From 28312242f42d79adfeadfb25a7f281f5fc1ffa05 Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Thu, 14 Sep 2023 16:08:56 +0200 Subject: [PATCH] Revert "Upgrade to z2jh 3.0.2 from 3.0.0-beta.1 - oauthenticator 15.1 bumped to 16.0" --- .../clusters/2i2c-aws-us/cosmicds.values.yaml | 5 +++ .../2i2c-aws-us/dask-staging.values.yaml | 9 ++++ .../2i2c-aws-us/itcoocean.values.yaml | 8 ++-- .../2i2c-aws-us/researchdelight.values.yaml | 6 +-- .../clusters/2i2c-aws-us/staging.values.yaml | 9 ++++ config/clusters/2i2c-uk/lis.values.yaml | 13 +++--- config/clusters/2i2c-uk/staging.values.yaml | 2 + config/clusters/2i2c/aup.values.yaml | 37 ++++----------- .../clusters/2i2c/binder-staging.values.yaml | 2 + config/clusters/2i2c/climatematch.values.yaml | 8 ++-- config/clusters/2i2c/dask-staging.values.yaml | 5 +++ config/clusters/2i2c/demo.values.yaml | 4 ++ .../2i2c/imagebuilding-demo.values.yaml | 4 +- config/clusters/2i2c/mtu.values.yaml | 3 ++ .../clusters/2i2c/neurohackademy.values.yaml | 43 +++++------------- config/clusters/2i2c/staging.values.yaml | 2 + config/clusters/2i2c/temple.values.yaml | 3 ++ config/clusters/2i2c/ucmerced.values.yaml | 3 ++ config/clusters/awi-ciroh/common.values.yaml | 13 +++--- config/clusters/callysto/common.values.yaml | 3 ++ config/clusters/carbonplan/common.values.yaml | 37 ++++----------- .../unitefa-conicet.values.yaml | 2 + config/clusters/cloudbank/bcc.values.yaml | 2 + config/clusters/cloudbank/ccsf.values.yaml | 3 ++ config/clusters/cloudbank/csm.values.yaml | 3 ++ config/clusters/cloudbank/csulb.values.yaml | 4 ++ config/clusters/cloudbank/demo.values.yaml | 3 ++ config/clusters/cloudbank/dvc.values.yaml | 4 ++ .../clusters/cloudbank/elcamino.values.yaml | 3 ++ config/clusters/cloudbank/evc.values.yaml | 4 ++ config/clusters/cloudbank/fresno.values.yaml | 4 ++ .../clusters/cloudbank/glendale.values.yaml | 3 ++ config/clusters/cloudbank/howard.values.yaml | 36 ++++----------- .../clusters/cloudbank/humboldt.values.yaml | 4 ++ config/clusters/cloudbank/lacc.values.yaml | 36 ++++----------- 
config/clusters/cloudbank/laney.values.yaml | 4 ++ config/clusters/cloudbank/mills.values.yaml | 3 ++ .../clusters/cloudbank/miracosta.values.yaml | 4 ++ config/clusters/cloudbank/mission.values.yaml | 3 ++ config/clusters/cloudbank/norco.values.yaml | 4 ++ config/clusters/cloudbank/palomar.values.yaml | 36 ++++----------- .../clusters/cloudbank/pasadena.values.yaml | 3 ++ .../clusters/cloudbank/sacramento.values.yaml | 3 ++ .../clusters/cloudbank/saddleback.values.yaml | 3 ++ .../clusters/cloudbank/santiago.values.yaml | 4 ++ .../clusters/cloudbank/sbcc-dev.values.yaml | 37 ++++----------- config/clusters/cloudbank/sbcc.values.yaml | 37 ++++----------- config/clusters/cloudbank/sjcc.values.yaml | 4 ++ config/clusters/cloudbank/sjsu.values.yaml | 4 ++ config/clusters/cloudbank/skyline.values.yaml | 3 ++ config/clusters/cloudbank/srjc.values.yaml | 3 ++ config/clusters/cloudbank/staging.values.yaml | 36 ++++----------- .../clusters/cloudbank/tuskegee.values.yaml | 36 ++++----------- config/clusters/gridsst/common.values.yaml | 37 +++------------ .../common.values.yaml | 45 ++++++------------- config/clusters/leap/common.values.yaml | 15 ++++--- .../clusters/linked-earth/common.values.yaml | 9 ++-- config/clusters/m2lines/common.values.yaml | 13 +++--- config/clusters/meom-ige/common.values.yaml | 37 ++++----------- config/clusters/nasa-cryo/common.values.yaml | 36 ++++++++------- config/clusters/nasa-veda/common.values.yaml | 2 +- config/clusters/openscapes/common.values.yaml | 39 +++++----------- .../clusters/openscapes/staging.values.yaml | 2 +- .../clusters/pangeo-hubs/coessing.values.yaml | 43 +++++------------- .../clusters/pangeo-hubs/common.values.yaml | 15 ++++--- config/clusters/qcl/common.values.yaml | 19 +++++--- .../clusters/smithsonian/common.values.yaml | 3 ++ config/clusters/ubc-eoas/common.values.yaml | 3 ++ config/clusters/utoronto/common.values.yaml | 2 + config/clusters/victor/common.values.yaml | 11 +++-- docs/howto/features/per-user-db.md | 8 
++-- .../configure-auth/cilogon.md | 8 ++++ docs/topic/infrastructure/storage-layer.md | 8 ++-- helm-charts/basehub/Chart.yaml | 2 +- helm-charts/basehub/values.yaml | 20 +++++---- helm-charts/chartpress.yaml | 22 +++------ helm-charts/images/hub/Dockerfile | 6 +-- .../dynamic-image-building-requirements.txt | 2 +- 78 files changed, 425 insertions(+), 539 deletions(-) diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml index 2322f13c54..77931e0b27 100644 --- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml +++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml @@ -76,7 +76,12 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "email" + - "profile" oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://github.com/login/oauth/authorize allowed_idps: # The username claim here is used to do *authorization*, for both # admin use and any allow listing we want to do. diff --git a/config/clusters/2i2c-aws-us/dask-staging.values.yaml b/config/clusters/2i2c-aws-us/dask-staging.values.yaml index ef475a47b1..49def94b2c 100644 --- a/config/clusters/2i2c-aws-us/dask-staging.values.yaml +++ b/config/clusters/2i2c-aws-us/dask-staging.values.yaml @@ -33,6 +33,15 @@ basehub: tag: "2022.06.02" hub: config: + Authenticator: + # This hub uses GitHub Org auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed orgs. + # + # You must always set admin_users, even if it is an empty list, + # otherwise `add_staff_user_ids_to_admin_users: true` will fail + # silently and no staff members will have admin access. + admin_users: [] JupyterHub: authenticator_class: "github" GitHubOAuthenticator: diff --git a/config/clusters/2i2c-aws-us/itcoocean.values.yaml b/config/clusters/2i2c-aws-us/itcoocean.values.yaml index a2754241fa..7a9c19ae54 100644 --- a/config/clusters/2i2c-aws-us/itcoocean.values.yaml 
+++ b/config/clusters/2i2c-aws-us/itcoocean.values.yaml @@ -57,9 +57,11 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", + ] securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml index 6326b3fc18..c7163a272c 100644 --- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml +++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml @@ -30,10 +30,12 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6935.h7141d766" + tag: "0.0.1-0.dev.git.6863.h406a3546" config: JupyterHub: authenticator_class: github + Authenticator: + enable_auth_state: true GitHubOAuthenticator: populate_teams_in_auth_state: true allowed_organizations: @@ -41,8 +43,6 @@ basehub: - 2i2c-org:research-delight-team scope: - read:org - Authenticator: - enable_auth_state: true singleuser: image: name: quay.io/2i2c/researchdelight-image diff --git a/config/clusters/2i2c-aws-us/staging.values.yaml b/config/clusters/2i2c-aws-us/staging.values.yaml index 7d839d7b3d..13e68094d4 100644 --- a/config/clusters/2i2c-aws-us/staging.values.yaml +++ b/config/clusters/2i2c-aws-us/staging.values.yaml 
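Review bot: The restored flow-style `command:` in itcoocean.values.yaml packs the whole shell pipeline into one quoted string that ends with a trailing space (`... ls -lhd /home/jovyan "`), which is harder to read and diff than the block list it replaces, and the trailing space looks accidental even though sh ignores it. Unless the flow form is required by the chart version being reverted to, I would keep the three-item block list; failing that, drop the trailing space: `"id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan",`. Because this init container runs with `runAsUser: 0`, keeping the command minimal and easy to review matters for anyone auditing what executes as root. climatematch.values.yaml carries the identical change.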
@@ -28,6 +28,15 @@ jupyterhub: url: https://2i2c.org hub: config: + Authenticator: + # This hub uses GitHub Org auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed orgs. + # + # You must always set admin_users, even if it is an empty list, + # otherwise `add_staff_user_ids_to_admin_users: true` will fail + # silently and no staff members will have admin access. + admin_users: [] JupyterHub: authenticator_class: "github" GitHubOAuthenticator: diff --git a/config/clusters/2i2c-uk/lis.values.yaml b/config/clusters/2i2c-uk/lis.values.yaml index 8c6e3d943b..87c0ea6207 100644 --- a/config/clusters/2i2c-uk/lis.values.yaml +++ b/config/clusters/2i2c-uk/lis.values.yaml @@ -49,14 +49,17 @@ jupyterhub: config: JupyterHub: authenticator_class: github + Authenticator: + # This hub uses GitHub Orgs auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed orgs. These people should have admin access though. + admin_users: + - LaCrecerelle + - matthew-brett GitHubOAuthenticator: - oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback" allowed_organizations: - 2i2c-org - lisacuk scope: - read:org - Authenticator: - admin_users: - - LaCrecerelle - - matthew-brett + oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback" diff --git a/config/clusters/2i2c-uk/staging.values.yaml b/config/clusters/2i2c-uk/staging.values.yaml index 6e6535a155..26778efe99 100644 --- a/config/clusters/2i2c-uk/staging.values.yaml +++ b/config/clusters/2i2c-uk/staging.values.yaml @@ -39,6 +39,8 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.uk.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index beec96e623..5165598e51 100644 
--- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml @@ -37,40 +37,21 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "profile" oauth_callback_url: "https://aup.pilot.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &aup_users - swalker - shaolintl + admin_users: *aup_users 
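Review bot: Dropping the explicit `allow_existing_users: True` together with its WARNING comments leaves the revocation caveat undocumented, even though the new FIXME under `Authenticator` states that a truthy allowed_users still implies the same behaviour on this chart version. With `allowed_users: &aup_users` and `admin_users: *aup_users` bound to one anchor, every listed user is also an admin, and removing a name from the list does not revoke access or admin status for a user already in the hub database; the removed comment block said this explicitly and pointed at the /hub/admin panel as the place to finish the revocation. I would keep a short version of it next to the FIXME, e.g. `# NOTE: allow_existing_users is implied here, so removing a name below does not revoke access or admin status; also delete or demote the user in /hub/admin.` The FIXME also reads `z3jh 3.0.0` where `z2jh 3.0.0` is presumably meant. The same block is reverted identically in 2i2c/neurohackademy.values.yaml, carbonplan/common.values.yaml, cloudbank/howard.values.yaml and cloudbank/lacc.values.yaml.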
diff --git a/config/clusters/2i2c/binder-staging.values.yaml b/config/clusters/2i2c/binder-staging.values.yaml index 8bc852e22b..ff4227152d 100644 --- a/config/clusters/2i2c/binder-staging.values.yaml +++ b/config/clusters/2i2c/binder-staging.values.yaml @@ -83,6 +83,8 @@ binderhub: - yuvipanda@2i2c.org CILogonOAuthenticator: oauth_callback_url: "https://binder-staging.hub.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/climatematch.values.yaml b/config/clusters/2i2c/climatematch.values.yaml index 5396702629..a982022793 100644 --- a/config/clusters/2i2c/climatematch.values.yaml +++ b/config/clusters/2i2c/climatematch.values.yaml @@ -39,9 +39,11 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", + ] securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/2i2c/dask-staging.values.yaml b/config/clusters/2i2c/dask-staging.values.yaml index bb4ffaafa7..0a0119ed56 100644 --- a/config/clusters/2i2c/dask-staging.values.yaml +++ b/config/clusters/2i2c/dask-staging.values.yaml @@ -44,7 +44,12 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "email" + - "profile" oauth_callback_url: "https://dask-staging.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://accounts.google.com/o/oauth2/auth allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/demo.values.yaml b/config/clusters/2i2c/demo.values.yaml index f43990eab6..134f3c351b 100644 --- a/config/clusters/2i2c/demo.values.yaml +++ b/config/clusters/2i2c/demo.values.yaml 
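Review bot: The restored `shown_idps` entry `http://accounts.google.com/o/oauth2/auth` in 2i2c/dask-staging.values.yaml does not match the key `http://google.com/accounts/o8/id` used under `allowed_idps` in the same hunk, so the IdP offered on the login page and the one actually authorized are spelled differently. If CILogon treats these as distinct identifiers, a user choosing the shown entry would be rejected by allowed_idps while the allowed one is never shown; the two lists should use the same identifier, e.g. `- http://google.com/accounts/o8/id` under shown_idps. callysto/common.values.yaml restores the same pairing (`https://accounts.google.com/o/oauth2/auth` shown, `http://google.com/accounts/o8/id` allowed), and 2i2c/neurohackademy.values.yaml shows `https://github.com/login/oauth/authorize` while allowing `http://github.com/login/oauth/authorize`. Since this is a revert to previously deployed values it may have worked in practice, but that is worth confirming against the identifiers CILogon actually uses rather than assumed.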
@@ -31,6 +31,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://demo.2i2c.cloud/hub/oauth_callback + shown_idps: + # Allow Google for 2i2c.org anr dmbl + - https://accounts.google.com/o/oauth2/auth + - https://enterprise.login.utexas.edu/idp/shibboleth allowed_idps: # UTexas hub https://enterprise.login.utexas.edu/idp/shibboleth: diff --git a/config/clusters/2i2c/imagebuilding-demo.values.yaml b/config/clusters/2i2c/imagebuilding-demo.values.yaml index 17e2a1c013..50f311916e 100644 --- a/config/clusters/2i2c/imagebuilding-demo.values.yaml +++ b/config/clusters/2i2c/imagebuilding-demo.values.yaml @@ -60,12 +60,14 @@ jupyterhub: hub: image: name: quay.io/2i2c/dynamic-image-building-experiment - tag: "0.0.1-0.dev.git.6935.h7141d766" + tag: "0.0.1-0.dev.git.6765.h33942a27" config: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://imagebuilding-demo.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/mtu.values.yaml b/config/clusters/2i2c/mtu.values.yaml index 987dec4528..040b7a27f2 100644 --- a/config/clusters/2i2c/mtu.values.yaml +++ b/config/clusters/2i2c/mtu.values.yaml @@ -39,6 +39,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://mtu.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - https://sso.mtu.edu/idp/shibboleth allowed_idps: # Allow 2i2c staff to login with Google http://google.com/accounts/o8/id: diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index 97df782ea4..f5fba70b7f 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml 
@@ -55,43 +55,24 @@ jupyterhub: config: JupyterHub: authenticator_class: cilogon + Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # + allowed_users: &neurohackademy_users + - arokem + admin_users: *neurohackademy_users CILogonOAuthenticator: + scope: + - "profile" oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback + shown_idps: + - https://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True - Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. - # - admin_users: - - arokem extraFiles: configurator-schema-default: data: 
diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index c37f1e6f97..bd95f724f0 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml @@ -56,6 +56,8 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/temple.values.yaml b/config/clusters/2i2c/temple.values.yaml index 5285b79915..4ee80ae16b 100644 --- a/config/clusters/2i2c/temple.values.yaml +++ b/config/clusters/2i2c/temple.values.yaml @@ -34,6 +34,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://temple.2i2c.cloud/hub/oauth_callback + shown_idps: + - https://fim.temple.edu/idp/shibboleth + - https://accounts.google.com/o/oauth2/auth allowed_idps: https://fim.temple.edu/idp/shibboleth: username_derivation: diff --git a/config/clusters/2i2c/ucmerced.values.yaml b/config/clusters/2i2c/ucmerced.values.yaml index bfe3f70435..2f6801e162 100644 --- a/config/clusters/2i2c/ucmerced.values.yaml +++ b/config/clusters/2i2c/ucmerced.values.yaml @@ -38,6 +38,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://ucmerced.2i2c.cloud/hub/oauth_callback + shown_idps: + - urn:mace:incommon:ucmerced.edu + - https://accounts.google.com/o/oauth2/auth allowed_idps: urn:mace:incommon:ucmerced.edu: username_derivation: diff --git a/config/clusters/awi-ciroh/common.values.yaml b/config/clusters/awi-ciroh/common.values.yaml index e05c6c001d..344f2982cd 100644 --- a/config/clusters/awi-ciroh/common.values.yaml +++ b/config/clusters/awi-ciroh/common.values.yaml 
@@ -33,6 +33,14 @@ basehub: config: JupyterHub: authenticator_class: github + Authenticator: + # This hub uses GitHub Orgs auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed orgs. These people should have admin access though. + admin_users: + - jameshalgren + - arpita0911patel + - karnesh GitHubOAuthenticator: allowed_organizations: - 2i2c-org @@ -40,11 +48,6 @@ basehub: - NOAA-OWP scope: - read:org - Authenticator: - admin_users: - - jameshalgren - - arpita0911patel - - karnesh singleuser: image: # Image build repo: https://github.com/2i2c-org/awi-ciroh-image diff --git a/config/clusters/callysto/common.values.yaml b/config/clusters/callysto/common.values.yaml index d458fe5809..045570e4f8 100644 --- a/config/clusters/callysto/common.values.yaml +++ b/config/clusters/callysto/common.values.yaml @@ -136,6 +136,9 @@ jupyterhub: - "102749090965437723445" # Byron Chu (Cybera) - "115909958579864751636" # Michael Jones (Cybera) - "106951135662332329542" # Elmar Bouwer (Cybera) + shown_idps: + - https://accounts.google.com/o/oauth2/auth + - https://login.microsoftonline.com/common/oauth2/v2.0/authorize allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index cb99bac399..28a0dd8685 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml 
@@ -188,41 +188,22 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "profile" + shown_idps: + - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to + # be configured explicitly. # - admin_users: + allowed_users: &users - maxrjones + admin_users: *users dask-gateway: traefik: diff --git a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml index 700d3b59d9..a2df37b761 100644 
--- a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml +++ b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml @@ -33,6 +33,8 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://unitefa-conicet.latam.catalystproject.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id allowed_idps: # The username claim here is used to do *authorization*, for both # admin use and any allow listing we want to do. diff --git a/config/clusters/cloudbank/bcc.values.yaml b/config/clusters/cloudbank/bcc.values.yaml index 82efa8756e..639ca29399 100644 --- a/config/clusters/cloudbank/bcc.values.yaml +++ b/config/clusters/cloudbank/bcc.values.yaml @@ -33,6 +33,8 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://bcc.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/ccsf.values.yaml b/config/clusters/cloudbank/ccsf.values.yaml index 133c1ecbbf..33973fe355 100644 --- a/config/clusters/cloudbank/ccsf.values.yaml +++ b/config/clusters/cloudbank/ccsf.values.yaml @@ -35,6 +35,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://ccsf.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/csm.values.yaml b/config/clusters/cloudbank/csm.values.yaml index 212bb96c36..240ea4039e 100644 --- a/config/clusters/cloudbank/csm.values.yaml +++ b/config/clusters/cloudbank/csm.values.yaml 
@@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://csm.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/csulb.values.yaml b/config/clusters/cloudbank/csulb.values.yaml index 554bac1627..4ae0342c76 100644 --- a/config/clusters/cloudbank/csulb.values.yaml +++ b/config/clusters/cloudbank/csulb.values.yaml @@ -35,6 +35,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://csulb.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - https://its-shib.its.csulb.edu/idp/shibboleth + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/demo.values.yaml b/config/clusters/cloudbank/demo.values.yaml index 582082b218..6fdfc4d9b6 100644 --- a/config/clusters/cloudbank/demo.values.yaml +++ b/config/clusters/cloudbank/demo.values.yaml @@ -38,6 +38,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://demo.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/dvc.values.yaml b/config/clusters/cloudbank/dvc.values.yaml index d3a1e06dcf..2ad2b663a4 100644 --- a/config/clusters/cloudbank/dvc.values.yaml +++ b/config/clusters/cloudbank/dvc.values.yaml 
@@ -33,6 +33,10 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://dvc.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - http://login.microsoftonline.com/common/oauth2/v2.0/authorize + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/elcamino.values.yaml b/config/clusters/cloudbank/elcamino.values.yaml index 2251ab5601..c17106e95e 100644 --- a/config/clusters/cloudbank/elcamino.values.yaml +++ b/config/clusters/cloudbank/elcamino.values.yaml @@ -34,6 +34,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://elcamino.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/evc.values.yaml b/config/clusters/cloudbank/evc.values.yaml index d0b4a04c28..2ff4485923 100644 --- a/config/clusters/cloudbank/evc.values.yaml +++ b/config/clusters/cloudbank/evc.values.yaml @@ -33,6 +33,10 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://evc.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://login.microsoftonline.com/common/oauth2/v2.0/authorize + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/fresno.values.yaml b/config/clusters/cloudbank/fresno.values.yaml index aa68e5cd00..82b4ae01c4 100644 --- a/config/clusters/cloudbank/fresno.values.yaml +++ b/config/clusters/cloudbank/fresno.values.yaml 
@@ -29,6 +29,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://fresno.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - https://idp.scccd.edu/idp/shibboleth + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: https://idp.scccd.edu/idp/shibboleth: username_derivation: diff --git a/config/clusters/cloudbank/glendale.values.yaml b/config/clusters/cloudbank/glendale.values.yaml index e061af47a1..6e2907e48c 100644 --- a/config/clusters/cloudbank/glendale.values.yaml +++ b/config/clusters/cloudbank/glendale.values.yaml @@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://glendale.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml index 5e77e99332..47230603e2 100644 --- a/config/clusters/cloudbank/howard.values.yaml +++ b/config/clusters/cloudbank/howard.values.yaml @@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://howard.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -36,37 +39,14 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &howard_users - ericvd@berkeley.edu - gwashington@scs.howard.edu - anthony.fgordon64@gmail.com - mikayladorange@gmail.com + admin_users: *howard_users diff --git a/config/clusters/cloudbank/humboldt.values.yaml b/config/clusters/cloudbank/humboldt.values.yaml index a23fb82f0e..b8b5687663 100644 --- a/config/clusters/cloudbank/humboldt.values.yaml +++ b/config/clusters/cloudbank/humboldt.values.yaml 
@@ -38,6 +38,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://humboldt.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - https://sso.humboldt.edu/idp/metadata + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml index 8c6c41b29a..d0cfb85396 100644 --- a/config/clusters/cloudbank/lacc.values.yaml +++ b/config/clusters/cloudbank/lacc.values.yaml @@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://lacc.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -36,38 +39,15 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &lacc_users - PINEDAEM@laccd.edu - LAMKT@laccd.edu - ericvd@berkeley.edu - k_usovich@berkeley.edu - sean.smorris@berkeley.edu + admin_users: *lacc_users diff --git a/config/clusters/cloudbank/laney.values.yaml b/config/clusters/cloudbank/laney.values.yaml index 030a83fda3..635b814676 100644 --- a/config/clusters/cloudbank/laney.values.yaml +++ b/config/clusters/cloudbank/laney.values.yaml 
@@ -29,6 +29,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://laney.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://login.microsoftonline.com/common/oauth2/v2.0/authorize + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/mills.values.yaml b/config/clusters/cloudbank/mills.values.yaml index aac9ca925a..3ab1ed7d43 100644 --- a/config/clusters/cloudbank/mills.values.yaml +++ b/config/clusters/cloudbank/mills.values.yaml @@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://datahub.mills.edu/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/miracosta.values.yaml b/config/clusters/cloudbank/miracosta.values.yaml index 498591ee0c..571cf69625 100644 --- a/config/clusters/cloudbank/miracosta.values.yaml +++ b/config/clusters/cloudbank/miracosta.values.yaml @@ -29,6 +29,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://miracosta.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - https://miracosta.fedgw.com/gateway + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/mission.values.yaml b/config/clusters/cloudbank/mission.values.yaml index 8201315abe..16603ec4cf 100644 --- a/config/clusters/cloudbank/mission.values.yaml +++ b/config/clusters/cloudbank/mission.values.yaml 
@@ -35,6 +35,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://mission.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/norco.values.yaml b/config/clusters/cloudbank/norco.values.yaml index cfdbaf302a..5d42630565 100644 --- a/config/clusters/cloudbank/norco.values.yaml +++ b/config/clusters/cloudbank/norco.values.yaml @@ -29,6 +29,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://norco.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://login.microsoftonline.com/common/oauth2/v2.0/authorize + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml index 91dcb3349c..ed70944609 100644 --- a/config/clusters/cloudbank/palomar.values.yaml +++ b/config/clusters/cloudbank/palomar.values.yaml @@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://palomar.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -36,37 +39,14 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &palomar_users - aculich@berkeley.edu - sean.smorris@berkeley.edu - tcanon@palomar.edu - PChen@palomar.edu + admin_users: *palomar_users diff --git a/config/clusters/cloudbank/pasadena.values.yaml b/config/clusters/cloudbank/pasadena.values.yaml index a2d10d2a68..34d3e1f0fb 100644 --- a/config/clusters/cloudbank/pasadena.values.yaml +++ b/config/clusters/cloudbank/pasadena.values.yaml 
@@ -35,6 +35,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://pasadena.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/sacramento.values.yaml b/config/clusters/cloudbank/sacramento.values.yaml index 41d5bab610..3ad1eea699 100644 --- a/config/clusters/cloudbank/sacramento.values.yaml +++ b/config/clusters/cloudbank/sacramento.values.yaml @@ -35,6 +35,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sacramento.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/saddleback.values.yaml b/config/clusters/cloudbank/saddleback.values.yaml index 04bb50c6e0..b266acf112 100644 --- a/config/clusters/cloudbank/saddleback.values.yaml +++ b/config/clusters/cloudbank/saddleback.values.yaml @@ -35,6 +35,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://saddleback.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/santiago.values.yaml b/config/clusters/cloudbank/santiago.values.yaml index 64584ef345..8b7bb5f559 100644 --- a/config/clusters/cloudbank/santiago.values.yaml +++ b/config/clusters/cloudbank/santiago.values.yaml 
@@ -35,6 +35,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://santiago.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://login.microsoftonline.com/common/oauth2/v2.0/authorize + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml index 98e01568a0..b9a5978e26 100644 --- a/config/clusters/cloudbank/sbcc-dev.values.yaml +++ b/config/clusters/cloudbank/sbcc-dev.values.yaml @@ -29,6 +29,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://sbcc-dev.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - https://idp.sbcc.edu/idp/shibboleth + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -39,36 +43,13 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &sbcc_users - ericvd@gmail.com - sean.smorris@berkeley.edu - nfguebels@pipeline.sbcc.edu + admin_users: *sbcc_users diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml index 2fc8495102..bc6de536b7 100644 --- a/config/clusters/cloudbank/sbcc.values.yaml +++ b/config/clusters/cloudbank/sbcc.values.yaml 
@@ -29,6 +29,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://sbcc.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - https://idp.sbcc.edu/idp/shibboleth + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -39,36 +43,13 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &sbcc_users - ericvd@gmail.com - sean.smorris@berkeley.edu - nfguebels@pipeline.sbcc.edu + admin_users: *sbcc_users diff --git a/config/clusters/cloudbank/sjcc.values.yaml b/config/clusters/cloudbank/sjcc.values.yaml index ea7c8b661c..c7e631b968 100644 --- a/config/clusters/cloudbank/sjcc.values.yaml +++ b/config/clusters/cloudbank/sjcc.values.yaml 
@@ -29,6 +29,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sjcc.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://login.microsoftonline.com/common/oauth2/v2.0/authorize + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/sjsu.values.yaml b/config/clusters/cloudbank/sjsu.values.yaml index 8272328530..eba295012f 100644 --- a/config/clusters/cloudbank/sjsu.values.yaml +++ b/config/clusters/cloudbank/sjsu.values.yaml @@ -38,6 +38,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sjsu.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - https://idp01.sjsu.edu/idp/shibboleth + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/skyline.values.yaml b/config/clusters/cloudbank/skyline.values.yaml index 6473ee80de..55ba9646aa 100644 --- a/config/clusters/cloudbank/skyline.values.yaml +++ b/config/clusters/cloudbank/skyline.values.yaml @@ -35,6 +35,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://skyline.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/srjc.values.yaml b/config/clusters/cloudbank/srjc.values.yaml index 9f94a9a215..55123f9bed 100644 --- a/config/clusters/cloudbank/srjc.values.yaml +++ b/config/clusters/cloudbank/srjc.values.yaml 
@@ -35,6 +35,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://srjc.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml index b45e22d8ae..3d2667584c 100644 --- a/config/clusters/cloudbank/staging.values.yaml +++ b/config/clusters/cloudbank/staging.values.yaml @@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -36,34 +39,11 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &staging_users - sean.smorris@berkeley.edu + admin_users: *staging_users diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml index 40d56e897c..6a2bd2b849 100644 --- a/config/clusters/cloudbank/tuskegee.values.yaml +++ b/config/clusters/cloudbank/tuskegee.values.yaml 
@@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://tuskegee.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: @@ -36,36 +39,12 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &tuskegee_users - yasmeen.rawajfih@gmail.com - Wu.fan01@gmail.com - yanlisa@berkeley.edu 
@@ -73,3 +52,4 @@ jupyterhub: - ericvd@berkeley.edu - sean.smorris@berkeley.edu - sean.smorris@gmail.com + admin_users: *tuskegee_users diff --git a/config/clusters/gridsst/common.values.yaml b/config/clusters/gridsst/common.values.yaml index b2bffbfd94..718e911de3 100644 --- a/config/clusters/gridsst/common.values.yaml +++ b/config/clusters/gridsst/common.values.yaml 
@@ -36,41 +36,18 @@ basehub: url: https://science.nasa.gov/earth-science/focus-areas/climate-variability-and-change/ocean-physics hub: config: - JupyterHub: - authenticator_class: github - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to + # be configured explicitly. # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. - # - admin_users: + allowed_users: &gridsst_users - alisonrgray - nikki-t - dgumustel + admin_users: *gridsst_users + JupyterHub: + authenticator_class: github singleuser: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods 
diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index dd9f7364e5..ff8a41e278 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml @@ -49,9 +49,11 @@ basehub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan", + ] securityContext: runAsUser: 0 volumeMounts: 
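Review bot: The init container `command` is rewritten as a multi-line flow sequence (`[ "sh", "-c", "…", ]`) while the rest of the file uses block sequences; a three-element structured value diffs and reads better as `- sh` / `- -c` / `- id && chown …`, and the trailing comma inside the brackets, although valid YAML, is one more thing for a reader to stumble over. The nasa-cryo volume-mount-ownership-fix hunk makes the same change and should follow whichever style is chosen here.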
@@ -220,40 +222,20 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "profile" + shown_idps: + - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &users # This is just listing a few of the users/admins, a lot of # users has been added manually, see: # https://github.com/pangeo-data/jupyter-earth/issues/53 
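Review bot: The new `scope:` entry pins the CILogon request to `"profile"` only, and the same block derives the hub username from `username_claim: "preferred_username"`; if that claim is only delivered under this scope, the two settings are coupled and a comment next to `scope` should say so, e.g. `# "profile" is what delivers preferred_username; keep in step with username_claim below`. I cannot tell from the hunk whether the narrowed scope was verified against a live login, so that is worth confirming before deploy. The meom-ige and openscapes hunks add the identical pair.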
@@ -273,6 +255,7 @@ basehub: - whyjz # Whyjay Zheng - yuvipanda # Yuvi Panda - jonathan-taylor # Jonathan Taylor + admin_users: *users allowNamedServers: true dask-gateway: diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index 7c1684b87b..bd4d000c24 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml @@ -39,9 +39,17 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6935.h7141d766" + tag: "0.0.1-0.dev.git.6863.h406a3546" allowNamedServers: true config: + Authenticator: + enable_auth_state: true + # This hub uses GitHub Teams auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed teams. These people should have admin access though. + admin_users: + - rabernat + - jbusecke JupyterHub: authenticator_class: github # Announcement is a JupyterHub feature to present messages to users in @@ -68,11 +76,6 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org - Authenticator: - enable_auth_state: true - admin_users: - - rabernat - - jbusecke singleuser: image: name: pangeo/pangeo-notebook diff --git a/config/clusters/linked-earth/common.values.yaml b/config/clusters/linked-earth/common.values.yaml index 9daf307323..1354a071e2 100644 --- a/config/clusters/linked-earth/common.values.yaml +++ b/config/clusters/linked-earth/common.values.yaml @@ -33,15 +33,18 @@ basehub: config: JupyterHub: authenticator_class: github + Authenticator: + # This hub uses GitHub Orgs auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed orgs. These people should have admin access though. + admin_users: + - khider GitHubOAuthenticator: allowed_organizations: - 2i2c-org - LinkedEarth scope: - read:org - Authenticator: - admin_users: - - khider singleuser: image: # User image repo: https://quay.io/repository/linkedearth/pyleoclim 
diff --git a/config/clusters/m2lines/common.values.yaml b/config/clusters/m2lines/common.values.yaml index 08ab1f3824..d624a11e24 100644 --- a/config/clusters/m2lines/common.values.yaml +++ b/config/clusters/m2lines/common.values.yaml @@ -39,6 +39,14 @@ basehub: hub: allowNamedServers: true config: + Authenticator: + # This hub uses GitHub Teams auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed teams. These people should have admin access though. + admin_users: + - rabernat + - johannag126 + - jbusecke JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -47,11 +55,6 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org - Authenticator: - admin_users: - - rabernat - - johannag126 - - jbusecke singleuser: extraFiles: jupyter_notebook_config.json: diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index dd8c89f62b..954c78e975 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml 
@@ -87,43 +87,24 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "profile" + shown_idps: + - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &users - roxyboy - lesommer - auraoupa + admin_users: *users allowNamedServers: true dask-gateway: diff --git a/config/clusters/nasa-cryo/common.values.yaml b/config/clusters/nasa-cryo/common.values.yaml index 067d059051..53ef4e3997 100644 
--- a/config/clusters/nasa-cryo/common.values.yaml +++ b/config/clusters/nasa-cryo/common.values.yaml @@ -37,22 +37,13 @@ basehub: hub: allowNamedServers: true config: - JupyterHub: - authenticator_class: github - GitHubOAuthenticator: - # We are restricting profiles based on GitHub Team membership and - # so need to populate the teams in the auth state - populate_teams_in_auth_state: true - allowed_organizations: - - 2i2c-org:hub-access-for-2i2c-staff - - CryoInTheCloud:cryoclouduser - - CryoInTheCloud:cryocloudadvanced - scope: - - read:org Authenticator: # We are restricting profiles based on GitHub Team membership and # so need to persist auth state enable_auth_state: true + # This hub uses GitHub Teams auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed teams. These people should have admin access though. admin_users: - tsnow03 - JessicaS11 @@ -61,7 +52,18 @@ basehub: - fperez - scottyhq - jomey - + JupyterHub: + authenticator_class: github + GitHubOAuthenticator: + # We are restricting profiles based on GitHub Team membership and + # so need to populate the teams in the auth state + populate_teams_in_auth_state: true + allowed_organizations: + - 2i2c-org:hub-access-for-2i2c-staff + - CryoInTheCloud:cryoclouduser + - CryoInTheCloud:cryocloudadvanced + scope: + - read:org singleuser: extraFiles: # jupyter_server_config.json is defined by basehub, this entry adds to it @@ -89,9 +91,11 @@ basehub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", + ] securityContext: runAsUser: 0 volumeMounts: 
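Review bot: The new command string in the volume-mount-ownership-fix hunk ends with a space before the closing quote, `… ls -lhd /home/jovyan "`; sh ignores it, but it is trailing whitespace inside a quoted value that no formatter will flag and that gets carried along on copy-paste, so drop it. Splitting the single `chown 1000:1000 a b c` into three `&&`-chained chown calls also changes failure behaviour slightly: the combined form still attempts the remaining paths when one fails, whereas the chain stops at the first failure and leaves the later directories untouched — fine if intended, since this init container runs as root and the point is that the container fails loudly, but worth a short comment so the next editor does not "simplify" it back.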
diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 8d3a55327d..2eb76b999e 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -34,7 +34,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6935.h7141d766" + tag: "0.0.1-0.dev.git.6863.h406a3546" allowNamedServers: true config: Authenticator: diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index 429becc556..cb4feca425 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml 
@@ -54,44 +54,25 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "profile" + shown_idps: + - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. - # - admin_users: + admin_users: &users - amfriesz - jules32 - erinmr - betolink + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # + allowed_users: *users dask-gateway: gateway: extraConfig: diff --git a/config/clusters/openscapes/staging.values.yaml b/config/clusters/openscapes/staging.values.yaml index 466c1060d6..13fcfa7ec1 100644 
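Review bot: `allowed_users: *users` makes the login allow-list identical to `admin_users`, so every account that can sign in to this hub is a Hub admin, and anyone later appended under `&users` to grant plain access silently becomes admin too; if admins-only is the intent, the comment should say so, otherwise `allowed_users` deserves its own list. The hunk also drops the WARNING text about `allow_existing_users` while the new FIXME states that the same implicit behaviour applies in 3.0.0-beta.1, so the revocation caveat from the removed comment (removing a name from `allowed_users`/`admin_users` does not revoke access for a user already in the Hub database; they must also be deleted via the /hub/admin panel) is worth keeping in a shorter form next to the FIXME. Minor: the FIXME reads `z3jh 3.0.0`, presumably `z2jh`. The same anchor/alias pattern and FIXME are restored in pangeo-hubs/coessing.values.yaml.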
--- a/config/clusters/openscapes/staging.values.yaml +++ b/config/clusters/openscapes/staging.values.yaml @@ -122,7 +122,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6935.h7141d766" + tag: "0.0.1-0.dev.git.6863.h406a3546" config: CILogonOAuthenticator: oauth_callback_url: "https://staging.openscapes.2i2c.cloud/hub/oauth_callback" diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index 0235e3e56c..5bdcffc433 100644 --- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml 
@@ -34,42 +34,23 @@ basehub: node.kubernetes.io/instance-type: n1-standard-2 hub: config: + Authenticator: + admin_users: &admin_users + - paigemar@umich.edu + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # + allowed_users: *admin_users + # Delete any prior existing users in the db that don't pass username_pattern + delete_invalid_users: true JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://coessing.2i2c.cloud/hub/oauth_callback" + shown_idps: + - https://accounts.google.com/o/oauth2/auth allowed_idps: http://google.com/accounts/o8/id: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True - Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. 
- # - admin_users: - - paigemar@umich.edu diff --git a/config/clusters/pangeo-hubs/common.values.yaml b/config/clusters/pangeo-hubs/common.values.yaml index e9d9dc23b8..2c4bef29bf 100644 --- a/config/clusters/pangeo-hubs/common.values.yaml +++ b/config/clusters/pangeo-hubs/common.values.yaml @@ -38,6 +38,15 @@ basehub: hub: allowNamedServers: true config: + Authenticator: + # This hub uses GitHub Teams auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed teams. These people should have admin access though. + admin_users: + - rabernat + - jhamman + - scottyhq + - TomAugspurger JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -46,12 +55,6 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org - Authenticator: - admin_users: - - rabernat - - jhamman - - scottyhq - - TomAugspurger singleuser: extraEnv: GH_SCOPED_CREDS_CLIENT_ID: "Iv1.c90ee430400a347f" diff --git a/config/clusters/qcl/common.values.yaml b/config/clusters/qcl/common.values.yaml index 1d1eddc558..2587614226 100644 --- a/config/clusters/qcl/common.values.yaml +++ b/config/clusters/qcl/common.values.yaml @@ -36,6 +36,13 @@ jupyterhub: hub: allowNamedServers: true config: + Authenticator: + # This hub uses GitHub Teams auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed teams. These people should have admin access though. + admin_users: + - gizmo404 + - jtkmckenna JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -44,10 +51,6 @@ jupyterhub: - QuantifiedCarbon:jupyterhub scope: - read:org - Authenticator: - admin_users: - - gizmo404 - - jtkmckenna singleuser: image: # pangeo/pangeo-notebook is maintained at: https://github.com/pangeo-data/pangeo-docker-images 
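Review bot: `shown_idps` lists `https://accounts.google.com/o/oauth2/auth` while `allowed_idps` is keyed on `http://google.com/accounts/o8/id`, and the cilogon.md example in this same patch uses the latter identifier for both keys; if `shown_idps` entries have to match `allowed_idps` keys, the Google option would not be displayed on this hub. Either align it to `- http://google.com/accounts/o8/id` or confirm the identifier against CILogon's provider list. `delete_invalid_users: true` is restored with a comment referring to `username_pattern`, but no such pattern is visible in the hunk, so a short pointer to where it is configured would help the next reader.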
@@ -228,9 +231,11 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", + ] securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/smithsonian/common.values.yaml b/config/clusters/smithsonian/common.values.yaml index 3a8aba9abc..499066f1ff 100644 --- a/config/clusters/smithsonian/common.values.yaml +++ b/config/clusters/smithsonian/common.values.yaml @@ -48,6 +48,9 @@ basehub: - read:org Authenticator: enable_auth_state: true + # This hub uses GitHub Orgs auth and so we don't set allowed_users in + # order to not deny access to valid members of the listed orgs. These + # people should have admin access though. admin_users: - MikeTrizna # Mike Trizna - rdikow # Rebecca Dikow diff --git a/config/clusters/ubc-eoas/common.values.yaml b/config/clusters/ubc-eoas/common.values.yaml index bdf33cc29f..fbbbf9ec92 100644 --- a/config/clusters/ubc-eoas/common.values.yaml +++ b/config/clusters/ubc-eoas/common.values.yaml @@ -42,6 +42,9 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + shown_idps: + - https://authentication.ubc.ca + - http://google.com/accounts/o8/id allowed_idps: https://authentication.ubc.ca: username_derivation: diff --git a/config/clusters/utoronto/common.values.yaml b/config/clusters/utoronto/common.values.yaml index a47175f4f8..984e89b54c 100644 --- a/config/clusters/utoronto/common.values.yaml +++ b/config/clusters/utoronto/common.values.yaml 
@@ -81,6 +81,8 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://r-staging.datatools.utoronto.ca/hub/oauth_callback + shown_idps: + - https://idpz.utorauth.utoronto.ca/shibboleth allowed_idps: https://idpz.utorauth.utoronto.ca/shibboleth: username_derivation: diff --git a/config/clusters/victor/common.values.yaml b/config/clusters/victor/common.values.yaml index 4efda07888..47136ec38c 100644 --- a/config/clusters/victor/common.values.yaml +++ b/config/clusters/victor/common.values.yaml @@ -34,6 +34,13 @@ basehub: url: https://people.climate.columbia.edu/projects/sponsor/National%20Science%20Foundation hub: config: + Authenticator: + # This hub uses GitHub Teams auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed teams. These people should have admin access though. + admin_users: + - einatlev-ldeo + - SamKrasnoff JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -42,10 +49,6 @@ basehub: - VICTOR-Community:victoraccess scope: - read:org - Authenticator: - admin_users: - - einatlev-ldeo - - SamKrasnoff singleuser: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods diff --git a/docs/howto/features/per-user-db.md b/docs/howto/features/per-user-db.md index 871c843b3f..52141691ac 100644 --- a/docs/howto/features/per-user-db.md +++ b/docs/howto/features/per-user-db.md @@ -60,9 +60,11 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /var/lib/postgresql/data && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /var/lib/postgresql/data && ls -lhd /home/jovyan ", + ] securityContext: runAsUser: 0 volumeMounts: diff --git a/docs/hub-deployment-guide/configure-auth/cilogon.md b/docs/hub-deployment-guide/configure-auth/cilogon.md index 04a5824843..de91c07245 100644 
--- a/docs/hub-deployment-guide/configure-auth/cilogon.md +++ b/docs/hub-deployment-guide/configure-auth/cilogon.md @@ -69,6 +69,10 @@ jupyterhub: - admin@anu.edu.au CILogonOAuthenticator: oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback + # Show only the option to login with Google and ANU's provider + shown_idps: + - http://google.com/accounts/o8/id + - https://idp2.anu.edu.au/idp/shibboleth # Allow to only login into the hub using Google or ANU's provider allowed_idps: http://google.com/accounts/o8/id: @@ -115,7 +119,11 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "profile" oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback + shown_idps: + - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/docs/topic/infrastructure/storage-layer.md b/docs/topic/infrastructure/storage-layer.md index 171b2b0943..951eb916ca 100644 --- a/docs/topic/infrastructure/storage-layer.md +++ b/docs/topic/infrastructure/storage-layer.md @@ -118,9 +118,11 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", + ] securityContext: runAsUser: 0 volumeMounts: diff --git a/helm-charts/basehub/Chart.yaml b/helm-charts/basehub/Chart.yaml index d410964912..ff28172b3e 100644 --- a/helm-charts/basehub/Chart.yaml +++ b/helm-charts/basehub/Chart.yaml 
@@ -11,7 +11,7 @@ dependencies: # images/hub/Dockerfile, and will also involve manually building and pushing # the Dockerfile to https://quay.io/2i2c/pilot-hub. Details about this can # be found in the Dockerfile's comments. - version: 3.0.2 + version: 3.0.0-beta.1.git.6208.h7b44299a repository: https://jupyterhub.github.io/helm-chart/ - name: binderhub-service version: 0.1.0-0.dev.git.80.h358d32f diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index c35a07fc0d..c58cea667f 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -177,9 +177,11 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan ", + ] securityContext: runAsUser: 0 volumeMounts: @@ -392,7 +394,7 @@ jupyterhub: interfaces: - value: "/tree" title: Classic Notebook - description: >- + description: The original single-document interface for creating Jupyter Notebooks. - value: "/lab" @@ -418,8 +420,8 @@ jupyterhub: securityContext: runAsUser: 1000 runAsGroup: 1000 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + allowPrivilegeEscalation: False + readOnlyRootFilesystem: True volumeMounts: - name: custom-templates mountPath: /srv/repo @@ -486,8 +488,8 @@ jupyterhub: securityContext: runAsUser: 1000 runAsGroup: 1000 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + allowPrivilegeEscalation: False + readOnlyRootFilesystem: True volumeMounts: - name: custom-templates mountPath: /srv/repo @@ -524,7 +526,7 @@ jupyterhub: admin: true image: name: quay.io/2i2c/pilot-hub - tag: "0.0.1-0.dev.git.6935.h7141d766" + tag: "0.0.1-0.dev.git.6074.h895181eb" networkPolicy: enabled: true # interNamespaceAccessLabels=accept makes the hub pod's associated 
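Review bot: In the `@@ -392` hunk of helm-charts/basehub/values.yaml, dropping `>-` leaves `description:` as a plain scalar continued onto the next line; it still folds to one string, but a stray `: ` or ` #` in that text would silently change its meaning, so keeping `description: >-` is the safer form regardless of which z2jh version is in use.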
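Review bot: The hub-pod `securityContext` in the `@@ -418` hunk goes back to `allowPrivilegeEscalation: False` / `readOnlyRootFilesystem: True`; Kubernetes' parser reads these as booleans, but yamllint's `truthy` rule flags the capitalised spelling and the same file uses lowercase elsewhere (`enabled: true`), so `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` are the consistent spelling and keep the hardening settings unambiguous to other tooling. The `@@ -486` hunk has the identical pair.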
diff --git a/helm-charts/chartpress.yaml b/helm-charts/chartpress.yaml index 6ecf191e45..962a638476 100644 --- a/helm-charts/chartpress.yaml +++ b/helm-charts/chartpress.yaml @@ -1,13 +1,3 @@ -# This is the configuration for chartpress, a CLI for Helm chart management. -# -# chartpress can be used to: -# - Build images -# - Update Chart.yaml (version) and values.yaml (image tags) -# - Package and publish Helm charts to a GitHub based Helm chart repository -# -# For more information about chartpress, see the projects README.md file: -# https://github.com/jupyterhub/chartpress -# charts: - name: basehub imagePrefix: quay.io/2i2c/pilot- @@ -15,16 +5,16 @@ charts: hub: valuesPath: jupyterhub.hub.image buildArgs: - REQUIREMENTS_FILE: requirements.txt + REQUIREMENTS_FILE: "requirements.txt" unlisted-choice-experiment: imageName: quay.io/2i2c/unlisted-choice-experiment buildArgs: - REQUIREMENTS_FILE: unlisted-choice-requirements.txt - contextPath: images/hub + REQUIREMENTS_FILE: "unlisted-choice-requirements.txt" + contextPath: "images/hub" dockerfilePath: images/hub/Dockerfile dynamic-image-building-experiment: imageName: quay.io/2i2c/dynamic-image-building-experiment buildArgs: - REQUIREMENTS_FILE: dynamic-image-building-requirements.txt - contextPath: images/hub - dockerfilePath: images/hub/Dockerfile + REQUIREMENTS_FILE: "dynamic-image-building-requirements.txt" + contextPath: "images/hub" + dockerfilePath: "images/hub/Dockerfile" diff --git a/helm-charts/images/hub/Dockerfile b/helm-charts/images/hub/Dockerfile index 6d5e7e05b5..77caeb4434 100644 --- a/helm-charts/images/hub/Dockerfile +++ b/helm-charts/images/hub/Dockerfile 
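Review bot: After the second hunk the chart images are quoted inconsistently: `unlisted-choice-experiment` keeps `dockerfilePath: images/hub/Dockerfile` bare while `dynamic-image-building-experiment` has `dockerfilePath: "images/hub/Dockerfile"`, and `contextPath`/`REQUIREMENTS_FILE` are quoted while `imagePrefix`/`imageName` are not. None of these values need quoting, so the plain form throughout is the consistent choice. The first hunk also deletes the file header that said what chartpress is and linked its README; a revert does not have to take that with it, and a two-line `# Configuration for chartpress (https://github.com/jupyterhub/chartpress),` / `# which builds the hub images and updates Chart.yaml and values.yaml.` keeps the context.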
@@ -12,11 +12,7 @@ # `chartpress --push --builder docker-buildx --platform linux/amd64` # Ref: https://cloudolife.com/2022/03/05/Infrastructure-as-Code-IaC/Container/Docker/Docker-buildx-support-multiple-architectures-images/ # -FROM jupyterhub/k8s-hub:3.0.2 - -# chartpress.yaml defines multiple hub images differentiated only by a -# requirements.txt file with dependencies, this build argument allows us to -# re-use this Dockerfile for all images. +FROM jupyterhub/k8s-hub:3.0.0-beta.1 ARG REQUIREMENTS_FILE COPY ${REQUIREMENTS_FILE} /tmp/ diff --git a/helm-charts/images/hub/dynamic-image-building-requirements.txt b/helm-charts/images/hub/dynamic-image-building-requirements.txt index fcfadf2363..225a86b394 100644 --- a/helm-charts/images/hub/dynamic-image-building-requirements.txt +++ b/helm-charts/images/hub/dynamic-image-building-requirements.txt @@ -1,6 +1,6 @@ # Image lives at quay.io/2i2c/second-hub-experimental git+https://github.com/yuvipanda/jupyterhub-configurator@ed7e3a0df1e3d625d10903ef7d7fd9c2fbb548db # Brings on using `unlisted_choice` in profile options per https://github.com/2i2c-org/infrastructure/issues/2146 -git+https://github.com/jupyterhub/kubespawner@8cc569c78bcdb342e694f7344219e43d522f4809 +git+https://github.com/jupyterhub/kubespawner@5a90351adba7d65286bd5e00e82f156011bf7b83 # Brings in https://github.com/yuvipanda/prototype-kubespawner-dynamic-building-ui git+https://github.com/yuvipanda/prototype-kubespawner-dynamic-building-ui.git@b36ece00b5e7fcba5d4485e7ab70992705601c3c
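Review bot: The comment explaining why `ARG REQUIREMENTS_FILE` exists (one Dockerfile shared by several hub images that differ only in their requirements file) is removed together with the base-image change, although it is unrelated to the version; it is worth keeping, e.g. `# chartpress.yaml builds several hub images from this Dockerfile; they differ only in REQUIREMENTS_FILE.`. `FROM jupyterhub/k8s-hub:3.0.0-beta.1` is pinned by a mutable pre-release tag, so a later rebuild could pick up a re-pushed image unnoticed; pinning the digest as well (`jupyterhub/k8s-hub:3.0.0-beta.1@sha256:<digest-placeholder>`) would make the reverted build reproducible. The Dockerfile's remaining instructions continue past the hunk.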