From ff9cf074a119bbcd9b4d33d55500f2c650948be9 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Thu, 23 Sep 2021 12:40:38 +0100 Subject: [PATCH 01/20] Enable reading in extra, secret config when not using auth0 in deployer --- deployer/hub.py | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/deployer/hub.py b/deployer/hub.py index 842faa2ea..c22021edd 100644 --- a/deployer/hub.py +++ b/deployer/hub.py @@ -439,14 +439,28 @@ def deploy(self, auth_provider, secret_key, skip_hub_health_test=False): """ Deploy this hub """ + if self.spec["auth0"]['enabled'] == False: + # Auth0 has been disabled. Instead read in secret config. + secret_config_path = Path(os.getcwd()) / "secrets/config/hubs" / f'{self.cluster.spec["name"]}.cluster.yaml' + with decrypt_file(secret_config_path) as decrypted_file_path: + with open(decrypted_file_path) as f: + secret_config = yaml.load(f) + + hubs = secret_config["hubs"] + secret_hub_config = next((hub for i, hub in enumerate(hubs) if hubs[i]["name"] == self.spec["name"]), None) + secret_hub_config = secret_hub_config["config"] + else: + secret_hub_config = {} generated_values = self.get_generated_config(auth_provider, secret_key) - with tempfile.NamedTemporaryFile(mode='w') as values_file, tempfile.NamedTemporaryFile(mode='w') as generated_values_file: + with tempfile.NamedTemporaryFile(mode='w') as values_file, tempfile.NamedTemporaryFile(mode='w') as generated_values_file, tempfile.NamedTemporaryFile(mode='w') as secret_values_file: json.dump(self.spec['config'], values_file) json.dump(generated_values, generated_values_file) + json.dump(secret_hub_config, secret_values_file) values_file.flush() generated_values_file.flush() + secret_values_file.flush() cmd = [ 'helm', 'upgrade', '--install', '--create-namespace', '--wait', 
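Review bot: The lookup `next((hub for i, hub in enumerate(hubs) if hubs[i]["name"] == self.spec["name"]), None)` yields `None` for a hub that has no entry in the cluster's secret file, and the next line `secret_hub_config["config"]` then fails with `TypeError` instead of deploying with an empty secret config; `next((hub for hub in hubs if hub["name"] == self.spec["name"]), {"config": {}})` supplies the fallback and drops the redundant `enumerate`/`hubs[i]` indexing (the later "Unconditionally read in secret config" hunk leaves this lookup unchanged and makes it reachable for every hub on a cluster that has a secret file). `yaml.load(f)` on the decrypted secrets names no loader; if `yaml` here is the PyYAML module rather than a `ruamel.yaml.YAML(typ="safe")` instance, that is the full constructor and should be `yaml.safe_load(f)`, since the file only needs plain mappings and lists. `self.spec["auth0"]['enabled'] == False` raises `KeyError` for every existing hub config, none of which can have an `enabled` key under the schema as it stood before this series, and reads better as `if not self.spec["auth0"].get("enabled", True):`. deploy() starts before and continues after this hunk.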
@@ -457,6 +471,7 @@ def deploy(self, auth_provider, secret_key, skip_hub_health_test=False): # we should put the config from config/hubs last. '-f', generated_values_file.name, '-f', values_file.name, + '-f', secret_values_file.name, ] print(f"Running {' '.join(cmd)}") From 3093a3577b4de16f3acc764fa09796a462616578 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Thu, 23 Sep 2021 12:41:19 +0100 Subject: [PATCH 02/20] Enable additionalProperties for auth0 key in chart schema This is so I could set enabled: False --- config/hubs/schema.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hubs/schema.yaml b/config/hubs/schema.yaml index 7b4620b2b..d03879584 100644 --- a/config/hubs/schema.yaml +++ b/config/hubs/schema.yaml @@ -158,7 +158,7 @@ properties: - basehub - daskhub auth0: - additionalProperties: false + additionalProperties: true type: object description: | All hubs use Auth0 for authentication, and we dynamically fetch the credentials From d45b1d7642a60b5c607535e4159b3ffe7d029172 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Thu, 23 Sep 2021 12:41:45 +0100 Subject: [PATCH 03/20] Add a helm chart schema for secrets/config/hubs --- secrets/config/hubs/schema.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 secrets/config/hubs/schema.yaml diff --git a/secrets/config/hubs/schema.yaml b/secrets/config/hubs/schema.yaml new file mode 100644 index 000000000..0396c7f78 --- /dev/null +++ b/secrets/config/hubs/schema.yaml 
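Review bot: The context comment `# we should put the config from config/hubs last.` just above this list is no longer accurate, because the added `'-f', secret_values_file.name` is now the final values file and therefore takes precedence over `config/hubs`. Update it to something like `# secrets/config/hubs goes last so secret config can override anything in config/hubs.` so the intended precedence is documented where the order is set. deploy() continues after this hunk.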
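Review bot: Flipping `additionalProperties` to `true` on `auth0` removes schema checking for everything under that key, so a misspelled `enable: false` or a string `enabled: "false"` passes validation and the hub silently keeps Auth0 enabled. The narrower change is to keep `additionalProperties: false` and declare the new key — `enabled:` with `type: boolean` and `default: true` — alongside `connection` and `application_name`, so only the field the deployer actually reads is accepted. The `auth0` block continues past the end of this hunk.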
@@ -0,0 +1,24 @@ +$schema: 'http://json-schema.org/draft-07/schema#' +type: object +additionalProperties: false +properties: + hubs: + type: array + description: | + Each item here is additional config for a hub deployed to this cluster. + required: + - name + - config + items: + - type: object + additionalProperties: false + properties: + name: + type: string + description: | + Name of the hub. This will be used to determine + the namespace the hub is deployed to + config: + type: object + description: | + YAML configuration containing secrets that is passed through to helm. From 92887fca76fb3f6b850d0a3d518458e11af984d4 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Thu, 23 Sep 2021 12:45:58 +0100 Subject: [PATCH 04/20] Add some docs on setting up auth using GitHubOAuthenticator in JupyterHub --- docs/howto/configure/auth-management.md | 109 +++++++++++++++++++++++- 1 file changed, 107 insertions(+), 2 deletions(-) diff --git a/docs/howto/configure/auth-management.md b/docs/howto/configure/auth-management.md index 3cb0e3786..602c3b342 100644 --- a/docs/howto/configure/auth-management.md +++ b/docs/howto/configure/auth-management.md @@ -1,6 +1,8 @@ # Manage authentication -[auth0](https://auth0.com) provides authentication for all hubs here. It can +## Auth0 + +[auth0](https://auth0.com) provides authentication for the majority of 2i2c hubs. It can be configured with many different [connections](https://auth0.com/docs/identityproviders) that users can authenticate with - such as Google, GitHub, etc. 
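Review bot: `required: [name, config]` is placed on the `hubs` array schema, where draft-07 ignores it (`required` only constrains objects), so an entry missing `name` or `config` validates and the deployer's `secret_hub_config["config"]` lookup fails later instead; move it inside the item schema. `items:` is written as a YAML list (`- type: object`), which draft-07 treats as tuple validation, so only the first hub entry is checked and any further entries are unconstrained; make it a single mapping, `items:` followed by `type: object` and the existing `additionalProperties`/`properties` keys plus the relocated `required`. Nothing in this series shows the deployer validating the decrypted file against this schema, so presumably it is only for editor tooling until a validation step is added — worth stating in the top-level `description`.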
@@ -53,4 +55,107 @@ So we want to manage authentication by: ```{admonition} Switching auth Switching authentication for a pre-existing hub will simply create new usernames. Any pre-existing users will no longer be able to access their accounts (although administrators will be able to do so). If you have pre-existing users and want to switch the hub authentication, rename the users to the new auth pattern (e.g. convert github handles to emails). -``` \ No newline at end of file +``` + +## Native JupyterHub OAuthenticator for GitHub Orgs and Teams + +```{admonition} +This setup is currently only supported for communities that **require** authentication via a GitHub organisation or team. + +We may update this policy in the future. +``` + +For communities that require authenticating users against a GitHub organisation or team, we instead use the native JupyterHub OAuthenticator. +Presently, this involves a few more manual steps than the `auth0` setup described above. + +1. **Create a GitHub OAuth App.** + This can be achieved by following [GitHub's documentation](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app). + - When naming the application, please follow the convention `-` for consistency, e.g. `2i2c-staging` is the OAuth app for the staging hub running on the 2i2c cluster. + - The Homepage URL should match that in the `domain` field of the appropriate `*.cluster.yaml` file in the `pilot-hubs` repo. + - The authorisation callback URL is the homepage url appended with `/hub/oauth_callback` + - Once you have created the OAuth app, make a new of the client ID, generate a client secret and then hold on to these values for a future step + +2. **Transfer the OAuth App to the `2i2c-org` GitHub account.** + By default, OAuth apps are created under your GitHub account. + However, it will be a point of failure if a hub's app is only accessible by a single member of the 2i2c Engineering team. 
+ Therefore, please ensure you transfer it to the `2i2c-org` GitHub org by following [GitHub's documentation](https://docs.github.com/en/developers/apps/managing-oauth-apps/transferring-ownership-of-an-oauth-app). + +3. **Create or update the appropriate secret config file under `secrets/config/hubs/*.cluster.yaml`.** + You should add the following config to this file, pasting in the client ID and secret you generated in step 1. + + ```yaml + hubs: + - name: HUB_NAME + config: + jupyterhub: + hub: + config: + GitHubOAuthenticator: + client_id: CLIENT_ID + client_secret: CLIENT_SECRET + ``` + + ```{note} + Add the `basehub` key between `config` and `jupyterhub` for `daskhub` deployments. + ``` + + ```{admonition} + Make sure this is encrypted with `sops` before committing it to the repository! + + `sops -i -e secrets/config/hub/*.cluster.yaml` + ``` + +4. **Edit the non-secret config under `config/hubs`.** + You should make sure the matching hub config takes one of the following forms. + + To authenticate against a GitHub organisation: + + ```yaml + hubs: + - name: HUB_NAME + auth0: + enabled: false + connection: "" # This key is still required by the schema + ... # Other config + config: + jupyterhub: + hub: + config: + JupyterHub: + authenticator_class: github + GitHubOAuthenticator: + oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback + allowed_organizations: + - 2i2c-org + - ORG_NAME + scope: + - read:user + extraConfig: + 06-custom-authenticator: "" # Required to override our overrides... + ``` + + To authenticate against a GitHub Team: + + ```yaml + hubs: + - name: HUB_NAME + auth0: + enabled: false + connection: "" # This key is still required by the schema + ... 
# Other config + config: + jupyterhub: + hub: + config: + JupyterHub: + authenticator_class: github + GitHubOAuthenticator: + oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback + allowed_organizations: + - 2i2c-org:tech-team + - ORG_NAME:TEAM_NAME + scope: + - read:org + extraConfig: + 06-custom-authenticator: "" # Required to override our overrides... + ``` From fe7cd408668d0b06cae099382af445df91fe1d12 Mon Sep 17 00:00:00 2001 From: Sarah Gibson <44771837+sgibson91@users.noreply.github.com> Date: Thu, 23 Sep 2021 13:38:14 +0100 Subject: [PATCH 05/20] Fix typo in docs --- docs/howto/configure/auth-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto/configure/auth-management.md b/docs/howto/configure/auth-management.md index 602c3b342..b7681def8 100644 --- a/docs/howto/configure/auth-management.md +++ b/docs/howto/configure/auth-management.md @@ -102,7 +102,7 @@ Presently, this involves a few more manual steps than the `auth0` setup describe ```{admonition} Make sure this is encrypted with `sops` before committing it to the repository! - `sops -i -e secrets/config/hub/*.cluster.yaml` + `sops -i -e secrets/config/hubs/*.cluster.yaml` ``` 4. **Edit the non-secret config under `config/hubs`.** From 99e7f8283e9ab323a8c312fe9a282a1b239a891b Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Thu, 23 Sep 2021 13:42:48 +0100 Subject: [PATCH 06/20] Add a `required: false` field for `auth0.connection` --- config/hubs/schema.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/hubs/schema.yaml b/config/hubs/schema.yaml index d03879584..bf1dc15e0 100644 --- a/config/hubs/schema.yaml +++ b/config/hubs/schema.yaml @@ -176,6 +176,7 @@ properties: Authentication method users of the hub can use to log in to the hub. We support a subset of the [connectors](https://auth0.com/docs/identityproviders) that auth0 supports + required: false application_name: type: string description: | 
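Review bot: `required: false` is draft-03 syntax; in the draft-07 schema this file declares, `required` is a list of property names on the enclosing object schema, so at this position it either fails the metaschema check or is ignored, and `connection` stays mandatory if it is listed in `auth0`'s `required` array (outside this hunk). The fix is to drop `connection` from that array rather than annotate the property; with the collapsed indentation I cannot tell whether this line sits inside `connection`'s schema or at the `properties` level, but neither placement makes the key optional. The `auth0` block continues on both sides of the hunk.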
From 4f53a4cc545e1e6c754ce7a7b9cca1d0a7a111f8 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Thu, 23 Sep 2021 13:47:57 +0100 Subject: [PATCH 07/20] Unconditionally read in secret config if it exists --- deployer/hub.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/deployer/hub.py b/deployer/hub.py index c22021edd..fed2f16f0 100644 --- a/deployer/hub.py +++ b/deployer/hub.py @@ -439,9 +439,10 @@ def deploy(self, auth_provider, secret_key, skip_hub_health_test=False): """ Deploy this hub """ - if self.spec["auth0"]['enabled'] == False: - # Auth0 has been disabled. Instead read in secret config. - secret_config_path = Path(os.getcwd()) / "secrets/config/hubs" / f'{self.cluster.spec["name"]}.cluster.yaml' + # Check if this hub has any secret config. If yes, read it in. + secret_config_path = Path(os.getcwd()) / "secrets/config/hubs" / f'{self.cluster.spec["name"]}.cluster.yaml' + + if os.path.exists(secret_config_path): with decrypt_file(secret_config_path) as decrypted_file_path: with open(decrypted_file_path) as f: secret_config = yaml.load(f) From ffb4b959306f9c802439b64bd21f637e6a4d3000 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Thu, 23 Sep 2021 13:56:21 +0100 Subject: [PATCH 08/20] Unset hardcoded authenticator_class config, conditionally set it in deployer --- deployer/hub.py | 1 + hub-templates/basehub/values.yaml | 5 ----- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/deployer/hub.py b/deployer/hub.py index fed2f16f0..3656fbcb0 100644 --- a/deployer/hub.py +++ b/deployer/hub.py 
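Review bot: `os.path.exists(secret_config_path)` turns a missing secret file into a silent no-op, so a hub whose Auth0 is disabled deploys without its OAuth client credentials and only fails once users try to log in; report the path that was checked when nothing is found, e.g. `print(f"No secret config found at {secret_config_path}, deploying without it")`, so the omission is visible in deploy output. The path is also built from `Path(os.getcwd())`, which presumably relies on the earlier `os.chdir("..")` in deploy() having returned to the repository root — confirm, or resolve it from the location of the cluster config file instead. Stylistically, `Path.cwd() / "secrets/config/hubs" / f'{self.cluster.spec["name"]}.cluster.yaml'` and `secret_config_path.exists()` avoid mixing `os.path` with `pathlib`. deploy() starts before and continues after this hunk.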
@@ -367,6 +367,7 @@ def get_generated_config(self, auth_provider: KeyProvider, secret_key): # FIXME: We're hardcoding Auth0OAuthenticator here # We should *not*. We need dictionary merging in code, so # these can all exist fine. + generated_config['jupyterhub']['hub']['config']['JupyterHub']['authenticator_class'] = 'oauthenticator.auth0.Auth0OAuthenticator' generated_config['jupyterhub']['hub']['config']['Auth0OAuthenticator'] = auth_provider.get_client_creds(client, self.spec['auth0']['connection']) return self.apply_hub_template_fixes(generated_config, secret_key) diff --git a/hub-templates/basehub/values.yaml b/hub-templates/basehub/values.yaml index dc27459c1..baff81614 100644 --- a/hub-templates/basehub/values.yaml +++ b/hub-templates/basehub/values.yaml @@ -211,9 +211,6 @@ jupyterhub: image: name: quay.io/2i2c/pilot-hub tag: '0.0.1-n1159.h5b045cd' - config: - JupyterHub: - authenticator_class: oauthenticator.auth0.Auth0OAuthenticator nodeSelector: hub.jupyter.org/node-purpose: core networkPolicy: @@ -317,8 +314,6 @@ jupyterhub: resp['name'] = resp['name'].split('|')[-1] return resp - c.JupyterHub.authenticator_class = CustomOAuthenticator - 07-cloud-storage-bucket: | from z2jh import get_config cloud_resources = get_config('custom.cloudResources') From c2587f521fd6cd0f7f8573319e3b35ebcb72cffb Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Thu, 23 Sep 2021 14:05:21 +0100 Subject: [PATCH 09/20] Update docs to reflect most recent fixes --- docs/howto/configure/auth-management.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/docs/howto/configure/auth-management.md b/docs/howto/configure/auth-management.md index b7681def8..2e396be42 100644 --- a/docs/howto/configure/auth-management.md +++ b/docs/howto/configure/auth-management.md 
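Review bot: Setting `authenticator_class` to `'oauthenticator.auth0.Auth0OAuthenticator'` while the two values.yaml hunks on this same line delete `c.JupyterHub.authenticator_class = CustomOAuthenticator` switches every Auth0 hub to the stock class, so the `resp['name'] = resp['name'].split('|')[-1]` rewrite in `CustomOAuthenticator` no longer runs and, if that field is what becomes the hub username, existing users would come back under new names — the lockout the docs' "Switching auth" admonition warns about. If the subclass is meant to stay in use the deployer should name it (the later "Update dynamically set authenticator_class" hunk does so), and the stale `# FIXME: We're hardcoding Auth0OAuthenticator here` comment should say which class is set and why. The assignment also assumes `generated_config['jupyterhub']['hub']['config']` already contains a `JupyterHub` key — confirm against the template, or use `.setdefault('JupyterHub', {})`. get_generated_config() starts before this hunk.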
@@ -115,7 +115,6 @@ Presently, this involves a few more manual steps than the `auth0` setup describe - name: HUB_NAME auth0: enabled: false - connection: "" # This key is still required by the schema ... # Other config config: jupyterhub: @@ -130,8 +129,6 @@ Presently, this involves a few more manual steps than the `auth0` setup describe - ORG_NAME scope: - read:user - extraConfig: - 06-custom-authenticator: "" # Required to override our overrides... ``` To authenticate against a GitHub Team: @@ -141,7 +138,6 @@ Presently, this involves a few more manual steps than the `auth0` setup describe - name: HUB_NAME auth0: enabled: false - connection: "" # This key is still required by the schema ... # Other config config: jupyterhub: @@ -156,6 +152,4 @@ Presently, this involves a few more manual steps than the `auth0` setup describe - ORG_NAME:TEAM_NAME scope: - read:org - extraConfig: - 06-custom-authenticator: "" # Required to override our overrides... ``` From 7d1c6d7596d654213daac58609d8975b41ad07c3 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Thu, 23 Sep 2021 14:07:12 +0100 Subject: [PATCH 10/20] Remove whitelist, update admonition on switching providers --- docs/howto/configure/auth-management.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/docs/howto/configure/auth-management.md b/docs/howto/configure/auth-management.md index 2e396be42..3c33ad68f 100644 --- a/docs/howto/configure/auth-management.md +++ b/docs/howto/configure/auth-management.md @@ -40,13 +40,11 @@ So we want to manage authentication by: config: jupyterhub: auth: - # will be renamed allowedlist in future JupyterHub - whitelist: - users: + allowed_users: # WARNING: THESE USER LISTS MUST MATCH (for now) - user1@gmail.com - user2@gmail.com - admin: + admin_users: users: # WARNING: THESE USER LISTS MUST MATCH (for now) - user1@gmail.com 
@@ -54,7 +52,7 @@ So we want to manage authentication by: ``` ```{admonition} Switching auth -Switching authentication for a pre-existing hub will simply create new usernames. Any pre-existing users will no longer be able to access their accounts (although administrators will be able to do so). If you have pre-existing users and want to switch the hub authentication, rename the users to the new auth pattern (e.g. convert github handles to emails). +Switching authentication providers (e.g. from GitHub to Google) for a pre-existing hub will simply create new usernames. Any pre-existing users will no longer be able to access their accounts (although administrators will be able to do so). If you have pre-existing users and want to switch the hub authentication, rename the users to the new auth pattern (e.g. convert github handles to emails). ``` ## Native JupyterHub OAuthenticator for GitHub Orgs and Teams From abaa2239f746c3ed7eee5b0e257980ab90350b17 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Thu, 23 Sep 2021 14:10:23 +0100 Subject: [PATCH 11/20] Add some more doc fixes --- docs/howto/configure/auth-management.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/howto/configure/auth-management.md b/docs/howto/configure/auth-management.md index 3c33ad68f..f35012c49 100644 --- a/docs/howto/configure/auth-management.md +++ b/docs/howto/configure/auth-management.md 
@@ -68,17 +68,14 @@ Presently, this involves a few more manual steps than the `auth0` setup describe 1. **Create a GitHub OAuth App.** This can be achieved by following [GitHub's documentation](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app). + Use the "Switch account" button at the top of your settings page to make sure you have `2i2c-org` selected. + That way, the app will be owned by the `2i2c-org` GitHub org, rather than your personal GitHub account. - When naming the application, please follow the convention `-` for consistency, e.g. `2i2c-staging` is the OAuth app for the staging hub running on the 2i2c cluster. - The Homepage URL should match that in the `domain` field of the appropriate `*.cluster.yaml` file in the `pilot-hubs` repo. - The authorisation callback URL is the homepage url appended with `/hub/oauth_callback` - Once you have created the OAuth app, make a new of the client ID, generate a client secret and then hold on to these values for a future step -2. **Transfer the OAuth App to the `2i2c-org` GitHub account.** - By default, OAuth apps are created under your GitHub account. - However, it will be a point of failure if a hub's app is only accessible by a single member of the 2i2c Engineering team. - Therefore, please ensure you transfer it to the `2i2c-org` GitHub org by following [GitHub's documentation](https://docs.github.com/en/developers/apps/managing-oauth-apps/transferring-ownership-of-an-oauth-app). - -3. **Create or update the appropriate secret config file under `secrets/config/hubs/*.cluster.yaml`.** +2. **Create or update the appropriate secret config file under `secrets/config/hubs/*.cluster.yaml`.** You should add the following config to this file, pasting in the client ID and secret you generated in step 1. ```yaml 
@@ -103,7 +100,7 @@ Presently, this involves a few more manual steps than the `auth0` setup describe `sops -i -e secrets/config/hubs/*.cluster.yaml` ``` -4. **Edit the non-secret config under `config/hubs`.** +3. **Edit the non-secret config under `config/hubs`.** You should make sure the matching hub config takes one of the following forms. To authenticate against a GitHub organisation: @@ -151,3 +148,5 @@ Presently, this involves a few more manual steps than the `auth0` setup describe scope: - read:org ``` + +4. Run the deployer as normal to apply the config. From 81c40be499b28396c10c9531667beb47db52f643 Mon Sep 17 00:00:00 2001 From: Sarah Gibson <44771837+sgibson91@users.noreply.github.com> Date: Mon, 27 Sep 2021 11:08:58 +0100 Subject: [PATCH 12/20] Add links Co-authored-by: Chris Holdgraf --- docs/howto/configure/auth-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto/configure/auth-management.md b/docs/howto/configure/auth-management.md index f35012c49..e29759f0f 100644 --- a/docs/howto/configure/auth-management.md +++ b/docs/howto/configure/auth-management.md @@ -63,7 +63,7 @@ This setup is currently only supported for communities that **require** authenti We may update this policy in the future. ``` -For communities that require authenticating users against a GitHub organisation or team, we instead use the native JupyterHub OAuthenticator. +For communities that require authenticating users against [a GitHub organisation or team](https://docs.github.com/en/organizations), we instead use the [native JupyterHub OAuthenticator](https://github.com/jupyterhub/oauthenticator). Presently, this involves a few more manual steps than the `auth0` setup described above. 1. **Create a GitHub OAuth App.** From 93a792a6ddc17317a4bbf94212e3f4c619ad6a5a Mon Sep 17 00:00:00 2001 
From: Sarah Gibson <44771837+sgibson91@users.noreply.github.com> Date: Mon, 27 Sep 2021 11:09:08 +0100 Subject: [PATCH 13/20] Update docs/howto/configure/auth-management.md Co-authored-by: Chris Holdgraf --- docs/howto/configure/auth-management.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/howto/configure/auth-management.md b/docs/howto/configure/auth-management.md index e29759f0f..74ead8ca3 100644 --- a/docs/howto/configure/auth-management.md +++ b/docs/howto/configure/auth-management.md @@ -68,8 +68,8 @@ Presently, this involves a few more manual steps than the `auth0` setup describe 1. **Create a GitHub OAuth App.** This can be achieved by following [GitHub's documentation](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app). - Use the "Switch account" button at the top of your settings page to make sure you have `2i2c-org` selected. - That way, the app will be owned by the `2i2c-org` GitHub org, rather than your personal GitHub account. + - Use the "Switch account" button at the top of your settings page to make sure you have `2i2c-org` selected. + That way, the app will be owned by the `2i2c-org` GitHub org, rather than your personal GitHub account. - When naming the application, please follow the convention `-` for consistency, e.g. `2i2c-staging` is the OAuth app for the staging hub running on the 2i2c cluster. - The Homepage URL should match that in the `domain` field of the appropriate `*.cluster.yaml` file in the `pilot-hubs` repo. - The authorisation callback URL is the homepage url appended with `/hub/oauth_callback` From 969869a79cb363b21d899b8b664591e25ea6cb50 Mon Sep 17 00:00:00 2001 From: Sarah Gibson <44771837+sgibson91@users.noreply.github.com> Date: Mon, 27 Sep 2021 11:09:31 +0100 Subject: [PATCH 14/20] Add example of /hub/oauth_callback url Co-authored-by: Chris Holdgraf --- docs/howto/configure/auth-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/howto/configure/auth-management.md b/docs/howto/configure/auth-management.md index 74ead8ca3..105dc70d3 100644 --- a/docs/howto/configure/auth-management.md +++ b/docs/howto/configure/auth-management.md @@ -72,7 +72,7 @@ Presently, this involves a few more manual steps than the `auth0` setup describe That way, the app will be owned by the `2i2c-org` GitHub org, rather than your personal GitHub account. - When naming the application, please follow the convention `-` for consistency, e.g. `2i2c-staging` is the OAuth app for the staging hub running on the 2i2c cluster. - The Homepage URL should match that in the `domain` field of the appropriate `*.cluster.yaml` file in the `pilot-hubs` repo. - - The authorisation callback URL is the homepage url appended with `/hub/oauth_callback` + - The authorisation callback URL is the homepage url appended with `/hub/oauth_callback`. For example, `staging.pilot.2i2c.cloud/hub/oauth_callback`. - Once you have created the OAuth app, make a new of the client ID, generate a client secret and then hold on to these values for a future step 2. **Create or update the appropriate secret config file under `secrets/config/hubs/*.cluster.yaml`.** From e3f88f0014261ae29aff4b7ccbe46bd1918b8147 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Mon, 27 Sep 2021 13:08:33 +0100 Subject: [PATCH 15/20] Switch admonition blocks for notes --- docs/howto/configure/auth-management.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/howto/configure/auth-management.md b/docs/howto/configure/auth-management.md index 105dc70d3..97b42cebb 100644 --- a/docs/howto/configure/auth-management.md +++ b/docs/howto/configure/auth-management.md 
@@ -57,7 +57,7 @@ Switching authentication providers (e.g. from GitHub to Google) for a pre-existi ## Native JupyterHub OAuthenticator for GitHub Orgs and Teams -```{admonition} +```{note} This setup is currently only supported for communities that **require** authentication via a GitHub organisation or team. We may update this policy in the future. @@ -94,7 +94,7 @@ Presently, this involves a few more manual steps than the `auth0` setup describe Add the `basehub` key between `config` and `jupyterhub` for `daskhub` deployments. ``` - ```{admonition} + ```{note} Make sure this is encrypted with `sops` before committing it to the repository! `sops -i -e secrets/config/hubs/*.cluster.yaml` From 2646ecf5c6ce6a35ec080fa7cb3064ffde4e7782 Mon Sep 17 00:00:00 2001 From: Sarah Gibson <44771837+sgibson91@users.noreply.github.com> Date: Mon, 27 Sep 2021 13:18:54 +0100 Subject: [PATCH 16/20] Update deployer/hub.py --- deployer/hub.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployer/hub.py b/deployer/hub.py index 3656fbcb0..6ae079a86 100644 --- a/deployer/hub.py +++ b/deployer/hub.py @@ -440,7 +440,7 @@ def deploy(self, auth_provider, secret_key, skip_hub_health_test=False): """ Deploy this hub """ - # Check if this hub has any secret config. If yes, read it in. + # Check if this cluster has any secret config. If yes, read it in. secret_config_path = Path(os.getcwd()) / "secrets/config/hubs" / f'{self.cluster.spec["name"]}.cluster.yaml' if os.path.exists(secret_config_path): From fe4ab0101b6900997b9c1c0fc90e62b1b57e1720 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Tue, 28 Sep 2021 15:13:27 +0100 Subject: [PATCH 17/20] Remove stray `users` key from code snippet in docs --- docs/howto/configure/auth-management.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/howto/configure/auth-management.md b/docs/howto/configure/auth-management.md index 97b42cebb..deb03677a 100644 --- a/docs/howto/configure/auth-management.md 
+++ b/docs/howto/configure/auth-management.md @@ -45,7 +45,6 @@ So we want to manage authentication by: - user1@gmail.com - user2@gmail.com admin_users: - users: # WARNING: THESE USER LISTS MUST MATCH (for now) - user1@gmail.com - user2@gmail.com From c93769442483127f4fd7a5cbe5ba98860ae6217d Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Wed, 29 Sep 2021 10:42:02 +0100 Subject: [PATCH 18/20] Give more explicit fallback when reading secret config --- deployer/hub.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployer/hub.py b/deployer/hub.py index d1e6cbfa2..4c6796dbe 100644 --- a/deployer/hub.py +++ b/deployer/hub.py @@ -427,7 +427,7 @@ def deploy(self, auth_provider, secret_key, skip_hub_health_test=False): if self.spec["template"] == "daskhub": subprocess.check_call(["helm", "dep", "up", "daskhub"]) os.chdir("..") - + # Check if this cluster has any secret config. If yes, read it in. secret_config_path = Path(os.getcwd()) / "secrets/config/hubs" / f'{self.cluster.spec["name"]}.cluster.yaml' @@ -437,7 +437,7 @@ def deploy(self, auth_provider, secret_key, skip_hub_health_test=False): secret_config = yaml.load(f) hubs = secret_config["hubs"] - secret_hub_config = next((hub for i, hub in enumerate(hubs) if hubs[i]["name"] == self.spec["name"]), None) + secret_hub_config = next((hub for i, hub in enumerate(hubs) if hubs[i]["name"] == self.spec["name"]), {"config": {}}) secret_hub_config = secret_hub_config["config"] else: secret_hub_config = {} From 5ca78c96d690e7ce8ff6b30228e18631d1c23b01 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Wed, 29 Sep 2021 10:44:15 +0100 Subject: [PATCH 19/20] Clarify a note in docs --- docs/howto/configure/auth-management.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/howto/configure/auth-management.md b/docs/howto/configure/auth-management.md index deb03677a..715c451ca 100644 --- a/docs/howto/configure/auth-management.md 
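Review bot: The new `{"config": {}}` default covers a hub with no entry in the secret file, but the two lookups around it are still strict: `secret_config["hubs"]` in the context line above raises `KeyError` for a secret file without a `hubs` key (the new `secrets/config/hubs/schema.yaml` does not mark it required), and `secret_hub_config["config"]` raises for an entry that has `name` but no `config`. `hubs = secret_config.get("hubs", [])` and `secret_hub_config = secret_hub_config.get("config", {})` complete the explicit fallback this commit sets out to provide. deploy() starts before and continues after this hunk.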
+++ b/docs/howto/configure/auth-management.md @@ -89,9 +89,19 @@ Presently, this involves a few more manual steps than the `auth0` setup describe client_secret: CLIENT_SECRET ``` - ```{note} + ````{note} Add the `basehub` key between `config` and `jupyterhub` for `daskhub` deployments. + For example: + + ```yaml + hubs: + - name: HUB_NAME + config: + basehub: + jupyterhub: + ... ``` + ```` ```{note} Make sure this is encrypted with `sops` before committing it to the repository! From b1d6aac999bc8d51890da7a99f0f6aab2ea18af6 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Wed, 29 Sep 2021 10:46:13 +0100 Subject: [PATCH 20/20] Update dynamically set authenticator_class to be CustomOAuthenticator for auth0 hubs --- deployer/hub.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployer/hub.py b/deployer/hub.py index 4c6796dbe..eb0c52f38 100644 --- a/deployer/hub.py +++ b/deployer/hub.py @@ -348,7 +348,7 @@ def get_generated_config(self, auth_provider: KeyProvider, secret_key): # FIXME: We're hardcoding Auth0OAuthenticator here # We should *not*. We need dictionary merging in code, so # these can all exist fine. - generated_config['jupyterhub']['hub']['config']['JupyterHub']['authenticator_class'] = 'oauthenticator.auth0.Auth0OAuthenticator' + generated_config['jupyterhub']['hub']['config']['JupyterHub']['authenticator_class'] = 'CustomOAuthenticator' generated_config['jupyterhub']['hub']['config']['Auth0OAuthenticator'] = auth_provider.get_client_creds(client, self.spec['auth0']['connection']) return self.apply_hub_template_fixes(generated_config, secret_key)
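Review bot: `'CustomOAuthenticator'` is a bare class name; JupyterHub resolves a string `authenticator_class` as an entry-point name or an importable dotted path, so this only works if the class defined in the basehub `extraConfig` snippet is importable or registered by the time hub config is loaded — confirm, since the removed `c.JupyterHub.authenticator_class = CustomOAuthenticator` line assigned the class object directly and had no such dependency. The `# FIXME: We're hardcoding Auth0OAuthenticator here` comment in the context is now misleading; if the intended split is as the docs describe, rewrite it as `# Auth0 hubs use the CustomOAuthenticator subclass from basehub's extraConfig; hubs with auth0.enabled false set their own authenticator_class in config/hubs.` get_generated_config() starts before this hunk.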