Merge pull request #2 from yuvipanda/cilogon-admin-suggestions
Suggested changes
GeorgianaElena authored Mar 24, 2022
2 parents 85c6449 + d18ed4f commit 012a084
Showing 3 changed files with 26 additions and 16 deletions.
26 changes: 17 additions & 9 deletions docs/howto/configure/auth-management.md
Expand Up @@ -227,14 +227,14 @@ The steps to enable the JupyterHub CILogonOAuthenticator for a hub are simmilar
1. **Create a CILogon OAuth client**
This can be achieved by using the [cilogon_app.py](https://github.com/2i2c-org/infrastructure/blob/HEAD/deployer/cilogon_app.py) script.
- The script needs to be passed the cluster and hub name for which a client id and secret will be generated, but also the hub type, and the authorisation callback URL.
- The authorisation callback URL is the homepage url appended with `/hub/oauth_callback`. For example, `staging.pilot.2i2c.cloud/hub/oauth_callback`.
- Example script invocation that creates a CILogon OAuth client for the 2i2c dask-staging hub:
```bash
python3 ./deployer/cilogon_auth.py create 2i2c dask-staging daskhub https://dask-staging.2i2c.cloud/hub/oauth_callback
python3 ./deployer/cilogon_app.py create 2i2c dask-staging daskhub https://dask-staging.2i2c.cloud/hub/oauth_callback
```
- If successfull, the script will have created a secret values file under `config/clusters/<cluster_name>/enc-<hub_name>.secret.values.yaml`. This file
- If successfull, the script will have created a secret values file under `config/clusters/<cluster_name>/enc-<hub_name>.secret.values.yaml`. This file
holds the encrypted OAuth client id and secret that have been created for this hub.
- The unecrypted file contents should look like this:
```yaml
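Review bot: the prose example of the callback URL in this hunk (`staging.pilot.2i2c.cloud/hub/oauth_callback`, on the "authorisation callback URL" bullet) omits the scheme, while the corrected invocation two lines later passes `https://dask-staging.2i2c.cloud/hub/oauth_callback`. Since that argument is the redirect URI the script registers with CILogon, the example should use the same `https://...` form so nobody registers a client with a scheme-less callback. While touching these lines it is also worth fixing the spelling in the retained text: `successfull` and `unecrypted` in the new lines, and `simmilar` in the hunk's context sentence.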
Expand Down Expand Up @@ -292,16 +292,24 @@ The steps to enable the JupyterHub CILogonOAuthenticator for a hub are simmilar
CILogonOAuthenticator:
oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback
username_claim: USERNAME_KEY
scope:
- openid
- email
- org.cilogon.userinfo
allowed_idps:
- 2i2c.org
- IDP
```
- Check the [CILogon scopes section](https://www.cilogon.org/oidc#h.p_PEQXL8QUjsQm) to checkout available values for `USERNAME_KEY` claim.
- Per [CILogon's suggestion]((https://www.cilogon.org/oidc#h.p_PEQXL8QUjsQm)), please use the same list of scopes in this example when enabling CILogon for a hub.
Check the [CILogon scopes
section](https://www.cilogon.org/oidc#h.p_PEQXL8QUjsQm) to checkout available
values for `USERNAME_KEY` claim. This *cannot* be changed afterwards without manual
migration of user names, so choose this carefully.

```{warning}
`USERNAME_KEY` should be something the user *cannot change* in any of the identity providers
we support. If they can, it can be easily used to impersonate others! For example, if we allow
both GitHub and `utoronto.ca` as allowed authentication providers, and only use `email` as
`USERNAME_KEY`, any GitHub user can set their email field in their GitHub profile to a `utoronto.ca`
email and thus gain access to any `utoronto.ca` user's server! So a very careful choice needs to
be made here.
```

6. Run the deployer as normal to apply the config.

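Review bot: this hunk drops the `scope:` list from the example `CILogonOAuthenticator` config but does not say where the scopes now come from, so a reader of this page alone cannot tell that `openid`, `email` and `org.cilogon.userinfo` are still requested. Suggest one sentence after the example noting that the default scopes are set in the basehub chart values (`hub.config.CILogonOAuthenticator.scope`) and that a hub-level `scope:` entry would replace, not extend, that list. Minor wording: "to checkout available values" should read "to check out the available values". The added warning about `USERNAME_KEY` needing to be a claim the user cannot edit at any allowed IdP is the right point to make here; keep it.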
2 changes: 1 addition & 1 deletion docs/howto/operate/delete-hub.md
Expand Up @@ -33,5 +33,5 @@ If you'd like to delete a hub, there are a few steps that we need to take:
script. Use the script to delete this CILogon client when a hub is removed.

```bash
python deployer/cilogon_app.py delete <cluster-name> <hub-name>
python3 deployer/cilogon_app.py delete <cluster-name> <hub-name>
```
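Review bot: the `python` to `python3` change keeps this consistent with the invocation in auth-management.md, fine. The deletion step still covers only the CILogon client itself, whereas the create step in auth-management.md also writes `config/clusters/<cluster_name>/enc-<hub_name>.secret.values.yaml` holding the encrypted client id and secret. Suggest adding a line here telling the operator to remove that file (and the hub's `CILogonOAuthenticator` config block) when the client is deleted, so credentials for a client that no longer exists are not left in the repository.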
14 changes: 8 additions & 6 deletions helm-charts/basehub/values.yaml
Expand Up @@ -244,6 +244,14 @@ jupyterhub:
matchLabels:
app.kubernetes.io/component: traefik
hub:
config:
# Default options for CILogonOAuthenticator, for hubs where it is enabled
CILogonOAuthenticator:
scope:
- openid
- email
- org.cilogon.userinfo

extraFiles:
configurator-schema-default:
mountPath: /usr/local/etc/jupyterhub-configurator/00-default.schema.json
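Review bot: adding `config:` directly under `hub:` here needs a check that the `hub:` mapping in this file does not already define a `config:` key further down; YAML loaders used by Helm keep the last duplicate key silently, which would discard this default without any error. Two behaviours worth documenting next to the comment: this default is now present on every hub, including those not using CILogon, where it is inert because no `CILogonOAuthenticator` is instantiated; and because Helm merges maps but replaces lists, a hub that sets its own `scope:` must repeat all three entries rather than add one.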
Expand Down Expand Up @@ -423,9 +431,3 @@ jupyterhub:
if get_config("custom.docs_service.enabled"):
c.JupyterHub.services.append({"name": "docs", "url": "http://docs-service"})
09-add-cilogon-scopes-if-enabled: |
from z2jh import get_config
authenticator_class = get_config("hub.config.JupyterHub.authenticator_class")
if authenticator_class == "cilogon":
c.CILogonOAuthenticator.scope = ["openid", "email", "org.cilogon.userinfo"]

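Review bot: removing `09-add-cilogon-scopes-if-enabled` also changes precedence, not just where the list lives. The deleted snippet assigned `c.CILogonOAuthenticator.scope` unconditionally at startup whenever `authenticator_class == "cilogon"`, so any per-hub `hub.config.CILogonOAuthenticator.scope` value was overwritten; with the static default in `hub.config` (earlier hunk), per-hub values now take effect. That is the better behaviour, but worth stating explicitly and confirming that no deployed hub carried a `scope:` override that was previously being masked.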