-
Notifications
You must be signed in to change notification settings - Fork 367
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[All] Authorize allowed_users
, admin_users
, _or_ other allowed/admin groups
#594
Conversation
I haven't reviewed this, but I've marked it as a breaking bug fix since it changes who is authorised, and I think this should be highlighted to admins just in case. What's the expected behaviour when both The docs for
which makes sense when there are no |
In this PR, if both The Proposed solutionSince for deciding whether an user is admin, we're using the union of both the |
Intuitively I think the union of Do you think we should treat the LocalAuthenticator behaviour as an anomaly and use the union behaviour here? Regarding the union of According to the JupyterHub docs
which implies |
2949cec
to
3484ede
Compare
@manics, after doing a bit more reading, I realized that:
So maybe we shouldn't care too much about taking any action about
For the
I would incline towards option 2 (which is what I ended up doing in this PR), as it makes more sense in my head and it's what I would be expecting if I wasn't reading the docs. (cc @minrk, what do you think?) |
I think I align with your thinking @GeorgianaElena!
I'm in the process of developing a PR to this PR with some fixes, I'll keep working on it tomorrow. |
Technical backgroundA key challenge for us is that we implement I look to provide a technical background to help answer if we can do what we want from the implementation of About
|
How much of this is specific to OAuthenticator, and how much is applicable to all remote authenticators? Can we push any of this logic into jupyterhub.auth instead, either in the existing abstract Authenticator, or a new abstract RemoteAuthenticator? It's more work, but it means we can standardise and document the behaviour across more authenticators instead of having each authenticator package doing it's own thing. |
|
@GeorgianaElena I wanted to expedite this work to get 16.0.0 out faster, and ended up immersed in the logic and worked it onwards from your latest commit (bece7b8). @GeorgianaElena is it okay if I add commits or make a PR to this PR to keep working this, and switching the roles a bit - letting you review? Strategy in progress
Strategy exemplified
|
8a5a8b4
to
bece7b8
Compare
Status updateI've had a video call with @GeorgianaElena about this where we decided to git push changes I've partially developed on top of this PR for now. We agreed on the goal of authorizing users either part of I need to switch focus to https://github.com/2i2c-org/binderhub-service until my vacation starting at the end of the week, I'll be able to consider focusing on this again after May 13. I'm hands off until after my vacation ending after May 8th at least. OAuthenticator base classI've updated the OAuthenticator base class'
GenericOAuthenticatorThis is a good authenticator to look into extra, because other authenticators will make very similar changes for the additional features they provide over the
All other authenticatorsThe comments below indicates noteworthy complexities touched.
Breaking changes
|
deefe70
to
f88ce46
Compare
352ad44
to
d756f30
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wieee I think we are starting to reach the goal here!!
@GeorgianaElena I updated the PR title and description, and classified this as an enhancement. @minrk thank you soo much for helping out discussing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to do a final review pass, and I plan to do so today - submitting this dummy review to indicate that.
The idea is to offload future commits by making these comment changes separately.
@GeorgianaElena I pushed a few commits and structured them to be realtively easy to review.
I've looked at the code in detail to make sure we avoid breaking changes, and I think its looks good! If you agree, I think we should go for a merge. |
allowed_users
, admin_users
, _or_ allowed groups
allowed_users
, admin_users
, _or_ allowed groupsallowed_users
, admin_users
, _or_ other allowed/admin groups
Thank you @consideRatio! I did a quick check and the changes look ok. Let's merge 🚀 |
Wieeeeeeeeee nice work @GeorgianaElena!!!! Your work with this has made this project far more easy to think about and maintain!! |
Many thanks, I tested it with gitlab and it solves #545! Just a small question, is there any reason that I missed for limiting the members of allowed_projects_ids to those with Developper and above access level to the project? Personnaly, I would also allow reporters, as they would have access with read-only permission to the content of a private gitlab project (which would be the case of members of a tutorial for example). As a workaround, it can still be done creating a group with these reporters. |
Updated PR description
Previously authorization logic resided in
OAuthenticator.user_is_authorized
called byOAuthenticator.authenticate
. The downside is that theAuthenticator.get_authenticated_user
that in turn calledauthenticate
also ranAuthenticator.check_allowed
after authenticate, which included a check if the user was part ofAuthenticator.allowed_users
. This led to authorization done in two places, one called fromauthenticate
, and one later. That meant that even if for exampleGitHubOAuthenticator.allowed_organizations
made a user authorized, it could still be denied access ifallowed_users
was configured by the later call tocheck_allowed
.Due to this, we decided to put authorization logic in
check_allowed
directly, allowing us to declare for example that either the user was part ofallowed_users
or part ofallowed_organizations
.Not all logic in the
OAuthenticator.user_is_authorized
methods was relocated to the new overrides ofAuthenticator.check_allowed
, logic related to getting information about the user was mostly put inOAuthenticator.update_auth_model
while the logic making authorization decisions on such information was put in thecheck_allowed
overrides.Breaking changes
The changelog is updated with the following breaking changes.
Breaking changes
Related
Outdated PR description
Fixes #591 for
GenericOAuthenticator
, but also for the other oauthenticators with the same bug.The main changes this PR introduces are:
See #594 (comment) for the latest decided changes. The list below might be outdated.
Changes planned initially
authenticate
function (through theupdate_auth_model
) will return info about the admin status of the user only if user is not already inadmin_users
list and anadmin_groups
type of config was specified. Otherwise, the admin status will be added throughget_authenticated_user
allowed_users
allowed_groups
Related
Todos after merging PR:
populate_teams_in_auth_state
in all authenticators and the naming for theteams
key, holding the info about the teams the user is a member of. (Eg. inbitbucket.py
the key is calleduser_teams
and we set it by default without any flag, but ingithub.py
we have a flag and call itteams
). Considerallowed_orgs
too as for standadization.