Suggested changes #2

Merged
26 changes: 17 additions & 9 deletions docs/howto/configure/auth-management.md
Expand Up @@ -227,14 +227,14 @@ The steps to enable the JupyterHub CILogonOAuthenticator for a hub are simmilar

1. **Create a CILogon OAuth client**
This can be achieved by using the [cilogon_app.py](https://github.com/2i2c-org/infrastructure/blob/HEAD/deployer/cilogon_app.py) script.

- The script needs to be passed the cluster and hub name for which a client id and secret will be generated, but also the hub type, and the authorisation callback URL.
- The authorisation callback URL is the homepage url appended with `/hub/oauth_callback`. For example, `staging.pilot.2i2c.cloud/hub/oauth_callback`.
- Example script invocation that creates a CILogon OAuth client for the 2i2c dask-staging hub:
```bash
python3 ./deployer/cilogon_auth.py create 2i2c dask-staging daskhub https://dask-staging.2i2c.cloud/hub/oauth_callback
python3 ./deployer/cilogon_app.py create 2i2c dask-staging daskhub https://dask-staging.2i2c.cloud/hub/oauth_callback
```
- If successfull, the script will have created a secret values file under `config/clusters/<cluster_name>/enc-<hub_name>.secret.values.yaml`. This file
- If successfull, the script will have created a secret values file under `config/clusters/<cluster_name>/enc-<hub_name>.secret.values.yaml`. This file
holds the encrypted OAuth client id and secret that have been created for this hub.
- The unecrypted file contents should look like this:
```yaml
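Review bot: the change from `cilogon_auth.py` to `cilogon_app.py` in the example invocation now matches the script linked a few lines above, good. While these lines are being touched, the typos `successfull` and `unecrypted` could be corrected in the same pass, and the two identical `If successfull, the script will have created ...` lines look like a whitespace-only change that is worth squashing so the rendered diff stays readable. Since the text goes on to show the unencrypted contents of `enc-<hub_name>.secret.values.yaml`, one sentence stating that only the encrypted form belongs in the repository would make the purpose of the `enc-` prefix explicit for a new operator.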
Expand Down Expand Up @@ -292,16 +292,24 @@ The steps to enable the JupyterHub CILogonOAuthenticator for a hub are simmilar
CILogonOAuthenticator:
oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback
username_claim: USERNAME_KEY
scope:
- openid
- email
- org.cilogon.userinfo
allowed_idps:
- 2i2c.org
- IDP
```
- Check the [CILogon scopes section](https://www.cilogon.org/oidc#h.p_PEQXL8QUjsQm) to checkout available values for `USERNAME_KEY` claim.
- Per [CILogon's suggestion]((https://www.cilogon.org/oidc#h.p_PEQXL8QUjsQm)), please use the same list of scopes in this example when enabling CILogon for a hub.

Check the [CILogon scopes
section](https://www.cilogon.org/oidc#h.p_PEQXL8QUjsQm) to checkout available
values for `USERNAME_KEY` claim. This *cannot* be changed afterwards without manual
migration of user names, so choose this carefully.

```{warning}
`USERNAME_KEY` should be something the user *cannot change* in any of the identity providers
we support. If they can, it can be easily used to impersonate others! For example, if we allow
both GitHub and `utoronto.ca` as allowed authentication providers, and only use `email` as
`USERNAME_KEY`, any GitHub user can set their email field in their GitHub profile to a `utoronto.ca`
email and thus gain access to any `utoronto.ca` user's server! So a very careful choice needs to
be made here.
```

6. Run the deployer as normal to apply the config.
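Review bot: the `{warning}` block is the most important part of this change and the GitHub / `utoronto.ca` example makes the impersonation risk concrete; the gap is that it says what `USERNAME_KEY` must not be without saying what a safe choice looks like. Suggest adding one sentence stating that the claim must be asserted by the identity provider itself rather than editable from a user profile, and that when more than one entry is listed under `allowed_idps` the claim must also be unique across all of those providers, which is exactly the cross-provider collision the example describes. Separately, the `scope` list has been dropped from the example config (it becomes a chart default in `basehub/values.yaml`) together with the old sentence asking operators to use the same list of scopes; a short note that the scopes are now set by default and should not be overridden per hub would keep that advice from being lost.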

2 changes: 1 addition & 1 deletion docs/howto/operate/delete-hub.md
Expand Up @@ -33,5 +33,5 @@ If you'd like to delete a hub, there are a few steps that we need to take:
script. Use the script to delete this CILogon client when a hub is removed.

```bash
python deployer/cilogon_app.py delete <cluster-name> <hub-name>
python3 deployer/cilogon_app.py delete <cluster-name> <hub-name>
```
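Review bot: `python` to `python3` is consistent with the invocation in `auth-management.md`. Since that document says the `create` step writes the client id and secret to `config/clusters/<cluster_name>/enc-<hub_name>.secret.values.yaml`, the delete step would benefit from one line telling the operator to remove that file as well, so a deleted hub does not leave an orphaned (even if encrypted) credential in the repository.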
14 changes: 8 additions & 6 deletions helm-charts/basehub/values.yaml
Expand Up @@ -244,6 +244,14 @@ jupyterhub:
matchLabels:
app.kubernetes.io/component: traefik
hub:
config:
# Default options for CILogonOAuthenticator, for hubs where it is enabled
CILogonOAuthenticator:
scope:
- openid
- email
- org.cilogon.userinfo

extraFiles:
configurator-schema-default:
mountPath: /usr/local/etc/jupyterhub-configurator/00-default.schema.json
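Review bot: setting `hub.config.CILogonOAuthenticator.scope` unconditionally in basehub is fine functionally, since the setting is only read when CILogonOAuthenticator is the active class, but note that Helm replaces list values rather than merging them: any hub that sets `scope` in its own values will overwrite this whole list, not extend it. Worth saying so in the comment on the `CILogonOAuthenticator:` block, so a per-hub override does not silently drop `org.cilogon.userinfo` or `email` and leave the username claim the docs rely on unpopulated.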
Expand Down Expand Up @@ -423,9 +431,3 @@ jupyterhub:

if get_config("custom.docs_service.enabled"):
c.JupyterHub.services.append({"name": "docs", "url": "http://docs-service"})
09-add-cilogon-scopes-if-enabled: |
from z2jh import get_config

authenticator_class = get_config("hub.config.JupyterHub.authenticator_class")
if authenticator_class == "cilogon":
c.CILogonOAuthenticator.scope = ["openid", "email", "org.cilogon.userinfo"]
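Review bot: replacing the `09-add-cilogon-scopes-if-enabled` hook with a declarative default is the right direction, one less piece of Python executed at hub startup and the value becomes visible in the rendered values. Two things to check: the removed hook only fired when `hub.config.JupyterHub.authenticator_class` was exactly `"cilogon"`, whereas the new default is always present, so confirm no hub spells the authenticator class differently and previously relied on the assignment being skipped; and the hook assigned the list with `=` from extraConfig, so it would have overwritten any per-hub `scope`, whereas with a values default a per-hub `scope` now wins. That is the better behaviour, but it is a behaviour change and deserves a line in the commit message.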