Grant access for 2i2c members only via admin_users #3233
Conversation
This comment was marked as resolved.
This comment was marked as resolved.
consideRatio
force-pushed
the
pr/tighten-auth-config-for-2i2c-members
branch
2 times, most recently
from
969e459 to
2844cc2
Compare
| @@ -33,7 +33,6 @@ jupyterhub: | |||
| GitHubOAuthenticator: | |||
| oauth_callback_url: https://go-bgc.2i2c.cloud/hub/oauth_callback | |||
| allowed_organizations: | |||
| - 2i2c-org:hub-access-for-2i2c-staff | |||
There was a problem hiding this comment.
Removing ourselves from allowed_organization is fine, because we are added to admin_users.
Doing this also isn't influencing the filtering of profile_list entries using our basehub injected allowed_teams config.
| allowed_domains: | ||
| - "2i2c.org" |
There was a problem hiding this comment.
Removing ourselves from a CILogonOAuthenticator allowed_domains is also fine, we are allowed by being added to admin_users.
| # Allow 2i2c staff to login with Google | ||
| http://google.com/accounts/o8/id: | ||
| username_derivation: | ||
| username_claim: "email" | ||
| allowed_domains: | ||
| - "2i2c.org" | ||
| # Allow MTU to login via Shibboleth | ||
| https://sso.mtu.edu/idp/shibboleth: | ||
| username_derivation: | ||
| username_claim: "email" | ||
| allowed_domains: | ||
| - "mtu.edu" | ||
| # Allow 2i2c staff to login with Google accounts | ||
| http://google.com/accounts/o8/id: | ||
| username_derivation: | ||
| username_claim: "email" |
There was a problem hiding this comment.
This was a re-ordering of config entries. I want us to put the user-facing idp's first as a way to prepare for letting that lead to presenting that option by default in favor of presenting the option only relevant to us admin first.
For more details about this, see jupyterhub/oauthenticator#690
| # add_staff_user_ids_to_admin_users is disabled because the usernames | ||
| # aren't github id or email based, individual 2i2c members have added | ||
| # their user to admin_users manually instead. | ||
| add_staff_user_ids_to_admin_users: false | ||
| # add_staff_user_ids_of_type: "google" |
There was a problem hiding this comment.
In this hub where we aren't added to admin_users, it remains important to not remove allowing us via allowed_domains.
| @@ -76,7 +75,6 @@ basehub: | |||
| description: &profile_list_description "Start a container with at least a chosen share of capacity on a node of this type" | |||
| slug: small | |||
| default: true | |||
| allowed_teams: *allowed_github_orgs | |||
There was a problem hiding this comment.
Its better if we just allow all users by default instead, because otherwise we need to make a few extra API calls to check for membership etc for no real reason.
Since #3234 (comment), removing allowed_teams makes all users logged in to the hub be able to see this like we want.
There was a problem hiding this comment.
I think this is good to go so it doesn't get into conflict with future work.
Note, that I believe documenting the oauthenticator > 16 new behaviour in the context of 2i2c config is really important, as I often find myself confused by the new defaults, even though I stayed pretty up to date with the work that into into that release.
So, I believe it is really important to have the docs up to date with the new version, so we can all relate to it when uncertain.
We should prioritize getting #3247 ready soon, as atm, after we merge this PR, the examples in the docs are not complete and might cause confusion.
Until #3247 gets implemented, since we are removing the need to explicitly allow the 2i2c org or the 2i2c domain from the examples in the docs in this PR, what do you think about adding a really quick warning message in the docs pages of both authentication options that says something like:
This examples assume that `add_staff_user_ids_to_admin_user` and `add_staff_user_ids_of_type` were configured for this hub to allow 2i2c staff access as admins.
If this is not the case, consider making the appropriate changes to allow such access.
| @@ -37,7 +37,6 @@ basehub: | |||
| authenticator_class: "github" | |||
| GitHubOAuthenticator: | |||
| oauth_callback_url: "https://dask-staging.aws.2i2c.cloud/hub/oauth_callback" | |||
| allowed_organizations: | |||
| - 2i2c-org | |||
| allowed_organizations: [] | |||
There was a problem hiding this comment.
@consideRatio, not setting allowed_organizations at all has the same effect as setting it to be an empty list?
There was a problem hiding this comment.
Yepp, this could also be removed entirely. I'll do so!
There was a problem hiding this comment.
Resolved via 2bd0faf
| @@ -97,7 +97,6 @@ You can remove yourself from the org once you have confirmed that login is worki | |||
| GitHubOAuthenticator: | |||
| oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback | |||
| allowed_organizations: | |||
| - 2i2c-org:hub-access-for-2i2c-staff | |||
There was a problem hiding this comment.
Since we're updating the GitHub authentication example to not include the 2i2c org, let's also update the example in https://infrastructure.2i2c.org/hub-deployment-guide/configure-auth/cilogon/#configure-the-authenticator to not include 2i2c in the allowed_domains.
There was a problem hiding this comment.
Resolved via 53c8e49
With oauthenticator 16, being listed in `admin_users` makes 2i2c members have access even if they are now listed in `allowed_domains` or `allowed_organizations`. Due to this, we can avoid the need to declare `2i2c.org` and `2i2c-org` there and rely on being listed in `admin_users`.
consideRatio
force-pushed
the
pr/tighten-auth-config-for-2i2c-members
branch
from
2403389 to
53c8e49
Compare
|
🎉🎉🎉🎉 Monitor the deployment of the hubs here 👉 https://github.com/2i2c-org/infrastructure/actions/runs/6470657250 |
|
Thank you for reviewing this @GeorgianaElena!!! I agree on the importance of following up in #3247, and I've done some steps towards it in 53c8e49 as a start. |
With oauthenticator 16, being listed in
admin_usersmakes 2i2c members have access even if they are now listed inallowed_domainsorallowed_organizations. Due to this, we can avoid the need to declare2i2c.organd2i2c-orgthere and rely on being listed inadmin_users.I've provided a few comments, one per kind of change made.
Related