New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authenticator user group management #3548
Authenticator user group management #3548
Conversation
Thanks for submitting your first pull request! You are awesome! 🤗 |
f346b22
to
dbc4881
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great! I think this makes sense in principle. Let's add some tests and make sure we iron out some details.
A few things to cover:
- How is group creation handled? (i.e. what happens if a group is not already present in the db?)
- Presumably when this flag is set, other group assignment mechanisms should fail (via config, via the API)
Is there any issue with users who have not logged in yet (i.e. have no auth state)?
@thomafred now that 2.0 is out, I'd like to make authenticator-managed groups my focus for 2.1. Do you have time to address some of the review to get this ready to merge, or would you prefer us to finish it up? |
Awesome! I will make the changes suggested quickly |
Great! I never want to assume availability when a PR's been waiting for months. |
@minrk - Responding to your questions:
The group is automatically created in the database. There is no need for the admin to manually create new groups provided by the authenticator the way things work now. However, I can see this being a bit controversial, so maybe this feature could be optional. What do you think?
I am not sure what would be best here. Ideally, this PR should provide the features needed to offload group management to the authenticator. In this case, having other mechanisms fail would make sense. |
I think that's fine. If the authenticator is in charge, it can be its responsibility.
I think the right thing to do here is to add a check to all endpoints that can modify group membership (includes, optionally, user creation): if self.authenticator.manage_groups:
raise web.HTTPError(400, "Group management via API is disabled") and do the same during startup if |
@minrk - I have implemented the changes you suggested. However, the unit-tests |
dbc4881
to
75c64b7
Compare
jupyterhub/orm.py
Outdated
@@ -222,7 +222,7 @@ class Group(Base): | |||
__tablename__ = 'groups' | |||
id = Column(Integer, primary_key=True, autoincrement=True) | |||
name = Column(Unicode(255), unique=True) | |||
users = relationship('User', secondary='user_group_map', backref='groups') | |||
users = relationship('User', secondary='user_group_map', back_populates='groups') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you explain this change? backref
is supposed to be equivalent to two instances of back_populates
, so I'm not sure why this is here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed to backref
…s to use back_populates instead of backref
…s back to backref
- Added hook function stub to authenticator base class - Added new config option `manage_groups` to base `Authenticator` class - Call authenticator hook from `refresh_auth`-function in `Base` handler class - Added example
@thomafred thanks! I think this is just about ready to go - I rebased the PR and added some tests and docs, but wasn't allowed to update the branch. Is it possible for you to either allow maintainers to update the branch (usually a checkbox on the right), or reset your branch to minrk:authenticator_user_group_management? Then I think this can be merged. If not, I can make a new PR from my own branch. I mostly added docs and tests, but fixed a few things revealed by the tests. I also updated the implementation to use the |
@minrk Was not able to find the "allow maintainers"-toggle, so I added as you a maintainer in the repo instead. |
3cdfa0e
to
b17ded3
Compare
- tests - docs - ensure all group APIs are rejected when auth is in control - use 'groups' field in return value of authenticate/refresh_user, instead of defining new method - log group changes in sync_groups
b17ded3
to
88be7a9
Compare
Ah, I didn't realize it was an org-to-org PR. I think the checkbox is only available from personal forks, for some reason. I think this is all set, I'll merge as soon as I finish making 2.1.1. |
Woo! Landed. Thanks so much. |
`manage_groups` was added in 2.2.0 (current version is 4.0.2) jupyterhub/jupyterhub#3548
Added authenticator hook for synchronizing user groups
authenticator_managed_group
to baseAuthenticator
classrefresh_auth
-function inBase
handler class