Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[EPIC] EarthScope: Restrict access to profiles based on scopes granted #3900

Closed
yuvipanda opened this issue Apr 3, 2024 · 4 comments
Closed

[EPIC] EarthScope: Restrict access to profiles based on scopes granted #3900

yuvipanda opened this issue Apr 3, 2024 · 4 comments
Assignees
@yuvipanda

Comments

@yuvipanda
Copy link
Member

yuvipanda commented Apr 3, 2024
edited by haroldcampbell
Loading

EarthScope wants to restrict access to profiles based on specific scopes granted to them.

I think the sustainable pathway to this is to do this based on group membership. This matches with a lot of the new work going on upstream. We can start this out in Earthscope, but eventually be able to expand this in other places. It also will eventually help us get rid of the hacky setup for restricting access to profiles based on GitHub Teams (

infrastructure/helm-charts/basehub/values.yaml

Line 979 in 120e88d

05-gh-teams: |
), but that's not a direct part of this ticket.

https://2i2c.freshdesk.com/a/tickets/1453 has additional information, and is our ongoing conversation with them.

The steps here are:

✅ Deploy latest OAuthenticator

jupyterhub/oauthenticator#708 was merged a couple months ago, allowing OAuthenticator to manage JupyterHub groups based on results from the OAuth2 provider. This I believe will be deployed whenever #3818 goes out. This allows us some more information about group management.

Switch to using GenericOAuthenticator for using Auth0

jupyterhub/oauthenticator#708 is specifically for GenericOAuthenticator. In #3883, we move EarthScope from Auth0Authenticator to GenericOAuthenticator, so we can make use of this feature.

Note: While there's upstream work from me to move this functionality away from just GenericOAuthenticator (jupyterhub/oauthenticator#735), I definitely do not want us to block this work on that. Those changes will be made in a backwards compatible way, and we can roll them out as and when that gets released.

Enable mapping granted scopes to JupyterHub user groups

This would be setting the equivalent of the following config:

GenericOAuthenticator:
  claims_groups_key: "scope"
  manage_groups: true

This should turn scopes granted by oauth2 into groups, and we should be able to see that in the JupyterHub admin UI.

Enable restricting scopes based on JupyterHub user groups

This would likely be a straight port of our GitHub code (

infrastructure/helm-charts/basehub/values.yaml

Line 979 in 120e88d

05-gh-teams: |
) but to use JupyterHub groups. At this point, this will be only in earthscope, but primed for proper upstream contribution.

Tasks
Beta Give feedback
No tasks being tracked yet.
@yuvipanda yuvipanda mentioned this issue Apr 3, 2024
Open
@yuvipanda yuvipanda mentioned this issue May 1, 2024
Open
@haroldcampbell
Copy link

haroldcampbell commented May 2, 2024
edited
Loading

The outstanding work is to review and merge the draft PR.

@yuvipanda yuvipanda self-assigned this May 2, 2024
@yuvipanda yuvipanda mentioned this issue May 3, 2024
Merged
@yuvipanda
Copy link
Member Author

@GeorgianaElena would you be able to work with me on this?

@GeorgianaElena
Copy link
Member

@yuvipanda, sure!

@yuvipanda
Copy link
Member Author

This has been completed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yuvipanda yuvipanda

Labels
None yet
Projects
No open projects
DEPRECATED Engineering and Product Backlog
Status: Complete
Milestone
No milestone
Development

No branches or pull requests
3 participants
@yuvipanda @haroldcampbell @GeorgianaElena