
Admins configured in admin_users lose admin status if admin_groups is not configured #591

Closed
dasantonym opened this issue Apr 5, 2023 · 2 comments · Fixed by #594

@dasantonym

Bug description

I am running a setup with the following configuration (excerpt):

```yaml
hub:
  config:
    Authenticator:
      admin_users:
        - REDACTED
        - REDACTED
        - REDACTED
        - REDACTED
        - REDACTED
        - REDACTED
      enable_auth_state: true
      allowed_groups:
        - staff
        - student
      userdata_params:
        state: state
      scope:
        - profile
        - roles
        - openid
    GenericOAuthenticator:
      client_id: jupyterhub
      client_secret: REDACTED
      oauth_callback_url: REDACTED
      authorize_url: REDACTED
      token_url: REDACTED
      userdata_url: REDACTED
      logout_redirect_url: REDACTED
      login_service: keycloak
      auto_login: true
      username_key: preferred_username
      claim_groups_key: groups
    JupyterHub:
      authenticator_class: generic-oauth
```

As you can see, allowed_groups is configured as are some users under the admin_users list. The variable admin_groups is missing from the config, which seems to cause the problem mentioned in the title.

For further reference, there is a previous issue filed here:
jupyterhub/zero-to-jupyterhub-k8s#3086

Expected behaviour

If a user logs in and is in the admin_users group, they should be assigned the admin role.

Actual behaviour

The user logs in and the OAuthenticator checks if allowed_groups is set and the user's group retrieved from the claim is in there. Now it also checks if the user's group is in the admin_groups list, which it is not, so the user is assigned the user role, even though there is an entry for the user's name in the admin_users list.

This is where it happens:
https://github.com/jupyterhub/oauthenticator/blob/15.1.0/oauthenticator/generic.py#L184-L219

How to reproduce

Set up an instance with admin_users entries, GenericOAuthenticator and external groups retrieved via a claim, allowed_groups but no admin_groups, and then watch it steal your admin status...

Your personal set up

We're using zero-to-jupyterhub chart version jupyterhub-2.0.1-0.dev.git.6026.h0e7347d7.

  • OS: n.a.
  • Version(s): Jupyterhub 3.1.1
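Added example, not oauthenticator's or JupyterHub's own code (all function names are hypothetical): a reduced model of the decision flow this report describes, with the failure mode beside a hardened variant that only lets group membership decide admin status when admin_groups is actually configured.

```python
def authenticator_admin_flag(user_groups, allowed_groups, admin_groups, *, fixed):
    """Hypothetical model of the authenticator's group check.

    Returns the value that would go into the login result's 'admin' key:
    True/False is an explicit decision, None means "no opinion", so the Hub
    keeps whatever admin_users (and the user database) already say.
    """
    user_groups = set(user_groups)
    if allowed_groups and not user_groups & set(allowed_groups):
        raise PermissionError("user is in none of allowed_groups")
    if not fixed:
        # Failure mode from the issue: once allowed_groups is configured the
        # result is always a bool, and an unset admin_groups makes it False.
        return bool(user_groups & set(admin_groups))
    # Hardened form: derive admin status from groups only when admin_groups
    # is configured; otherwise defer to admin_users.
    if admin_groups:
        return bool(user_groups & set(admin_groups))
    return None


def hub_login(stored_admin, admin_from_auth):
    """Hypothetical model of the Hub side: an explicit bool overwrites the
    stored flag, None leaves it untouched."""
    return stored_admin if admin_from_auth is None else admin_from_auth


def simulate_login(username, user_groups, config, *, fixed):
    """Seed the stored flag from admin_users, then apply one OAuth login."""
    stored_admin = username in config.get("admin_users", [])
    flag = authenticator_admin_flag(
        user_groups,
        config.get("allowed_groups", []),
        config.get("admin_groups", []),
        fixed=fixed,
    )
    return hub_login(stored_admin, flag)


# Constructed config mirroring the issue: allowed_groups set, admin_groups absent.
ISSUE_CONFIG = {"admin_users": ["alice"], "allowed_groups": ["staff", "student"]}

if __name__ == "__main__":
    # alice is listed in admin_users and belongs to an allowed group
    print("buggy:", simulate_login("alice", ["staff"], ISSUE_CONFIG, fixed=False))  # False
    print("fixed:", simulate_login("alice", ["staff"], ISSUE_CONFIG, fixed=True))   # True
```

With admin_groups configured, both variants let group membership decide, which is the consistent behaviour the maintainer asks for below; the difference only shows when admin_groups is left unset.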
@dasantonym dasantonym added the bug label Apr 5, 2023
@welcome

welcome bot commented Apr 5, 2023

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

@manics
Member

manics commented Apr 5, 2023

jupyterhub/zero-to-jupyterhub-k8s#521
Let's make sure we fix it consistently for all authenticators.
