Upgrade to z2jh 3.0.2 from 3.0.0-beta.1 - oauthenticator 15.1 bumped to 16.0 #3118

Merged
merged 13 commits into from
Sep 14, 2023
5 changes: 0 additions & 5 deletions config/clusters/2i2c-aws-us/cosmicds.values.yaml
Expand Up @@ -76,12 +76,7 @@ jupyterhub:
JupyterHub:
authenticator_class: cilogon
CILogonOAuthenticator:
scope:
- "email"
- "profile"
oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback
shown_idps:
- http://github.com/login/oauth/authorize
allowed_idps:
# The username claim here is used to do *authorization*, for both
# admin use and any allow listing we want to do.
9 changes: 0 additions & 9 deletions config/clusters/2i2c-aws-us/dask-staging.values.yaml
Expand Up @@ -33,15 +33,6 @@ basehub:
tag: "2022.06.02"
hub:
config:
Authenticator:
# This hub uses GitHub Org auth and so we don't set
# allowed_users in order to not deny access to valid members of
# the listed orgs.
#
# You must always set admin_users, even if it is an empty list,
# otherwise `add_staff_user_ids_to_admin_users: true` will fail
# silently and no staff members will have admin access.
admin_users: []
JupyterHub:
authenticator_class: "github"
GitHubOAuthenticator:
8 changes: 3 additions & 5 deletions config/clusters/2i2c-aws-us/itcoocean.values.yaml
Expand Up @@ -57,11 +57,9 @@ jupyterhub:
- name: volume-mount-ownership-fix
image: busybox
command:
[
"sh",
"-c",
"id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ",
]
- sh
- -c
- id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan
securityContext:
runAsUser: 0
volumeMounts:
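Review bot: The new block-style `command` leaves both the `-c` flag and the whole shell string as plain scalars; that parses today, but a later edit that introduces ` #`, `: ` or a leading indicator into the command would silently change the value, and the bare `- -c` is easy to misread. Quoting makes the intent explicit: `- '-c'` and `- 'id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan'`. Because this init container runs with `runAsUser: 0`, a one-line comment above `command` stating that it only fixes ownership of the three mount points (non-recursive `chown`) would help reviewers judge its blast radius. The identical container is in config/clusters/2i2c/climatematch.values.yaml, so both files should be changed together.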
6 changes: 3 additions & 3 deletions config/clusters/2i2c-aws-us/researchdelight.values.yaml
Expand Up @@ -30,19 +30,19 @@ basehub:
hub:
image:
name: quay.io/2i2c/unlisted-choice-experiment
tag: "0.0.1-0.dev.git.6863.h406a3546"
tag: "0.0.1-0.dev.git.6935.h7141d766"
config:
JupyterHub:
authenticator_class: github
Authenticator:
enable_auth_state: true
GitHubOAuthenticator:
populate_teams_in_auth_state: true
allowed_organizations:
- 2i2c-org:hub-access-for-2i2c-staff
- 2i2c-org:research-delight-team
scope:
- read:org
Authenticator:
enable_auth_state: true
singleuser:
image:
name: quay.io/2i2c/researchdelight-image
9 changes: 0 additions & 9 deletions config/clusters/2i2c-aws-us/staging.values.yaml
Expand Up @@ -28,15 +28,6 @@ jupyterhub:
url: https://2i2c.org
hub:
config:
Authenticator:
# This hub uses GitHub Org auth and so we don't set
# allowed_users in order to not deny access to valid members of
# the listed orgs.
#
# You must always set admin_users, even if it is an empty list,
# otherwise `add_staff_user_ids_to_admin_users: true` will fail
# silently and no staff members will have admin access.
admin_users: []
JupyterHub:
authenticator_class: "github"
GitHubOAuthenticator:
13 changes: 5 additions & 8 deletions config/clusters/2i2c-uk/lis.values.yaml
Expand Up @@ -49,17 +49,14 @@ jupyterhub:
config:
JupyterHub:
authenticator_class: github
Authenticator:
# This hub uses GitHub Orgs auth and so we don't set
# allowed_users in order to not deny access to valid members of
# the listed orgs. These people should have admin access though.
admin_users:
- LaCrecerelle
- matthew-brett
GitHubOAuthenticator:
oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback"
allowed_organizations:
- 2i2c-org
- lisacuk
scope:
- read:org
oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback"
Authenticator:
admin_users:
- LaCrecerelle
- matthew-brett
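Review bot: Moving `Authenticator.admin_users` below `GitHubOAuthenticator` drops the comment that recorded the hub's intended allow model (organization membership grants access; `allowed_users` is deliberately absent; the listed people are admins on top of that), and nothing in the new block preserves that rationale. A later editor reading only the new file cannot tell whether the missing `allowed_users` is an oversight. Suggested comment above `admin_users`: `# allowed_users is intentionally unset: access is granted by GitHubOAuthenticator.allowed_organizations; these users are admins in addition.` The same comment was dropped in config/clusters/awi-ciroh/common.values.yaml.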
2 changes: 0 additions & 2 deletions config/clusters/2i2c-uk/staging.values.yaml
Expand Up @@ -39,8 +39,6 @@ jupyterhub:
authenticator_class: cilogon
CILogonOAuthenticator:
oauth_callback_url: "https://staging.uk.2i2c.cloud/hub/oauth_callback"
shown_idps:
- http://google.com/accounts/o8/id
allowed_idps:
http://google.com/accounts/o8/id:
username_derivation:
37 changes: 28 additions & 9 deletions config/clusters/2i2c/aup.values.yaml
Expand Up @@ -37,21 +37,40 @@ jupyterhub:
JupyterHub:
authenticator_class: cilogon
CILogonOAuthenticator:
scope:
- "profile"
oauth_callback_url: "https://aup.pilot.2i2c.cloud/hub/oauth_callback"
shown_idps:
- http://github.com/login/oauth/authorize
allowed_idps:
http://github.com/login/oauth/authorize:
username_derivation:
username_claim: "preferred_username"
OAuthenticator:
# WARNING: Don't use allow_existing_users with config to allow an
# externally managed group of users, such as
# GitHubOAuthenticator.allowed_organizations, as it breaks a
# common expectations for an admin user.
#
# The broken expectation is that removing a user from the
# externally managed group implies that the user won't have
# access any more. In practice the user will still have
# access if it had logged in once before, as it then exists
# in JupyterHub's database of users.
#
Unfortunately I am not a fan of carrying this sort of long comments everywhere.

For example, this comment is not relevant when we use CILogon, because there is no concept of allowing groups of users there (though there is domain-based allowing, and I believe that part still stands).

My personal preference is to have such a comment in a documentation that we follow when we set up the authentication for a hub (or in a future template of some sort).

Though, I understand that we don't have yet templates for hub configs, so we end up copying config from one hub to another and such info might get lost in this process if we only have it in the docs.

Maybe, instead of having one long comment we could instead have a short one that links to this explanation that we put somewhere in the docs instead.

What do you think?

I opened #3134 for a short-term fix, as not addressing this right away lets me get this out the door before I take Thursday/Friday off in order to work on my move!

A big plus one to what @GeorgianaElena says as well. I often find long repeated comments extremely distracting when working on the projects too.

allow_existing_users: True
Authenticator:
# FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies
# allow_existing_users=True, while in z3jh 3.0.0 this needs to be
# configured explicitly.
# WARNING: Removing a user from admin_users or allowed_users doesn't
# revoke admin status or access.
#
# OAuthenticator.allow_existing_users allows any user in the
# JupyterHub database of users able to login. This includes
# any previously logged in user or user previously listed in
# allowed_users or admin_users, as such users are added to
# JupyterHub's database on startup.
#
# To revoke admin status or access for a user when
# allow_existing_users is enabled, first remove the user from
# admin_users or allowed_users, then deploy the change, and
# finally revoke the admin status or delete the user via the
# /hub/admin panel.
#
allowed_users: &aup_users
admin_users:
- swalker
- shaolintl
admin_users: *aup_users
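Review bot: `allow_existing_users: True` uses a capitalised YAML 1.1 boolean; `true` is the canonical form, is what yamllint's truthy rule accepts, and matches the lowercase booleans used elsewhere in this repository's values files, so write `allow_existing_users: true`. The same capitalised value is added in config/clusters/2i2c/neurohackademy.values.yaml. In the new `OAuthenticator` comment, `it breaks a common expectations for an admin user` should read `it breaks a common expectation for an admin user`.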
2 changes: 0 additions & 2 deletions config/clusters/2i2c/binder-staging.values.yaml
Expand Up @@ -83,8 +83,6 @@ binderhub:
- [email protected]
CILogonOAuthenticator:
oauth_callback_url: "https://binder-staging.hub.2i2c.cloud/hub/oauth_callback"
shown_idps:
- http://google.com/accounts/o8/id
allowed_idps:
http://google.com/accounts/o8/id:
username_derivation:
8 changes: 3 additions & 5 deletions config/clusters/2i2c/climatematch.values.yaml
Expand Up @@ -39,11 +39,9 @@ jupyterhub:
- name: volume-mount-ownership-fix
image: busybox
command:
[
"sh",
"-c",
"id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ",
]
- sh
- -c
- id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan
securityContext:
runAsUser: 0
volumeMounts:
5 changes: 0 additions & 5 deletions config/clusters/2i2c/dask-staging.values.yaml
Expand Up @@ -44,12 +44,7 @@ basehub:
JupyterHub:
authenticator_class: cilogon
CILogonOAuthenticator:
scope:
- "email"
- "profile"
oauth_callback_url: "https://dask-staging.2i2c.cloud/hub/oauth_callback"
shown_idps:
- http://accounts.google.com/o/oauth2/auth
allowed_idps:
http://google.com/accounts/o8/id:
username_derivation:
4 changes: 0 additions & 4 deletions config/clusters/2i2c/demo.values.yaml
Expand Up @@ -31,10 +31,6 @@ jupyterhub:
authenticator_class: cilogon
CILogonOAuthenticator:
oauth_callback_url: https://demo.2i2c.cloud/hub/oauth_callback
shown_idps:
# Allow Google for 2i2c.org anr dmbl
- https://accounts.google.com/o/oauth2/auth
- https://enterprise.login.utexas.edu/idp/shibboleth
allowed_idps:
# UTexas hub
https://enterprise.login.utexas.edu/idp/shibboleth:
4 changes: 1 addition & 3 deletions config/clusters/2i2c/imagebuilding-demo.values.yaml
Expand Up @@ -60,14 +60,12 @@ jupyterhub:
hub:
image:
name: quay.io/2i2c/dynamic-image-building-experiment
tag: "0.0.1-0.dev.git.6765.h33942a27"
tag: "0.0.1-0.dev.git.6935.h7141d766"
config:
JupyterHub:
authenticator_class: cilogon
CILogonOAuthenticator:
oauth_callback_url: "https://imagebuilding-demo.2i2c.cloud/hub/oauth_callback"
shown_idps:
- http://google.com/accounts/o8/id
allowed_idps:
http://google.com/accounts/o8/id:
username_derivation:
3 changes: 0 additions & 3 deletions config/clusters/2i2c/mtu.values.yaml
Expand Up @@ -39,9 +39,6 @@ jupyterhub:
authenticator_class: cilogon
CILogonOAuthenticator:
oauth_callback_url: "https://mtu.2i2c.cloud/hub/oauth_callback"
shown_idps:
- http://google.com/accounts/o8/id
- https://sso.mtu.edu/idp/shibboleth
allowed_idps:
# Allow 2i2c staff to login with Google
http://google.com/accounts/o8/id:
43 changes: 31 additions & 12 deletions config/clusters/2i2c/neurohackademy.values.yaml
Expand Up @@ -55,24 +55,43 @@ jupyterhub:
config:
JupyterHub:
authenticator_class: cilogon
Authenticator:
# FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies
# allow_existing_users=True, while in z3jh 3.0.0 this needs to be
# configured explicitly.
#
allowed_users: &neurohackademy_users
- arokem
admin_users: *neurohackademy_users
CILogonOAuthenticator:
scope:
- "profile"
oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback
shown_idps:
- https://github.com/login/oauth/authorize
allowed_idps:
http://github.com/login/oauth/authorize:
username_derivation:
username_claim: "preferred_username"
OAuthenticator:
# WARNING: Don't use allow_existing_users with config to allow an
# externally managed group of users, such as
# GitHubOAuthenticator.allowed_organizations, as it breaks a
# common expectations for an admin user.
#
# The broken expectation is that removing a user from the
# externally managed group implies that the user won't have
# access any more. In practice the user will still have
# access if it had logged in once before, as it then exists
# in JupyterHub's database of users.
#
allow_existing_users: True
Authenticator:
# WARNING: Removing a user from admin_users or allowed_users doesn't
# revoke admin status or access.
#
# OAuthenticator.allow_existing_users allows any user in the
# JupyterHub database of users able to login. This includes
# any previously logged in user or user previously listed in
# allowed_users or admin_users, as such users are added to
# JupyterHub's database on startup.
#
# To revoke admin status or access for a user when
# allow_existing_users is enabled, first remove the user from
# admin_users or allowed_users, then deploy the change, and
# finally revoke the admin status or delete the user via the
# /hub/admin panel.
#
admin_users:
- arokem
extraFiles:
configurator-schema-default:
data:
2 changes: 0 additions & 2 deletions config/clusters/2i2c/staging.values.yaml
Expand Up @@ -56,8 +56,6 @@ jupyterhub:
authenticator_class: cilogon
CILogonOAuthenticator:
oauth_callback_url: "https://staging.2i2c.cloud/hub/oauth_callback"
shown_idps:
- http://google.com/accounts/o8/id
allowed_idps:
http://google.com/accounts/o8/id:
username_derivation:
3 changes: 0 additions & 3 deletions config/clusters/2i2c/temple.values.yaml
Expand Up @@ -34,9 +34,6 @@ jupyterhub:
authenticator_class: cilogon
CILogonOAuthenticator:
oauth_callback_url: https://temple.2i2c.cloud/hub/oauth_callback
shown_idps:
- https://fim.temple.edu/idp/shibboleth
- https://accounts.google.com/o/oauth2/auth
allowed_idps:
https://fim.temple.edu/idp/shibboleth:
username_derivation:
3 changes: 0 additions & 3 deletions config/clusters/2i2c/ucmerced.values.yaml
Expand Up @@ -38,9 +38,6 @@ jupyterhub:
authenticator_class: cilogon
CILogonOAuthenticator:
oauth_callback_url: https://ucmerced.2i2c.cloud/hub/oauth_callback
shown_idps:
- urn:mace:incommon:ucmerced.edu
- https://accounts.google.com/o/oauth2/auth
allowed_idps:
urn:mace:incommon:ucmerced.edu:
username_derivation:
13 changes: 5 additions & 8 deletions config/clusters/awi-ciroh/common.values.yaml
Expand Up @@ -33,21 +33,18 @@ basehub:
config:
JupyterHub:
authenticator_class: github
Authenticator:
# This hub uses GitHub Orgs auth and so we don't set
# allowed_users in order to not deny access to valid members of
# the listed orgs. These people should have admin access though.
admin_users:
- jameshalgren
- arpita0911patel
- karnesh
GitHubOAuthenticator:
allowed_organizations:
- 2i2c-org
- alabamawaterinstitute
- NOAA-OWP
scope:
- read:org
Authenticator:
admin_users:
- jameshalgren
- arpita0911patel
- karnesh
singleuser:
image:
# Image build repo: https://github.com/2i2c-org/awi-ciroh-image
3 changes: 0 additions & 3 deletions config/clusters/callysto/common.values.yaml
Expand Up @@ -136,9 +136,6 @@ jupyterhub:
- "102749090965437723445" # Byron Chu (Cybera)
- "115909958579864751636" # Michael Jones (Cybera)
- "106951135662332329542" # Elmar Bouwer (Cybera)
shown_idps:
- https://accounts.google.com/o/oauth2/auth
- https://login.microsoftonline.com/common/oauth2/v2.0/authorize
allowed_idps:
http://google.com/accounts/o8/id:
username_derivation: