE} /tmp/
diff --git a/helm-charts/images/hub/dynamic-image-building-requirements.txt b/helm-charts/images/hub/dynamic-image-building-requirements.txt
index 225a86b394..fcfadf2363 100644
--- a/helm-charts/images/hub/dynamic-image-building-requirements.txt
+++ b/helm-charts/images/hub/dynamic-image-building-requirements.txt
@@ -1,6 +1,6 @@
 # Image lives at quay.io/2i2c/second-hub-experimental
 git+https://github.com/yuvipanda/jupyterhub-configurator@ed7e3a0df1e3d625d10903ef7d7fd9c2fbb548db
 # Brings on using `unlisted_choice` in profile options per https://github.com/2i2c-org/infrastructure/issues/2146
-git+https://github.com/jupyterhub/kubespawner@5a90351adba7d65286bd5e00e82f156011bf7b83
+git+https://github.com/jupyterhub/kubespawner@8cc569c78bcdb342e694f7344219e43d522f4809
 # Brings in https://github.com/yuvipanda/prototype-kubespawner-dynamic-building-ui
 git+https://github.com/yuvipanda/prototype-kubespawner-dynamic-building-ui.git@b36ece00b5e7fcba5d4485e7ab70992705601c3c
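Review bot: The new comment explains why `REQUIREMENTS_FILE` exists but not that the build fails when it is not supplied: `COPY ${REQUIREMENTS_FILE} /tmp/` with an empty value expands to `COPY /tmp/`, which Docker rejects for having too few arguments. Either say so in the comment, e.g. `# REQUIREMENTS_FILE is required; chartpress passes it via buildArgs in chartpress.yaml`, or give the argument a default such as `ARG REQUIREMENTS_FILE=requirements.txt` so a plain docker build of the default hub image still works. The rest of the Dockerfile is outside the hunk.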