search

HewlettPackard / jupyterhub-samlauthenticator

jupyterhub-samlauthenticator
MIT License
36 stars 25 forks source link

c.Authenticator.whitelist not supported? #57

Closed jeffmaley closed 3 years ago

jeffmaley commented 3 years ago

From testing, it doesn't look like c.Authenticator.whitelist is supported by this authenticator. Is that expected and, if so, is it planned for a future release?

distortedsignal commented 3 years ago

Hmmmm... it should be. Could you go into the behavior that you're seeing, the behavior that you expect to see, and any logs that might help shed light on the issue?

jeffmaley commented 3 years ago

Regardless of what names I configure in c.Authenticator.whitelist in jupyterhub_config.py, any user seems to be able to authenticate and get in. My goal is to allow only a specified user to login. I can see that's it's acknowledging the line exists because there's no log entry like: Not using whitelist. Any authenticated user will be allowed.

It looks like the jupyterhub made some changes (github.com/jupyterhub/jupyterhub/pull/3090), but it looks like they should still support the existing language.

distortedsignal commented 3 years ago

Good catch. Could you send me the relevant lines in your config file?

jeffmaley commented 3 years ago

Here's the config:

c.JupyterHub.authenticator_class = 'samlauthenticator.SAMLAuthenticator'
c.SAMLAuthenticator.metadata_filepath = <redacted>
c.SAMLAuthenticator.audience = 'http://localhost:8000/'
c.SAMLAuthenticator.recipient = 'http://localhost:8002/hub/login'
c.SAMLAuthenticator.acs_endpoint_url = 'http://localhost:8001:/hub/login'
c.SAMLAuthenticator.time_format_string = '%Y-%m-%dT%H:%M:%S.%fZ'
c.SAMLAuthenticator.create_system_users = True
c.SAMLAuthenticator.slo_forward_on_logout = True
c.Authenticator.whitelist = {'maleyjm'}
distortedsignal commented 3 years ago

Ah, I see the issue - I think that c.Authenticator.whitelist should probably be c.SAMLAuthenticator.whitelist.

jeffmaley commented 3 years ago

I gave that a whirl and jupyterhub logged that no whitelist was configured. I'm going to start with a fresh instance tomorrow, as I've done a number of things to this one and the behavior is completely different from the first instance I setup.

jeffmaley commented 3 years ago

I did a fresh setup and the whitelist works, so I'm assuming I screwed something up on the previous installs.

distortedsignal commented 3 years ago

It happens. I'm glad that the whitelist feature works now :)