forked from 2i2c-org/infrastructure
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
112 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,110 @@ | ||
# Dummy Authentication | ||
|
||
This documentation covers setting up the [Dummy Authenticator](https://jupyterhub.readthedocs.io/en/stable/reference/authenticators.html#the-dummy-authenticator) | ||
for a hub. | ||
|
||
For this section, it may be useful to set the following environment variables in your terminal. | ||
|
||
```bash | ||
export CLUSTER_NAME=cluster_name | ||
export HUB_NAME=hub_name | ||
``` | ||
|
||
## Use a specific branch of the homepage repository | ||
|
||
The Dummy Authenticator requires presenting the user with a username and password input field, rather than the typical "log in" button. | ||
This means we cannot use the default homepage template since this will not provide these input fields. | ||
Instead we use a specialised branch of the homepage repo which allows us to have the username and password input fields, along with providing specific info about and for each community: [`username-and-password-homepage`](https://github.com/2i2c-org/default-hub-homepage/tree/username-and-password-homepage). | ||
|
||
In the `${HUB_NAME}.values.yaml` file, include the following config. | ||
|
||
```yaml | ||
jupyterhub: | ||
custom: | ||
homepage: | ||
gitRepoBranch: "username-and-password-homepage" | ||
templateVars: [...] # These values are as normal | ||
``` | ||
## (Recommended) Using Dummy Authenticator with a global password | ||
We strongly recommend using a global password with the authenticator. | ||
A global password is simple to distribute to a large group of people for a specific event, such as a workshop, while still locking the hub down from the public which can protect it from cryptomining abuse. | ||
Enable the Dummy Authenticator in the `${HUB_NAME}.values.yaml` file with the following config. | ||
|
||
```yaml | ||
jupyterhub: | ||
hub: | ||
config: | ||
JupyterHub: | ||
authenticator_class: dummy | ||
``` | ||
|
||
Then, in a `${HUB_NAME}.secret.values.yaml` file, include the password. | ||
|
||
```yaml | ||
jupyterhub: | ||
hub: | ||
config: | ||
DummyAuthenticator: | ||
password: <password> | ||
``` | ||
|
||
You can then encrypt the password using the below `sops` command. | ||
|
||
```bash | ||
sops --output config/clusters/${CLUSTER_NAME}/enc-${HUB_NAME}.secret.values.yaml -e config/clusters/${CLUSTER_NAME}/${HUB_NAME}.secret.values.yaml | ||
``` | ||
|
||
Ensure both these files are listed in the related `cluster.yaml` file. | ||
|
||
```yaml | ||
[...] | ||
hubs: | ||
- name: ... | ||
display_name: ... | ||
domain: ... | ||
helm_chart: ... | ||
helm_chart_values_files: | ||
- ${HUB_NAME}.values.yaml | ||
- enc-${HUB_NAME}.secret.values.yaml | ||
``` | ||
|
||
```{note} | ||
To use the Dummy Authenticator without a password, the steps on including the password config and encrypting it can be skipped. | ||
``` | ||
|
||
### How the community should request changing the password | ||
|
||
If the community wishes to change the global password, they should do so by [submitting a ticket the support team](https://docs.2i2c.org/support/) and using `age` to encrypt the new password. | ||
|
||
- [Community docs on `age`](https://docs.2i2c.org/support/#send-us-encrypted-content) | ||
- [Engineering docs on `age`](support:decrypt-age) | ||
|
||
## Disabling admin users | ||
|
||
Since using the Dummy Authenticator will allow any username with the correct password to login, this opens scope for a user to login with an admin username and gain admin rights. | ||
Hence, we disable all admins on the hub to prevent this. | ||
We do this by not providing anything to `jupyterhub.hub.config.Authenticator.admin_users`. | ||
|
||
However if the hub is sharing config with another, e.g. via a `common.values.yaml` file, you may need to explicitly disable admin users with the following config in the `${HUB_NAME}.values.yaml` file. | ||
|
||
```yaml | ||
jupyterhub: | ||
hub: | ||
config: | ||
Authenticator: | ||
admin_users: [] | ||
``` | ||
|
||
## Disabling the configurator | ||
|
||
For the same reason as above, we also need to disable the configurator as this is an admin-only feature. | ||
|
||
```yaml | ||
jupyterhub: | ||
custom: | ||
jupyterhubConfigurator: | ||
enabled: false | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,4 @@ | ||
(support:decrypt-age)= | ||
# Decrypt encrypted information sent to `[email protected]` | ||
|
||
Sometimes community representatives need to send us *encrypted* information - | ||
|