Comments (20)
Sure .. that works. @lwasser should be looped in here also so thats good.
from hub-ops.
@lwasser Yep internal [GREQ0172580]
from hub-ops.
hey @kevinfoote i'll circle back with @betatim there are a few technical details here that i don't fully understand enough to be able to respond. tim and I are going to try to connect early next week to chat a bit more and then we will get back to you! thank you for the ping!!
from hub-ops.
Leah needs to ask CS about this info:
auth:
type: google
google:
clientId: "yourlongclientidstring.apps.googleusercontent.com"
clientSecret: "adifferentlongstring"
callbackUrl: "http://<your_jupyterhub_host>/hub/oauth_callback" <- we define this
hostedDomain: "colorado.edu"
loginService: "University of Colorado Boulder"
OK @betatim i got half of this. i just need the callbackURL to get the other half. Is the callback associated with the domain? I"m guessing it is.
from hub-ops.
ok @betatim slowly but surely i'm making progress. they can provide an Id and secret. But they need the following - (i've literally copied the email that i got so as not to confusing anything)
We can create a client ID and Secret, but will first need the following information from the jupyterhub_conf.py file .
c.LocalGoogleOAuthenticator.oauth_callback_url
if you sent me that callback info - they can get us the rest!
from hub-ops.
Cool. Let's get the domain name sorted, then we will know what the value of c.LocalGoogleOAuthenticator.oauth_callback_url
will be.
from hub-ops.
I think we can ask for the auth system for the first hub using https://hub.earthdatascience.org/earthhub/hub/oauth_callback as the callbackUrl
from hub-ops.
@lwasser @betatim
For CU does the Jupyter hub / stack make use of SAML (via omniauth-saml something maybe?)
This is how we should do this from the CU-IAM standpoint..
Just realized this was PY rather than Ruby.. :)
from hub-ops.
@lwasser @betatim
Recommending you all pursuing REMOTE_USER via jhub_remote_user_authenticator
see ... authenticators
I can answer any questions ..
from hub-ops.
hey @kevinfoote is this related to the IT request email that i think i just got. I will need @betatim input here ! thank you for your help!
from hub-ops.
@kevinfoote wonderful. thank you so much for finding us on GH! i'm going to let @betatim respond to this suggestion as he is our technical ninja!!
from hub-ops.
@lwasser sounds good .. I don't know if he is attached to that internal ticket as well. You might want to forward that infrastructure question along as well.
from hub-ops.
@kevinfoote he's not but i did just forward the email to him. THANK YOU very much!! we are pretty excited to get this setup!
from hub-ops.
Hi Kevin! I can't see the internal ticket.
From the comment above I thought we could have a OAuth based setup.
The hub(s) are deployed on Google's cloud and we currently use nginx-ingress to play the role of the reverse proxy. So the proxy doesn't add the REMOTE_USER header.
As I don't know anything about the IT setup at CU could you point me at a guide for what kind of authentication systems/options there are?
from hub-ops.
Just to make sure we are all talking about the same thing when we use the same words :)
from hub-ops.
Makes perfect sense..
I was hoping for an Apache r-proxy :( (makes things simple)
At CUBoulder we push people to use our SAML IdP.. we are not quite there yet with OAuth delivered from the IdP unfortunately.
We do have another nginx integration that gets lots of use. They based their ingress r-proxy off of this build shibboleth-nginx
Not sure if you all can make use of this.
Again I'm happy to help here .. just let me know
from hub-ops.
I will investigate the docker container.
Will have to do a bit of thinking and poking around tomorrow. Is posting here a good way to reach you?
from hub-ops.
@lwasser @betatim quick checkin to see if any progress. here to help
from hub-ops.
For now we will use a Google OAuth application where people can auth with their colorado.edu account. When the user returns to the hub we check that their identity ends in @colorado.edu
to stop people from other domains.
This is the oauthenticator: https://github.com/jupyterhub/oauthenticator/blob/master/oauthenticator/google.py
To do Shibboleth properly there is https://github.com/gesiscss/orc/tree/master/nginx_shibboleth which is in use at an institute in Germany together with a JupyterHub deployed using kubernetes. It is significantly more complex to setup, so I'd keep it in our back pocket for when we need it but see how far we can go with the OAuth setup.
from hub-ops.
@betatim I'm not sure of your complexity comment above but, you are putting an nginx node ahead of your stuff anyway. The SAML stuff is not hard that is why we (OIT-IAM) are here.
As far as I can tell ... while OAuth via the colorado.edu google realm is do able ymmv as to its future availability.
I'm leaning toward the ORC deploy model..
from hub-ops.
Related Issues (20)
- git puller quirk / fail HOT 2
- Every commit is taking hours to build HOT 1
- Travis and Hub Deployment - Currently I can't deploy hub updates HOT 5
- Update location of grafana and prometheus charts HOT 5
- Migrate deployment from Travis to Actions HOT 4
- Update docs on how to setup gcloud for cu
- Resource tracking on the hub
- Vector notebooks failing grading on the hub HOT 2
- nbgrader-hub for the spring HOT 1
- revoke user tokens at end of class HOT 5
- migrate new hub to main branch HOT 2
- Move Applications to the Earth lab ORGANIZATION and update docs HOT 3
- PR only build? HOT 7
- remove travis secrets from repo HOT 2
- issues launching the hub HOT 3
- uploading files to the new hub is hanging HOT 1
- hub launch throwing memory errors and is very slow HOT 5
- Remove students from ea-hub
- shut down grading hub for the summer
- issues shutting down the hub HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from hub-ops.