cloudbank, demo: limit access to the admin users for now

2i2c-org · Oct 13, 2023 · fc94659 · fc94659
1 parent 5a2881f
commit fc94659
Showing 1 changed file with 5 additions and 9 deletions.
diff --git a/config/clusters/cloudbank/demo.values.yaml b/config/clusters/cloudbank/demo.values.yaml
@@ -42,21 +42,17 @@ jupyterhub:
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
-            # allow_all is a partial authorization for this hub because
-            # username_pattern configured and enforced also, allowing only users
-            # with *.edu suffixed domains besides specific admin users.
-            allow_all: true
       Authenticator:
         admin_users:
           - ericvd@berkeley.edu
           - sean.smorris@berkeley.edu
           - kalkeab@gmail.com
           - jhenryestrada@gmail.com
-        # We only want 2i2c users and users with .edu emails to sign up
-        # Protects against cryptominers - https://github.com/2i2c-org/infrastructure/issues/1216
-        # FIXME: This doesn't account for educational institutions that have emails that don't end in .edu,
-        # as is the case for some non-euroamerican universities.
-        username_pattern: '^(.+@2i2c\.org|.+\.edu|kalkeab@gmail\.com|jhenryestrada@gmail\.com|deployment-service-check)$'
+        # NOTE: This demo hub may be temporarily opened up for broad access by
+        #       declaring `allow_all: true` for the google idp. If that is done,
+        #       username_pattern can then be used to constrain access.
+        #
+        # username_pattern: '^(.+@2i2c\.org|.+\.edu|kalkeab@gmail\.com|jhenryestrada@gmail\.com|deployment-service-check)$'
   cull:
     # Cull after 30min of inactivity
     every: 300