Merge pull request #4982 from consideRatio/pr/victor-transition

victor: transition to cilogon with github, google, and microsoft idps
2i2c-org · Oct 18, 2024 · 41f03e3 · 41f03e3
2 parents 8942370 + c2b0112
commit 41f03e3
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 46 deletions.
diff --git a/config/clusters/victor/common.values.yaml b/config/clusters/victor/common.values.yaml
@@ -41,13 +41,54 @@ basehub:
     hub:
       config:
         JupyterHub:
-          authenticator_class: github
-        GitHubOAuthenticator:
-          allowed_organizations:
-            - VICTOR-Community:victoraccess
-          scope:
-            - read:org
+          authenticator_class: cilogon
+        CILogonOAuthenticator:
+          allowed_idps:
+            # Choice of idps was discussed in
+            # https://2i2c.freshdesk.com/a/tickets/2080
+            http://github.com/login/oauth/authorize:
+              default: true
+              username_derivation:
+                username_claim: "preferred_username"
+            http://google.com/accounts/o8/id:
+              username_derivation:
+                username_claim: "email"
+                action: prefix
+                prefix: g
+            http://login.microsoftonline.com/common/oauth2/v2.0/authorize:
+              username_derivation:
+                username_claim: "email"
+                action: prefix
+                prefix: ms
+        OAuthenticator:
+          # WARNING: Don't use allow_existing_users with config to allow an
+          #          externally managed group of users, such as
+          #          GitHubOAuthenticator.allowed_organizations, as it breaks a
+          #          common expectations for an admin user.
+          #
+          #          The broken expectation is that removing a user from the
+          #          externally managed group implies that the user won't have
+          #          access any more. In practice the user will still have
+          #          access if it had logged in once before, as it then exists
+          #          in JupyterHub's database of users.
+          #
+          allow_existing_users: True
         Authenticator:
+          # WARNING: Removing a user from admin_users or allowed_users doesn't
+          #          revoke admin status or access.
+          #
+          #          OAuthenticator.allow_existing_users allows any user in the
+          #          JupyterHub database of users able to login. This includes
+          #          any previously logged in user or user previously listed in
+          #          allowed_users or admin_users, as such users are added to
+          #          JupyterHub's database on startup.
+          #
+          #          To revoke admin status or access for a user when
+          #          allow_existing_users is enabled, first remove the user from
+          #          admin_users or allowed_users, then deploy the change, and
+          #          finally revoke the admin status or delete the user via the
+          #          /hub/admin panel.
+          #
           admin_users:
             - einatlev-ldeo
             - SamKrasnoff

diff --git a/config/clusters/victor/enc-prod.secret.values.yaml b/config/clusters/victor/enc-prod.secret.values.yaml
@@ -1,21 +1,21 @@
 basehub:
-    jupyterhub:
-        hub:
-            config:
-                GitHubOAuthenticator:
-                    client_id: ENC[AES256_GCM,data:mETzwJkMDjNm4NVFjdn8qM/i4r8=,iv:eOi5X2bPpuAdL962n2+vVppQ16BfvMHQkDjzwOyOvqg=,tag:Xj6OvAGTTf6zEU5pV2W+Gw==,type:str]
-                    client_secret: ENC[AES256_GCM,data:KIgNcTzW27gfTDaUrxaSI8/asyB8r0QCna95u1X89Rvrxdw8bmA3XQ==,iv:LwsnNw/7c5EMW1RBPnPPQ4+Y7m5BICYl7sWSFuMqLvg=,tag:yoal90cYtv1rZAjm3fym+w==,type:str]
+  jupyterhub:
+    hub:
+      config:
+        CILogonOAuthenticator:
+          client_id: ENC[AES256_GCM,data:1CGy1/P5M99SwIhPuw7dGkuBwcgeEHiw9I07W3hHBn+HH0Frxjqxjq78qvQxzHchfMts,iv:zaOb1RDhOPzoJ30bpWK2QX0+Zx8aiYNrAxuKbIbe8IY=,tag:hHeo+u3sBfqUoTU0nL5ukA==,type:str]
+          client_secret: ENC[AES256_GCM,data:hyUnI8iKzIHWRrPS3iEBjgALdUd/kdNcLL6BZ/sf6anR/6UIegt8kGUTyva74CPt/VdbzXXOBxpPSSBLR83xouFG3thUWaMhlQgfnBfQvdapVHPCeoM=,iv:5ef+sL5UF2bxLYf98I++3DMJ3kg12q4v/J+kqs6DCuY=,tag:fBmA6s8bJKbo51VwTyEDGA==,type:str]
 sops:
-    kms: []
-    gcp_kms:
-        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
-          created_at: "2022-10-27T14:03:16Z"
-          enc: CiQA4OM7ePBq3xoyJ+cqQzQAMRzdedwvl7aB8Xvb9MuuuJ7gEaoSSQDuy/p8F597q4v2lvFBC9j9laAaX/r+KoeNhpgOlhTim7pP0ORGKcMjdZwSOd7f5p9msi49+0h+TdVTl87xjNoHEUVY1KW98Ig=
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2022-11-07T16:01:16Z"
-    mac: ENC[AES256_GCM,data:ypKKVXalN55VYruPHNpb7h8sfaNC6gKmzErXm9nQI+66simIqMCEDcfJ4W7JJK+35dogtDh6sxbN5Vrx+JUbbV14qVlqiF7w96+Nz3vIFERz141FHzZ6DFXFRLZ2yQdirZXIWqLBgX+1Yocr1xoQzKP4YN+GOTsqW4u4a5VkViA=,iv:MQaHDSYNcJo4whi+N8EfxyHamsVnLzS/vCvMt8RFGzI=,tag:IdwOBEBKQaBO6DuPX4RsyQ==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.7.3
+  kms: []
+  gcp_kms:
+    - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+      created_at: "2024-10-18T14:51:47Z"
+      enc: CiUA4OM7eE1+oWrbKDT/Yt8DxHpHaulb84lX39gyROwFLb53tLblEkkA5dG1Q+vMvmVn/CfK5e2oAxajjCo/oHnXPw1Eq5WOTFcLzjDzaK4VeWG34FFhD3/0s1VmChnIwyAo0FhwtJk39bgoMwOB98/9
+  azure_kv: []
+  hc_vault: []
+  age: []
+  lastmodified: "2024-10-18T14:57:24Z"
+  mac: ENC[AES256_GCM,data:VaFjMJzVz4Bm6LGoyMmfzFGoiw+fgnIAq//neKTHhIyES6FD/N2kdJKyT8SWxaBu3O5dky6Sgs8ZiaXNBgBQIEv7QgBGteVO8qnIMNfJrFqrikaD/iSoCso+die6xDyZjJi1VVrnhPXtjbmbjizhe7sED2wdcvpSB+iWBEs6de4=,iv:ok1YmYflV6Bj+WPPQvedPelKvhI7Qpz6uknK7V/IJQk=,tag:Ep2G8YnlXSAoAywGW3eSnA==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.0
diff --git a/config/clusters/victor/enc-staging.secret.values.yaml b/config/clusters/victor/enc-staging.secret.values.yaml
@@ -1,21 +1,21 @@
 basehub:
-    jupyterhub:
-        hub:
-            config:
-                GitHubOAuthenticator:
-                    client_id: ENC[AES256_GCM,data:DMX+ifQeCG2R1NztlJboVUMmJWk=,iv:w0CGmYlg5vYiOLTlnTEAxi5zOjMkH80fVAnzBmCHY5A=,tag:LZNgligPIyHjbpCNa01KZg==,type:str]
-                    client_secret: ENC[AES256_GCM,data:521xf5AyhOsh6j3bct6TPfvEV4bcRws2olujelgx8JcAfIoK/fQypA==,iv:IcwANgsgzAUhR0eBcC8WrraRx7Px0SQqFZo3vdrgJTY=,tag:SzCtKdSBPXtX0AFVxEzmxg==,type:str]
+  jupyterhub:
+    hub:
+      config:
+        CILogonOAuthenticator:
+          client_id: ENC[AES256_GCM,data:l7Vj9VjpttEjhFksDPPp2gUu+UIfKO3Hw42v7iXZ/rTxoK3V40npzXkfFYVhh8eyCdpi,iv:FQR3NgwKN03m8JhYLhdC3oL+oDFw7BcKp7jDQ7scyWU=,tag:uWm/kFuGEi1RX4F3NIlqog==,type:str]
+          client_secret: ENC[AES256_GCM,data:656K9IIk1Q+IY526vdtPshy6Cu0uo6km0H1pfTLpYP1AFMxNXZgNdFYJXsYmSxWYKclIl7p4wvvz3xcro4ZrQKEbOmRI5BkAdn0uy+PuR4rSDUskZV8=,iv:F2N5vsCdLdKcotA4/llWVC9Hp74pDMWyByCfRdI3xFk=,tag:WeljKMoZJHDWI9oZwWf2+Q==,type:str]
 sops:
-    kms: []
-    gcp_kms:
-        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
-          created_at: "2022-10-27T13:48:39Z"
-          enc: CiQA4OM7eCe5Z4OXrimcHrJLaV6PvjKhd9DdOe0RZfg24j1wIRgSSQDuy/p8pF1vb4Y2QfNFC00np51If00lMog4tOCYg3OO8w4mvRazf9PRv6IvJKJ5ZDiyUETc2p5HJWmF3ltHcyOYhNgNKUrQ2L4=
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2022-11-07T15:57:50Z"
-    mac: ENC[AES256_GCM,data:D2kCe99nRdPYTB6siv79lhHjGJgnFBfxjA+HFhkApFfWLKW8FwaVmkvDBjJ802J5KQ2IxsRQfa4SUX5nLXuT0gs4k3sGm8PPKDQQb49gAJLj27VxlhfZlZ0n79BLt8CwiaZjo8q2LTUoJdcHnBuJQdRuNlhbaPoslnXqvNqCvk4=,iv:k/yhxvgDaVI9KHcIZzKtgt+oP0YkVvK9MbzEz3y9rEw=,tag:gEn5FENRv6QRUA0vXK2snQ==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.7.3
+  kms: []
+  gcp_kms:
+    - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+      created_at: "2024-10-18T14:51:32Z"
+      enc: CiUA4OM7eHGLgeDCrHeNL+FclK8wSDk7Gum048uOyDR7sfKefIJAEkkA5dG1Q/2wTZSv6076SV76+2kjrwVvt8N2ik79il2NashCHPAlcjc4NJ2qZn1pRr3Nvv+g/RCCKUIHbGCoOyfCVhHzW8OzMSy+
+  azure_kv: []
+  hc_vault: []
+  age: []
+  lastmodified: "2024-10-18T14:57:17Z"
+  mac: ENC[AES256_GCM,data:+9Ks3IVP2u4joibmQlQRY3AoFHYkSRoigNW+dUR/AjG4kbjw5QU+BL5SQQ1YcNnRgtT9BybTXxvsd92YEWuj8jSKvPaiEhJBN7WddY3y+6FrDjp5ErdWYtjoawm3GPmZHNt0i3mj6BLfTXSGoSvOzULODocIvta1R/xlDl8F87c=,iv:3LjmZ+U6x0ff9MuHiFyzjzpygDNExdMC/uIcHYP1lSU=,tag:A533NdF5bj3RzULDCQslfA==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.0
diff --git a/config/clusters/victor/prod.values.yaml b/config/clusters/victor/prod.values.yaml
@@ -11,7 +11,7 @@ basehub:
           secretName: https-auto-tls
     hub:
       config:
-        GitHubOAuthenticator:
+        CILogonOAuthenticator:
           oauth_callback_url: https://hub.victorproject.org/hub/oauth_callback
     singleuser:
       profileList:

diff --git a/config/clusters/victor/staging.values.yaml b/config/clusters/victor/staging.values.yaml
@@ -11,7 +11,7 @@ basehub:
           secretName: https-auto-tls
     hub:
       config:
-        GitHubOAuthenticator:
+        CILogonOAuthenticator:
           oauth_callback_url: https://staging.hub.victorproject.org/hub/oauth_callback
     singleuser:
       profileList: