Merge pull request #3144 from consideRatio/pr/upgrade-oauth16

Upgrade to z2jh 3.1.0 with oauthenticator 16.1

config/clusters/2i2c-aws-us/cosmicds.values.yaml

@@ -65,26 +65,20 @@ jupyterhub:
         # Callback URL for the auth0 tenant, provided to us by auth0
         oauth_redirect_uri: https://dev-tbr72rd5whnwlyrg.us.auth0.com/login/callback
     config:
-      Authenticator:
-        admin_users:
-          - nmearl
-          - patudom
-        # When using JupyterHub as an auth *provider*, we don't want the
-        # end user to see the JupyterHub home page at all - just redirect
-        # them to the upstream auth provider (CILogon) directly.
-        auto_login_oauth2_authorize: true
       JupyterHub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
-        scope:
-          - "email"
-          - "profile"
         oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback
-        shown_idps:
-          - http://github.com/login/oauth/authorize
         allowed_idps:
-          # The username claim here is used to do *authorization*, for both
-          # admin use and any allow listing we want to do.
           http://github.com/login/oauth/authorize:
             username_derivation:
               username_claim: "preferred_username"
+            allow_all: true
+      Authenticator:
+        admin_users:
+          - nmearl
+          - patudom
+        # When using JupyterHub as an auth *provider*, we don't want the
+        # end user to see the JupyterHub home page at all - just redirect
+        # them to the upstream auth provider (CILogon) directly.
+        auto_login_oauth2_authorize: true

config/clusters/2i2c-aws-us/dask-staging.values.yaml

@@ -33,15 +33,6 @@ basehub:
         tag: "2022.06.02"
     hub:
       config:
-        Authenticator:
-          # This hub uses GitHub Org auth and so we don't set
-          # allowed_users in order to not deny access to valid members of
-          # the listed orgs.
-          #
-          # You must always set admin_users, even if it is an empty list,
-          # otherwise `add_staff_user_ids_to_admin_users: true` will fail
-          # silently and no staff members will have admin access.
-          admin_users: []
         JupyterHub:
           authenticator_class: "github"
         GitHubOAuthenticator:

config/clusters/2i2c-aws-us/itcoocean.values.yaml

@@ -57,11 +57,9 @@ jupyterhub:
       - name: volume-mount-ownership-fix
         image: busybox:1.36.1
         command:
-          [
-            "sh",
-            "-c",
-            "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ",
-          ]
+          - sh
+          - -c
+          - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan
         securityContext:
           runAsUser: 0
         volumeMounts:

config/clusters/2i2c-aws-us/researchdelight.values.yaml

@@ -30,19 +30,19 @@ basehub:
     hub:
       image:
         name: quay.io/2i2c/unlisted-choice-experiment
-        tag: "0.0.1-0.dev.git.7080.h0da36d1e"
+        tag: "0.0.1-0.dev.git.7130.h0bdc2d30"
       config:
         JupyterHub:
           authenticator_class: github
-        Authenticator:
-          enable_auth_state: true
         GitHubOAuthenticator:
           populate_teams_in_auth_state: true
           allowed_organizations:
             - 2i2c-org:hub-access-for-2i2c-staff
             - 2i2c-org:research-delight-team
           scope:
             - read:org
+        Authenticator:
+          enable_auth_state: true
     singleuser:
       image:
         name: quay.io/2i2c/researchdelight-image

config/clusters/2i2c-aws-us/staging.values.yaml

@@ -28,15 +28,6 @@ jupyterhub:
           url: https://2i2c.org
   hub:
     config:
-      Authenticator:
-        # This hub uses GitHub Org auth and so we don't set
-        # allowed_users in order to not deny access to valid members of
-        # the listed orgs.
-        #
-        # You must always set admin_users, even if it is an empty list,
-        # otherwise `add_staff_user_ids_to_admin_users: true` will fail
-        # silently and no staff members will have admin access.
-        admin_users: []
       JupyterHub:
         authenticator_class: "github"
       GitHubOAuthenticator:

config/clusters/2i2c-uk/lis.values.yaml

@@ -49,17 +49,14 @@ jupyterhub:
     config:
       JupyterHub:
         authenticator_class: github
-      Authenticator:
-        # This hub uses GitHub Orgs auth and so we don't set
-        # allowed_users in order to not deny access to valid members of
-        # the listed orgs. These people should have admin access though.
-        admin_users:
-          - LaCrecerelle
-          - matthew-brett
       GitHubOAuthenticator:
+        oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback"
         allowed_organizations:
           - 2i2c-org
           - lisacuk
         scope:
           - read:org
-        oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback"
+      Authenticator:
+        admin_users:
+          - LaCrecerelle
+          - matthew-brett

config/clusters/2i2c-uk/staging.values.yaml

@@ -39,8 +39,6 @@ jupyterhub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
         oauth_callback_url: "https://staging.uk.2i2c.cloud/hub/oauth_callback"
-        shown_idps:
-          - http://google.com/accounts/o8/id
         allowed_idps:
           http://google.com/accounts/o8/id:
             username_derivation:

config/clusters/2i2c/aup.values.yaml

@@ -37,21 +37,40 @@ jupyterhub:
       JupyterHub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
-        scope:
-          - "profile"
         oauth_callback_url: "https://aup.pilot.2i2c.cloud/hub/oauth_callback"
-        shown_idps:
-          - http://github.com/login/oauth/authorize
         allowed_idps:
           http://github.com/login/oauth/authorize:
             username_derivation:
               username_claim: "preferred_username"
+      OAuthenticator:
+        # WARNING: Don't use allow_existing_users with config to allow an
+        #          externally managed group of users, such as
+        #          GitHubOAuthenticator.allowed_organizations, as it breaks a
+        #          common expectations for an admin user.
+        #
+        #          The broken expectation is that removing a user from the
+        #          externally managed group implies that the user won't have
+        #          access any more. In practice the user will still have
+        #          access if it had logged in once before, as it then exists
+        #          in JupyterHub's database of users.
+        #
+        allow_existing_users: True
       Authenticator:
-        # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies
-        #        allow_existing_users=True, while in z3jh 3.0.0 this needs to be
-        #        configured explicitly.
+        # WARNING: Removing a user from admin_users or allowed_users doesn't
+        #          revoke admin status or access.
+        #
+        #          OAuthenticator.allow_existing_users allows any user in the
+        #          JupyterHub database of users able to login. This includes
+        #          any previously logged in user or user previously listed in
+        #          allowed_users or admin_users, as such users are added to
+        #          JupyterHub's database on startup.
+        #
+        #          To revoke admin status or access for a user when
+        #          allow_existing_users is enabled, first remove the user from
+        #          admin_users or allowed_users, then deploy the change, and
+        #          finally revoke the admin status or delete the user via the
+        #          /hub/admin panel.
         #
-        allowed_users: &aup_users
+        admin_users:
           - swalker
           - shaolintl
-        admin_users: *aup_users

config/clusters/2i2c/binder-staging.values.yaml

@@ -70,6 +70,14 @@ binderhub:
           auth_enabled: true
         JupyterHub:
           authenticator_class: cilogon
+        CILogonOAuthenticator:
+          oauth_callback_url: "https://binder-staging.hub.2i2c.cloud/hub/oauth_callback"
+          allowed_idps:
+            http://google.com/accounts/o8/id:
+              username_derivation:
+                username_claim: "email"
+              allowed_domains:
+                - "2i2c.org"
         Authenticator:
           admin_users:
             - [email protected]
@@ -81,16 +89,6 @@ binderhub:
             - [email protected]
             - [email protected]
             - [email protected]
-        CILogonOAuthenticator:
-          oauth_callback_url: "https://binder-staging.hub.2i2c.cloud/hub/oauth_callback"
-          shown_idps:
-            - http://google.com/accounts/o8/id
-          allowed_idps:
-            http://google.com/accounts/o8/id:
-              username_derivation:
-                username_claim: "email"
-              allowed_domains:
-                - "2i2c.org"
     singleuser:
       # to make notebook servers aware of hub
       cmd: jupyterhub-singleuser

config/clusters/2i2c/climatematch.values.yaml

@@ -39,11 +39,9 @@ jupyterhub:
       - name: volume-mount-ownership-fix
         image: busybox:1.36.1
         command:
-          [
-            "sh",
-            "-c",
-            "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ",
-          ]
+          - sh
+          - -c
+          - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan
         securityContext:
           runAsUser: 0
         volumeMounts:

config/clusters/2i2c/dask-staging.values.yaml

@@ -44,12 +44,7 @@ basehub:
         JupyterHub:
           authenticator_class: cilogon
         CILogonOAuthenticator:
-          scope:
-            - "email"
-            - "profile"
           oauth_callback_url: "https://dask-staging.2i2c.cloud/hub/oauth_callback"
-          shown_idps:
-            - http://accounts.google.com/o/oauth2/auth
           allowed_idps:
             http://google.com/accounts/o8/id:
               username_derivation:

config/clusters/2i2c/demo.values.yaml

@@ -31,15 +31,12 @@ jupyterhub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
         oauth_callback_url: https://demo.2i2c.cloud/hub/oauth_callback
-        shown_idps:
-          # Allow Google for 2i2c.org anr dmbl
-          - https://accounts.google.com/o/oauth2/auth
-          - https://enterprise.login.utexas.edu/idp/shibboleth
         allowed_idps:
           # UTexas hub
           https://enterprise.login.utexas.edu/idp/shibboleth:
             username_derivation:
               username_claim: "eppn"
+            allow_all: true
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"

config/clusters/2i2c/imagebuilding-demo.values.yaml

@@ -129,7 +129,7 @@ jupyterhub:
         url: http://imagebuilding-demo-binderhub-service:8090
     image:
       name: quay.io/2i2c/dynamic-image-building-experiment
-      tag: "0.0.1-0.dev.git.7080.h0da36d1e"
+      tag: "0.0.1-0.dev.git.7130.h0bdc2d30"
     config:
       JupyterHub:
         authenticator_class: github

config/clusters/2i2c/mtu.values.yaml

@@ -31,17 +31,10 @@ jupyterhub:
       tag: "6286b77ae45c"
   hub:
     config:
-      Authenticator:
-        admin_users:
-          - "[email protected]"
-          - "[email protected]"
       JupyterHub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
         oauth_callback_url: "https://mtu.2i2c.cloud/hub/oauth_callback"
-        shown_idps:
-          - http://google.com/accounts/o8/id
-          - https://sso.mtu.edu/idp/shibboleth
         allowed_idps:
           # Allow 2i2c staff to login with Google
           http://google.com/accounts/o8/id:
@@ -55,3 +48,7 @@ jupyterhub:
               username_claim: "email"
             allowed_domains:
               - "mtu.edu"
+      Authenticator:
+        admin_users:
+          - "[email protected]"
+          - "[email protected]"

config/clusters/2i2c/neurohackademy.values.yaml

@@ -55,24 +55,43 @@ jupyterhub:
     config:
       JupyterHub:
         authenticator_class: cilogon
-      Authenticator:
-        # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies
-        #        allow_existing_users=True, while in z3jh 3.0.0 this needs to be
-        #        configured explicitly.
-        #
-        allowed_users: &neurohackademy_users
-          - arokem
-        admin_users: *neurohackademy_users
       CILogonOAuthenticator:
-        scope:
-          - "profile"
         oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback
-        shown_idps:
-          - https://github.com/login/oauth/authorize
         allowed_idps:
           http://github.com/login/oauth/authorize:
             username_derivation:
               username_claim: "preferred_username"
+      OAuthenticator:
+        # WARNING: Don't use allow_existing_users with config to allow an
+        #          externally managed group of users, such as
+        #          GitHubOAuthenticator.allowed_organizations, as it breaks a
+        #          common expectations for an admin user.
+        #
+        #          The broken expectation is that removing a user from the
+        #          externally managed group implies that the user won't have
+        #          access any more. In practice the user will still have
+        #          access if it had logged in once before, as it then exists
+        #          in JupyterHub's database of users.
+        #
+        allow_existing_users: True
+      Authenticator:
+        # WARNING: Removing a user from admin_users or allowed_users doesn't
+        #          revoke admin status or access.
+        #
+        #          OAuthenticator.allow_existing_users allows any user in the
+        #          JupyterHub database of users able to login. This includes
+        #          any previously logged in user or user previously listed in
+        #          allowed_users or admin_users, as such users are added to
+        #          JupyterHub's database on startup.
+        #
+        #          To revoke admin status or access for a user when
+        #          allow_existing_users is enabled, first remove the user from
+        #          admin_users or allowed_users, then deploy the change, and
+        #          finally revoke the admin status or delete the user via the
+        #          /hub/admin panel.
+        #
+        admin_users:
+          - arokem
     extraFiles:
       configurator-schema-default:
         data:

config/clusters/2i2c/staging.values.yaml

@@ -56,8 +56,6 @@ jupyterhub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
         oauth_callback_url: "https://staging.2i2c.cloud/hub/oauth_callback"
-        shown_idps:
-          - http://google.com/accounts/o8/id
         allowed_idps:
           http://google.com/accounts/o8/id:
             username_derivation:

config/clusters/2i2c/temple.values.yaml

@@ -45,22 +45,20 @@ jupyterhub:
       limit: 2G
   hub:
     config:
-      Authenticator:
-        admin_users:
-          - [email protected]
       JupyterHub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
         oauth_callback_url: https://temple.2i2c.cloud/hub/oauth_callback
-        shown_idps:
-          - https://fim.temple.edu/idp/shibboleth
-          - https://accounts.google.com/o/oauth2/auth
         allowed_idps:
           https://fim.temple.edu/idp/shibboleth:
             username_derivation:
               username_claim: "eppn"
+            allow_all: true
           http://google.com/accounts/o8/id:
             username_derivation:
               username_claim: "email"
             allowed_domains:
               - "2i2c.org"
+      Authenticator:
+        admin_users:
+          - [email protected]