From c2b0112d58bd3ca21ae89360561444a8a63be079 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Fri, 18 Oct 2024 17:04:30 +0200 Subject: [PATCH] victor: transition to cilogon with github, google, and microsoft idps --- config/clusters/victor/common.values.yaml | 53 ++++++++++++++++--- .../victor/enc-prod.secret.values.yaml | 38 ++++++------- .../victor/enc-staging.secret.values.yaml | 38 ++++++------- config/clusters/victor/prod.values.yaml | 2 +- config/clusters/victor/staging.values.yaml | 2 +- 5 files changed, 87 insertions(+), 46 deletions(-) diff --git a/config/clusters/victor/common.values.yaml b/config/clusters/victor/common.values.yaml index ceb272cef9..56c1aef731 100644 --- a/config/clusters/victor/common.values.yaml +++ b/config/clusters/victor/common.values.yaml 
@@ -41,13 +41,54 @@ basehub:
 hub:
 config:
 JupyterHub:
- authenticator_class: github
- GitHubOAuthenticator:
- allowed_organizations:
- - VICTOR-Community:victoraccess
- scope:
- - read:org
+ authenticator_class: cilogon
+ CILogonOAuthenticator:
+ allowed_idps:
+ # Choice of idps was discussed in
+ # https://2i2c.freshdesk.com/a/tickets/2080
+ http://github.com/login/oauth/authorize:
+ default: true
+ username_derivation:
+ username_claim: "preferred_username"
+ http://google.com/accounts/o8/id:
+ username_derivation:
+ username_claim: "email"
+ action: prefix
+ prefix: g
+ http://login.microsoftonline.com/common/oauth2/v2.0/authorize:
+ username_derivation:
+ username_claim: "email"
+ action: prefix
+ prefix: ms
+ OAuthenticator:
+ # WARNING: Don't use allow_existing_users with config to allow an
+ # externally managed group of users, such as
+ # GitHubOAuthenticator.allowed_organizations, as it breaks a
+ # common expectations for an admin user.
+ #
+ # The broken expectation is that removing a user from the
+ # externally managed group implies that the user won't have
+ # access any more. In practice the user will still have
+ # access if it had logged in once before, as it then exists
+ # in JupyterHub's database of users.
+ #
+ allow_existing_users: True
 Authenticator:
+ # WARNING: Removing a user from admin_users or allowed_users doesn't
+ # revoke admin status or access.
+ #
+ # OAuthenticator.allow_existing_users allows any user in the
+ # JupyterHub database of users able to login. This includes
+ # any previously logged in user or user previously listed in
+ # allowed_users or admin_users, as such users are added to
+ # JupyterHub's database on startup.
+ #
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
+ # /hub/admin panel.
+ #
 admin_users:
 - einatlev-ldeo
 - SamKrasnoff
diff --git a/config/clusters/victor/enc-prod.secret.values.yaml b/config/clusters/victor/enc-prod.secret.values.yaml
index 1779bc113d..812a7e99fb 100644
--- a/config/clusters/victor/enc-prod.secret.values.yaml
+++ b/config/clusters/victor/enc-prod.secret.values.yaml
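Review bot: The only visible access gate, the removed `allowed_organizations: - VICTOR-Community:victoraccess`, has no visible replacement in the new CILogon block, while `allow_existing_users: True` keeps every account already in the hub database able to sign in; unless `allowed_users` (outside this hunk) or a per-IdP `allowed_domains` restricts the three IdPs, the effective policy is now "admin_users plus anyone who has ever logged in", which the hunk's own comments describe but never state as the chosen model. If that is intended, say so next to `allowed_idps`, e.g. `# No org/team gate after the CILogon switch: access is admin_users, allowed_users and users already in the hub database (allow_existing_users).` The OAuthenticator warning still names GitHubOAuthenticator.allowed_organizations as its example, which this hub no longer uses, so it could point at CILogon's per-IdP allowed_domains instead. Minor: `allow_existing_users: True` should be lowercase `true`, matching `default: true` above it. The Authenticator block continues past the end of the hunk.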
@@ -1,21 +1,21 @@
 basehub:
- jupyterhub:
- hub:
- config:
- GitHubOAuthenticator:
- client_id: ENC[AES256_GCM,data:mETzwJkMDjNm4NVFjdn8qM/i4r8=,iv:eOi5X2bPpuAdL962n2+vVppQ16BfvMHQkDjzwOyOvqg=,tag:Xj6OvAGTTf6zEU5pV2W+Gw==,type:str]
- client_secret: ENC[AES256_GCM,data:KIgNcTzW27gfTDaUrxaSI8/asyB8r0QCna95u1X89Rvrxdw8bmA3XQ==,iv:LwsnNw/7c5EMW1RBPnPPQ4+Y7m5BICYl7sWSFuMqLvg=,tag:yoal90cYtv1rZAjm3fym+w==,type:str]
+ jupyterhub:
+ hub:
+ config:
+ CILogonOAuthenticator:
+ client_id: ENC[AES256_GCM,data:1CGy1/P5M99SwIhPuw7dGkuBwcgeEHiw9I07W3hHBn+HH0Frxjqxjq78qvQxzHchfMts,iv:zaOb1RDhOPzoJ30bpWK2QX0+Zx8aiYNrAxuKbIbe8IY=,tag:hHeo+u3sBfqUoTU0nL5ukA==,type:str]
+ client_secret: ENC[AES256_GCM,data:hyUnI8iKzIHWRrPS3iEBjgALdUd/kdNcLL6BZ/sf6anR/6UIegt8kGUTyva74CPt/VdbzXXOBxpPSSBLR83xouFG3thUWaMhlQgfnBfQvdapVHPCeoM=,iv:5ef+sL5UF2bxLYf98I++3DMJ3kg12q4v/J+kqs6DCuY=,tag:fBmA6s8bJKbo51VwTyEDGA==,type:str]
 sops:
- kms: []
- gcp_kms:
- - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
- created_at: "2022-10-27T14:03:16Z"
- enc: CiQA4OM7ePBq3xoyJ+cqQzQAMRzdedwvl7aB8Xvb9MuuuJ7gEaoSSQDuy/p8F597q4v2lvFBC9j9laAaX/r+KoeNhpgOlhTim7pP0ORGKcMjdZwSOd7f5p9msi49+0h+TdVTl87xjNoHEUVY1KW98Ig=
- azure_kv: []
- hc_vault: []
- age: []
- lastmodified: "2022-11-07T16:01:16Z"
- mac: ENC[AES256_GCM,data:ypKKVXalN55VYruPHNpb7h8sfaNC6gKmzErXm9nQI+66simIqMCEDcfJ4W7JJK+35dogtDh6sxbN5Vrx+JUbbV14qVlqiF7w96+Nz3vIFERz141FHzZ6DFXFRLZ2yQdirZXIWqLBgX+1Yocr1xoQzKP4YN+GOTsqW4u4a5VkViA=,iv:MQaHDSYNcJo4whi+N8EfxyHamsVnLzS/vCvMt8RFGzI=,tag:IdwOBEBKQaBO6DuPX4RsyQ==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.7.3
+ kms: []
+ gcp_kms:
+ - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+ created_at: "2024-10-18T14:51:47Z"
+ enc: CiUA4OM7eE1+oWrbKDT/Yt8DxHpHaulb84lX39gyROwFLb53tLblEkkA5dG1Q+vMvmVn/CfK5e2oAxajjCo/oHnXPw1Eq5WOTFcLzjDzaK4VeWG34FFhD3/0s1VmChnIwyAo0FhwtJk39bgoMwOB98/9
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-10-18T14:57:24Z"
+ mac: ENC[AES256_GCM,data:VaFjMJzVz4Bm6LGoyMmfzFGoiw+fgnIAq//neKTHhIyES6FD/N2kdJKyT8SWxaBu3O5dky6Sgs8ZiaXNBgBQIEv7QgBGteVO8qnIMNfJrFqrikaD/iSoCso+die6xDyZjJi1VVrnhPXtjbmbjizhe7sED2wdcvpSB+iWBEs6de4=,iv:ok1YmYflV6Bj+WPPQvedPelKvhI7Qpz6uknK7V/IJQk=,tag:Ep2G8YnlXSAoAywGW3eSnA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/config/clusters/victor/enc-staging.secret.values.yaml b/config/clusters/victor/enc-staging.secret.values.yaml
index 21aa22d4ec..683d3df11d 100644
--- a/config/clusters/victor/enc-staging.secret.values.yaml
+++ b/config/clusters/victor/enc-staging.secret.values.yaml
@@ -1,21 +1,21 @@
 basehub:
- jupyterhub:
- hub:
- config:
- GitHubOAuthenticator:
- client_id: ENC[AES256_GCM,data:DMX+ifQeCG2R1NztlJboVUMmJWk=,iv:w0CGmYlg5vYiOLTlnTEAxi5zOjMkH80fVAnzBmCHY5A=,tag:LZNgligPIyHjbpCNa01KZg==,type:str]
- client_secret: ENC[AES256_GCM,data:521xf5AyhOsh6j3bct6TPfvEV4bcRws2olujelgx8JcAfIoK/fQypA==,iv:IcwANgsgzAUhR0eBcC8WrraRx7Px0SQqFZo3vdrgJTY=,tag:SzCtKdSBPXtX0AFVxEzmxg==,type:str]
+ jupyterhub:
+ hub:
+ config:
+ CILogonOAuthenticator:
+ client_id: ENC[AES256_GCM,data:l7Vj9VjpttEjhFksDPPp2gUu+UIfKO3Hw42v7iXZ/rTxoK3V40npzXkfFYVhh8eyCdpi,iv:FQR3NgwKN03m8JhYLhdC3oL+oDFw7BcKp7jDQ7scyWU=,tag:uWm/kFuGEi1RX4F3NIlqog==,type:str]
+ client_secret: ENC[AES256_GCM,data:656K9IIk1Q+IY526vdtPshy6Cu0uo6km0H1pfTLpYP1AFMxNXZgNdFYJXsYmSxWYKclIl7p4wvvz3xcro4ZrQKEbOmRI5BkAdn0uy+PuR4rSDUskZV8=,iv:F2N5vsCdLdKcotA4/llWVC9Hp74pDMWyByCfRdI3xFk=,tag:WeljKMoZJHDWI9oZwWf2+Q==,type:str]
 sops:
- kms: []
- gcp_kms:
- - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
- created_at: "2022-10-27T13:48:39Z"
- enc: CiQA4OM7eCe5Z4OXrimcHrJLaV6PvjKhd9DdOe0RZfg24j1wIRgSSQDuy/p8pF1vb4Y2QfNFC00np51If00lMog4tOCYg3OO8w4mvRazf9PRv6IvJKJ5ZDiyUETc2p5HJWmF3ltHcyOYhNgNKUrQ2L4=
- azure_kv: []
- hc_vault: []
- age: []
- lastmodified: "2022-11-07T15:57:50Z"
- mac: ENC[AES256_GCM,data:D2kCe99nRdPYTB6siv79lhHjGJgnFBfxjA+HFhkApFfWLKW8FwaVmkvDBjJ802J5KQ2IxsRQfa4SUX5nLXuT0gs4k3sGm8PPKDQQb49gAJLj27VxlhfZlZ0n79BLt8CwiaZjo8q2LTUoJdcHnBuJQdRuNlhbaPoslnXqvNqCvk4=,iv:k/yhxvgDaVI9KHcIZzKtgt+oP0YkVvK9MbzEz3y9rEw=,tag:gEn5FENRv6QRUA0vXK2snQ==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.7.3
+ kms: []
+ gcp_kms:
+ - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+ created_at: "2024-10-18T14:51:32Z"
+ enc: CiUA4OM7eHGLgeDCrHeNL+FclK8wSDk7Gum048uOyDR7sfKefIJAEkkA5dG1Q/2wTZSv6076SV76+2kjrwVvt8N2ik79il2NashCHPAlcjc4NJ2qZn1pRr3Nvv+g/RCCKUIHbGCoOyfCVhHzW8OzMSy+
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-10-18T14:57:17Z"
+ mac: ENC[AES256_GCM,data:+9Ks3IVP2u4joibmQlQRY3AoFHYkSRoigNW+dUR/AjG4kbjw5QU+BL5SQQ1YcNnRgtT9BybTXxvsd92YEWuj8jSKvPaiEhJBN7WddY3y+6FrDjp5ErdWYtjoawm3GPmZHNt0i3mj6BLfTXSGoSvOzULODocIvta1R/xlDl8F87c=,iv:3LjmZ+U6x0ff9MuHiFyzjzpygDNExdMC/uIcHYP1lSU=,tag:A533NdF5bj3RzULDCQslfA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/config/clusters/victor/prod.values.yaml b/config/clusters/victor/prod.values.yaml
index bbce3fff00..61a8ad569f 100644
--- a/config/clusters/victor/prod.values.yaml
+++ b/config/clusters/victor/prod.values.yaml
@@ -11,7 +11,7 @@ basehub:
 secretName: https-auto-tls
 hub:
 config:
- GitHubOAuthenticator:
+ CILogonOAuthenticator:
 oauth_callback_url: https://hub.victorproject.org/hub/oauth_callback
 singleuser:
 profileList:
diff --git a/config/clusters/victor/staging.values.yaml b/config/clusters/victor/staging.values.yaml
index 0223f9a378..a13e7aa839 100644
--- a/config/clusters/victor/staging.values.yaml
+++ b/config/clusters/victor/staging.values.yaml
@@ -11,7 +11,7 @@ basehub:
 secretName: https-auto-tls
 hub:
 config:
- GitHubOAuthenticator:
+ CILogonOAuthenticator:
 oauth_callback_url: https://staging.hub.victorproject.org/hub/oauth_callback
 singleuser:
 profileList: