yuvipanda / jupyterhub-ssh

SSH Access to JupyterHubs
BSD 3-Clause "New" or "Revised" License

sftp: expose non-user directories for high credentials users? #71

Open consideRatio opened 2 years ago

consideRatio commented 2 years ago

In the hub.jupytearth.org JupyterHub, admin users get read/write access to a shared folder, and normal users get read access to a shared folder - besides their normal user folder.

@abbyazari, an admin user who wanted to copy large amounts of data to the shared folder, asked if sftp access to that could be granted somehow. And here I am, raising this for consideration.

Can jupyterhub-sftp expose access to a shared folder in the mounted storage or similar somehow?

I'm not sure at all about that. I think it must be an elegant generally helpful solution that is documentable, and not a solution that makes the logic unsustainable to maintain. Is there a technical solution to accomplish that? I'm not sure...

Technical exploration

Brainstorming

Discarded idea: ugly workaround

If the shared storage were named as a dummy username, it could be accessed using the same system where a dummy user's token is used, etc...

Discarded idea: arbitrary NFS server path if you are a JupyterHub admin

Would it be reasonable for a JupyterHub admin-associated token to be used to provide arbitrary credentials to the NFS server storage, or alternatively, arbitrary storage that isn't user home folder storage?

I imagine for example being able to mount the root directory of the NFS storage, or being able to request some kind of specific storage path, as declared via the username when opening the connection?

Discarded idea: root access for hardcoded JupyterHub RBAC role's associated tokens

With JupyterHub 2.0, we can create custom roles and grant them to custom people. What if we for example allow access via sftp root@myhub.com, where a token needs to be provided that has a certain custom role defined ahead of time, granting access to the root folder of the storage?

The UX would be that:

  1. Some system admin would setup a JupyterHub role and an associated jupyterhub api-token bound to that role.
  2. jupyterhub-sftp would look for that role specifically.

Hmmm... rethinking this.

Still considered idea: configurable path access for configurable JupyterHub RBAC roles' tokens

The UX would be that:

  1. Some system admin would setup a JupyterHub role and an associated jupyterhub api-token bound to that role.
  2. Some system admin would configure jupyterhub-sftp via some new configuration API to recognize a request for custom storage via an sftp username following a role-<role-name> pattern, which would, based on the jupyterhub-sftp configuration, be coupled with a custom storage path.
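The following is an added illustration of the "still considered" idea, not code from jupyterhub-ssh/jupyterhub-sftp. It assumes a hypothetical configuration dict mapping JupyterHub role names to storage paths, and that the sftp server has already validated the presented API token by calling JupyterHub's `GET /hub/api/user` (which, in JupyterHub 2.0 and later, returns the token owner's `roles` list). The user model passed in below is constructed sample data standing in for that response.

```python
"""Illustrative resolver for the 'role-<role-name>' sftp-username idea.

Assumed (not from jupyterhub-sftp): a config dict mapping a JupyterHub role
name to a storage path, and a caller that obtained the token owner's user
model from JupyterHub before calling resolve_storage_path().
"""
import json
import posixpath
import re
import urllib.request

# Hypothetical configuration: role name -> storage path that users holding
# that role may be chrooted into when they connect as "role-<role name>".
ROLE_STORAGE_PATHS = {
    "shared-admin": "/export/shared",
    "shared-readonly": "/export/shared",
}

# Only accept a conservative character set in the role name, so a username
# such as "role-../etc" can never reach the path lookup.
USERNAME_PATTERN = re.compile(r"^role-(?P<role>[a-z0-9][a-z0-9-]{0,62})$")


def fetch_user_model(hub_api_url, api_token):
    """Ask JupyterHub who owns `api_token` (real REST endpoint, not run offline).

    Example hub_api_url: "https://hub.jupytearth.org/hub/api"
    """
    req = urllib.request.Request(
        hub_api_url.rstrip("/") + "/user",
        headers={"Authorization": "token " + api_token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def parse_role_username(username):
    """Return the role name encoded in a 'role-<role-name>' username, else None."""
    m = USERNAME_PATTERN.match(username)
    return m.group("role") if m else None


def resolve_storage_path(username, user_model, config=ROLE_STORAGE_PATHS):
    """Return the path the sftp session should be confined to, or None to deny.

    user_model: the JSON object JupyterHub returns for the token owner.
    The token must carry the requested role; the role must be configured;
    a plain username only maps to that user's own home if the token is theirs.
    """
    role = parse_role_username(username)
    if role is None:
        if user_model.get("name") == username:
            return posixpath.join("/home", username)
        return None  # token belongs to someone else: deny
    if role not in config:
        return None  # unknown role name: never guess a path
    if role not in user_model.get("roles", []):
        return None  # token lacks the role: deny
    path = posixpath.normpath(config[role])
    # Defensive check on operator-supplied config: absolute, no '..' segments.
    if not path.startswith("/") or ".." in path.split("/"):
        raise ValueError("misconfigured storage path: %r" % (config[role],))
    return path


if __name__ == "__main__":
    # Constructed sample user models, standing in for GET /hub/api/user output.
    admin = {"name": "alice", "roles": ["user", "shared-admin"]}
    regular = {"name": "bob", "roles": ["user"]}
    print(resolve_storage_path("role-shared-admin", admin))    # /export/shared
    print(resolve_storage_path("role-shared-admin", regular))  # None
    print(resolve_storage_path("alice", admin))                # /home/alice
```

The check that matters is the role membership test against the user model returned for the token itself, so an ordinary user who guesses the `role-shared-admin` username still gets nothing; the role name in the username is a request, and the token decides.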