raphaeldussin / example.pangeo.io-deploy

Deployment automation for example.pangeo.io

how to specify access? #5

Open rabernat opened 5 years ago

rabernat commented 5 years ago

Where is the configuration which says who has access to the cluster, who has admin privileges, etc?

raphaeldussin commented 5 years ago

It's not specified yet (that's something I'd like to discuss). It will be added to deployments/ocean.pangeo.io/config/common.yaml

rabernat commented 5 years ago

So right now it is open to anyone?

rabernat commented 5 years ago

I authenticated with github, so at least that part must be specified somewhere, no?

I don't see anything about this in https://github.com/raphaeldussin/example.pangeo.io-deploy/blob/staging/deployments/ocean.pangeo.io/config/common.yaml

raphaeldussin commented 5 years ago

the authentication part goes through an OAuth app in github so you need a github account to get in. I agree we need to be more specific than this. Which users/group should be authorized to start with? How do we handle requests? through pangeo-data? or a more specific ocean oriented group?

rabernat commented 5 years ago

https://github.com/orgs/pangeo-data/teams/pangeo-ocean

raphaeldussin commented 5 years ago

the org_whitelist doesn't work here. I wonder if it's because I created the OAuth app on github before I added it. If so, would recreating the OAuth app solve the problem? @rabernat @dsludwig what do you think?

rabernat commented 5 years ago

> I wonder if it's because I created the OAuth app on github before I added it.

I doubt that is the problem.

rabernat commented 5 years ago

Does this help?

https://github.com/pangeo-data/dev.pangeo.io-deploy/blob/staging/deployments/dev.pangeo.io/config/common.yaml

raphaeldussin commented 5 years ago

that's what I based my config on

https://github.com/raphaeldussin/example.pangeo.io-deploy/blob/staging/deployments/ocean.pangeo.io/config/common.yaml

but I don't think it works. I have a test user account that doesn't belong to pangeo-data and I can connect with it. I first signed up to the ocean.pangeo.io before setting up the org_whitelist. Maybe that's why? I am considering deleting the OAuth app and recreating it.

rabernat commented 5 years ago

Any progress on the authentication front?

I notice several people have now logged in: image

raphaeldussin commented 5 years ago

No, I'm stuck. I really don't understand why it's not working. Do you need ocean.pangeo.io up this week or can I try to delete/re-create the OAuth app?

guillaumeeb commented 5 years ago

I don't see the github secret or app id in the file you linked above. It's probably in another encrypted file. Maybe all the auth options should be in the same file? At least the github part?

rabernat commented 5 years ago

Please do not do anything that could disrupt the staging cluster right now (I'm using it heavily). Maybe setting up the dev environment would be the way to go?

raphaeldussin commented 5 years ago

Right now my auth is in https://github.com/raphaeldussin/example.pangeo.io-deploy/blob/staging/deployments/ocean.pangeo.io/config/common.yaml (end of file) as is done with other deployments and the content of my secrets/staging.yaml is :

jupyterhub:
  proxy:
    secretToken: somethingrandom
  auth:
    type: github
    github:
      clientId: "something"
      clientSecret: somethingelse
      callbackUrl: "https://ocean.pangeo.io/hub/oauth_callback"

I have tried adding the auth part from common.yaml into the secrets/staging.yaml file but it didn't solve the problem.

@rabernat no worries, I am not taking the cluster down. I am not sure how I can deploy a dev one out of the same deployment repo since the circleCI depends on env variables that are specific to a single cluster. Will put a separate ocean.pangeo.io-deploy repo together and start from scratch.
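Added example (not part of the thread, and not code from this repository): a small audit of the merged values from the two layers described above, common.yaml plus secrets/staging.yaml, reporting whether the effective auth block restricts logins or names any admins. The key names `orgWhitelist`, `whitelist.users` and `admin.users` are assumptions about the chart schema, the sample layers are constructed, and the check only shows whether a restriction reaches the merged config, not whether the hub enforces it.

```python
from copy import deepcopy

def merge_values(base, override):
    """Deep-merge two values layers: maps merge key by key, anything else is replaced."""
    out = deepcopy(base)
    for key, val in override.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = merge_values(out[key], val)
        else:
            out[key] = deepcopy(val)
    return out

def audit_auth(values):
    """Return a list of findings about who the merged config lets in."""
    auth = values.get("jupyterhub", {}).get("auth")
    if not isinstance(auth, dict):
        return ["no jupyterhub.auth block in the merged values"]
    findings = []
    # Key names below are assumed, not taken from the thread.
    orgs = (auth.get("github") or {}).get("orgWhitelist") or []
    users = (auth.get("whitelist") or {}).get("users") or []
    admins = (auth.get("admin") or {}).get("users") or []
    if auth.get("type") == "github" and not orgs and not users:
        findings.append("open: any GitHub account can log in")
    if not admins:
        findings.append("no admin users defined")
    return findings

# Constructed layers; the secrets layer mirrors the placeholders quoted in the thread.
SECRETS = {"jupyterhub": {
    "proxy": {"secretToken": "somethingrandom"},
    "auth": {"type": "github", "github": {
        "clientId": "something", "clientSecret": "somethingelse",
        "callbackUrl": "https://ocean.pangeo.io/hub/oauth_callback"}}}}
COMMON_OPEN = {"jupyterhub": {"auth": {"type": "github"}}}
COMMON_RESTRICTED = {"jupyterhub": {"auth": {
    "type": "github",
    "github": {"orgWhitelist": ["pangeo-data"]},
    "admin": {"users": ["example-admin"]}}}}  # constructed admin name

if __name__ == "__main__":
    for name, common in [("open", COMMON_OPEN), ("restricted", COMMON_RESTRICTED)]:
        print(name, audit_auth(merge_values(common, SECRETS)))
```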

guillaumeeb commented 5 years ago

Did you try the button "revoke all user tokens" in your github OAuth application settings? Maybe your non Pangeo user got a token before setting whitelist? Not sure how it works, so maybe this is another silly idea. Be careful that it does not disconnect @rabernat.

raphaeldussin commented 5 years ago

@guillaumeeb that's one thing I wanted to try. It looks like some users got in after I set up the whitelist though so that might not solve it but again I am not sure what that thing does behind the scenes so it's worth a shot. Obviously I am gonna wait a bit so that I don't throw @rabernat off the cluster.

raphaeldussin commented 5 years ago

@rabernat @guillaumeeb revoking tokens didn't solve the auth problem :(