Unify Openscapes profile list config #3625

Merged
merged 1 commit into from
Jan 30, 2024
123 changes: 123 additions & 0 deletions config/clusters/openscapes/common.values.yaml
Expand Up @@ -37,6 +37,126 @@ basehub:
singleuser:
serviceAccountName: cloud-user-sa
defaultUrl: /lab
profileList:
- display_name: Python
description: Python datascience environment
default: true
allowed_teams:
- 2i2c-org:hub-access-for-2i2c-staff
- NASA-Openscapes:workshopaccess-2i2c
- NASA-Openscapes:longtermaccess-2i2c
- NASA-Openscapes:championsaccess-2i2c
kubespawner_override:
image: openscapes/python:4f340eb
profile_options: &profile_options
requests: &profile_options_resource_allocation
display_name: Resource Allocation
choices:
mem_1_9:
display_name: 1.9 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 1992701952
mem_limit: 1992701952
cpu_guarantee: 0.234375
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
default: true
mem_3_7:
display_name: 3.7 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 3985403904
mem_limit: 3985403904
cpu_guarantee: 0.46875
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
mem_7_4:
display_name: 7.4 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 7970807808
mem_limit: 7970807808
cpu_guarantee: 0.9375
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
mem_14_8:
display_name: 14.8 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 15941615616
mem_limit: 15941615616
cpu_guarantee: 1.875
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
mem_29_7:
display_name: 29.7 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 31883231232
mem_limit: 31883231232
cpu_guarantee: 3.75
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
mem_60_6:
display_name: 60.6 GB RAM, upto 15.7 CPUs
kubespawner_override:
mem_guarantee: 65094813696
mem_limit: 65094813696
cpu_guarantee: 7.86
cpu_limit: 15.72
node_selector:
node.kubernetes.io/instance-type: r5.4xlarge
mem_121_2:
display_name: 121.2 GB RAM, upto 15.7 CPUs
kubespawner_override:
mem_guarantee: 130189627392
mem_limit: 130189627392
cpu_guarantee: 15.72
cpu_limit: 15.72
node_selector:
node.kubernetes.io/instance-type: r5.4xlarge
- display_name: R
description: R (with RStudio) + Python environment
allowed_teams:
- 2i2c-org:hub-access-for-2i2c-staff
- NASA-Openscapes:workshopaccess-2i2c
- NASA-Openscapes:longtermaccess-2i2c
- NASA-Openscapes:championsaccess-2i2c
kubespawner_override:
image: openscapes/rocker:a7596b5
# Ensures container working dir is homedir
# https://github.com/2i2c-org/infrastructure/issues/2559
working_dir: /home/rstudio
profile_options: *profile_options
- display_name: Matlab
description: Matlab environment
allowed_teams:
- 2i2c-org:hub-access-for-2i2c-staff
- NASA-Openscapes:workshopaccess-2i2c
- NASA-Openscapes:longtermaccess-2i2c
- NASA-Openscapes:championsaccess-2i2c
kubespawner_override:
image: openscapes/matlab:2023-11-28
profile_options: *profile_options
- display_name: "Bring your own image"
description: Specify your own docker image (must have python and jupyterhub installed in it)
slug: custom
allowed_teams:
- NASA-Openscapes:longtermaccess-2i2c
- 2i2c-org:hub-access-for-2i2c-staff
profile_options:
image:
display_name: Image
unlisted_choice:
enabled: True
display_name: "Custom image"
validation_regex: "^.+:.+$"
validation_message: "Must be a publicly available docker image, of form <image-name>:<tag>"
kubespawner_override:
image: "{value}"
choices: {}
resource_allocation: *profile_options_resource_allocation
scheduling:
userScheduler:
enabled: true
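Review bot: `validation_regex: "^.+:.+$"` in the "Bring your own image" profile accepts any string that contains a colon, including whitespace and characters that are not valid in an image reference, so it does not enforce the `<image-name>:<tag>` form that `validation_message` promises. Consider a character class limited to what an image reference may contain. The chosen image also runs under `serviceAccountName: cloud-user-sa` from the context lines at the top of this hunk, so the shorter `allowed_teams` list on this profile is the control visible here on who can run an arbitrary image with that service account; a comment saying so would keep a later edit from widening it by accident.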
Expand All @@ -46,7 +166,10 @@ basehub:
JupyterHub:
authenticator_class: github
GitHubOAuthenticator:
enable_auth_state: true
populate_teams_in_auth_state: true
allowed_organizations:
- 2i2c-org:hub-access-for-2i2c-staff
- NASA-Openscapes:workshopaccess-2i2c
- NASA-Openscapes:longtermaccess-2i2c
- NASA-Openscapes:championsaccess-2i2c
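Review bot: the four entries under `allowed_organizations` are repeated by hand in the `allowed_teams` lists of the Python, R and Matlab profiles earlier in this file, so the two can drift: a team added here but to no profile could log in and would match no profile's `allowed_teams`. Consider defining the list once with a YAML anchor, as is already done for `profile_options`, and aliasing it in both places, or add a comment here pointing at `profileList`.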
87 changes: 0 additions & 87 deletions config/clusters/openscapes/prod.values.yaml
Expand Up @@ -11,93 +11,6 @@ basehub:
singleuser:
extraEnv:
SCRATCH_BUCKET: s3://openscapeshub-scratch/$(JUPYTERHUB_USER)
profileList:
- display_name: Python
description: Python datascience environment
default: true
kubespawner_override:
image: openscapes/python:4f340eb
profile_options: &profile_options
requests:
display_name: Resource Allocation
choices:
mem_1_9:
display_name: 1.9 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 1992701952
mem_limit: 1992701952
cpu_guarantee: 0.234375
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
default: true
mem_3_7:
display_name: 3.7 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 3985403904
mem_limit: 3985403904
cpu_guarantee: 0.46875
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
mem_7_4:
display_name: 7.4 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 7970807808
mem_limit: 7970807808
cpu_guarantee: 0.9375
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
mem_14_8:
display_name: 14.8 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 15941615616
mem_limit: 15941615616
cpu_guarantee: 1.875
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
mem_29_7:
display_name: 29.7 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 31883231232
mem_limit: 31883231232
cpu_guarantee: 3.75
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
mem_60_6:
display_name: 60.6 GB RAM, upto 15.7 CPUs
kubespawner_override:
mem_guarantee: 65094813696
mem_limit: 65094813696
cpu_guarantee: 7.86
cpu_limit: 15.72
node_selector:
node.kubernetes.io/instance-type: r5.4xlarge
mem_121_2:
display_name: 121.2 GB RAM, upto 15.7 CPUs
kubespawner_override:
mem_guarantee: 130189627392
mem_limit: 130189627392
cpu_guarantee: 15.72
cpu_limit: 15.72
node_selector:
node.kubernetes.io/instance-type: r5.4xlarge
- display_name: R
description: R (with RStudio) + Python environment
kubespawner_override:
image: openscapes/rocker:a7596b5
# Ensures container working dir is homedir
# https://github.com/2i2c-org/infrastructure/issues/2559
working_dir: /home/rstudio
profile_options: *profile_options
- display_name: Matlab
description: Matlab environment
kubespawner_override:
image: openscapes/matlab:2023-11-28
profile_options: *profile_options
hub:
config:
GitHubOAuthenticator:
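Review bot: the removed prod `profileList` had only the Python, R and Matlab profiles and no `allowed_teams`, so dropping it in favour of `common.values.yaml` is not a pure move for prod: prod gains the "Bring your own image" profile and starts gating every profile on team membership. Say so in the PR description, and sequence the prod deploy with the log-out procedure added to `github-orgs.md` in this PR, since the docs there say pre-existing users otherwise get an opaque 'Access denied' error.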
116 changes: 0 additions & 116 deletions config/clusters/openscapes/staging.values.yaml
Expand Up @@ -11,122 +11,6 @@ basehub:
singleuser:
extraEnv:
SCRATCH_BUCKET: s3://openscapeshub-scratch-staging/$(JUPYTERHUB_USER)
profileList:
- display_name: Python
description: Python datascience environment
default: true
profile_options:
image:
display_name: Image and Tag
unlisted_choice: &unlisted_choice
enabled: true
display_name: "Custom image"
validation_regex: "^.+:.+$"
validation_message: "Must be a publicly available docker image, of form <image-name>:<tag>"
kubespawner_override:
image: "{value}"
choices:
default:
display_name: openscapes/python:4f340eb
default: true
kubespawner_override:
image: openscapes/python:4f340eb
requests: &requests_profile_options
display_name: Resource Allocation
choices:
mem_1_9:
display_name: 1.9 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 1992701952
mem_limit: 1992701952
cpu_guarantee: 0.234375
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
default: true
mem_3_7:
display_name: 3.7 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 3985403904
mem_limit: 3985403904
cpu_guarantee: 0.46875
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
mem_7_4:
display_name: 7.4 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 7970807808
mem_limit: 7970807808
cpu_guarantee: 0.9375
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
mem_14_8:
display_name: 14.8 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 15941615616
mem_limit: 15941615616
cpu_guarantee: 1.875
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
mem_29_7:
display_name: 29.7 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 31883231232
mem_limit: 31883231232
cpu_guarantee: 3.75
cpu_limit: 3.75
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
mem_60_6:
display_name: 60.6 GB RAM, upto 15.7 CPUs
kubespawner_override:
mem_guarantee: 65094813696
mem_limit: 65094813696
cpu_guarantee: 7.86
cpu_limit: 15.72
node_selector:
node.kubernetes.io/instance-type: r5.4xlarge
mem_121_2:
display_name: 121.2 GB RAM, upto 15.7 CPUs
kubespawner_override:
mem_guarantee: 130189627392
mem_limit: 130189627392
cpu_guarantee: 15.72
cpu_limit: 15.72
node_selector:
node.kubernetes.io/instance-type: r5.4xlarge
- display_name: R
description: R (with RStudio) + Python environment
profile_options:
image:
display_name: Image and Tag
unlisted_choice: *unlisted_choice
choices:
default:
display_name: openscapes/rocker:a7596b5
default: true
kubespawner_override:
image: openscapes/rocker:a7596b5
# Ensures container working dir is homedir
# https://github.com/2i2c-org/infrastructure/issues/2559
working_dir: /home/rstudio
requests: *requests_profile_options
- display_name: Matlab
description: Matlab environment
profile_options:
image:
display_name: Image and Tag
unlisted_choice: *unlisted_choice
choices:
default:
display_name: openscapes/matlab:2023-11-28
default: true
kubespawner_override:
image: openscapes/matlab:2023-06-29
requests: *requests_profile_options
hub:
config:
GitHubOAuthenticator:
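Review bot: in the removed staging Matlab profile the `display_name` is `openscapes/matlab:2023-11-28` while `kubespawner_override.image` is `openscapes/matlab:2023-06-29`, so this removal changes the Matlab image staging actually runs to the `2023-11-28` tag from `common.values.yaml`. Note that in the PR description, along with the fact that the `unlisted_choice` custom image option, previously attached to all three staging profiles with no team restriction, is now reachable only through the separate "Bring your own image" profile.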
30 changes: 30 additions & 0 deletions docs/hub-deployment-guide/configure-auth/github-orgs.md
Expand Up @@ -230,3 +230,33 @@ To enable this access,
that profile. Add `2i2c-org:hub-access-for-2i2c-staff` to all
`allowed_teams` so 2i2c engineers can log in to debug issues. If
`allowed_teams` is not set, that profile is not available to anyone.

### Enabling team based access on hub with pre-existing users

If this is being enabled for users on a hub with *pre-existing* users, they
will all need to be logged out before deployment. This would force them to
re-login next time, and that will set `auth_state` properly so we can filter
based on team membership - without that, we won't know which teams the user
belongs to, and they will get an opaque 'Access denied' error.

1. Check with the community to know *when* is a good time to log everyone
out. If users have running servers, they will need to refresh the page -
which will put them through the authentication flow again. It's best to
do this at a time when minimal or no users are running, to minimze
disruption.

2. We log everyone out by regenerating [hub.cookieSecret](https://z2jh.jupyter.org/en/stable/resources/reference.html#hub-cookiesecret).

Member

Presuming I have the use case correct (there is a hub that was already using GitHub teams/org auth so already have a GitHub OAuth App, and now they want teams-based access to profiles) and there isn't anything more complicated happening at the hub-level, I actually think there is an easier way to do this that does not involve using kubectl at all:

  1. Go to the GitHub OAuth App settings page for the hub, e.g., Openscapes staging is here https://github.com/organizations/2i2c-org/settings/applications/2367936
  2. Click "Revoke all user tokens"

This will also force the oauth flow and make everyone login again.

We have this documented here as a method of debugging when someone did not correctly authorise the GitHub OAuth App on first login.

Member Author

@sgibson91 Thanks for pointing that out - I had not considered that! It would indeed be much simpler! However, I just tried that and it did not work :( I think it works for the 'Authorize' use case because they are not JupyterHub users yet at that point. In this case, since they've already been successfully authenticated into JupyterHub, revoking GitHub creds does nothing, since they're using JupyterHub cookies / creds at that point. It would only take effect after they explicitly log out of JupyterHub. So we need to rotate cookie secret instead.

The easiest way to do this is to simply delete the kubernetes secret
named `hub` in the namespace of the hub, and then do a deployment. So
once the PR for deployment is ready, run the following command:

```bash
# Get kubectl access to the cluster
deployer use-cluster-credentials <cluster-name>
kubectl -n <hub-name> delete secret hub
```

After that, you can deploy either manually or by merging your PR.

This should log everyone out, and when they log in, they should see
the profiles they have access to!
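Review bot: step 2 says everyone is logged out by regenerating `hub.cookieSecret`, but the command given is `kubectl -n <hub-name> delete secret hub`, which removes the whole `hub` secret rather than one key. State what else that secret holds and that it is recreated on the next deploy, so the reader knows the side effects before running it. It would also help to fold the "easiest way" paragraph and the command into step 2 so the numbered list reads as one procedure. Typo in step 1: "minimze".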