From 4369da0ebaa0430d0cc364f20f8508bc3d3a695c Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Thu, 5 Oct 2023 10:59:42 +0200 Subject: [PATCH 1/4] cloudbank: simplify and tighten auth config with oauth v16 functionality In oauthenticator 16, users can be authorized in multiple separate ways. If they are part of `allowed_domains`, they can be authorized like that, but if they aren't they still can be authorized by being listed in `allowed_users` or `admin_users`. This enables us to not list 2i2c.org and berkeley.edu in `allowed_domains` since its just meant to allow a few specific users really. --- config/clusters/cloudbank/bcc.values.yaml | 3 ++- config/clusters/cloudbank/ccsf.values.yaml | 9 ++++----- config/clusters/cloudbank/csm.values.yaml | 7 ++----- config/clusters/cloudbank/csulb.values.yaml | 4 ++-- config/clusters/cloudbank/csum.values.yaml | 3 --- config/clusters/cloudbank/demo.values.yaml | 6 +++--- config/clusters/cloudbank/dvc.values.yaml | 6 +++--- config/clusters/cloudbank/elcamino.values.yaml | 4 ++-- config/clusters/cloudbank/evc.values.yaml | 12 ++++-------- config/clusters/cloudbank/fresno.values.yaml | 3 --- config/clusters/cloudbank/glendale.values.yaml | 7 ++----- config/clusters/cloudbank/humboldt.values.yaml | 5 +---- config/clusters/cloudbank/laney.values.yaml | 7 ++----- config/clusters/cloudbank/mills.values.yaml | 5 +---- config/clusters/cloudbank/miracosta.values.yaml | 2 -- config/clusters/cloudbank/mission.values.yaml | 7 ++----- config/clusters/cloudbank/norco.values.yaml | 8 ++------ config/clusters/cloudbank/pasadena.values.yaml | 5 +---- config/clusters/cloudbank/sacramento.values.yaml | 7 ++----- config/clusters/cloudbank/saddleback.values.yaml | 5 +---- config/clusters/cloudbank/santiago.values.yaml | 10 +++------- config/clusters/cloudbank/sjcc.values.yaml | 12 ++++-------- config/clusters/cloudbank/sjsu.values.yaml | 11 ++++------- config/clusters/cloudbank/skyline.values.yaml | 4 +--- config/clusters/cloudbank/srjc.values.yaml | 7 ++----- 25 files changed, 50 insertions(+), 109 deletions(-) 
diff --git a/config/clusters/cloudbank/bcc.values.yaml b/config/clusters/cloudbank/bcc.values.yaml
index c54c472c9b..9020355723 100644
--- a/config/clusters/cloudbank/bcc.values.yaml
+++ b/config/clusters/cloudbank/bcc.values.yaml
@@ -39,7 +39,8 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- allowed_domains: ["2i2c.org", "berkeley.edu", "peralta.edu"]
+ allowed_domains:
+ - peralta.edu
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/ccsf.values.yaml b/config/clusters/cloudbank/ccsf.values.yaml
index 7c795a60d1..73c7303cae 100644
--- a/config/clusters/cloudbank/ccsf.values.yaml
+++ b/config/clusters/cloudbank/ccsf.values.yaml
@@ -39,14 +39,14 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- # allow_all is a partial authorization, username_pattern is enforced also
- allow_all: true
+ allowed_domains:
+ - mail.ccsf.edu
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- # allow_all is a partial authorization, username_pattern is enforced also
- allow_all: true
 Authenticator:
+ allowed_users:
+ - clare.alice.heimer@gmail.com
 admin_users:
 - ericvd@berkeley.edu
 - sean.smorris@berkeley.edu
@@ -54,7 +54,6 @@ jupyterhub:
 - craig.persiko@mail.ccsf.edu
 - efuchs@mail.ccsf.edu
 - amy.mclanahan@mail.ccsf.edu
- username_pattern: '^(.+@2i2c\.org|.+@berkeley\.edu|.+@mail\.ccsf\.edu|clare\.alice\.heimer@gmail\.com|deployment-service-check)$'
 extraFiles:
 configurator-schema-default:
 data:
diff --git a/config/clusters/cloudbank/csm.values.yaml b/config/clusters/cloudbank/csm.values.yaml
index 3ca4847157..36bb238354 100644
--- a/config/clusters/cloudbank/csm.values.yaml
+++ b/config/clusters/cloudbank/csm.values.yaml
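Review bot: In the ccsf hunk the deleted `username_pattern` was the only visible rule admitting `deployment-service-check`, and nothing on the new side re-authorizes that name, so the hub health-check login now depends on that user being granted in a shared values file outside this diff (or on it bypassing `check_allowed` via an API token); confirm that before deploy rather than discover it as a failed check. The commit message explains why `2i2c.org` and `berkeley.edu` are no longer domain-allowed, but the file does not, and a later reader will see only `mail.ccsf.edu` plus one personal gmail address; a one-liner above `allowed_users` would preserve the intent, `# 2i2c/Berkeley staff are authorized individually via admin_users, not by domain`. Authorizing `clare.alice.heimer@gmail.com` by exact username is tighter than the old regex alternative, so no objection there.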
@@ -34,14 +34,11 @@ jupyterhub:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "2i2c.org"
- - "berkeley.edu"
- - "my.smccd.edu"
- - "smccd.edu"
+ - my.smccd.edu
+ - smccd.edu
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/csulb.values.yaml b/config/clusters/cloudbank/csulb.values.yaml
index 1b18d17551..8d75bacdcc 100644
--- a/config/clusters/cloudbank/csulb.values.yaml
+++ b/config/clusters/cloudbank/csulb.values.yaml
@@ -39,7 +39,8 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- allowed_domains: ["2i2c.org", "berkeley.edu", "csulb.edu"]
+ allowed_domains:
+ - csulb.edu
 https://its-shib.its.csulb.edu/idp/shibboleth:
 username_derivation:
 username_claim: "email"
@@ -47,7 +48,6 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/csum.values.yaml b/config/clusters/cloudbank/csum.values.yaml
index 53c08a65c8..bf3afa8677 100644
--- a/config/clusters/cloudbank/csum.values.yaml
+++ b/config/clusters/cloudbank/csum.values.yaml
@@ -39,7 +39,6 @@ jupyterhub:
 https://cma-shibboleth.csum.edu/idp/shibboleth:
 username_derivation:
 username_claim: "email"
- # allow_all is a partial authorization, username_pattern is enforced also
 allow_all: true
 http://login.microsoftonline.com/common/oauth2/v2.0/authorize:
 username_derivation:
@@ -49,8 +48,6 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- # allow_all is a partial authorization, username_pattern is enforced also
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/demo.values.yaml b/config/clusters/cloudbank/demo.values.yaml
index b2789d0d67..8ed6f2e721 100644
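Review bot: In the first csum hunk `allow_all: true` stays on `https://cma-shibboleth.csum.edu/idp/shibboleth` while the comment saying it is narrowed by `username_pattern` is deleted, and the hunk does not show whether the pattern itself survives further down the file. If it does, keep a shortened pointer so the cross-dependency is not lost, `# allow_all here is still narrowed by Authenticator.username_pattern below`. If it does not, this IdP now admits every account CSUM asserts, which is a defensible trust decision for an institutional IdP but should be written down as one rather than left implicit. The rest of the file is outside the hunk, so I cannot tell which case applies.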
--- a/config/clusters/cloudbank/demo.values.yaml
+++ b/config/clusters/cloudbank/demo.values.yaml
@@ -42,13 +42,13 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- # allow_all is a partial authorization, username_pattern is enforced also
+ # allow_all is a partial authorization, username_pattern is enforced
+ # also to allow a subset of users, specifically *.edu suffixed
+ # domains in this case
 allow_all: true
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- # allow_all is a partial authorization, username_pattern is enforced also
- allow_all: true
 Authenticator:
 # These folks should still have admin tho
 admin_users:
diff --git a/config/clusters/cloudbank/dvc.values.yaml b/config/clusters/cloudbank/dvc.values.yaml
index fcec3ad5d6..0844c11520 100644
--- a/config/clusters/cloudbank/dvc.values.yaml
+++ b/config/clusters/cloudbank/dvc.values.yaml
@@ -37,16 +37,16 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- allowed_domains: ["2i2c.org", "berkeley.edu", "dvc.edu"]
+ allowed_domains:
+ - dvc.edu
 http://login.microsoftonline.com/common/oauth2/v2.0/authorize:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "dvc.edu"
+ - dvc.edu
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 JupyterHub:
 authenticator_class: cilogon
 Authenticator:
diff --git a/config/clusters/cloudbank/elcamino.values.yaml b/config/clusters/cloudbank/elcamino.values.yaml
index 77a0880052..3715de112f 100644
--- a/config/clusters/cloudbank/elcamino.values.yaml
+++ b/config/clusters/cloudbank/elcamino.values.yaml
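Review bot: In the dvc hunk the Microsoft entry `http://login.microsoftonline.com/common/oauth2/v2.0/authorize` keeps `allowed_domains: - dvc.edu`, which authorizes on the domain part of the `email` claim; the `common` endpoint accepts sign-ins from any Entra ID tenant, and for multi-tenant apps Microsoft does not guarantee that the `email` claim is a verified attribute, so this rule is only as strong as whatever verification CILogon applies before passing the claim through. That is pre-existing config rather than something this commit introduces, but since the line is being touched it deserves a caveat above it, `# domain check relies on the email claim CILogon forwards from Microsoft; confirm CILogon verifies it`. If CILogon offers a tenant-specific Microsoft IdP for dvc.edu, using it instead would remove the ambiguity.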
@@ -38,11 +38,11 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- allowed_domains: ["2i2c.org", "berkeley.edu", "elcamino.edu"]
+ allowed_domains:
+ - elcamino.edu
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/evc.values.yaml b/config/clusters/cloudbank/evc.values.yaml
index 5f7e60628e..9cda39e729 100644
--- a/config/clusters/cloudbank/evc.values.yaml
+++ b/config/clusters/cloudbank/evc.values.yaml
@@ -40,20 +40,16 @@ jupyterhub:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "sjcc.edu"
- - "stu.sjcc.edu"
- - "stu.evc.edu"
- - "evc.edu"
+ - sjcc.edu
+ - stu.sjcc.edu
+ - stu.evc.edu
+ - evc.edu
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- allowed_domains:
- - "2i2c.org"
- - "berkeley.edu"
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/fresno.values.yaml b/config/clusters/cloudbank/fresno.values.yaml
index 55d10335ed..ea472f3fd3 100644
--- a/config/clusters/cloudbank/fresno.values.yaml
+++ b/config/clusters/cloudbank/fresno.values.yaml
@@ -37,12 +37,9 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- allowed_domains:
- - "2i2c.org"
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - joellen.green@fresnocitycollege.edu
diff --git a/config/clusters/cloudbank/glendale.values.yaml b/config/clusters/cloudbank/glendale.values.yaml
index 56b2887061..b5769bef6a 100644
--- a/config/clusters/cloudbank/glendale.values.yaml
+++ b/config/clusters/cloudbank/glendale.values.yaml
@@ -34,14 +34,11 @@ jupyterhub:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "2i2c.org"
- - "berkeley.edu"
- - "glendale.edu"
- - "student.glendale.edu"
+ - glendale.edu
+ - student.glendale.edu
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - simon@glendale.edu
diff --git a/config/clusters/cloudbank/humboldt.values.yaml b/config/clusters/cloudbank/humboldt.values.yaml
index 94ae78b4aa..d9be01abf7 100644
--- a/config/clusters/cloudbank/humboldt.values.yaml
+++ b/config/clusters/cloudbank/humboldt.values.yaml
@@ -43,9 +43,7 @@ jupyterhub:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "2i2c.org"
- - "berkeley.edu"
- - "humboldt.edu"
+ - humboldt.edu
 https://sso.humboldt.edu/idp/metadata:
 username_derivation:
 username_claim: "email"
@@ -53,7 +51,6 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 # These folks should still have admin tho
 admin_users:
diff --git a/config/clusters/cloudbank/laney.values.yaml b/config/clusters/cloudbank/laney.values.yaml
index f57b52b0a5..a30b501d07 100644
--- a/config/clusters/cloudbank/laney.values.yaml
+++ b/config/clusters/cloudbank/laney.values.yaml
@@ -34,17 +34,14 @@ jupyterhub:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "cc.peralta.edu"
- - "peralta.edu"
+ - cc.peralta.edu
+ - peralta.edu
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- allowed_domains:
- - "2i2c.org"
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/mills.values.yaml b/config/clusters/cloudbank/mills.values.yaml
index faceacfd7d..c2f4cae8cf 100644
--- a/config/clusters/cloudbank/mills.values.yaml
+++ b/config/clusters/cloudbank/mills.values.yaml
@@ -34,13 +34,10 @@ jupyterhub:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "2i2c.org"
- - "berkeley.edu"
- - "mills.edu"
+ - mills.edu
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - aculich@berkeley.edu
diff --git a/config/clusters/cloudbank/miracosta.values.yaml b/config/clusters/cloudbank/miracosta.values.yaml
index add08ecabd..dbae907c84 100644
--- a/config/clusters/cloudbank/miracosta.values.yaml
+++ b/config/clusters/cloudbank/miracosta.values.yaml
@@ -33,7 +33,6 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- allowed_domains: ["2i2c.org"]
 https://miracosta.fedgw.com/gateway:
 username_derivation:
 username_claim: "email"
@@ -41,7 +40,6 @@ jupyterhub:
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - sfirouzian@miracosta.edu
diff --git a/config/clusters/cloudbank/mission.values.yaml b/config/clusters/cloudbank/mission.values.yaml
index 2914d1e6e8..acf5883b71 100644
--- a/config/clusters/cloudbank/mission.values.yaml
+++ b/config/clusters/cloudbank/mission.values.yaml
@@ -40,14 +40,11 @@ jupyterhub:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "2i2c.org"
- - "berkeley.edu"
- - "missioncollege.edu"
- - "mywvm.wvm.edu"
+ - missioncollege.edu
+ - mywvm.wvm.edu
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/norco.values.yaml b/config/clusters/cloudbank/norco.values.yaml
index d946b180ce..d82f2d3a43 100644
--- a/config/clusters/cloudbank/norco.values.yaml
+++ b/config/clusters/cloudbank/norco.values.yaml
@@ -34,18 +34,14 @@ jupyterhub:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "norcocollege.edu"
- - "student.rccd.edu"
+ - norcocollege.edu
+ - student.rccd.edu
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- allowed_domains:
- - "2i2c.org"
- - "berkeley.edu"
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/pasadena.values.yaml b/config/clusters/cloudbank/pasadena.values.yaml
index dc033c2cec..6a8896ff8a 100644
--- a/config/clusters/cloudbank/pasadena.values.yaml
+++ b/config/clusters/cloudbank/pasadena.values.yaml
@@ -40,13 +40,10 @@ jupyterhub:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "2i2c.org"
- - "berkeley.edu"
- - "go.pasadena.edu"
+ - go.pasadena.edu
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - yxchang@go.pasadena.edu
diff --git a/config/clusters/cloudbank/sacramento.values.yaml b/config/clusters/cloudbank/sacramento.values.yaml
index e5fbede910..174d1d1465 100644
--- a/config/clusters/cloudbank/sacramento.values.yaml
+++ b/config/clusters/cloudbank/sacramento.values.yaml
@@ -40,14 +40,11 @@ jupyterhub:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "2i2c.org"
- - "berkeley.edu"
- - "scc.losrios.edu"
- - "apps.losrios.edu"
+ - scc.losrios.edu
+ - apps.losrios.edu
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/saddleback.values.yaml b/config/clusters/cloudbank/saddleback.values.yaml
index fc0fa0211c..e3b7f98920 100644
--- a/config/clusters/cloudbank/saddleback.values.yaml
+++ b/config/clusters/cloudbank/saddleback.values.yaml
@@ -40,13 +40,10 @@ jupyterhub:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "2i2c.org"
- - "berkeley.edu"
- - "saddleback.edu"
+ - saddleback.edu
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/santiago.values.yaml b/config/clusters/cloudbank/santiago.values.yaml
index c9e39072c8..be3ad58b77 100644
--- a/config/clusters/cloudbank/santiago.values.yaml
+++ b/config/clusters/cloudbank/santiago.values.yaml
@@ -40,19 +40,15 @@ jupyterhub:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "sccollege.edu"
- - "student.sccollege.edu"
- - "student.sac.edu"
+ - sccollege.edu
+ - student.sccollege.edu
+ - student.sac.edu
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- allowed_domains:
- - "2i2c.org"
- - "berkeley.edu"
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/sjcc.values.yaml b/config/clusters/cloudbank/sjcc.values.yaml
index 4d45d372e0..d1dcd0df1e 100644
--- a/config/clusters/cloudbank/sjcc.values.yaml
+++ b/config/clusters/cloudbank/sjcc.values.yaml
@@ -34,20 +34,16 @@ jupyterhub:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "sjcc.edu"
- - "stu.sjcc.edu"
- - "stu.evc.edu"
- - "evc.edu"
+ - sjcc.edu
+ - stu.sjcc.edu
+ - stu.evc.edu
+ - evc.edu
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- allowed_domains:
- - "2i2c.org"
- - "berkeley.edu"
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - christiaan.desmond@sjcc.edu
diff --git a/config/clusters/cloudbank/sjsu.values.yaml b/config/clusters/cloudbank/sjsu.values.yaml
index 35f1170400..9257693c0b 100644
--- a/config/clusters/cloudbank/sjsu.values.yaml
+++ b/config/clusters/cloudbank/sjsu.values.yaml
@@ -39,19 +39,16 @@ jupyterhub:
 CILogonOAuthenticator:
 oauth_callback_url: https://sjsu.cloudbank.2i2c.cloud/hub/oauth_callback
 allowed_idps:
- http://google.com/accounts/o8/id:
+ https://idp01.sjsu.edu/idp/shibboleth:
 username_derivation:
 username_claim: "email"
- allowed_domains:
- - "2i2c.org"
- urn:mace:incommon:berkeley.edu:
+ allow_all: true
+ http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- allow_all: true
- https://idp01.sjsu.edu/idp/shibboleth:
+ urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/skyline.values.yaml b/config/clusters/cloudbank/skyline.values.yaml
index 9223fdac48..d153662897 100644
--- a/config/clusters/cloudbank/skyline.values.yaml
+++ b/config/clusters/cloudbank/skyline.values.yaml
@@ -40,12 +40,10 @@ jupyterhub:
 username_derivation:
 username_claim: "email"
 allowed_domains:
- - "2i2c.org"
- - "my.smccd.edu"
+ - my.smccd.edu
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/srjc.values.yaml b/config/clusters/cloudbank/srjc.values.yaml
index 19e01d253c..1475e74c8e 100644
--- a/config/clusters/cloudbank/srjc.values.yaml
+++ b/config/clusters/cloudbank/srjc.values.yaml
@@ -39,17 +39,14 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- # allow_all is a partial authorization, username_pattern is enforced also
- allow_all: true
+ allowed_domains:
+ - santarosa.edu
 urn:mace:incommon:berkeley.edu:
 username_derivation:
 username_claim: "email"
- # allow_all is a partial authorization, username_pattern is enforced also
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
 - sean.smorris@berkeley.edu
 - mmckeever@santarosa.edu
 - mjmckeever496@gmail.com
- username_pattern: '^(.+@2i2c\.org|.+@berkeley\.edu|.+@santarosa\.edu|mjmckeever496@gmail\.com|deployment-service-check)$'
From 6b3bf906c2bcdbe7d731b4f96d857fc987c34e4a Mon Sep 17 00:00:00 2001
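Review bot: The srjc hunk drops a `username_pattern` that, besides the domain alternatives, explicitly admitted `mjmckeever496@gmail\.com` and `deployment-service-check`; the gmail admin stays authorized because oauthenticator 16 consults `admin_users` by exact name, but the service-check name is not re-listed here and so must come from shared config outside this file, which is worth confirming. With `allowed_domains` now limited to `santarosa.edu`, that personal gmail entry is the only non-institutional account with full hub admin, which was already true but is now easy to overlook; a comment beside it recording the owner and the reason a personal account is used, e.g. `# personal account of the SRJC instructor above; admin by request`, would help the next access review.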
From: Erik Sundell Date: Thu, 5 Oct 2023 11:14:59 +0200 Subject: [PATCH 2/4] cloudbank: remove berkeley idp, let admin users be google users Both berkeley and google have been configured as identity providers, where the berkeley idp was meant to provide access for admin users at berkeley and google idp was meant to provide access for admin users at 2i2c. Since the admin users of berkeley have google accounts as well, we can rely solely on the google idp instead to grant access to all admins. --- config/clusters/cloudbank/ccsf.values.yaml | 3 --- config/clusters/cloudbank/csm.values.yaml | 3 --- config/clusters/cloudbank/csulb.values.yaml | 9 +++------ config/clusters/cloudbank/demo.values.yaml | 10 +++------- config/clusters/cloudbank/dvc.values.yaml | 7 ++----- config/clusters/cloudbank/elcamino.values.yaml | 3 --- config/clusters/cloudbank/evc.values.yaml | 3 --- config/clusters/cloudbank/fresno.values.yaml | 3 --- config/clusters/cloudbank/glendale.values.yaml | 3 --- config/clusters/cloudbank/howard.values.yaml | 3 --- config/clusters/cloudbank/humboldt.values.yaml | 10 +++------- config/clusters/cloudbank/lacc.values.yaml | 3 --- config/clusters/cloudbank/laney.values.yaml | 3 --- config/clusters/cloudbank/mills.values.yaml | 3 --- config/clusters/cloudbank/miracosta.values.yaml | 5 +---- config/clusters/cloudbank/mission.values.yaml | 3 --- config/clusters/cloudbank/norco.values.yaml | 3 --- config/clusters/cloudbank/palomar.values.yaml | 3 --- config/clusters/cloudbank/pasadena.values.yaml | 3 --- config/clusters/cloudbank/sacramento.values.yaml | 3 --- config/clusters/cloudbank/saddleback.values.yaml | 3 --- config/clusters/cloudbank/santiago.values.yaml | 3 --- config/clusters/cloudbank/sbcc-dev.values.yaml | 5 +---- config/clusters/cloudbank/sbcc.values.yaml | 5 +---- config/clusters/cloudbank/sjcc.values.yaml | 3 --- config/clusters/cloudbank/sjsu.values.yaml | 3 --- config/clusters/cloudbank/skyline.values.yaml | 3 ---
config/clusters/cloudbank/srjc.values.yaml | 3 --- config/clusters/cloudbank/staging.values.yaml | 3 --- config/clusters/cloudbank/tuskegee.values.yaml | 3 --- 30 files changed, 14 insertions(+), 106 deletions(-)
diff --git a/config/clusters/cloudbank/ccsf.values.yaml b/config/clusters/cloudbank/ccsf.values.yaml
index 73c7303cae..786b32d16f 100644
--- a/config/clusters/cloudbank/ccsf.values.yaml
+++ b/config/clusters/cloudbank/ccsf.values.yaml
@@ -41,9 +41,6 @@ jupyterhub:
 username_claim: "email"
 allowed_domains:
 - mail.ccsf.edu
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 allowed_users:
 - clare.alice.heimer@gmail.com
diff --git a/config/clusters/cloudbank/csm.values.yaml b/config/clusters/cloudbank/csm.values.yaml
index 36bb238354..e7409cc5e9 100644
--- a/config/clusters/cloudbank/csm.values.yaml
+++ b/config/clusters/cloudbank/csm.values.yaml
@@ -36,9 +36,6 @@ jupyterhub:
 allowed_domains:
 - my.smccd.edu
 - smccd.edu
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/csulb.values.yaml b/config/clusters/cloudbank/csulb.values.yaml
index 8d75bacdcc..8eb30c3e91 100644
--- a/config/clusters/cloudbank/csulb.values.yaml
+++ b/config/clusters/cloudbank/csulb.values.yaml
@@ -36,18 +36,15 @@ jupyterhub:
 CILogonOAuthenticator:
 oauth_callback_url: https://csulb.cloudbank.2i2c.cloud/hub/oauth_callback
 allowed_idps:
- http://google.com/accounts/o8/id:
- username_derivation:
- username_claim: "email"
- allowed_domains:
- - csulb.edu
 https://its-shib.its.csulb.edu/idp/shibboleth:
 username_derivation:
 username_claim: "email"
 allow_all: true
- urn:mace:incommon:berkeley.edu:
+ http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
+ allowed_domains:
+ - csulb.edu
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
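Review bot: Removing `urn:mace:incommon:berkeley.edu` from `allowed_idps` in the ccsf, csm and csulb hunks makes the Google IdP the sole login path for every `@berkeley.edu` name in `admin_users`, so full hub-admin rights now rest on Google asserting that exact `email` claim rather than on Berkeley's own InCommon IdP and whatever sign-in policy it enforces. The commit message gives the rationale, but none of the files do, and `berkeley.edu` is also absent from `allowed_domains`, so a later reader cannot tell whether the omission is deliberate. I would add one comment to each `allowed_idps` block, e.g. `# Berkeley and 2i2c admins sign in via the Google IdP and are authorized by admin_users; the InCommon Berkeley IdP was removed on purpose`. After deploy, have each listed admin confirm they can still log in, since an admin whose Google account is not tied to the listed address loses access silently.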
diff --git a/config/clusters/cloudbank/demo.values.yaml b/config/clusters/cloudbank/demo.values.yaml
index 8ed6f2e721..ce194dfdc6 100644
--- a/config/clusters/cloudbank/demo.values.yaml
+++ b/config/clusters/cloudbank/demo.values.yaml
@@ -42,15 +42,11 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- # allow_all is a partial authorization, username_pattern is enforced
- # also to allow a subset of users, specifically *.edu suffixed
- # domains in this case
+ # allow_all is a partial authorization for this hub because
+ # username_pattern configured and enforced also, allowing only users
+ # with *.edu suffixed domains besides specific admin users.
 allow_all: true
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
- # These folks should still have admin tho
 admin_users:
 - ericvd@berkeley.edu
 - sean.smorris@berkeley.edu
diff --git a/config/clusters/cloudbank/dvc.values.yaml b/config/clusters/cloudbank/dvc.values.yaml
index 0844c11520..dce9039f10 100644
--- a/config/clusters/cloudbank/dvc.values.yaml
+++ b/config/clusters/cloudbank/dvc.values.yaml
@@ -34,19 +34,16 @@ jupyterhub:
 CILogonOAuthenticator:
 oauth_callback_url: https://dvc.cloudbank.2i2c.cloud/hub/oauth_callback
 allowed_idps:
- http://google.com/accounts/o8/id:
+ http://login.microsoftonline.com/common/oauth2/v2.0/authorize:
 username_derivation:
 username_claim: "email"
 allowed_domains:
 - dvc.edu
- http://login.microsoftonline.com/common/oauth2/v2.0/authorize:
+ http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
 allowed_domains:
 - dvc.edu
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 JupyterHub:
 authenticator_class: cilogon
 Authenticator:
diff --git a/config/clusters/cloudbank/elcamino.values.yaml b/config/clusters/cloudbank/elcamino.values.yaml
index 3715de112f..670bffc31a 100644
--- a/config/clusters/cloudbank/elcamino.values.yaml
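Review bot: The rewritten demo comment says `username_pattern` admits `*.edu` users "besides specific admin users", but JupyterHub applies `username_pattern` in `validate_username` before `admin_users` or `allowed_users` are consulted, so an admin whose name fails the pattern is rejected outright; the statement only holds if the pattern itself names those admins, which this hunk cannot show. I would make the comment state what is actually enforced and fix the grammar slip: `# allow_all is partial here: Authenticator.username_pattern (below) still rejects any`, `# username that is not *.edu or explicitly named in that pattern.` The `username_pattern` line is outside the hunk, so check that it really lists any non-.edu admins before keeping the "besides admin users" wording.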
+++ b/config/clusters/cloudbank/elcamino.values.yaml
@@ -40,9 +40,6 @@ jupyterhub:
 username_claim: "email"
 allowed_domains:
 - elcamino.edu
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/evc.values.yaml b/config/clusters/cloudbank/evc.values.yaml
index 9cda39e729..ac04f1379d 100644
--- a/config/clusters/cloudbank/evc.values.yaml
+++ b/config/clusters/cloudbank/evc.values.yaml
@@ -47,9 +47,6 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/fresno.values.yaml b/config/clusters/cloudbank/fresno.values.yaml
index ea472f3fd3..5a333e8abc 100644
--- a/config/clusters/cloudbank/fresno.values.yaml
+++ b/config/clusters/cloudbank/fresno.values.yaml
@@ -37,9 +37,6 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - joellen.green@fresnocitycollege.edu
diff --git a/config/clusters/cloudbank/glendale.values.yaml b/config/clusters/cloudbank/glendale.values.yaml
index b5769bef6a..080bab4d51 100644
--- a/config/clusters/cloudbank/glendale.values.yaml
+++ b/config/clusters/cloudbank/glendale.values.yaml
@@ -36,9 +36,6 @@ jupyterhub:
 allowed_domains:
 - glendale.edu
 - student.glendale.edu
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - simon@glendale.edu
diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml
index 5e77e99332..f2fa446aa4 100644
--- a/config/clusters/cloudbank/howard.values.yaml
+++ b/config/clusters/cloudbank/howard.values.yaml
@@ -33,9 +33,6 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 OAuthenticator:
 # WARNING: Don't use allow_existing_users with config to allow an
 # externally managed group of users, such as
diff --git a/config/clusters/cloudbank/humboldt.values.yaml b/config/clusters/cloudbank/humboldt.values.yaml
index d9be01abf7..255b67fe5d 100644
--- a/config/clusters/cloudbank/humboldt.values.yaml
+++ b/config/clusters/cloudbank/humboldt.values.yaml
@@ -39,20 +39,16 @@ jupyterhub:
 CILogonOAuthenticator:
 oauth_callback_url: https://humboldt.cloudbank.2i2c.cloud/hub/oauth_callback
 allowed_idps:
- http://google.com/accounts/o8/id:
- username_derivation:
- username_claim: "email"
- allowed_domains:
- - humboldt.edu
 https://sso.humboldt.edu/idp/metadata:
 username_derivation:
 username_claim: "email"
 allow_all: true
- urn:mace:incommon:berkeley.edu:
+ http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
+ allowed_domains:
+ - humboldt.edu
 Authenticator:
- # These folks should still have admin tho
 admin_users:
 - ericvd@berkeley.edu
 - sean.smorris@berkeley.edu
diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml
index 8c6c41b29a..0542b302e6 100644
--- a/config/clusters/cloudbank/lacc.values.yaml
+++ b/config/clusters/cloudbank/lacc.values.yaml
@@ -33,9 +33,6 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 OAuthenticator:
 # WARNING: Don't use allow_existing_users with config to allow an
 # externally managed group of users, such as
diff --git a/config/clusters/cloudbank/laney.values.yaml b/config/clusters/cloudbank/laney.values.yaml
index a30b501d07..f431f69e26 100644
--- a/config/clusters/cloudbank/laney.values.yaml
+++ b/config/clusters/cloudbank/laney.values.yaml
@@ -39,9 +39,6 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/mills.values.yaml b/config/clusters/cloudbank/mills.values.yaml
index c2f4cae8cf..74b846e6d3 100644
--- a/config/clusters/cloudbank/mills.values.yaml
+++ b/config/clusters/cloudbank/mills.values.yaml
@@ -35,9 +35,6 @@ jupyterhub:
 username_claim: "email"
 allowed_domains:
 - mills.edu
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - aculich@berkeley.edu
diff --git a/config/clusters/cloudbank/miracosta.values.yaml b/config/clusters/cloudbank/miracosta.values.yaml
index dbae907c84..9864706df3 100644
--- a/config/clusters/cloudbank/miracosta.values.yaml
+++ b/config/clusters/cloudbank/miracosta.values.yaml
@@ -30,14 +30,11 @@ jupyterhub:
 CILogonOAuthenticator:
 oauth_callback_url: https://miracosta.cloudbank.2i2c.cloud/hub/oauth_callback
 allowed_idps:
- http://google.com/accounts/o8/id:
- username_derivation:
- username_claim: "email"
 https://miracosta.fedgw.com/gateway:
 username_derivation:
 username_claim: "email"
 allow_all: true
- urn:mace:incommon:berkeley.edu:
+ http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
 Authenticator:
diff --git a/config/clusters/cloudbank/mission.values.yaml b/config/clusters/cloudbank/mission.values.yaml
index acf5883b71..6ec0d56592 100644
--- a/config/clusters/cloudbank/mission.values.yaml
+++ b/config/clusters/cloudbank/mission.values.yaml
@@ -42,9 +42,6 @@ jupyterhub:
 allowed_domains:
 - missioncollege.edu
 - mywvm.wvm.edu
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/norco.values.yaml b/config/clusters/cloudbank/norco.values.yaml
index d82f2d3a43..2e64440c0c 100644
--- a/config/clusters/cloudbank/norco.values.yaml
+++ b/config/clusters/cloudbank/norco.values.yaml
@@ -39,9 +39,6 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml
index 91dcb3349c..2d5e8ce8f8 100644
--- a/config/clusters/cloudbank/palomar.values.yaml
+++ b/config/clusters/cloudbank/palomar.values.yaml
@@ -33,9 +33,6 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 OAuthenticator:
 # WARNING: Don't use allow_existing_users with config to allow an
 # externally managed group of users, such as
diff --git a/config/clusters/cloudbank/pasadena.values.yaml b/config/clusters/cloudbank/pasadena.values.yaml
index 6a8896ff8a..c5ce436305 100644
--- a/config/clusters/cloudbank/pasadena.values.yaml
+++ b/config/clusters/cloudbank/pasadena.values.yaml
@@ -41,9 +41,6 @@ jupyterhub:
 username_claim: "email"
 allowed_domains:
 - go.pasadena.edu
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - yxchang@go.pasadena.edu
diff --git a/config/clusters/cloudbank/sacramento.values.yaml b/config/clusters/cloudbank/sacramento.values.yaml
index 174d1d1465..ff03773762 100644
--- a/config/clusters/cloudbank/sacramento.values.yaml
+++ b/config/clusters/cloudbank/sacramento.values.yaml
@@ -42,9 +42,6 @@ jupyterhub:
 allowed_domains:
 - scc.losrios.edu
 - apps.losrios.edu
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/saddleback.values.yaml b/config/clusters/cloudbank/saddleback.values.yaml
index e3b7f98920..ffaa5de787 100644
--- a/config/clusters/cloudbank/saddleback.values.yaml
+++ b/config/clusters/cloudbank/saddleback.values.yaml
@@ -41,9 +41,6 @@ jupyterhub:
 username_claim: "email"
 allowed_domains:
 - saddleback.edu
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/santiago.values.yaml b/config/clusters/cloudbank/santiago.values.yaml
index be3ad58b77..14837ede12 100644
--- a/config/clusters/cloudbank/santiago.values.yaml
+++ b/config/clusters/cloudbank/santiago.values.yaml
@@ -46,9 +46,6 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml
index 98e01568a0..bb470db2b6 100644
--- a/config/clusters/cloudbank/sbcc-dev.values.yaml
+++ b/config/clusters/cloudbank/sbcc-dev.values.yaml
@@ -30,13 +30,10 @@ jupyterhub:
 CILogonOAuthenticator:
 oauth_callback_url: "https://sbcc-dev.cloudbank.2i2c.cloud/hub/oauth_callback"
 allowed_idps:
- http://google.com/accounts/o8/id:
- username_derivation:
- username_claim: "email"
 https://idp.sbcc.edu/idp/shibboleth:
 username_derivation:
 username_claim: "email"
- urn:mace:incommon:berkeley.edu:
+ http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
 OAuthenticator:
diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml
index 2fc8495102..f186ee3386 100644
--- a/config/clusters/cloudbank/sbcc.values.yaml
+++ b/config/clusters/cloudbank/sbcc.values.yaml
@@ -30,13 +30,10 @@ jupyterhub:
 CILogonOAuthenticator:
 oauth_callback_url: "https://sbcc.cloudbank.2i2c.cloud/hub/oauth_callback"
 allowed_idps:
- http://google.com/accounts/o8/id:
- username_derivation:
- username_claim: "email"
 https://idp.sbcc.edu/idp/shibboleth:
 username_derivation:
 username_claim: "email"
- urn:mace:incommon:berkeley.edu:
+ http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
 OAuthenticator:
diff --git a/config/clusters/cloudbank/sjcc.values.yaml b/config/clusters/cloudbank/sjcc.values.yaml
index d1dcd0df1e..7aa427950e 100644
--- a/config/clusters/cloudbank/sjcc.values.yaml
+++ b/config/clusters/cloudbank/sjcc.values.yaml
@@ -41,9 +41,6 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - christiaan.desmond@sjcc.edu
diff --git a/config/clusters/cloudbank/sjsu.values.yaml b/config/clusters/cloudbank/sjsu.values.yaml
index 9257693c0b..91454df518 100644
--- a/config/clusters/cloudbank/sjsu.values.yaml
+++ b/config/clusters/cloudbank/sjsu.values.yaml
@@ -46,9 +46,6 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/skyline.values.yaml b/config/clusters/cloudbank/skyline.values.yaml
index d153662897..03b16084f1 100644
--- a/config/clusters/cloudbank/skyline.values.yaml
+++ b/config/clusters/cloudbank/skyline.values.yaml
@@ -41,9 +41,6 @@ jupyterhub:
 username_claim: "email"
 allowed_domains:
 - my.smccd.edu
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/srjc.values.yaml b/config/clusters/cloudbank/srjc.values.yaml
index 1475e74c8e..03c6802287 100644
--- a/config/clusters/cloudbank/srjc.values.yaml
+++ b/config/clusters/cloudbank/srjc.values.yaml
@@ -41,9 +41,6 @@ jupyterhub:
 username_claim: "email"
 allowed_domains:
 - santarosa.edu
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml
index b45e22d8ae..83ec5fe872 100644
--- a/config/clusters/cloudbank/staging.values.yaml
+++ b/config/clusters/cloudbank/staging.values.yaml
@@ -33,9 +33,6 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 OAuthenticator:
 # WARNING: Don't use allow_existing_users with config to allow an
 # externally managed group of users, such as
diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml
index 40d56e897c..9ff5994406 100644
--- a/config/clusters/cloudbank/tuskegee.values.yaml
+++ b/config/clusters/cloudbank/tuskegee.values.yaml
@@ -33,9 +33,6 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- urn:mace:incommon:berkeley.edu:
- username_derivation:
- username_claim: "email"
 OAuthenticator:
 # WARNING: Don't use allow_existing_users with config to allow an
 # externally managed group of users, such as
From 5a2881f33f87ce69b2b9edf4b29b9e4a0a3ab30e Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Mon, 9 Oct 2023 08:27:54 +0200
Subject: [PATCH 3/4] cloudbank, csum: add admin user

---
 config/clusters/cloudbank/csum.values.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/clusters/cloudbank/csum.values.yaml b/config/clusters/cloudbank/csum.values.yaml
index bf3afa8677..e4338d28d3 100644
--- a/config/clusters/cloudbank/csum.values.yaml
+++ b/config/clusters/cloudbank/csum.values.yaml
@@ -53,6 +53,7 @@ jupyterhub:
 - ericvd@berkeley.edu
 - sean.smorris@berkeley.edu
 - jteoh@csum.edu
+ - jsimons@csum.edu
 extraFiles:
 configurator-schema-default:
 data:
From fc9465990f494810eb16c167801a6f05b07b3bee Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Mon, 9 Oct 2023 08:36:37 +0200
Subject: [PATCH 4/4] cloudbank, demo: limit access to the admin users for now

---
 config/clusters/cloudbank/demo.values.yaml | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/config/clusters/cloudbank/demo.values.yaml b/config/clusters/cloudbank/demo.values.yaml
index ce194dfdc6..f3e64c4ad8 100644
--- a/config/clusters/cloudbank/demo.values.yaml
+++ b/config/clusters/cloudbank/demo.values.yaml
@@ -42,21 +42,17 @@ jupyterhub:
 http://google.com/accounts/o8/id:
 username_derivation:
 username_claim: "email"
- # allow_all is a partial authorization for this hub because
- # username_pattern configured and enforced also, allowing only users
- # with *.edu suffixed domains besides specific admin users.
- allow_all: true
 Authenticator:
 admin_users:
 - ericvd@berkeley.edu
 - sean.smorris@berkeley.edu
 - kalkeab@gmail.com
 - jhenryestrada@gmail.com
- # We only want 2i2c users and users with .edu emails to sign up
- # Protects against cryptominers - https://github.com/2i2c-org/infrastructure/issues/1216
- # FIXME: This doesn't account for educational institutions that have emails that don't end in .edu,
- # as is the case for some non-euroamerican universities.
- username_pattern: '^(.+@2i2c\.org|.+\.edu|kalkeab@gmail\.com|jhenryestrada@gmail\.com|deployment-service-check)$'
+ # NOTE: This demo hub may be temporarily opened up for broad access by
+ # declaring `allow_all: true` for the google idp. If that is done,
+ # username_pattern can then be used to constrain access.
+ #
+ # username_pattern: '^(.+@2i2c\.org|.+\.edu|kalkeab@gmail\.com|jhenryestrada@gmail\.com|deployment-service-check)$'
 cull:
 # Cull after 30min of inactivity
 every: 300
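Review bot: The new NOTE recommends reopening the hub with `allow_all: true` on the google idp plus username_pattern, but that combination admits any google-authenticated account whose `email` claim ends in `.edu`, regardless of institution, whereas the other cloudbank hubs in this series scope the google idp with a per-idp `allowed_domains` list. The note would serve better as `# NOTE: To open this demo hub beyond admin_users, prefer an allowed_domains list under the google idp (as the other cloudbank hubs do) over allow_all with username_pattern; the old pattern is kept below for reference.` The commented regex also duplicates kalkeab@gmail.com and jhenryestrada@gmail.com from admin_users and will drift if either list changes. The enclosing `jupyterhub:` mapping starts before the hunk.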