JupyterHub spawns multiple server for one user #2129

Open
Jamesits opened this Issue Sep 4, 2018 · 5 comments


Jamesits commented Sep 4, 2018

Describe the bug
A Linux user with one UID but multiple usernames can make JupyterHub (or the systemd spawner? I'm not familiar with the spawner, so I'm not very sure if I'm reporting to the correct repository) spawn multiple servers, one per username, effectively bypassing some security and resource limitations.

To Reproduce
Steps to reproduce the behavior:

  1. Link a UID to multiple usernames
  2. Log in using all those usernames from different browser sessions
  3. Try to open different notebooks from different sessions
  4. Look at the Running tab and see if they are the same server

Expected behavior
There should be only one server per UID.

Screenshots
Nope

Server

  • OS: Fedora 28
  • JupyterHub: 0.9.2

Desktop (please complete the following information):

  • OS: Windows 10 1803
  • Browser: Firefox
  • Version 61.0.2

PS: If you wonder why this kind of setup would be done in production: it is common in systems with Kerberos authentication, where you might have multiple names mapped to the same UID. Users can log in using username, domain\username or username@domain.

@willingc willingc added the question label Sep 4, 2018

Member

minrk commented Sep 12, 2018

If multiple usernames map onto one user, this should be handled in .authenticate or possibly .normalize_username. What Authenticator are you using?


Jamesits commented Sep 12, 2018

@minrk I'm using the default authenticator, i.e. the one that looks up the Linux user database.

Contributor

willingc commented Sep 19, 2018

Would you be able to share your debug log with us (please remove any private information)? Thanks.

Member

minrk commented Sep 19, 2018

Since this is PAM, my first thought was to have a default normalize_username that runs through username->userid->username, which should get a deterministic answer:

```python
uid = pwd.getpwnam(username).pw_uid
username = pwd.getpwuid(uid).pw_name
```

Can you run that snippet for your deployment and see if it works?

But then I read about some use cases where different users should have the same UID, so I'm not sure about this as the default behavior.

Regardless of what we end up doing by default, in the meantime you can implement this as configuration for your deployment:

```python
# in jupyterhub_config.py
import pwd

from jupyterhub.auth import PAMAuthenticator


class MyPAMAuthenticator(PAMAuthenticator):

    def normalize_username(self, username):
        # pass through uid to ensure that all names that
        # correspond to one uid map to the same jupyterhub user
        uid = pwd.getpwnam(username).pw_uid
        return super().normalize_username(pwd.getpwuid(uid).pw_name)

c.JupyterHub.authenticator_class = MyPAMAuthenticator
```

Jamesits commented Sep 23, 2018

@minrk Sorry for the late reply, I've been on a trip for some days with no computer access.

The snippet

```python
uid = pwd.getpwnam(username).pw_uid
username = pwd.getpwuid(uid).pw_name
```

did give me a deterministic UID and username for all the usernames I tried. In my case the username returned is user@main.upn.suffix.
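The UID round trip discussed in this thread, as an added example that is not part of the original comments or of JupyterHub's code: it compares how many per-user servers a set of login names would be keyed under with and without the name -> uid -> name mapping. The helper names, the sample user database and the `example.test` names are constructed assumptions; the lookup functions are injectable so the comparison runs without a Kerberos-backed user database.

```python
import pwd
from collections import defaultdict

def canonical_username(name, getpwnam=pwd.getpwnam, getpwuid=pwd.getpwuid):
    """Round-trip name -> uid -> name so every alias of a UID yields one name.

    Returns None when the name is unknown, so a caller can reject it rather
    than key a server on an unresolvable string.
    """
    try:
        return getpwuid(getpwnam(name).pw_uid).pw_name
    except KeyError:
        return None

def group_logins(logins, normalize):
    """Group login names by the key a per-user server would be created under."""
    groups = defaultdict(list)
    for name in logins:
        groups[normalize(name)].append(name)
    return dict(groups)

# --- Constructed sample data (hypothetical names and UIDs) ---
SAMPLE_UID_BY_NAME = {"alice": 1001, "EXAMPLE\\alice": 1001,
                      "alice@example.test": 1001, "bob": 1002}
SAMPLE_NAME_BY_UID = {1001: "alice@example.test", 1002: "bob"}

def _entry(name, uid):
    # Build a passwd record shaped like the ones the pwd module returns.
    return pwd.struct_passwd((name, "x", uid, uid, "", "/home/sample", "/bin/sh"))

def sample_getpwnam(name):  # raises KeyError for unknown names, like pwd.getpwnam
    return _entry(name, SAMPLE_UID_BY_NAME[name])

def sample_getpwuid(uid):
    return _entry(SAMPLE_NAME_BY_UID[uid], uid)

def sample_normalize(name):
    return canonical_username(name, sample_getpwnam, sample_getpwuid)

if __name__ == "__main__":
    logins = ["alice", "EXAMPLE\\alice", "alice@example.test", "bob"]
    # Raw names: one key per alias, so one UID ends up with three servers.
    print("raw names:    ", group_logins(logins, lambda n: n))
    # After the round trip: one key per UID.
    print("uid roundtrip:", group_logins(logins, sample_normalize))
    print("unknown name: ", sample_normalize("nosuchuser"))
```

With the default arguments, `canonical_username` queries the host's real user database. As noted in the thread, a deployment that intentionally assigns one UID to several distinct users would have them merged by this mapping.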
