alan-turing-institute / bridge-data-platform

Repository that manages the Kubernetes JupyterHub deployment that hosts the 3D bridge data platform
MIT License

Migrate Authentication from GitHub to Azure Active Directory #25

Open sgibson91 opened 4 years ago

sgibson91 commented 4 years ago

If we use Kerberos authentication against Azure AD for accessing data (#10) then we should also use this to authenticate user access to the Hub prior.

sgibson91 commented 4 years ago

Requirements from JupyterHub: https://zero-to-jupyterhub.readthedocs.io/en/latest/administrator/authentication.html#azure-active-directory

TODO: Submit top desk ticket requesting Service Principal to authenticate against Turing's Active Directory

Update: Ticket submitted 2020/03/26

sgibson91 commented 4 years ago

Ticket has been completed but it required HTTPS. #7 really needs to be pushed forward before we can implement this.

annahadji commented 4 years ago

New ticket opened requesting to edit the AD auth app with the new domain name (now HTTPS encryption is enabled) and enquiring about client secret etc. Ticket number I2009-450.

sgibson91 commented 4 years ago

Just a note that I don't think secrets can be retrieved once they've been created, so probably a new AD auth app will need to be generated.

annahadji commented 4 years ago

IT exchanged secrets of original Azure AD app & edited its redirect URL. Access to the JupyterHub now requires Turing account authentication. Commit enabling Azure AD auth: 0770d23e06c5d677af48dee70acfed1db1819d6b.

Next: need process for restricting/granting access to data within Turing (currently all Turing accounts would have access).

sgibson91 commented 4 years ago

If you reinstate the below lines, this will give admin access to you, me and Eric. The regex will exclude everyone else, but then you can start adding permitted users to the whitelist.

Question to think about: How do we decide who gets added to the whitelist?

Also, double check which version of JupyterHub is running; we recently did some work to replace insensitive language like "whitelist" with "allowlist" (or something similar).

https://github.com/alan-turing-institute/bridge-data-platform/blob/0770d23e06c5d677af48dee70acfed1db1819d6b/config/config-template.yaml#L10-L15
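To make the access-control point concrete, here is an added example (not the repository's config-template.yaml, which is linked above but not reproduced on this page) of the Zero to JupyterHub Helm values for Azure AD login, showing the open setting beside the restricted one. It assumes chart 1.0 or later, where the `auth.*` / `whitelist` keys were replaced by `hub.config.<Class>.<trait>` and `allowed_users`; the tenant, client and user names are placeholders.

```yaml
# Added example values.yaml fragment for Zero to JupyterHub (chart >= 1.0).
# Placeholders in angle brackets are assumptions, not values from this repo.
hub:
  config:
    JupyterHub:
      authenticator_class: azuread
    AzureAdOAuthenticator:
      tenant_id: "<TURING_TENANT_ID>"
      client_id: "<APP_REGISTRATION_CLIENT_ID>"
      # Do not commit the secret value; supply it from a Kubernetes Secret
      # (e.g. via hub.existingSecret) and reference it here.
      client_secret: "<CLIENT_SECRET_FROM_K8S_SECRET>"
      # Must match the redirect URI registered on the AD app, and must be HTTPS.
      oauth_callback_url: "https://<HUB_DOMAIN>/hub/oauth_callback"
    Authenticator:
      # --- Open setting (what the thread describes as "all Turing accounts
      # would have access"): leaving allowed_users empty means every account
      # that can sign in to the tenant is admitted to the Hub. ---
      # allowed_users: []

      # --- Restricted setting: only listed users may log in. Admin users are
      # automatically allowed, so they need not be repeated below. ---
      admin_users:
        - "<admin-user-1>"
        - "<admin-user-2>"
      allowed_users:
        - "<permitted-user-1>"
        - "<permitted-user-2>"
      # Optional: a regex that every username must match in addition to the
      # list above. The correct pattern depends on which token claim the
      # authenticator uses as the username, which the thread has not settled,
      # so it is left commented out here.
      # username_pattern: "<REGEX_FOR_TURING_USERNAMES>"
```

The two settings differ only in whether `allowed_users` is populated: with it empty the Hub trusts tenant membership alone, with it populated the Hub adds an explicit allowlist on top of the tenant login. The usernames to list must be in the form the authenticator actually produces after login, which is the question the next comment raises.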

annahadji commented 4 years ago

Ah yes, thanks! I'm assuming the format of those users will need to be our Turing usernames now?

Regarding who gets added - this still needs to be finalised, I see we have number 5 in the roadmap which I'll start looking into next.

sgibson91 commented 4 years ago

> Ah yes, thanks! I'm assuming the format of those users will need to be our Turing usernames now?

Yes I believe so. Excellent work!