This repository has been archived by the owner on Dec 5, 2024. It is now read-only.

Example for experimenting with how JupyterHub can be configured to work with Kerberos

jupyterhub/jupyterhub-example-kerberos

jupyterhub-example-kerberos

A proving ground for configuring JupyterHub to work with Kerberos.

This project exists to help you (and us) learn how JupyterHub and Kerberos can interoperate. It will never provide an out-of-the-box, production-ready experience.

At the moment, it is very much a work in progress. If you have experience configuring JupyterHub with Kerberos, please jump in and help us out!

Goals

  • Two local users (principals), alice and bob, can successfully log in to JupyterHub when it is configured with PAM backed by Kerberos.
  • The two users automatically receive a Kerberos ticket-granting ticket (TGT) upon Hub login.
  • The TGT resides in an on-disk credential cache (ccache) which is read-write accessible by the owner alone.
  • The users can refresh the TGT with the kinit command from within any terminal or Python notebook.
  • The users can create keytab files with the ktutil command from within any terminal or Python notebook.
  • All other JupyterHub functions behave as expected: starting notebook servers, stopping notebook servers, logging out, admin functions, etc.
  • The above works with the following spawners:
    • default spawner
    • sudospawner
    • your contribution welcome!

Running

Start a KDC container and two JupyterHub containers, one using the default local spawner and the other the sudo spawner, by running docker-compose up.

Visit http://localhost:8000 to access the JupyterHub instance running as root and configured with the local spawner. Visit http://localhost:8001 to access the instance running as jupyter and configured with the sudo spawner. Log in to either instance with the username alice or bob and a password matching the username.

Click New → Terminal to start a terminal session. View the ticket-granting ticket received during login by running klist. Renew the TGT by running kinit -R.

Generate a keytab by running the following commands, substituting bob for alice if you logged into JupyterHub with that user instead.

ktutil
addent -password -p alice@KDC.LOCAL -k 1 -e rc4-hmac
wkt /home/alice/.keytab
quit

Show the contents of the keytab by running klist -k ~/.keytab.
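
The goal that the ccache be read-write accessible by its owner alone can be checked from a terminal or notebook after login, and the same check applies to the keytab written above, since it holds long-term keys. The Python below is an added example, not part of this repository: the function names are hypothetical, and the fallback path /tmp/krb5cc_<uid> assumes the common MIT Kerberos default for file caches.

```python
import os
import stat


def ccache_path(krb5ccname, uid):
    """Map a KRB5CCNAME value to a file path; None if it is not a FILE cache."""
    if not krb5ccname:
        return f"/tmp/krb5cc_{uid}"  # assumed default location, see lead-in
    if krb5ccname.startswith("FILE:"):
        return krb5ccname[len("FILE:"):]
    if krb5ccname.startswith("/"):
        return krb5ccname  # a bare path is treated as a FILE cache
    return None  # KEYRING:, DIR:, KCM:, MEMORY: have no single file to stat


def audit_credential_file(path, uid):
    """Return findings for a ccache or keytab; [] means owner-only read-write."""
    try:
        st = os.lstat(path)  # lstat so a symlink is reported, not followed
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {uid}")
    if mode & 0o077:
        findings.append(f"{path}: group/other access, mode {mode:04o}")
    if mode & 0o600 != 0o600:
        findings.append(f"{path}: owner lacks read-write, mode {mode:04o}")
    return findings


if __name__ == "__main__":
    uid = os.getuid()
    targets = [ccache_path(os.environ.get("KRB5CCNAME", ""), uid),
               os.path.expanduser("~/.keytab")]
    for target in targets:
        if target is None:
            print("ccache is not file-based; nothing to stat")
            continue
        for line in audit_credential_file(target, uid) or [f"{target}: ok"]:
            print(line)
```

An empty findings list for both the ccache and ~/.keytab corresponds to mode 0600 with the logged-in user as owner.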
