Authenticator user group management #3548

Merged
merged 2 commits into from Jan 25, 2022

thomafred

Added authenticator hook for synchronizing user groups

  • Added hook function stub to authenticator base class
  • Added new argument authenticator_managed_group to base Authenticator class
  • Call authenticator hook from refresh_auth-function in Base handler class
  • Added example

@welcome

welcome bot commented Jul 23, 2021

Thanks for submitting your first pull request! You are awesome! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please make sure you followed the pull request template, as this will help us review your contribution more quickly.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

Member

@minrk minrk left a comment

Great! I think this makes sense in principle. Let's add some tests and make sure we iron out some details.

A few things to cover:

  • How is group creation handled? (i.e. what happens if a group is not already present in the db?)
  • Presumably when this flag is set, other group assignment mechanisms should fail (via config, via the API)

Is there any issue with users who have not logged in yet (i.e. have no auth state)?

@minrk
Member

minrk commented Dec 2, 2021

@thomafred now that 2.0 is out, I'd like to make authenticator-managed groups my focus for 2.1.

Do you have time to address some of the review to get this ready to merge, or would you prefer us to finish it up?

@thomafred
Author

Awesome!

I will make the changes suggested quickly

@minrk
Member

minrk commented Dec 2, 2021

Great! I never want to assume availability when a PR's been waiting for months.

@thomafred
Author

@minrk - Responding to your questions:

> How is group creation handled? (i.e. what happens if a group is not already present in the db?)

The group is automatically created in the database. There is no need for the admin to manually create new groups provided by the authenticator the way things work now. However, I can see this being a bit controversial, so maybe this feature could be optional. What do you think?

> Presumably when this flag is set, other group assignment mechanisms should fail (via config, via the API)

I am not sure what would be best here. Ideally, this PR should provide the features needed to offload group management to the authenticator. In this case, having other mechanisms fail would make sense.

@minrk
Member

minrk commented Dec 7, 2021

> What do you think?

I think that's fine. If the authenticator is in charge, it can be its responsibility.

> this PR should provide the features needed to offload group management to the authenticator.

I think the right thing to do here is to add a check to all endpoints that can modify group membership (includes, optionally, user creation):

```python
if self.authenticator.manage_groups:
    raise web.HTTPError(400, "Group management via API is disabled")
```

and do the same during startup if JupyterHub.load_groups is defined.

@minrk minrk added the new new features label Dec 8, 2021
@thomafred
Author

@minrk - I have implemented the changes you suggested. However, the unit-tests test_auth.py appear to be failing stating AttributeError: 'MockPAMAuthenticator' object has no attribute 'load_groups'.

@thomafred thomafred force-pushed the authenticator_user_group_management branch from dbc4881 to 75c64b7 Compare December 16, 2021 08:53
thomafred added a commit to C4IROcean/jupyterhub that referenced this pull request Dec 16, 2021
@@ -222,7 +222,7 @@ class Group(Base):
__tablename__ = 'groups'
id = Column(Integer, primary_key=True, autoincrement=True)
name = Column(Unicode(255), unique=True)
users = relationship('User', secondary='user_group_map', backref='groups')
users = relationship('User', secondary='user_group_map', back_populates='groups')
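Review bot: the second `users = relationship(...)` line switches `backref='groups'` to `back_populates='groups'`, but this hunk shows no matching `groups = relationship(..., back_populates='users')` declared on `User`. `back_populates` only links two relationships that are both declared explicitly, whereas `backref` creates the reverse attribute itself, so without that counterpart `User.groups` would no longer exist. Either keep `backref` here, or add the `User` side in the same change and state in the commit message why the explicit form is needed.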
Member

Can you explain this change? backref is supposed to be equivalent to two instances of back_populates, so I'm not sure why this is here.

Author

Changed to backref

thomafred added a commit to C4IROcean/jupyterhub that referenced this pull request Jan 14, 2022
thomafred added a commit to C4IROcean/jupyterhub that referenced this pull request Jan 14, 2022
…s to use back_populates instead of backref
thomafred added a commit to C4IROcean/jupyterhub that referenced this pull request Jan 18, 2022
- Added hook function stub to authenticator base class
- Added new config option `manage_groups` to base `Authenticator` class
- Call authenticator hook from `refresh_auth`-function in `Base` handler class
- Added example
@minrk
Member

minrk commented Jan 20, 2022

@thomafred thanks! I think this is just about ready to go - I rebased the PR and added some tests and docs, but wasn't allowed to update the branch. Is it possible for you to either allow maintainers to update the branch (usually a checkbox on the right), or reset your branch to minrk:authenticator_user_group_management? Then I think this can be merged. If not, I can make a new PR from my own branch.

I mostly added docs and tests, but fixed a few things revealed by the tests. I also updated the implementation to use the groups field returned by authenticate, which I think better matches how other fields are already populated (auth_state, admin), and what's in #3307.

@thomafred
Author

thomafred commented Jan 24, 2022

@minrk Was not able to find the "allow maintainers"-toggle, so I added you as a maintainer in the repo instead.

@minrk minrk force-pushed the authenticator_user_group_management branch from 3cdfa0e to b17ded3 Compare January 24, 2022 12:43
- tests
- docs
- ensure all group APIs are rejected when auth is in control
- use 'groups' field in return value of authenticate/refresh_user, instead of defining new method
- log group changes in sync_groups
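
As an added illustration of the behaviour this thread settles on (not code from the PR or from JupyterHub): a stand-alone Python model in which the `groups` field of an authenticate result is the only source of membership, unknown groups are created on sync, and the API path is refused with the 400 proposed in review. `GroupStore` and its methods are hypothetical names, and leaving membership untouched when the result has no `groups` key is an assumption.

```python
# Stand-alone model of authenticator-managed groups; not JupyterHub's code.
# GroupStore, sync_groups and api_add_user_to_group are hypothetical names.


class GroupStore:
    """In-memory stand-in for the hub's group tables."""

    def __init__(self, manage_groups):
        self.manage_groups = manage_groups  # mirrors Authenticator.manage_groups
        self.members = {}  # group name -> set of user names

    def groups_of(self, user):
        return {g for g, users in self.members.items() if user in users}

    def sync_groups(self, user, auth_model):
        """Make membership match the 'groups' field of an authenticate() result.

        Returns (added, removed) so the caller can log the change.
        """
        # Assumption: a result without 'groups' leaves membership untouched.
        if not self.manage_groups or "groups" not in auth_model:
            return set(), set()
        wanted = set(auth_model["groups"])
        current = self.groups_of(user)
        added, removed = wanted - current, current - wanted
        for name in added:
            # Unknown groups are created on first use, as described in the thread.
            self.members.setdefault(name, set()).add(user)
        for name in removed:
            # Memberships the authenticator no longer asserts are dropped.
            self.members[name].discard(user)
        return added, removed

    def api_add_user_to_group(self, user, group):
        """Model of a group-modifying API endpoint with the proposed guard."""
        if self.manage_groups:
            # Same status and message as the check proposed in review.
            return 400, "Group management via API is disabled"
        self.members.setdefault(group, set()).add(user)
        return 200, "ok"


def demo():
    store = GroupStore(manage_groups=True)
    # Constructed authenticate() results for one user across two logins.
    first = store.sync_groups("alice", {"name": "alice", "groups": ["lab", "admins"]})
    second = store.sync_groups("alice", {"name": "alice", "groups": ["lab"]})
    blocked = store.api_add_user_to_group("alice", "admins")
    return first, second, blocked, store.groups_of("alice")
```

The second login drops `admins` because the authenticator no longer asserts it, and the API call cannot put it back while `manage_groups` is set.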
@minrk minrk force-pushed the authenticator_user_group_management branch from b17ded3 to 88be7a9 Compare January 24, 2022 12:45
@minrk
Member

minrk commented Jan 25, 2022

> Was not able to find the "allow maintainers"-toggle,

Ah, I didn't realize it was an org-to-org PR. I think the checkbox is only available from personal forks, for some reason.

I think this is all set, I'll merge as soon as I finish making 2.1.1.

@minrk minrk merged commit bb5ec39 into jupyterhub:main Jan 25, 2022
@welcome

welcome bot commented Jan 25, 2022

Congrats on your first merged pull request in this project! 🎉
Thank you for contributing, we are very proud of you! ❤️

@minrk minrk deleted the authenticator_user_group_management branch January 25, 2022 13:36
@minrk
Member

minrk commented Jan 25, 2022

Woo! Landed. Thanks so much.
