From 37be2ef40e83db11dfc7f770ffcbf8dc305876e7 Mon Sep 17 00:00:00 2001
From: Georgiana Dolocan
Date: Tue, 17 Dec 2024 18:51:49 +0200
Subject: [PATCH] Set auth_state_groups_key to teams and manage_groups to true for hubs using GitHub team based authorization

---
 .../clusters/2i2c-aws-us/itcoocean.values.yaml | 2 ++
 .../clusters/2i2c-aws-us/showcase.values.yaml | 2 ++
 config/clusters/leap/daskhub-common.values.yaml | 2 ++
 config/clusters/leap/public.values.yaml | 2 ++
 config/clusters/maap/common.values.yaml | 2 ++
 config/clusters/nasa-cryo/common.values.yaml | 2 ++
 config/clusters/nasa-ghg/common.values.yaml | 2 ++
 config/clusters/nasa-veda/common.values.yaml | 2 ++
 .../clusters/nmfs-openscapes/common.values.yaml | 2 ++
 config/clusters/openscapes/common.values.yaml | 2 ++
 config/clusters/pangeo-hubs/common.values.yaml | 2 ++
 config/clusters/smithsonian/common.values.yaml | 2 ++
 docs/howto/features/profile-list-restrict.md | 3 +++
 helm-charts/basehub/values.yaml | 17 ++---------------
 14 files changed, 29 insertions(+), 15 deletions(-)

diff --git a/config/clusters/2i2c-aws-us/itcoocean.values.yaml b/config/clusters/2i2c-aws-us/itcoocean.values.yaml
index dac198ffe9..7e4a9d987d 100644
--- a/config/clusters/2i2c-aws-us/itcoocean.values.yaml
+++ b/config/clusters/2i2c-aws-us/itcoocean.values.yaml
@@ -35,6 +35,8 @@ jupyterhub:
 GitHubOAuthenticator:
 oauth_callback_url: https://itcoocean.2i2c.cloud/hub/oauth_callback
 populate_teams_in_auth_state: true
+ auth_state_groups_key: "teams"
+ manage_groups: true
 allowed_organizations:
 - Hackweek-ITCOocean:itcoocean-hackweek-2023
 - nmfs-opensci:2i2c-demo
diff --git a/config/clusters/2i2c-aws-us/showcase.values.yaml b/config/clusters/2i2c-aws-us/showcase.values.yaml
index fc2d000dce..58bdddfa89 100644
--- a/config/clusters/2i2c-aws-us/showcase.values.yaml
+++ b/config/clusters/2i2c-aws-us/showcase.values.yaml
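Review bot: `manage_groups: true` makes the authenticator the source of truth for JupyterHub group membership, and nothing next to the two new keys in this hunk records that. As far as I know, a user's hub groups are then replaced from the GitHub teams at each login, so a group assigned by hand through the admin UI or API would be dropped for these users. If any of these hubs relies on manually managed groups for `allowed_groups` or role bindings, that should be checked before rollout. A short comment above the new keys would help, for example `# Teams become JupyterHub groups; needed for profile_list allowed_groups filtering`. The same applies to the identical additions in the other eleven hub values files in this patch.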
@@ -39,6 +39,8 @@ basehub:
 GitHubOAuthenticator:
 oauth_callback_url: "https://showcase.2i2c.cloud/hub/oauth_callback"
 populate_teams_in_auth_state: true
+ auth_state_groups_key: "teams"
+ manage_groups: true
 allowed_organizations:
 - 2i2c-community-showcase:access-2i2c-showcase
 - 2i2c-community-showcase:magiclinks-demo
diff --git a/config/clusters/leap/daskhub-common.values.yaml b/config/clusters/leap/daskhub-common.values.yaml
index 9cfeaeb44e..a145ad1a04 100644
--- a/config/clusters/leap/daskhub-common.values.yaml
+++ b/config/clusters/leap/daskhub-common.values.yaml
@@ -88,6 +88,8 @@ basehub:
 # is expected.
 GitHubOAuthenticator:
 populate_teams_in_auth_state: true
+ auth_state_groups_key: "teams"
+ manage_groups: true
 allowed_organizations:
 - leap-stc:leap-pangeo-base-access
 - leap-stc:leap-pangeo-full-access
diff --git a/config/clusters/leap/public.values.yaml b/config/clusters/leap/public.values.yaml
index b73631980a..7a37458c20 100644
--- a/config/clusters/leap/public.values.yaml
+++ b/config/clusters/leap/public.values.yaml
@@ -43,6 +43,8 @@ jupyterhub:
 authenticator_class: github
 GitHubOAuthenticator:
 populate_teams_in_auth_state: true
+ auth_state_groups_key: "teams"
+ manage_groups: true
 oauth_callback_url: https://public.leap.2i2c.cloud/hub/oauth_callback
 allowed_organizations:
 - leap-stc:leap-pangeo-public-access
diff --git a/config/clusters/maap/common.values.yaml b/config/clusters/maap/common.values.yaml
index 97ee00fb1d..79c1dbb7a2 100644
--- a/config/clusters/maap/common.values.yaml
+++ b/config/clusters/maap/common.values.yaml
@@ -46,6 +46,8 @@ jupyterhub:
 authenticator_class: github
 GitHubOAuthenticator:
 populate_teams_in_auth_state: true
+ auth_state_groups_key: "teams"
+ manage_groups: true
 allowed_organizations:
 - MAAP-Project:data
 - MAAP-Project:maap-all
diff --git a/config/clusters/nasa-cryo/common.values.yaml b/config/clusters/nasa-cryo/common.values.yaml
index 1bb8bc822b..d03be87bc5 100644
--- a/config/clusters/nasa-cryo/common.values.yaml
+++ b/config/clusters/nasa-cryo/common.values.yaml
@@ -53,6 +53,8 @@ basehub:
 # We are restricting profiles based on GitHub Team membership and
 # so need to populate the teams in the auth state
 populate_teams_in_auth_state: true
+ auth_state_groups_key: "teams"
+ manage_groups: true
 allowed_organizations:
 - CryoInTheCloud:cryoclouduser
 - CryoInTheCloud:cryocloudadvanced
diff --git a/config/clusters/nasa-ghg/common.values.yaml b/config/clusters/nasa-ghg/common.values.yaml
index e3d77d0c71..c32ee34154 100644
--- a/config/clusters/nasa-ghg/common.values.yaml
+++ b/config/clusters/nasa-ghg/common.values.yaml
@@ -48,6 +48,8 @@ basehub:
 authenticator_class: github
 GitHubOAuthenticator:
 populate_teams_in_auth_state: true
+ auth_state_groups_key: "teams"
+ manage_groups: true
 allowed_organizations:
 - US-GHG-Center:ghgc-hub-access
 - US-GHG-Center:ghg-use-case-1
diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml
index 8dcaac3f3a..bcf03ef4ae 100644
--- a/config/clusters/nasa-veda/common.values.yaml
+++ b/config/clusters/nasa-veda/common.values.yaml
@@ -49,6 +49,8 @@ basehub:
 authenticator_class: github
 GitHubOAuthenticator:
 populate_teams_in_auth_state: true
+ auth_state_groups_key: "teams"
+ manage_groups: true
 allowed_organizations:
 - CASI-LIS-Dashboard:dev-veda-jupyterhub
 - veda-analytics-access:all-users
diff --git a/config/clusters/nmfs-openscapes/common.values.yaml b/config/clusters/nmfs-openscapes/common.values.yaml
index 5dc21d2ea3..cf9fbf3869 100644
--- a/config/clusters/nmfs-openscapes/common.values.yaml
+++ b/config/clusters/nmfs-openscapes/common.values.yaml
@@ -198,6 +198,8 @@ jupyterhub:
 authenticator_class: github
 GitHubOAuthenticator:
 populate_teams_in_auth_state: true
+ auth_state_groups_key: "teams"
+ manage_groups: true
 allowed_organizations:
 - nmfs-openscapes:longterm-access-2i2c
 - nmfs-openscapes:2024-mentors
diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml
index e5877d31e5..aef0837166 100644
--- a/config/clusters/openscapes/common.values.yaml
+++ b/config/clusters/openscapes/common.values.yaml
@@ -180,6 +180,8 @@ basehub:
 authenticator_class: github
 GitHubOAuthenticator:
 populate_teams_in_auth_state: true
+ auth_state_groups_key: "teams"
+ manage_groups: true
 allowed_organizations:
 - 2i2c-org:hub-access-for-2i2c-staff
 - NASA-Openscapes:workshopaccess-2i2c
diff --git a/config/clusters/pangeo-hubs/common.values.yaml b/config/clusters/pangeo-hubs/common.values.yaml
index 25f1b508ef..e015d27b41 100644
--- a/config/clusters/pangeo-hubs/common.values.yaml
+++ b/config/clusters/pangeo-hubs/common.values.yaml
@@ -50,6 +50,8 @@ basehub:
 authenticator_class: github
 GitHubOAuthenticator:
 populate_teams_in_auth_state: true
+ auth_state_groups_key: "teams"
+ manage_groups: true
 allowed_organizations:
 - pangeo-data:us-central1-b-gcp
 scope:
diff --git a/config/clusters/smithsonian/common.values.yaml b/config/clusters/smithsonian/common.values.yaml
index a90053d6e8..9c88a5c8d2 100644
--- a/config/clusters/smithsonian/common.values.yaml
+++ b/config/clusters/smithsonian/common.values.yaml
@@ -65,6 +65,8 @@ basehub:
 authenticator_class: github
 GitHubOAuthenticator:
 populate_teams_in_auth_state: true
+ auth_state_groups_key: "teams"
+ manage_groups: true
 allowed_organizations:
 - smithsonian
 - sidatasciencelab
diff --git a/docs/howto/features/profile-list-restrict.md b/docs/howto/features/profile-list-restrict.md
index ba021e89e2..062df14976 100644
--- a/docs/howto/features/profile-list-restrict.md
+++ b/docs/howto/features/profile-list-restrict.md
@@ -190,6 +190,9 @@ jupyterhub:
 enable_auth_state: true
 GitHubOAuthenticator:
 populate_teams_in_auth_state: true
+ auth_state_groups_key: "teams"
+ manage_groups: true
+
 ```
 
 ```{note}
diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml
index b8e3832117..4d2592a91c 100644
--- a/helm-charts/basehub/values.yaml
+++ b/helm-charts/basehub/values.yaml
@@ -1402,6 +1402,8 @@ jupyterhub:
 # - GitHubOAuthenticator is used.
 # - GitHubOAuthenticator.populate_teams_in_auth_state is True, that
 # requires Authenticator.enable_auth_state to be True as well.
+ # - GitHubOAuthenticator.auth_state_groups_key is "teams"
+ # - GitHubOAuthenticator.manage_groups: true
 # - The user is a normal user, and not "deployment-service-check".
 #
 from copy import deepcopy
@@ -1434,21 +1436,6 @@ jupyterhub:
 # casefold group names so we can do case insensitive comparisons.
 groups = {g.name.casefold() for g in spawner.user.groups}
 
- # If we're using GitHubOAuthenticator, add the user's teams to the groups as well.
- # Eventually this can be removed, as the user's teams can be set to be groups
- # once https://github.com/jupyterhub/oauthenticator/pull/735 is merged
- if isinstance(spawner.authenticator, GitHubOAuthenticator):
- # Ensure auth_state is populated with teams info
- auth_state = await spawner.user.get_auth_state()
- if not auth_state or "teams" not in auth_state:
- print(f"User {spawner.user.name} does not have any auth_state set, profile_list filtering not available")
-
- else:
- # casefold teams to match what GitHub's API does when doing authorization calls
- groups |= set([f'{team["organization"]["login"]}:{team["slug"]}'.casefold() for team in auth_state["teams"]])
-
- print(f"User {spawner.user.name} is part of groups {' '.join(groups)}")
-
 # Filter out profiles with allowed_groups set if the user isn't part of the group
 allowed_profiles = []
 for original_profile in original_profile_list:
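Review bot: Removing the `auth_state` fallback in the second hunk makes the profile filter depend entirely on `spawner.user.groups`, with no log line left when team information is missing. Groups are presumably only synced when a user logs in, so users with a session from before this deploy would see team-restricted profiles disappear until they re-authenticate, and a GitHub hub that misses the two new settings would hide those profiles silently. Consider keeping a diagnostic such as `if isinstance(spawner.authenticator, GitHubOAuthenticator) and not spawner.authenticator.manage_groups: print("manage_groups is not enabled, GitHub teams are not available for profile_list filtering")`. It is also worth confirming that the team-derived group names use the same `org:slug` form that `allowed_groups` entries expect, since the removed code built and casefolded that string itself. The enclosing function starts and ends outside the hunk, and the `GitHubOAuthenticator` import may now be unused.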