Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Grant access for 2i2c members only via admin_users #3233

Conversation

consideRatio
Copy link
Contributor

@consideRatio consideRatio commented Oct 5, 2023

With oauthenticator 16, being listed in admin_users makes 2i2c members have access even if they are now listed in allowed_domains or allowed_organizations. Due to this, we can avoid the need to declare 2i2c.org and 2i2c-org there and rely on being listed in admin_users.

I've provided a few comments, one per kind of change made.

Related

@consideRatio consideRatio requested a review from a team as a code owner October 5, 2023 13:35
@github-actions

This comment was marked as resolved.

@consideRatio consideRatio force-pushed the pr/tighten-auth-config-for-2i2c-members branch 2 times, most recently from 969e459 to 2844cc2 Compare October 5, 2023 16:22
@@ -33,7 +33,6 @@ jupyterhub:
GitHubOAuthenticator:
oauth_callback_url: https://go-bgc.2i2c.cloud/hub/oauth_callback
allowed_organizations:
- 2i2c-org:hub-access-for-2i2c-staff
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing ourselves from allowed_organization is fine, because we are added to admin_users.

Doing this also isn't influencing the filtering of profile_list entries using our basehub injected allowed_teams config.

Comment on lines -46 to -47
allowed_domains:
- "2i2c.org"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing ourselves from a CILogonOAuthenticator allowed_domains is also fine, we are allowed by being added to admin_users.

Comment on lines -39 to +48
# Allow 2i2c staff to login with Google
http://google.com/accounts/o8/id:
username_derivation:
username_claim: "email"
allowed_domains:
- "2i2c.org"
# Allow MTU to login via Shibboleth
https://sso.mtu.edu/idp/shibboleth:
username_derivation:
username_claim: "email"
allowed_domains:
- "mtu.edu"
# Allow 2i2c staff to login with Google accounts
http://google.com/accounts/o8/id:
username_derivation:
username_claim: "email"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was a re-ordering of config entries. I want us to put the user-facing idp's first as a way to prepare for letting that lead to presenting that option by default in favor of presenting the option only relevant to us admin first.

For more details about this, see jupyterhub/oauthenticator#690

Comment on lines +22 to 26
# add_staff_user_ids_to_admin_users is disabled because the usernames
# aren't github id or email based, individual 2i2c members have added
# their user to admin_users manually instead.
add_staff_user_ids_to_admin_users: false
# add_staff_user_ids_of_type: "google"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this hub where we aren't added to admin_users, it remains important to not remove allowing us via allowed_domains.

config/clusters/meom-ige/common.values.yaml Outdated Show resolved Hide resolved
@@ -76,7 +75,6 @@ basehub:
description: &profile_list_description "Start a container with at least a chosen share of capacity on a node of this type"
slug: small
default: true
allowed_teams: *allowed_github_orgs
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its better if we just allow all users by default instead, because otherwise we need to make a few extra API calls to check for membership etc for no real reason.

Since #3234 (comment), removing allowed_teams makes all users logged in to the hub be able to see this like we want.

Copy link
Member

@GeorgianaElena GeorgianaElena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is good to go so it doesn't get into conflict with future work.

Note, that I believe documenting the oauthenticator > 16 new behaviour in the context of 2i2c config is really important, as I often find myself confused by the new defaults, even though I stayed pretty up to date with the work that into into that release.

So, I believe it is really important to have the docs up to date with the new version, so we can all relate to it when uncertain.

We should prioritize getting #3247 ready soon, as atm, after we merge this PR, the examples in the docs are not complete and might cause confusion.

Until #3247 gets implemented, since we are removing the need to explicitly allow the 2i2c org or the 2i2c domain from the examples in the docs in this PR, what do you think about adding a really quick warning message in the docs pages of both authentication options that says something like:

This examples assume that `add_staff_user_ids_to_admin_user` and `add_staff_user_ids_of_type` were configured for this hub to allow 2i2c staff access as admins.

If this is not the case, consider making the appropriate changes to allow such access.

@@ -37,7 +37,6 @@ basehub:
authenticator_class: "github"
GitHubOAuthenticator:
oauth_callback_url: "https://dask-staging.aws.2i2c.cloud/hub/oauth_callback"
allowed_organizations:
- 2i2c-org
allowed_organizations: []
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@consideRatio, not setting allowed_organizations at all has the same effect as setting it to be an empty list?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yepp, this could also be removed entirely. I'll do so!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved via 2bd0faf

@@ -97,7 +97,6 @@ You can remove yourself from the org once you have confirmed that login is worki
GitHubOAuthenticator:
oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback
allowed_organizations:
- 2i2c-org:hub-access-for-2i2c-staff
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we're updating the GitHub authentication example to not include the 2i2c org, let's also update the example in https://infrastructure.2i2c.org/hub-deployment-guide/configure-auth/cilogon/#configure-the-authenticator to not include 2i2c in the allowed_domains.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved via 53c8e49

With oauthenticator 16, being listed in `admin_users` makes 2i2c members
have access even if they are now listed in `allowed_domains` or
`allowed_organizations`. Due to this, we can avoid the need to declare
`2i2c.org` and `2i2c-org` there and rely on being listed in
`admin_users`.
@consideRatio consideRatio force-pushed the pr/tighten-auth-config-for-2i2c-members branch from 2403389 to 53c8e49 Compare October 10, 2023 12:58
@consideRatio consideRatio merged commit 307bbcf into 2i2c-org:master Oct 10, 2023
@github-actions
Copy link

🎉🎉🎉🎉

Monitor the deployment of the hubs here 👉 https://github.com/2i2c-org/infrastructure/actions/runs/6470657250

@consideRatio
Copy link
Contributor Author

Thank you for reviewing this @GeorgianaElena!!! I agree on the importance of following up in #3247, and I've done some steps towards it in 53c8e49 as a start.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
No open projects
Status: Done 🎉
Development

Successfully merging this pull request may close these issues.

2 participants