
cloudbank: revision of auth config #3232

Merged: 4 commits merged into 2i2c-org:master from pr/cloudbank-auth-revision on Oct 13, 2023

Conversation

consideRatio (Contributor) commented Oct 5, 2023

This PR updates cloudbank cluster's hubs configuration of CILogonOAuthenticator, and various changes made here should also be made in other hubs in other clusters but this PR is scoped for cloudbank specifically for now.

PR changes

Now authorized either by ...

With oauthenticator v16, a user can be authorized by different config and doesn't have to be authorized by all config. For example, allowed_domains previously rejected admin users signing in if it was configured, but in oauthenticator v16 you can be authorized by being part of either allowed_domains or admin_users.

berkeley.edu and 2i2c.org users access reduced

Previously any user with a berkeley.edu email or 2i2c.org email was granted access by many hubs configurations via allowed_domains. This is now tightened to only allow specific berkeley.edu usernames and 2i2c.org usernames.

Berkeley idp removed, Google idp is sufficient

Both berkeley and google have been configured as identity providers, where the berkeley idp was meant to provide access for admin users at berkeley and the google idp was meant to provide access for admin users at 2i2c. Since the admin users of berkeley have google accounts as well, we can rely solely on the google idp instead to grant access to all admins.

To reduce the complexity of auth config and help us avoid granting more access than wanted, the berkeley idp is removed entirely.

csum open access tightened

I saw that the csum hub was configured to grant access to all google users; this access is now reduced. This resolves the comment in #3231 (review).

Reordered allowed_idps entries

I moved the user relevant idp to the top, and the admin relevant idp to the bottom. This was done for consistency and in preparation for a future improvement about pre-selecting a choice in a CILogon dropdown list. This needs jupyterhub/oauthenticator#690 to be resolved first though.

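The authorization semantics the description leans on (one of admin_users, allowed_users or the signing idp's allowed_domains is enough under oauthenticator v16, whereas previously a configured allowed_domains gated everyone) are modelled below as an added example. This is illustrative code written for this page, not code from the PR, the cloudbank values files or oauthenticator itself; the idp key, the user names, the domains, the `AuthConfig` model and the `authorize_*` helpers are all assumptions made for illustration. It also shows two checks a reviewer of this kind of config change would want: an exact (not suffix) domain match, and the "before" versus "after" effect on a user at the broadly allowed domain.

```python
"""Model of the authorization rules the PR description relies on.

Illustrative reimplementation, NOT oauthenticator code: it keeps only the
settings the PR touches (allowed_idps with per-idp allowed_domains,
allowed_users, admin_users) and applies the "any one rule suffices" logic of
oauthenticator v16 as the PR describes it, next to the older "domain list
gates everyone" behaviour the PR contrasts against.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumed CILogon entity id used as the dict key for the Google idp (illustrative).
GOOGLE_IDP = "http://google.com/accounts/o8/id"


@dataclass
class AuthConfig:
    # idp id -> {"allowed_domains": [...]}  (per-idp, like CILogon's allowed_idps)
    allowed_idps: dict = field(default_factory=dict)
    allowed_users: set = field(default_factory=set)
    admin_users: set = field(default_factory=set)


def email_domain(username: str) -> Optional[str]:
    """Return the lower-cased part after the last '@', or None if there is none."""
    if "@" not in username:
        return None
    return username.rsplit("@", 1)[1].lower()


def domain_allowed(username: str, idp: str, cfg: AuthConfig) -> bool:
    """Exact match against the idp's allowed_domains.

    Exact (not endswith/substring) so that 'berkeley.edu.attacker.net' or
    'notberkeley.edu' can never satisfy a 'berkeley.edu' rule.
    """
    domain = email_domain(username)
    allowed = cfg.allowed_idps.get(idp, {}).get("allowed_domains", [])
    return domain is not None and domain in {d.lower() for d in allowed}


def authorize_v16(username: str, idp: str, cfg: AuthConfig) -> Tuple[bool, bool]:
    """v16 semantics per the PR: admin_users OR allowed_users OR allowed_domains.

    Returns (allowed, is_admin). A login through an idp that is not listed in
    allowed_idps at all is rejected before any other rule is considered.
    """
    if idp not in cfg.allowed_idps:
        return False, False
    is_admin = username in cfg.admin_users
    allowed = is_admin or username in cfg.allowed_users or domain_allowed(username, idp, cfg)
    return allowed, is_admin


def authorize_pre_v16(username: str, idp: str, cfg: AuthConfig) -> Tuple[bool, bool]:
    """Older behaviour the PR contrasts against: once allowed_domains is set for
    the idp it gates every login, so an admin outside those domains is refused."""
    if idp not in cfg.allowed_idps:
        return False, False
    is_admin = username in cfg.admin_users
    if cfg.allowed_idps[idp].get("allowed_domains"):
        return domain_allowed(username, idp, cfg), is_admin
    return (is_admin or username in cfg.allowed_users), is_admin


# Constructed "before" shape: a whole university domain is granted access and the
# only admin lives at a different domain. Values are illustrative, not the hub's.
BEFORE = AuthConfig(
    allowed_idps={GOOGLE_IDP: {"allowed_domains": ["berkeley.edu"]}},
    admin_users={"admin@2i2c.org"},
)

# Constructed "after" shape: the broad domain is dropped, the one person who
# needs access is named in allowed_users, and only a class domain stays open.
AFTER = AuthConfig(
    allowed_idps={GOOGLE_IDP: {"allowed_domains": ["students.example.edu"]}},
    allowed_users={"instructor@berkeley.edu"},
    admin_users={"admin@2i2c.org"},
)


def access_report(cfg: AuthConfig, logins) -> dict:
    """Map each (username, idp) login attempt to the v16 decision under cfg."""
    return {user: authorize_v16(user, idp, cfg) for user, idp in logins}


if __name__ == "__main__":
    attempts = [
        ("admin@2i2c.org", GOOGLE_IDP),
        ("anyone@berkeley.edu", GOOGLE_IDP),
        ("instructor@berkeley.edu", GOOGLE_IDP),
        ("x@berkeley.edu.attacker.net", GOOGLE_IDP),
    ]
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, access_report(cfg, attempts))
```

Running the script prints the decision for each constructed login under both shapes: `anyone@berkeley.edu` is accepted by the "before" config and refused by the "after" one, while the admin is accepted by both under v16 semantics but refused by the pre-v16 function on the "before" config, which is the situation the description calls out. Real CILogon usernames also depend on `username_derivation`, so the exact string compared against `allowed_users` and `admin_users` must match what that derivation produces.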

consideRatio (Contributor, Author) left a review comment

@sean-morris I wrote some comments to help you understand the motivation behind the different kinds of changes I'm making in this PR

Review threads on:
- config/clusters/cloudbank/ccsf.values.yaml (resolved)
- config/clusters/cloudbank/csum.values.yaml (outdated, resolved)
- config/clusters/cloudbank/demo.values.yaml (outdated, resolved)
consideRatio (Contributor, Author) commented

@sean-morris do you approve merging this PR at this point? Since the last review, I've added the admin user you added as part of #3239 that I closed in favor of this, and I've reduced the demo hub access to just the listed admin users for now but ensured it's easy to enable ~public access temporarily when needed in the future.

Commit messages:

In oauthenticator 16, users can be authorized in multiple separate ways.
If they are part of `allowed_domains`, they can be authorized like that,
but if they aren't they can still be authorized by being listed in
`allowed_users` or `admin_users`. This enables us to not list 2i2c.org
and berkeley.edu in `allowed_domains` since it's really just meant to allow a
few specific users.

Both berkeley and google have been configured as identity providers,
where the berkeley idp was meant to provide access for admin users at
berkeley and the google idp was meant to provide access for admin users at
2i2c.

Since the admin users of berkeley have google accounts as well, we can
rely solely on the google idp instead to grant access to all admins.
@consideRatio consideRatio force-pushed the pr/cloudbank-auth-revision branch from 11902ff to fc94659 Compare October 13, 2023 09:18
@consideRatio consideRatio merged commit 5cda03c into 2i2c-org:master Oct 13, 2023
2 checks passed
github-actions commented
🎉🎉🎉🎉

Monitor the deployment of the hubs here 👉 https://github.com/2i2c-org/infrastructure/actions/runs/6506417947

Successfully merging this pull request may close these issues.

Cloudbank followup to review auth config