diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml
index db40829920..cb7dff1449 100644
--- a/config/clusters/openscapes/common.values.yaml
+++ b/config/clusters/openscapes/common.values.yaml
@@ -37,6 +37,126 @@ basehub: singleuser: serviceAccountName: cloud-user-sa defaultUrl: /lab + profileList: + - display_name: Python + description: Python datascience environment + default: true + allowed_teams: + - 2i2c-org:hub-access-for-2i2c-staff + - NASA-Openscapes:workshopaccess-2i2c + - NASA-Openscapes:longtermaccess-2i2c + - NASA-Openscapes:championsaccess-2i2c + kubespawner_override: + image: openscapes/python:4f340eb + profile_options: &profile_options + requests: &profile_options_resource_allocation + display_name: Resource Allocation + choices: + mem_1_9: + display_name: 1.9 GB RAM, upto 3.7 CPUs + kubespawner_override: + mem_guarantee: 1992701952 + mem_limit: 1992701952 + cpu_guarantee: 0.234375 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + default: true + mem_3_7: + display_name: 3.7 GB RAM, upto 3.7 CPUs + kubespawner_override: + mem_guarantee: 3985403904 + mem_limit: 3985403904 + cpu_guarantee: 0.46875 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_7_4: + display_name: 7.4 GB RAM, upto 3.7 CPUs + kubespawner_override: + mem_guarantee: 7970807808 + mem_limit: 7970807808 + cpu_guarantee: 0.9375 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_14_8: + display_name: 14.8 GB RAM, upto 3.7 CPUs + kubespawner_override: + mem_guarantee: 15941615616 + mem_limit: 15941615616 + cpu_guarantee: 1.875 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_29_7: + display_name: 29.7 GB RAM, upto 3.7 CPUs + kubespawner_override: + mem_guarantee: 31883231232 + mem_limit: 31883231232 + cpu_guarantee: 3.75 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_60_6: + display_name: 60.6 GB RAM, upto 15.7 CPUs + kubespawner_override: + mem_guarantee: 65094813696 + mem_limit: 65094813696 + cpu_guarantee: 7.86 + cpu_limit: 15.72 + node_selector: + node.kubernetes.io/instance-type: r5.4xlarge + 
mem_121_2: + display_name: 121.2 GB RAM, upto 15.7 CPUs + kubespawner_override: + mem_guarantee: 130189627392 + mem_limit: 130189627392 + cpu_guarantee: 15.72 + cpu_limit: 15.72 + node_selector: + node.kubernetes.io/instance-type: r5.4xlarge + - display_name: R + description: R (with RStudio) + Python environment + allowed_teams: + - 2i2c-org:hub-access-for-2i2c-staff + - NASA-Openscapes:workshopaccess-2i2c + - NASA-Openscapes:longtermaccess-2i2c + - NASA-Openscapes:championsaccess-2i2c + kubespawner_override: + image: openscapes/rocker:a7596b5 + # Ensures container working dir is homedir + # https://github.com/2i2c-org/infrastructure/issues/2559 + working_dir: /home/rstudio + profile_options: *profile_options + - display_name: Matlab + description: Matlab environment + allowed_teams: + - 2i2c-org:hub-access-for-2i2c-staff + - NASA-Openscapes:workshopaccess-2i2c + - NASA-Openscapes:longtermaccess-2i2c + - NASA-Openscapes:championsaccess-2i2c + kubespawner_override: + image: openscapes/matlab:2023-11-28 + profile_options: *profile_options + - display_name: "Bring your own image" + description: Specify your own docker image (must have python and jupyterhub installed in it) + slug: custom + allowed_teams: + - NASA-Openscapes:longtermaccess-2i2c + - 2i2c-org:hub-access-for-2i2c-staff + profile_options: + image: + display_name: Image + unlisted_choice: + enabled: True + display_name: "Custom image" + validation_regex: "^.+:.+$" + validation_message: "Must be a publicly available docker image, of form :" + kubespawner_override: + image: "{value}" + choices: {} + resource_allocation: *profile_options_resource_allocation scheduling: userScheduler: enabled: true 
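Review bot: The "Bring your own image" profile accepts any image reference matching `^.+:.+$` and starts it under the same `serviceAccountName: cloud-user-sa` shown in the context lines, so whatever cloud permissions that service account carries (not visible in this hunk) are available to unreviewed third-party images. The removed staging lines show this custom-image option existed only on staging before; placing it in the common values extends it to prod, gated by `allowed_teams` to `longtermaccess-2i2c` and 2i2c staff. Consider anchoring `validation_regex` to the registries or namespaces the community actually uses, or confirming that the service account's role is acceptable for untrusted images. Separately, `enabled: True` under `unlisted_choice` should be `enabled: true` to match the other booleans, and the curated images are referenced by mutable tags (for example `openscapes/python:4f340eb`) rather than digests.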
@@ -46,7 +166,10 @@ basehub: JupyterHub: authenticator_class: github GitHubOAuthenticator: + enable_auth_state: true + populate_teams_in_auth_state: true allowed_organizations: + - 2i2c-org:hub-access-for-2i2c-staff - NASA-Openscapes:workshopaccess-2i2c - NASA-Openscapes:longtermaccess-2i2c - NASA-Openscapes:championsaccess-2i2c diff --git a/config/clusters/openscapes/prod.values.yaml b/config/clusters/openscapes/prod.values.yaml index 29311e3ec8..235ca2d304 100644 --- a/config/clusters/openscapes/prod.values.yaml +++ b/config/clusters/openscapes/prod.values.yaml 
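Review bot: Team membership stored through `populate_teams_in_auth_state: true` is a snapshot taken at login, so a user removed from a GitHub team presumably keeps the matching `allowed_teams` profiles until their session is re-authenticated. If timely revocation matters, consider a refresh policy on the authenticator such as `refresh_pre_spawn: true` or a bounded `auth_refresh_age`, provided the deployed OAuthenticator version supports refreshing team data. Also confirm that the OAuth `scope` configured outside this hunk includes `read:org`, which the team lookup needs, and that `auth_state` is encrypted at rest now that `enable_auth_state: true` persists it in the hub database.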
@@ -11,93 +11,6 @@ basehub: singleuser: extraEnv: SCRATCH_BUCKET: s3://openscapeshub-scratch/$(JUPYTERHUB_USER) - profileList: - - display_name: Python - description: Python datascience environment - default: true - kubespawner_override: - image: openscapes/python:4f340eb - profile_options: &profile_options - requests: - display_name: Resource Allocation - choices: - mem_1_9: - display_name: 1.9 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 1992701952 - mem_limit: 1992701952 - cpu_guarantee: 0.234375 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - default: true - mem_3_7: - display_name: 3.7 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 3985403904 - mem_limit: 3985403904 - cpu_guarantee: 0.46875 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_7_4: - display_name: 7.4 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 7970807808 - mem_limit: 7970807808 - cpu_guarantee: 0.9375 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_14_8: - display_name: 14.8 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 15941615616 - mem_limit: 15941615616 - cpu_guarantee: 1.875 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_29_7: - display_name: 29.7 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 31883231232 - mem_limit: 31883231232 - cpu_guarantee: 3.75 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_60_6: - display_name: 60.6 GB RAM, upto 15.7 CPUs - kubespawner_override: - mem_guarantee: 65094813696 - mem_limit: 65094813696 - cpu_guarantee: 7.86 - cpu_limit: 15.72 - node_selector: - node.kubernetes.io/instance-type: r5.4xlarge - mem_121_2: - display_name: 121.2 GB RAM, upto 15.7 CPUs - kubespawner_override: - mem_guarantee: 130189627392 - mem_limit: 130189627392 - cpu_guarantee: 15.72 - cpu_limit: 15.72 - node_selector: - 
node.kubernetes.io/instance-type: r5.4xlarge - - display_name: R - description: R (with RStudio) + Python environment - kubespawner_override: - image: openscapes/rocker:a7596b5 - # Ensures container working dir is homedir - # https://github.com/2i2c-org/infrastructure/issues/2559 - working_dir: /home/rstudio - profile_options: *profile_options - - display_name: Matlab - description: Matlab environment - kubespawner_override: - image: openscapes/matlab:2023-11-28 - profile_options: *profile_options hub: config: GitHubOAuthenticator: diff --git a/config/clusters/openscapes/staging.values.yaml b/config/clusters/openscapes/staging.values.yaml index 81ab539c90..eb16900803 100644 --- a/config/clusters/openscapes/staging.values.yaml +++ b/config/clusters/openscapes/staging.values.yaml 
@@ -11,122 +11,6 @@ basehub: singleuser: extraEnv: SCRATCH_BUCKET: s3://openscapeshub-scratch-staging/$(JUPYTERHUB_USER) - profileList: - - display_name: Python - description: Python datascience environment - default: true - profile_options: - image: - display_name: Image and Tag - unlisted_choice: &unlisted_choice - enabled: true - display_name: "Custom image" - validation_regex: "^.+:.+$" - validation_message: "Must be a publicly available docker image, of form :" - kubespawner_override: - image: "{value}" - choices: - default: - display_name: openscapes/python:4f340eb - default: true - kubespawner_override: - image: openscapes/python:4f340eb - requests: &requests_profile_options - display_name: Resource Allocation - choices: - mem_1_9: - display_name: 1.9 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 1992701952 - mem_limit: 1992701952 - cpu_guarantee: 0.234375 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - default: true - mem_3_7: - display_name: 3.7 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 3985403904 - mem_limit: 3985403904 - cpu_guarantee: 0.46875 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_7_4: - display_name: 7.4 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 7970807808 - mem_limit: 7970807808 - cpu_guarantee: 0.9375 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_14_8: - display_name: 14.8 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 15941615616 - mem_limit: 15941615616 - cpu_guarantee: 1.875 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_29_7: - display_name: 29.7 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 31883231232 - mem_limit: 31883231232 - cpu_guarantee: 3.75 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_60_6: - display_name: 60.6 GB RAM, upto 15.7 CPUs - 
kubespawner_override: - mem_guarantee: 65094813696 - mem_limit: 65094813696 - cpu_guarantee: 7.86 - cpu_limit: 15.72 - node_selector: - node.kubernetes.io/instance-type: r5.4xlarge - mem_121_2: - display_name: 121.2 GB RAM, upto 15.7 CPUs - kubespawner_override: - mem_guarantee: 130189627392 - mem_limit: 130189627392 - cpu_guarantee: 15.72 - cpu_limit: 15.72 - node_selector: - node.kubernetes.io/instance-type: r5.4xlarge - - display_name: R - description: R (with RStudio) + Python environment - profile_options: - image: - display_name: Image and Tag - unlisted_choice: *unlisted_choice - choices: - default: - display_name: openscapes/rocker:a7596b5 - default: true - kubespawner_override: - image: openscapes/rocker:a7596b5 - # Ensures container working dir is homedir - # https://github.com/2i2c-org/infrastructure/issues/2559 - working_dir: /home/rstudio - requests: *requests_profile_options - - display_name: Matlab - description: Matlab environment - profile_options: - image: - display_name: Image and Tag - unlisted_choice: *unlisted_choice - choices: - default: - display_name: openscapes/matlab:2023-11-28 - default: true - kubespawner_override: - image: openscapes/matlab:2023-06-29 - requests: *requests_profile_options hub: config: GitHubOAuthenticator: diff --git a/docs/hub-deployment-guide/configure-auth/github-orgs.md b/docs/hub-deployment-guide/configure-auth/github-orgs.md index 6e58d14d32..a7b286f3c6 100644 --- a/docs/hub-deployment-guide/configure-auth/github-orgs.md +++ b/docs/hub-deployment-guide/configure-auth/github-orgs.md 
@@ -230,3 +230,33 @@ To enable this access, that profile. Add `2i2c-org:hub-access-for-2i2c-staff` to all `allowed_teams` so 2i2c engineers can log in to debug issues. If `allowed_teams` is not set, that profile is not available to anyone. + +### Enabling team based access on hub with pre-existing users + +If this is being enabled for users on a hub with *pre-existing* users, they +will all need to be logged out before deployment. This would force them to +re-login next time, and that will set `auth_state` properly so we can filter +based on team membership - without that, we won't know which teams the user +belongs to, and they will get an opaque 'Access denied' error. + +1. Check with the community to know *when* is a good time to log everyone + out. If users have running servers, they will need to refresh the page - + which will put them through the authentication flow again. It's best to + do this at a time when minimal or no users are running, to minimze + disruption. + +2. We log everyone out by regenerating [hub.cookieSecret](https://z2jh.jupyter.org/en/stable/resources/reference.html#hub-cookiesecret). + The easiest way to do this is to simply delete the kubernetes secret + named `hub` in the namespace of the hub, and then do a deployment. So + once the PR for deployment is ready, run the following command: + + ```bash + # Get kubectl access to the cluster + deployer use-cluster-credentials + kubectl -n delete secret hub + ``` + + After that, you can deploy either manually or by merging your PR. + +This should log everyone out, and when they log in, they should see +the profiles they have access to!