Allow disabling PAM sessions
Opening PAM sessions is often buggy and rarely necessary,
so allow it to be disabled when it's causing problems.

It's still on by default for backward-compatibility,
though maybe it shouldn't be.
minrk committed Mar 23, 2016
1 parent 28c8265 commit 40368b8
Showing 1 changed file with 21 additions and 1 deletion.
22 changes: 21 additions & 1 deletion jupyterhub/auth.py
Expand Up @@ -357,6 +357,18 @@ class PAMAuthenticator(LocalAuthenticator):
service = Unicode('login', config=True,
help="""The PAM service to use for authentication."""
)
open_sessions = Bool(True, config=True,
help="""Whether to open PAM sessions when spawners are started.
This may trigger things like mounting shared filsystems,
loading credentials, etc. depending on system configuration,
but it does not always work.
It can be disabled with::
c.PAMAuthenticator.open_sessions = False
"""
)

@gen.coroutine
def authenticate(self, handler, data):
Expand All @@ -369,23 +381,31 @@ def authenticate(self, handler, data):
pamela.authenticate(username, data['password'], service=self.service)
except pamela.PAMError as e:
if handler is not None:
self.log.warn("PAM Authentication failed (@%s): %s", handler.request.remote_ip, e)
self.log.warn("PAM Authentication failed (%s@%s): %s", username, handler.request.remote_ip, e)
else:
self.log.warn("PAM Authentication failed: %s", e)
else:
return username

def pre_spawn_start(self, user, spawner):
"""Open PAM session for user"""
if not self.open_sessions:
return
try:
pamela.open_session(user.name, service=self.service)
except pamela.PAMError as e:
self.log.warn("Failed to open PAM session for %s: %s", user.name, e)
self.log.warn("Disabling PAM sessions from now on.")
self.open_sessions = False

def post_spawn_stop(self, user, spawner):
"""Close PAM session for user"""
if not self.open_sessions:
return
try:
pamela.close_session(user.name, service=self.service)
except pamela.PAMError as e:
self.log.warn("Failed to close PAM session for %s: %s", user.name, e)
self.log.warn("Disabling PAM sessions from now on.")
self.open_sessions = False
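Review bot: A single `pamela.PAMError` in `pre_spawn_start` or `post_spawn_stop` sets `self.open_sessions = False` on the authenticator, which turns session handling off for every later user of this process rather than only for the user whose call failed. Because `post_spawn_stop` returns early on the same flag, sessions opened before the failure are never closed, and whatever the configured PAM session stack does (limits, mounts, audit records, depending on system configuration) silently stops being applied until the hub is restarted. I would treat `open_sessions` as operator configuration only and drop both `self.open_sessions = False` assignments together with the "Disabling PAM sessions from now on." message, keeping the per-user warning that is already logged. Separately, the new failure message in `authenticate` logs `username`, which appears to come from the login form (its assignment is outside the hunk); formatting it with `%r` instead of `%s` would stop control characters in a submitted name from forging log lines.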

1 comment on commit 40368b8

@pacosoplas

Hi:
After configuring everything to start JupyterHub as a non-root user, I get this error:

[E 2017-01-02 16:43:07.215 JupyterHub user:245] Unhandled error starting u029550's server: substring not found
[E 2017-01-02 16:43:07.228 JupyterHub web:1548] Uncaught exception POST /hub/login?next= (10.11.14.86)
HTTPServerRequest(protocol='http', host='10.11.14.201:8000', method='POST', uri='/hub/login?next=', version='HTTP/1.1', remote_ip='10.11.14.86', headers={'Accept-Encoding': 'gzip, deflate', 'X-Forwarded-Port': '8000', 'X-Forwarded-Host': '10.11.14.201:8000', 'X-Forwarded-For': '10.11.14.86', 'Origin': 'http://10.11.14.201:8000', 'Upgrade-Insecure-Requests': '1', 'Referer': 'http://10.11.14.201:8000/hub/login?next=', 'X-Forwarded-Proto': 'http', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8', 'Accept-Language': 'es-ES,es;q=0.8', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36', 'Cache-Control': 'max-age=0', 'Content-Type': 'application/x-www-form-urlencoded', 'Connection': 'close', 'Host': '10.11.14.201:8000', 'Content-Length': '33'})
Traceback (most recent call last):
File "/opt/Python-3.5.2/lib/python3.5/site-packages/tornado/web.py", line 1469, in _execute
result = yield result
File "/opt/Python-3.5.2/lib/python3.5/site-packages/jupyterhub/handlers/login.py", line 84, in post
yield self.spawn_single_user(user)
File "/opt/Python-3.5.2/lib/python3.5/site-packages/jupyterhub/handlers/base.py", line 327, in spawn_single_user
yield gen.with_timeout(timedelta(seconds=self.slow_spawn_timeout), f)
File "/opt/Python-3.5.2/lib/python3.5/site-packages/jupyterhub/user.py", line 255, in spawn
raise e
File "/opt/Python-3.5.2/lib/python3.5/site-packages/jupyterhub/user.py", line 229, in spawn
ip_port = yield gen.with_timeout(timedelta(seconds=spawner.start_timeout), f)
File "/opt/Python-3.5.2/lib/python3.5/site-packages/sudospawner/spawner.py", line 83, in start
reply = yield self.do(action='spawn', args=self.get_args(), env=self.get_env())
File "/opt/Python-3.5.2/lib/python3.5/site-packages/sudospawner/spawner.py", line 69, in do
data_str = data_str[data_str.index('{'):data_str.rindex('}')+1]
ValueError: substring not found

[D 2017-01-02 16:43:07.232 JupyterHub base:461] No template for 500
[E 2017-01-02 16:43:07.238 JupyterHub log:99] {
"Accept-Encoding": "gzip, deflate",
"X-Forwarded-Port": "8000",
"X-Forwarded-Host": "10.11.14.201:8000",
"X-Forwarded-For": "10.11.14.86",
"Origin": "http://10.11.14.201:8000",
"Upgrade-Insecure-Requests": "1",
"Referer": "http://10.11.14.201:8000/hub/login?next=",
"X-Forwarded-Proto": "http",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8",
"Accept-Language": "es-ES,es;q=0.8",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36",
"Cache-Control": "max-age=0",
"Content-Type": "application/x-www-form-urlencoded",
"Connection": "close",
"Host": "10.11.14.201:8000",
"Content-Length": "33"
}
[E 2017-01-02 16:43:07.238 JupyterHub log:100] 500 POST /hub/login?next= (@10.11.14.86) 91.59ms
16:43:07.267 - debug: [ConfigProxy] PROXY WEB /favicon.ico to http://10.11.14.201:8081
[D 2017-01-02 16:43:07.269 JupyterHub log:100] 304 GET /favicon.ico (@10.11.14.86) 0.81ms

Any suggestions??
