From 8f4e3c69df7a78f603eee02c493191d8e28507c1 Mon Sep 17 00:00:00 2001 From: Simon Li Date: Mon, 16 Apr 2018 18:08:38 +0100 Subject: [PATCH 1/6] Add z2jh method to set config properties only if defined --- images/hub/jupyterhub_config.py | 2 +- images/hub/z2jh.py | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/images/hub/jupyterhub_config.py b/images/hub/jupyterhub_config.py index ace4f010aa..8828b1ec13 100644 --- a/images/hub/jupyterhub_config.py +++ b/images/hub/jupyterhub_config.py @@ -3,7 +3,7 @@ from tornado.httpclient import AsyncHTTPClient from kubernetes import client -from z2jh import get_config, get_secret +from z2jh import get_config, get_secret, set_config_if_not_none # Configure JupyterHub to use the curl backend for making HTTP requests, # rather than the pure-python implementations. The default one starts diff --git a/images/hub/z2jh.py b/images/hub/z2jh.py index b044d0994e..552de09ad0 100644 --- a/images/hub/z2jh.py +++ b/images/hub/z2jh.py @@ -29,3 +29,12 @@ def get_secret(key, default=None): return f.read().strip() except FileNotFoundError: return default + +def set_config_if_not_none(cparent, name, key): + """ + Find a config item of a given name, set the corresponding Jupyter + configuration item if not None + """ + data = get_config(key) + if data is not None: + setattr(cparent, name, data) From cfa4eac486aaf35225fc4a038f688da392098e12 Mon Sep 17 00:00:00 2001 From: Simon Li Date: Mon, 16 Apr 2018 18:09:16 +0100 Subject: [PATCH 2/6] Add jupyterhub/ldapauthenticator to hub image --- images/hub/requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/images/hub/requirements.txt b/images/hub/requirements.txt index 0a6ac5f9f3..66357d418f 100644 --- a/images/hub/requirements.txt +++ b/images/hub/requirements.txt 
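Review bot: In `images/hub/z2jh.py`, the docstring of `set_config_if_not_none` does not say what `cparent`, `name` and `key` are, or that only `None` is skipped, so values such as `False`, `0` or an empty list are still assigned. I would document the three parameters (the config section to write to, the attribute to set on it, and the key passed to `get_config`) and add a comment above the check such as `# None (key not provided): leave the authenticator's own default in place`. That matters for security-relevant settings, because an omitted key silently leaves whatever default the installed authenticator ships. `get_config` is defined above the hunk, so how it treats empty values is not visible here.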
@@ -11,3 +11,4 @@ globus_sdk[jwt]==1.2.1 oauthenticator==0.7.2 cryptography==2.0.3 https://github.com/jupyterhub/kubespawner/archive/085cb30.tar.gz +https://github.com/jupyterhub/ldapauthenticator/archive/1bb93f3.tar.gz From 5718afffaa2b5995f31cff3d2e3e6bc06fedb195 Mon Sep 17 00:00:00 2001 From: Simon Li Date: Mon, 16 Apr 2018 18:10:49 +0100 Subject: [PATCH 3/6] Add LDAPAuthenticator to hub config --- images/hub/jupyterhub_config.py | 16 ++++++++++++++++ jupyterhub/templates/hub/configmap.yaml | 22 ++++++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/images/hub/jupyterhub_config.py b/images/hub/jupyterhub_config.py index 8828b1ec13..eefcb1e0cd 100644 --- a/images/hub/jupyterhub_config.py +++ b/images/hub/jupyterhub_config.py 
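Review bot: The added `ldapauthenticator` line in `images/hub/requirements.txt` installs an archive addressed by an abbreviated commit id (`1bb93f3`) with no integrity check, so the hub image trusts whatever is served for that URL at build time. Since this package handles user credentials, I would reference the full 40-character commit SHA and add a pip hash, e.g. `https://github.com/jupyterhub/ldapauthenticator/archive/<FULL_COMMIT_SHA>.tar.gz --hash=sha256:<ARCHIVE_SHA256>` (both placeholders). pip's hash-checking mode applies to the whole requirements file, so the neighbouring kubespawner archive line and the pinned PyPI packages would need hashes as well.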
@@ -175,6 +175,22 @@ elif auth_type == 'lti': c.JupyterHub.authenticator_class = 'ltiauthenticator.LTIAuthenticator' c.LTIAuthenticator.consumers = get_config('auth.lti.consumers') +elif auth_type == 'ldap': + c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator' + c.LDAPAuthenticator.server_address = get_config('auth.ldap.server.address') + set_config_if_not_none(c.LDAPAuthenticator, 'server_port', 'auth.ldap.server.port') + set_config_if_not_none(c.LDAPAuthenticator, 'use_ssl', 'auth.ldap.server.ssl') + set_config_if_not_none(c.LDAPAuthenticator, 'allowed_groups', 'auth.ldap.allowed-groups') + c.LDAPAuthenticator.bind_dn_template = get_config('auth.ldap.dn.templates') + set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn', 'auth.ldap.dn.lookup') + set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn_search_filter', 'auth.ldap.dn.search.filter') + set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn_search_user', 'auth.ldap.dn.search.user') + set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn_search_password', 'auth.ldap.dn.search.password') + set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn_user_dn_attribute', 'auth.ldap.dn.user-dn-attribute') + set_config_if_not_none(c.LDAPAuthenticator, 'escape_userdn', 'auth.ldap.dn.user.escape') + set_config_if_not_none(c.LDAPAuthenticator, 'valid_username_regex', 'auth.ldap.dn.user.valid-regex') + set_config_if_not_none(c.LDAPAuthenticator, 'user_search_base', 'auth.ldap.dn.user.search-base') + set_config_if_not_none(c.LDAPAuthenticator, 'user_attribute', 'auth.ldap.user.attribute') elif auth_type == 'custom': # full_class_name looks like "myauthenticator.MyAuthenticator". # To create a docker image with this class availabe, you can just have the diff --git a/jupyterhub/templates/hub/configmap.yaml b/jupyterhub/templates/hub/configmap.yaml index 74aba7d545..4c7fd4f0d4 100644 --- a/jupyterhub/templates/hub/configmap.yaml +++ b/jupyterhub/templates/hub/configmap.yaml 
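Review bot: `lookup_dn_search_password` is read with `get_config('auth.ldap.dn.search.password')`, so the LDAP search account's bind password travels through the hub ConfigMap (see the matching `auth.ldap.dn.search.password` line in the `configmap.yaml` hunk of this patch) rather than a Secret. ConfigMaps are usually readable by more principals than Secrets and are not covered by Secret-specific protections, so I would move this key to the hub Secret and read it with the already imported `get_secret`: `pw = get_secret('auth.ldap.dn.search.password')` followed by `if pw is not None: c.LDAPAuthenticator.lookup_dn_search_password = pw`. Separately, `use_ssl` is only set when `auth.ldap.server.ssl` is provided, so whether user passwords are sent over an encrypted connection depends on the default in the pinned ldapauthenticator commit; a comment stating the expected default would help. The `elif` chain this branch belongs to starts and ends outside the hunk.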
@@ -56,6 +56,28 @@ data: auth.lti.consumers: | {{ toYaml .Values.auth.lti.consumers | indent 4 }} {{- end }} + {{ if eq .Values.auth.type "ldap" -}} + auth.ldap.server.address: {{ .Values.auth.ldap.server.address | quote }} + auth.ldap.server.port: {{ .Values.auth.ldap.server.port | quote }} + auth.ldap.server.ssl: {{ .Values.auth.ldap.server.ssl | quote }} + {{ if .Values.auth.ldap.allowedGroups -}} + auth.ldap.allowed-groups: | +{{ toYaml .Values.auth.ldap.allowedGroups | indent 4 }} + {{- end }} + {{ if .Values.auth.ldap.dn.templates -}} + auth.ldap.dn.templates: | +{{ toYaml .Values.auth.ldap.dn.templates | indent 4 }} + {{- end }} + auth.ldap.dn.lookup: {{ .Values.auth.ldap.dn.lookup }} + auth.ldap.dn.search.filter: {{ .Values.auth.ldap.dn.search.filter }} + auth.ldap.dn.search.user: {{ .Values.auth.ldap.dn.search.user }} + auth.ldap.dn.search.password: {{ .Values.auth.ldap.dn.search.password }} + auth.ldap.dn.user-dn-attribute: {{ .Values.auth.ldap.dn.userDnAttribute }} + auth.ldap.dn.user.escape: {{ .Values.auth.ldap.dn.user.escape }} + auth.ldap.dn.user.valid-regex: {{ .Values.auth.ldap.dn.user.validRegex }} + auth.ldap.dn.user.search-base: {{ .Values.auth.ldap.dn.user.searchBase }} + auth.ldap.user.attribute: {{ .Values.auth.ldap.user.attribute }} + {{- end }} {{ if .Values.auth.whitelist.users -}} auth.whitelist.users: | From 0ba4149bed9fbb17737edaf0ff7e42af00c573e5 Mon Sep 17 00:00:00 2001 From: Simon Li Date: Mon, 16 Apr 2018 18:11:30 +0100 Subject: [PATCH 4/6] Add empty ldap.* values to avoid helm errors --- jupyterhub/values.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/jupyterhub/values.yaml b/jupyterhub/values.yaml index eac687aaef..647063ab14 100644 --- a/jupyterhub/values.yaml +++ b/jupyterhub/values.yaml @@ -115,6 +115,11 @@ auth: users: dummy: password: + ldap: + dn: + search: {} + user: {} + user: {} state: enabled: false cryptoKey: From 5f5dbb29df8586e05230e2a919e45071b4001748 Mon Sep 17 00:00:00 2001 
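Review bot: In the `configmap.yaml` hunk, the values from `auth.ldap.dn.lookup` down to `auth.ldap.user.attribute` are rendered without `| quote`, unlike the three `auth.ldap.server.*` keys above them. ConfigMap `data` values must be strings, yet an unset value renders as an empty (null) entry and a boolean such as `lookup: true` renders as a non-string. A search filter or `validRegex` that begins with `[`, `{` or `*`, or contains `: ` or ` #`, will be parsed as YAML structure or truncated, which may alter the username validation that ends up applied. I would quote each one, e.g. `auth.ldap.dn.user.valid-regex: {{ .Values.auth.ldap.dn.user.validRegex | quote }}`, or wrap each key in an `if` as is done for `allowedGroups` and `dn.templates`. The same unquoted lines are carried through the `configmap.yaml` hunks of PATCH 5/6 and 6/6.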
From: Simon Li Date: Tue, 17 Apr 2018 09:59:06 +0100 Subject: [PATCH 5/6] Fix user.dn-attribute property --- images/hub/jupyterhub_config.py | 2 +- jupyterhub/templates/hub/configmap.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/images/hub/jupyterhub_config.py b/images/hub/jupyterhub_config.py index eefcb1e0cd..64247aead1 100644 --- a/images/hub/jupyterhub_config.py +++ b/images/hub/jupyterhub_config.py @@ -186,7 +186,7 @@ set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn_search_filter', 'auth.ldap.dn.search.filter') set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn_search_user', 'auth.ldap.dn.search.user') set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn_search_password', 'auth.ldap.dn.search.password') - set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn_user_dn_attribute', 'auth.ldap.dn.user-dn-attribute') + set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn_user_dn_attribute', 'auth.ldap.dn.user.dn-attribute') set_config_if_not_none(c.LDAPAuthenticator, 'escape_userdn', 'auth.ldap.dn.user.escape') set_config_if_not_none(c.LDAPAuthenticator, 'valid_username_regex', 'auth.ldap.dn.user.valid-regex') set_config_if_not_none(c.LDAPAuthenticator, 'user_search_base', 'auth.ldap.dn.user.search-base') diff --git a/jupyterhub/templates/hub/configmap.yaml b/jupyterhub/templates/hub/configmap.yaml index 4c7fd4f0d4..a1294a7ea0 100644 --- a/jupyterhub/templates/hub/configmap.yaml +++ b/jupyterhub/templates/hub/configmap.yaml 
@@ -72,7 +72,7 @@ data: auth.ldap.dn.search.filter: {{ .Values.auth.ldap.dn.search.filter }} auth.ldap.dn.search.user: {{ .Values.auth.ldap.dn.search.user }} auth.ldap.dn.search.password: {{ .Values.auth.ldap.dn.search.password }} - auth.ldap.dn.user-dn-attribute: {{ .Values.auth.ldap.dn.userDnAttribute }} + auth.ldap.dn.user.dn-attribute: {{ .Values.auth.ldap.dn.user.dnAttribute }} auth.ldap.dn.user.escape: {{ .Values.auth.ldap.dn.user.escape }} auth.ldap.dn.user.valid-regex: {{ .Values.auth.ldap.dn.user.validRegex }} auth.ldap.dn.user.search-base: {{ .Values.auth.ldap.dn.user.searchBase }} From 39dbd7a961c286c853531b0c3fa33cfd491a3b1d Mon Sep 17 00:00:00 2001 From: Simon Li Date: Tue, 17 Apr 2018 10:58:11 +0100 Subject: [PATCH 6/6] Move user.attribute under dn --- images/hub/jupyterhub_config.py | 2 +- jupyterhub/templates/hub/configmap.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/images/hub/jupyterhub_config.py b/images/hub/jupyterhub_config.py index 64247aead1..36f574ba59 100644 --- a/images/hub/jupyterhub_config.py +++ b/images/hub/jupyterhub_config.py @@ -190,7 +190,7 @@ set_config_if_not_none(c.LDAPAuthenticator, 'escape_userdn', 'auth.ldap.dn.user.escape') set_config_if_not_none(c.LDAPAuthenticator, 'valid_username_regex', 'auth.ldap.dn.user.valid-regex') set_config_if_not_none(c.LDAPAuthenticator, 'user_search_base', 'auth.ldap.dn.user.search-base') - set_config_if_not_none(c.LDAPAuthenticator, 'user_attribute', 'auth.ldap.user.attribute') + set_config_if_not_none(c.LDAPAuthenticator, 'user_attribute', 'auth.ldap.dn.user.attribute') elif auth_type == 'custom': # full_class_name looks like "myauthenticator.MyAuthenticator". # To create a docker image with this class availabe, you can just have the diff --git a/jupyterhub/templates/hub/configmap.yaml b/jupyterhub/templates/hub/configmap.yaml index a1294a7ea0..bdba0d268a 100644 --- a/jupyterhub/templates/hub/configmap.yaml +++ b/jupyterhub/templates/hub/configmap.yaml 
@@ -76,7 +76,7 @@ data: auth.ldap.dn.user.escape: {{ .Values.auth.ldap.dn.user.escape }} auth.ldap.dn.user.valid-regex: {{ .Values.auth.ldap.dn.user.validRegex }} auth.ldap.dn.user.search-base: {{ .Values.auth.ldap.dn.user.searchBase }} - auth.ldap.user.attribute: {{ .Values.auth.ldap.user.attribute }} + auth.ldap.dn.user.attribute: {{ .Values.auth.ldap.dn.user.attribute }} {{- end }} {{ if .Values.auth.whitelist.users -}}