jupyterhub / zero-to-jupyterhub-k8s

Helm Chart & Documentation for deploying JupyterHub on Kubernetes
https://zero-to-jupyterhub.readthedocs.io
1.56k stars, 800 forks

All oauth users not being allowed by default #3332

Closed ajeffowens closed 10 months ago

ajeffowens commented 10 months ago

I am using jupyterhub helm chart version 3.2.1 with the generic-oauth authenticator. The authenticator works when I provide a user whitelist (hub.config.Authenticator.allowed_users). As in, users that are whitelisted can get in, but nobody else can. Everyone gets a 403 when the whitelist is not applied. I would like for all authenticated users to be allowed by default, but I am not seeing how to do that in the doc.

relevant section of helm values:

....
hub:
  config:
    Authenticator:
      enable_auth_state: true
      create_system_users: true
    GenericOAuthenticator:
      client_id:  jhubuser
      client_secret: f2***ef82
      oauth_callback_url: https://v***s.com/hub/oauth_callback
      authorize_url: https://v***s.com/***oauth/authorize
      token_url: https://v***s.com/***/oauth/token
      userdata_url: https://v***s.com/***/userinfo
      scope:
        - openid
      username_key: user_name
      login_service: '***'
      tls_verify: False
      userdata_params: {'state': 'state'}
    JupyterHub:
      authenticator_class: generic-oauth
      log_level: DEBUG
    CryptKeeper:
      keys:
        - "15d***59"
  extraConfig:
    myConfig.py: |
      async def add_auth_env(spawner):
        '''
        We set user's id, login and access token on single user image to
        enable repository integration for JupyterHub.
        See: https://gitlab.com/gitlab-org/gitlab-ce/issues/47138#note_154294790
        '''
        auth_state = await spawner.user.get_auth_state()

        if not auth_state:
          spawner.log.warning("No auth state for %s", spawner.user)
          return
        spawner.environment['ACCESS_TOKEN'] = auth_state['access_token']
        spawner.environment['REFRESH_TOKEN'] = auth_state['refresh_token']
      c.KubeSpawner.pre_spawn_hook = add_auth_env
...

Here is what the logs look like when a user is denied, either by not being in the allowed_users list or when the user is not in the whitelist:

hub-64bc8c9bd7-rqktb hub [I 2024-01-29 20:27:34.194 JupyterHub oauth2:97] OAuth redirect: https://v***s.com/hub/oauth_callback
hub-64bc8c9bd7-rqktb hub [D 2024-01-29 20:27:34.194 JupyterHub base:587] Setting cookie oauthenticator-state: {'httponly': True, 'secure': True, 'expires_days': 1}
hub-64bc8c9bd7-rqktb hub [I 2024-01-29 20:27:34.195 JupyterHub log:191] 302 GET /hub/oauth_login?next=%2Fhub%2F -> https://v***s.com/***/oauth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fv***s.com%2Fhub%2Foauth_callback&client_id=jhubuser&state=[secret]&scope=openid (@192.168.0.9) 1.17ms
hub-64bc8c9bd7-rqktb hub [W 2024-01-29 20:27:37.002 JupyterHub auth:533] User '***' not allowed.
hub-64bc8c9bd7-rqktb hub [W 2024-01-29 20:27:37.002 JupyterHub base:843] Failed login for unknown user
hub-64bc8c9bd7-rqktb hub [W 2024-01-29 20:27:37.002 JupyterHub web:1869] 403 GET /hub/oauth_callback?code=Bhlh***J9 (192.168.0.4): Sorry, you are not currently authorized to use this hub. Please contact the hub administrator.
hub-64bc8c9bd7-rqktb hub [D 2024-01-29 20:27:37.002 JupyterHub base:1371] No template for 403
hub-64bc8c9bd7-rqktb hub [W 2024-01-29 20:27:37.015 JupyterHub log:191] 403 GET /hub/oauth_callback?code=[secret]&state=[secret] (@192.168.0.4) 186.30ms

As you can see, the auth is good, the callback happens, but the user is denied by jupyterhub.

This is running on aks 1.26.10

welcome[bot] commented 10 months ago

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively. You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada:

manics commented 10 months ago

You'll need to add allow_all to allow all users: https://oauthenticator.readthedocs.io/en/latest/reference/changelog.html#breaking-changes We made this change after several reports of admins not realising that by default OAuthenticator would allow all users in, which is a particular problem with public OAuth providers such as GitHub.

It looks like we're missing an upgrade guide for Z2JH 3 https://z2jh.jupyter.org/en/stable/administrator/upgrading/index.html

ajeffowens commented 10 months ago

Awesome, thank you @manics. hub.config.Authenticator.allow_all: true has resolved the issue

consideRatio commented 10 months ago

> Awesome, thank you @manics. hub.config.Authenticator.allow_all: true has resolved the issue

Note that it should probably be either hub.config.OAuthenticator.allow_all: true or hub.config.GenericOAuthenticator.allow_all: true because it's introduced in the OAuthenticator class.
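The thread boils down to a default-deny rule: with OAuthenticator 16+, a user gets in only if listed in allowed_users or if allow_all is true, and with neither set every login ends in the 403 shown in the logs above. The script below is an added example, not code from the issue or from the Z2JH chart: it models that decision over a hub.config-style mapping (the three section names and the subclass-wins precedence are assumptions mirroring traitlets' behaviour) and pulls the denied usernames out of hub log lines in the format quoted in the issue, which is a cheap way to notice a misconfigured allow list after an upgrade.

```python
"""Added example: model the allow/deny decision discussed in the issue and
scan hub log lines for denied logins. Not part of the issue or the chart."""
import re
from typing import Iterable

# Config sections in which an operator might place allow_all / allowed_users.
# Assumption: a more specific (subclass) section overrides a base section,
# which is the precedence traitlets applies to configurable classes.
CONFIG_SECTIONS = ("Authenticator", "OAuthenticator", "GenericOAuthenticator")

# Matches the warning line quoted in the issue:
#   [W 2024-01-29 20:27:37.002 JupyterHub auth:533] User 'x' not allowed.
DENIED_RE = re.compile(r"\[W [^\]]*JupyterHub auth:\d+\] User '([^']*)' not allowed\.")


def merged_authenticator_config(hub_config: dict) -> dict:
    """Flatten the authenticator-related sections of hub.config into one dict,
    later (more specific) sections overriding earlier ones."""
    merged: dict = {}
    for section in CONFIG_SECTIONS:
        merged.update(hub_config.get(section, {}) or {})
    return merged


def is_allowed(hub_config: dict, username: str) -> bool:
    """Decide whether an *authenticated* user is allowed into the hub.

    Mirrors the rule described in the thread for OAuthenticator >= 16:
      - allow_all: true      -> every authenticated user passes
      - allowed_users listed -> only those names pass
      - neither              -> nobody passes (the 403 from the issue)
    """
    cfg = merged_authenticator_config(hub_config)
    if bool(cfg.get("allow_all", False)):
        return True
    allowed = set(cfg.get("allowed_users", []) or [])
    return username in allowed


def denied_users(log_lines: Iterable[str]) -> list:
    """Return the usernames from 'User ... not allowed.' warnings, in order."""
    found = []
    for line in log_lines:
        match = DENIED_RE.search(line)
        if match:
            found.append(match.group(1))
    return found


# Constructed sample configs (not the reporter's real values).
ISSUE_CONFIG = {"Authenticator": {"enable_auth_state": True}}
WHITELIST_CONFIG = {"Authenticator": {"allowed_users": ["alice"]}}
ALLOW_ALL_CONFIG = {"Authenticator": {"allow_all": True}}
# Base section says allow_all, subclass section turns it off again.
PRECEDENCE_CONFIG = {
    "Authenticator": {"allow_all": True},
    "GenericOAuthenticator": {"allow_all": False},
}

# Constructed log lines in the format quoted in the issue.
SAMPLE_LOG = [
    "hub-0 hub [I 2024-01-29 20:27:34.194 JupyterHub oauth2:97] OAuth redirect: https://example.invalid/hub/oauth_callback",
    "hub-0 hub [W 2024-01-29 20:27:37.002 JupyterHub auth:533] User 'carol' not allowed.",
    "hub-0 hub [W 2024-01-29 20:27:37.002 JupyterHub base:843] Failed login for unknown user",
    "hub-0 hub [W 2024-01-29 20:28:01.500 JupyterHub auth:533] User 'dave' not allowed.",
]

if __name__ == "__main__":
    for name, cfg in [("issue", ISSUE_CONFIG), ("whitelist", WHITELIST_CONFIG),
                      ("allow_all", ALLOW_ALL_CONFIG), ("precedence", PRECEDENCE_CONFIG)]:
        print(name, {u: is_allowed(cfg, u) for u in ("alice", "bob")})
    print("denied in log:", denied_users(SAMPLE_LOG))
```

Running the script shows the reporter's original config denying everyone, the whitelist admitting only alice, allow_all admitting both users, and the precedence case denying again because the GenericOAuthenticator section wins; the log scan reports carol and dave as the denied logins.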