Merge pull request #3232 from consideRatio/pr/cloudbank-auth-revision

cloudbank: revision of auth config

config/clusters/cloudbank/bcc.values.yaml

@@ -39,7 +39,8 @@ jupyterhub:
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-            allowed_domains: ["2i2c.org", "berkeley.edu", "peralta.edu"]
+            allowed_domains:
+              - peralta.edu
       Authenticator:
         admin_users:
           - ericvd@berkeley.edu

config/clusters/cloudbank/ccsf.values.yaml

@@ -39,22 +39,18 @@ jupyterhub:
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-            # allow_all is a partial authorization, username_pattern is enforced also
-            allow_all: true
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
-            # allow_all is a partial authorization, username_pattern is enforced also
-            allow_all: true
+            allowed_domains:
+              - mail.ccsf.edu
       Authenticator:
+        allowed_users:
+          - clare.alice.heimer@gmail.com
         admin_users:
           - ericvd@berkeley.edu
           - sean.smorris@berkeley.edu
           - shawn.wiggins@mail.ccsf.edu
           - craig.persiko@mail.ccsf.edu
           - efuchs@mail.ccsf.edu
           - amy.mclanahan@mail.ccsf.edu
-        username_pattern: '^(.+@2i2c\.org|.+@berkeley\.edu|.+@mail\.ccsf\.edu|clare\.alice\.heimer@gmail\.com|deployment-service-check)$'
     extraFiles:
       configurator-schema-default:
         data:

config/clusters/cloudbank/csm.values.yaml

@@ -34,14 +34,8 @@ jupyterhub:
             username_derivation:
               username_claim: "email"
             allowed_domains:
-              - "2i2c.org"
-              - "berkeley.edu"
-              - "my.smccd.edu"
-              - "smccd.edu"
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
-            allow_all: true
+              - my.smccd.edu
+              - smccd.edu
       Authenticator:
         admin_users:
           - ericvd@berkeley.edu

config/clusters/cloudbank/csulb.values.yaml

@@ -36,18 +36,15 @@ jupyterhub:
       CILogonOAuthenticator:
         oauth_callback_url: https://csulb.cloudbank.2i2c.cloud/hub/oauth_callback
         allowed_idps:
-          http://google.com/accounts/o8/id:
-            username_derivation:
-              username_claim: "email"
-            allowed_domains: ["2i2c.org", "berkeley.edu", "csulb.edu"]
           https://its-shib.its.csulb.edu/idp/shibboleth:
             username_derivation:
               username_claim: "email"
             allow_all: true
-          urn:mace:incommon:berkeley.edu:
+          http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-            allow_all: true
+            allowed_domains:
+              - csulb.edu
       Authenticator:
         admin_users:
           - ericvd@berkeley.edu

config/clusters/cloudbank/csum.values.yaml

@@ -39,7 +39,6 @@ jupyterhub:
           https://cma-shibboleth.csum.edu/idp/shibboleth:
             username_derivation:
               username_claim: "email"
-            # allow_all is a partial authorization, username_pattern is enforced also
             allow_all: true
           http://login.microsoftonline.com/common/oauth2/v2.0/authorize:
             username_derivation:
@@ -49,13 +48,12 @@ jupyterhub:
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-            # allow_all is a partial authorization, username_pattern is enforced also
-            allow_all: true
       Authenticator:
         admin_users:
           - ericvd@berkeley.edu
           - sean.smorris@berkeley.edu
           - jteoh@csum.edu
+          - jsimons@csum.edu
     extraFiles:
       configurator-schema-default:
         data:

config/clusters/cloudbank/demo.values.yaml

@@ -42,25 +42,17 @@ jupyterhub:
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-            # allow_all is a partial authorization, username_pattern is enforced also
-            allow_all: true
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
-            # allow_all is a partial authorization, username_pattern is enforced also
-            allow_all: true
       Authenticator:
-        # These folks should still have admin tho
         admin_users:
           - ericvd@berkeley.edu
           - sean.smorris@berkeley.edu
           - kalkeab@gmail.com
           - jhenryestrada@gmail.com
-        # We only want 2i2c users and users with .edu emails to sign up
-        # Protects against cryptominers - https://github.com/2i2c-org/infrastructure/issues/1216
-        # FIXME: This doesn't account for educational institutions that have emails that don't end in .edu,
-        # as is the case for some non-euroamerican universities.
-        username_pattern: '^(.+@2i2c\.org|.+\.edu|kalkeab@gmail\.com|jhenryestrada@gmail\.com|deployment-service-check)$'
+        # NOTE: This demo hub may be temporarily opened up for broad access by
+        #       declaring `allow_all: true` for the google idp. If that is done,
+        #       username_pattern can then be used to constrain access.
+        #
+        # username_pattern: '^(.+@2i2c\.org|.+\.edu|kalkeab@gmail\.com|jhenryestrada@gmail\.com|deployment-service-check)$'
   cull:
     # Cull after 30min of inactivity
     every: 300

config/clusters/cloudbank/dvc.values.yaml

@@ -34,19 +34,16 @@ jupyterhub:
       CILogonOAuthenticator:
         oauth_callback_url: https://dvc.cloudbank.2i2c.cloud/hub/oauth_callback
         allowed_idps:
-          http://google.com/accounts/o8/id:
-            username_derivation:
-              username_claim: "email"
-            allowed_domains: ["2i2c.org", "berkeley.edu", "dvc.edu"]
           http://login.microsoftonline.com/common/oauth2/v2.0/authorize:
             username_derivation:
               username_claim: "email"
             allowed_domains:
-              - "dvc.edu"
-          urn:mace:incommon:berkeley.edu:
+              - dvc.edu
+          http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-            allow_all: true
+            allowed_domains:
+              - dvc.edu
       JupyterHub:
         authenticator_class: cilogon
       Authenticator:

config/clusters/cloudbank/elcamino.values.yaml

@@ -38,11 +38,8 @@ jupyterhub:
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-            allowed_domains: ["2i2c.org", "berkeley.edu", "elcamino.edu"]
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
-            allow_all: true
+            allowed_domains:
+              - elcamino.edu
       Authenticator:
         admin_users:
           - ericvd@berkeley.edu

config/clusters/cloudbank/evc.values.yaml

@@ -40,20 +40,13 @@ jupyterhub:
             username_derivation:
               username_claim: "email"
             allowed_domains:
-              - "sjcc.edu"
-              - "stu.sjcc.edu"
-              - "stu.evc.edu"
-              - "evc.edu"
+              - sjcc.edu
+              - stu.sjcc.edu
+              - stu.evc.edu
+              - evc.edu
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-            allowed_domains:
-              - "2i2c.org"
-              - "berkeley.edu"
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
-            allow_all: true
       Authenticator:
         admin_users:
           - ericvd@berkeley.edu

config/clusters/cloudbank/fresno.values.yaml

@@ -37,12 +37,6 @@ jupyterhub:
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-            allowed_domains:
-              - "2i2c.org"
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
-            allow_all: true
       Authenticator:
         admin_users:
           - joellen.green@fresnocitycollege.edu

config/clusters/cloudbank/glendale.values.yaml

@@ -34,14 +34,8 @@ jupyterhub:
             username_derivation:
               username_claim: "email"
             allowed_domains:
-              - "2i2c.org"
-              - "berkeley.edu"
-              - "glendale.edu"
-              - "student.glendale.edu"
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
-            allow_all: true
+              - glendale.edu
+              - student.glendale.edu
       Authenticator:
         admin_users:
           - simon@glendale.edu

config/clusters/cloudbank/howard.values.yaml

@@ -33,9 +33,6 @@ jupyterhub:
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
       OAuthenticator:
         # WARNING: Don't use allow_existing_users with config to allow an
         #          externally managed group of users, such as

config/clusters/cloudbank/humboldt.values.yaml

@@ -39,23 +39,16 @@ jupyterhub:
       CILogonOAuthenticator:
         oauth_callback_url: https://humboldt.cloudbank.2i2c.cloud/hub/oauth_callback
         allowed_idps:
-          http://google.com/accounts/o8/id:
-            username_derivation:
-              username_claim: "email"
-            allowed_domains:
-              - "2i2c.org"
-              - "berkeley.edu"
-              - "humboldt.edu"
           https://sso.humboldt.edu/idp/metadata:
             username_derivation:
               username_claim: "email"
             allow_all: true
-          urn:mace:incommon:berkeley.edu:
+          http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-            allow_all: true
+            allowed_domains:
+              - humboldt.edu
       Authenticator:
-        # These folks should still have admin tho
         admin_users:
           - ericvd@berkeley.edu
           - sean.smorris@berkeley.edu

config/clusters/cloudbank/lacc.values.yaml

@@ -33,9 +33,6 @@ jupyterhub:
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
       OAuthenticator:
         # WARNING: Don't use allow_existing_users with config to allow an
         #          externally managed group of users, such as

config/clusters/cloudbank/laney.values.yaml

@@ -34,17 +34,11 @@ jupyterhub:
             username_derivation:
               username_claim: "email"
             allowed_domains:
-              - "cc.peralta.edu"
-              - "peralta.edu"
+              - cc.peralta.edu
+              - peralta.edu
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-            allowed_domains:
-              - "2i2c.org"
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
-            allow_all: true
       Authenticator:
         admin_users:
           - ericvd@berkeley.edu

config/clusters/cloudbank/mills.values.yaml

@@ -34,13 +34,7 @@ jupyterhub:
             username_derivation:
               username_claim: "email"
             allowed_domains:
-              - "2i2c.org"
-              - "berkeley.edu"
-              - "mills.edu"
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
-            allow_all: true
+              - mills.edu
       Authenticator:
         admin_users:
           - aculich@berkeley.edu

config/clusters/cloudbank/miracosta.values.yaml

@@ -30,18 +30,13 @@ jupyterhub:
       CILogonOAuthenticator:
         oauth_callback_url: https://miracosta.cloudbank.2i2c.cloud/hub/oauth_callback
         allowed_idps:
-          http://google.com/accounts/o8/id:
-            username_derivation:
-              username_claim: "email"
-            allowed_domains: ["2i2c.org"]
           https://miracosta.fedgw.com/gateway:
             username_derivation:
               username_claim: "email"
             allow_all: true
-          urn:mace:incommon:berkeley.edu:
+          http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-            allow_all: true
       Authenticator:
         admin_users:
           - sfirouzian@miracosta.edu

config/clusters/cloudbank/mission.values.yaml

@@ -40,14 +40,8 @@ jupyterhub:
             username_derivation:
               username_claim: "email"
             allowed_domains:
-              - "2i2c.org"
-              - "berkeley.edu"
-              - "missioncollege.edu"
-              - "mywvm.wvm.edu"
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
-            allow_all: true
+              - missioncollege.edu
+              - mywvm.wvm.edu
       Authenticator:
         admin_users:
           - ericvd@berkeley.edu

config/clusters/cloudbank/norco.values.yaml

@@ -34,18 +34,11 @@ jupyterhub:
             username_derivation:
               username_claim: "email"
             allowed_domains:
-              - "norcocollege.edu"
-              - "student.rccd.edu"
+              - norcocollege.edu
+              - student.rccd.edu
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-            allowed_domains:
-              - "2i2c.org"
-              - "berkeley.edu"
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
-            allow_all: true
       Authenticator:
         admin_users:
           - ericvd@berkeley.edu

config/clusters/cloudbank/palomar.values.yaml

@@ -33,9 +33,6 @@ jupyterhub:
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
       OAuthenticator:
         # WARNING: Don't use allow_existing_users with config to allow an
         #          externally managed group of users, such as

config/clusters/cloudbank/pasadena.values.yaml

@@ -40,13 +40,7 @@ jupyterhub:
             username_derivation:
               username_claim: "email"
             allowed_domains:
-              - "2i2c.org"
-              - "berkeley.edu"
-              - "go.pasadena.edu"
-          urn:mace:incommon:berkeley.edu:
-            username_derivation:
-              username_claim: "email"
-            allow_all: true
+              - go.pasadena.edu
       Authenticator:
         admin_users:
           - yxchang@go.pasadena.edu