Set auth_state_groups_key to teams and manage_groups to true for hubs…

… using GitHub team based authorization
2i2c-org · Dec 17, 2024 · 37be2ef · 37be2ef
1 parent 2c42b71
commit 37be2ef
Show file tree

Hide file tree

Showing 14 changed files with 29 additions and 15 deletions.
diff --git a/config/clusters/2i2c-aws-us/itcoocean.values.yaml b/config/clusters/2i2c-aws-us/itcoocean.values.yaml
@@ -35,6 +35,8 @@ jupyterhub:
       GitHubOAuthenticator:
         oauth_callback_url: https://itcoocean.2i2c.cloud/hub/oauth_callback
         populate_teams_in_auth_state: true
+        auth_state_groups_key: "teams"
+        manage_groups: true
         allowed_organizations:
           - Hackweek-ITCOocean:itcoocean-hackweek-2023
           - nmfs-opensci:2i2c-demo

diff --git a/config/clusters/2i2c-aws-us/showcase.values.yaml b/config/clusters/2i2c-aws-us/showcase.values.yaml
@@ -39,6 +39,8 @@ basehub:
         GitHubOAuthenticator:
           oauth_callback_url: "https://showcase.2i2c.cloud/hub/oauth_callback"
           populate_teams_in_auth_state: true
+          auth_state_groups_key: "teams"
+          manage_groups: true
           allowed_organizations:
             - 2i2c-community-showcase:access-2i2c-showcase
             - 2i2c-community-showcase:magiclinks-demo

diff --git a/config/clusters/leap/daskhub-common.values.yaml b/config/clusters/leap/daskhub-common.values.yaml
@@ -88,6 +88,8 @@ basehub:
           #     is expected.
         GitHubOAuthenticator:
           populate_teams_in_auth_state: true
+          auth_state_groups_key: "teams"
+          manage_groups: true
           allowed_organizations:
             - leap-stc:leap-pangeo-base-access
             - leap-stc:leap-pangeo-full-access

diff --git a/config/clusters/leap/public.values.yaml b/config/clusters/leap/public.values.yaml
@@ -43,6 +43,8 @@ jupyterhub:
         authenticator_class: github
       GitHubOAuthenticator:
         populate_teams_in_auth_state: true
+        auth_state_groups_key: "teams"
+        manage_groups: true
         oauth_callback_url: https://public.leap.2i2c.cloud/hub/oauth_callback
         allowed_organizations:
           - leap-stc:leap-pangeo-public-access

diff --git a/config/clusters/maap/common.values.yaml b/config/clusters/maap/common.values.yaml
@@ -46,6 +46,8 @@ jupyterhub:
         authenticator_class: github
       GitHubOAuthenticator:
         populate_teams_in_auth_state: true
+        auth_state_groups_key: "teams"
+        manage_groups: true
         allowed_organizations:
           - MAAP-Project:data
           - MAAP-Project:maap-all

diff --git a/config/clusters/nasa-cryo/common.values.yaml b/config/clusters/nasa-cryo/common.values.yaml
@@ -53,6 +53,8 @@ basehub:
           # We are restricting profiles based on GitHub Team membership and
           # so need to populate the teams in the auth state
           populate_teams_in_auth_state: true
+          auth_state_groups_key: "teams"
+          manage_groups: true
           allowed_organizations:
             - CryoInTheCloud:cryoclouduser
             - CryoInTheCloud:cryocloudadvanced

diff --git a/config/clusters/nasa-ghg/common.values.yaml b/config/clusters/nasa-ghg/common.values.yaml
@@ -48,6 +48,8 @@ basehub:
           authenticator_class: github
         GitHubOAuthenticator:
           populate_teams_in_auth_state: true
+          auth_state_groups_key: "teams"
+          manage_groups: true
           allowed_organizations:
             - US-GHG-Center:ghgc-hub-access
             - US-GHG-Center:ghg-use-case-1

diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml
@@ -49,6 +49,8 @@ basehub:
           authenticator_class: github
         GitHubOAuthenticator:
           populate_teams_in_auth_state: true
+          auth_state_groups_key: "teams"
+          manage_groups: true
           allowed_organizations:
             - CASI-LIS-Dashboard:dev-veda-jupyterhub
             - veda-analytics-access:all-users

diff --git a/config/clusters/nmfs-openscapes/common.values.yaml b/config/clusters/nmfs-openscapes/common.values.yaml
@@ -198,6 +198,8 @@ jupyterhub:
         authenticator_class: github
       GitHubOAuthenticator:
         populate_teams_in_auth_state: true
+        auth_state_groups_key: "teams"
+        manage_groups: true
         allowed_organizations:
           - nmfs-openscapes:longterm-access-2i2c
           - nmfs-openscapes:2024-mentors

diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml
@@ -180,6 +180,8 @@ basehub:
           authenticator_class: github
         GitHubOAuthenticator:
           populate_teams_in_auth_state: true
+          auth_state_groups_key: "teams"
+          manage_groups: true
           allowed_organizations:
             - 2i2c-org:hub-access-for-2i2c-staff
             - NASA-Openscapes:workshopaccess-2i2c

diff --git a/config/clusters/pangeo-hubs/common.values.yaml b/config/clusters/pangeo-hubs/common.values.yaml
@@ -50,6 +50,8 @@ basehub:
           authenticator_class: github
         GitHubOAuthenticator:
           populate_teams_in_auth_state: true
+          auth_state_groups_key: "teams"
+          manage_groups: true
           allowed_organizations:
             - pangeo-data:us-central1-b-gcp
           scope:

diff --git a/config/clusters/smithsonian/common.values.yaml b/config/clusters/smithsonian/common.values.yaml
@@ -65,6 +65,8 @@ basehub:
           authenticator_class: github
         GitHubOAuthenticator:
           populate_teams_in_auth_state: true
+          auth_state_groups_key: "teams"
+          manage_groups: true
           allowed_organizations:
             - smithsonian
             - sidatasciencelab

diff --git a/docs/howto/features/profile-list-restrict.md b/docs/howto/features/profile-list-restrict.md
@@ -190,6 +190,9 @@ jupyterhub:
         enable_auth_state: true
       GitHubOAuthenticator:
         populate_teams_in_auth_state: true
+        auth_state_groups_key: "teams"
+        manage_groups: true
+
 ```
 
 ```{note}

diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml
@@ -1402,6 +1402,8 @@ jupyterhub:
         # - GitHubOAuthenticator is used.
         # - GitHubOAuthenticator.populate_teams_in_auth_state is True, that
         #   requires Authenticator.enable_auth_state to be True as well.
+        # - GitHubOAuthenticator.auth_state_groups_key is "teams"
+        # - GitHubOAuthenticator.manage_groups: true
         # - The user is a normal user, and not "deployment-service-check".
         #
         from copy import deepcopy
@@ -1434,21 +1436,6 @@ jupyterhub:
             # casefold group names so we can do case insensitive comparisons.
             groups = {g.name.casefold() for g in spawner.user.groups}
 
-            # If we're using GitHubOAuthenticator, add the user's teams to the groups as well.
-            # Eventually this can be removed, as the user's teams can be set to be groups
-            # once https://github.com/jupyterhub/oauthenticator/pull/735 is merged
-            if isinstance(spawner.authenticator, GitHubOAuthenticator):
-              # Ensure auth_state is populated with teams info
-              auth_state = await spawner.user.get_auth_state()
-              if not auth_state or "teams" not in auth_state:
-                  print(f"User {spawner.user.name} does not have any auth_state set, profile_list filtering not available")
-
-              else:
-                # casefold teams to match what GitHub's API does when doing authorization calls
-                groups |= set([f'{team["organization"]["login"]}:{team["slug"]}'.casefold() for team in auth_state["teams"]])
-
-            print(f"User {spawner.user.name} is part of groups {' '.join(groups)}")
-
             # Filter out profiles with allowed_groups set if the user isn't part of the group
             allowed_profiles = []
             for original_profile in original_profile_list: