From c83513bc63ab59ef90e6b64feaaca9e9d29378eb Mon Sep 17 00:00:00 2001 From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Thu, 9 Nov 2023 14:05:13 -0500 Subject: [PATCH 1/4] periodically check whether a jupyterhub user still has permission to access it --- CHANGES.md | 12 +++++++++++- birdhouse/config/jupyterhub/default.env | 12 +++++++++++- .../config/jupyterhub/docker-compose-extra.yml | 1 + .../jupyterhub/jupyterhub_config.py.template | 5 +++++ birdhouse/env.local.example | 17 +++++++++++++++++ 5 files changed, 45 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 5f0cd08a4..b9e45e58f 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -15,7 +15,17 @@ [Unreleased](https://github.com/bird-house/birdhouse-deploy/tree/master) (latest) ------------------------------------------------------------------------------------------------------------------ -[//]: # (list changes here, using '-' for each new entry, remove this when items are added) +## Changes + +- Jupyterhub: periodically check whether the logged-in user still have permission to access + + By setting the `JUPYTERHUB_CRYPT_KEY` environment variable in the `env.local` file, jupyterhub will store user's + authentication information (session cookie) in the database. This allows jupyterhub to periodically check whether the + user still has permission to access jupyterhub (the session cookie is not expired and the permission have not + changed). + + The minimum duration between checks can be set with the `JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE` variable which is an + integer (in seconds). [1.37.1](https://github.com/bird-house/birdhouse-deploy/tree/1.37.1) (2023-11-03) ------------------------------------------------------------------------------------------------------------------ diff --git a/birdhouse/config/jupyterhub/default.env b/birdhouse/config/jupyterhub/default.env index d8ffba773..f47597d5e 100644 --- a/birdhouse/config/jupyterhub/default.env 
+++ b/birdhouse/config/jupyterhub/default.env
@@ -5,7 +5,7 @@
 # are applied and must be added to the list of DELAYED_EVAL.
 export JUPYTERHUB_DOCKER=pavics/jupyterhub
-export JUPYTERHUB_VERSION=4.0.2-20231002
+export JUPYTERHUB_VERSION=4.0.2-20231024
 # Jupyter single-user server images, can be overriden in env.local to have a space separated list of multiple images
 export DOCKER_NOTEBOOK_IMAGES="pavics/workflow-tests:230601"
@@ -64,6 +64,15 @@ export JUPYTERHUB_CONFIG_OVERRIDE=""
 # recommended as it may permit unauthorized users from accessing jupyterhub.
 export JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL='http://twitcher:8000/ows/verify/jupyterhub'
+# 32 byte hex-encoded key used to encrypt a user's authentication state in the juptyerhub database.
+# If set, jupyterhub will periodically check if the user still has permission to access jupyterhub (according to Magpie)
+export JUPYTERHUB_CRYPT_KEY=
+
+# Jupyterhub will check if the current logged in user still has permission to access jupyterhub (according to Magpie)
+# if their authentication information is older that this value (in seconds). This value is only applied if
+# JUPYTERHUB_CRYPT_KEY is set.
+export JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE=300
+
 export DELAYED_EVAL="
 $DELAYED_EVAL
 JUPYTERHUB_USER_DATA_DIR
@@ -86,6 +95,7 @@ OPTIONAL_VARS="
 \$JUPYTERHUB_DOCKER
 \$JUPYTERHUB_VERSION
 \$JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL
+ \$JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE
 \$JUPYTER_IDLE_SERVER_CULL_TIMEOUT
 \$JUPYTER_IDLE_KERNEL_CULL_TIMEOUT
 \$JUPYTER_IDLE_KERNEL_CULL_INTERVAL
diff --git a/birdhouse/config/jupyterhub/docker-compose-extra.yml b/birdhouse/config/jupyterhub/docker-compose-extra.yml
index e2a489590..32dd395ed 100644
--- a/birdhouse/config/jupyterhub/docker-compose-extra.yml
+++ b/birdhouse/config/jupyterhub/docker-compose-extra.yml
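Review bot: The comment added above `export JUPYTERHUB_CRYPT_KEY=` in the second hunk should say what the empty default means, since that is the security-relevant case: with no key, auth state is not stored and the periodic Magpie permission re-check the comment describes never runs, so presumably a user whose Magpie permission is revoked keeps access until their hub login expires; something like `# Empty (default): auth state is not stored and permission is only checked at login, never re-checked.` The same two comment blocks carry typos that are repeated verbatim in env.local.example in this commit: `juptyerhub` and `older that this value` (should be `older than this value`). In the third hunk only `JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE` is added to OPTIONAL_VARS while `JUPYTERHUB_CRYPT_KEY` is not; that looks deliberate because the key is handed to the container via docker-compose rather than substituted into the template, but a one-line comment saying so would save the next reader the question.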
@@ -27,6 +27,7 @@ services:
 MOUNT_IMAGE_SPECIFIC_NOTEBOOKS: ${MOUNT_IMAGE_SPECIFIC_NOTEBOOKS}
 USER_WORKSPACE_UID: ${USER_WORKSPACE_UID}
 USER_WORKSPACE_GID: ${USER_WORKSPACE_GID}
+ JUPYTERHUB_CRYPT_KEY: ${JUPYTERHUB_CRYPT_KEY}
 volumes:
 - ./config/jupyterhub/jupyterhub_config.py:/srv/jupyterhub/jupyterhub_config.py:ro
 - ./config/jupyterhub/custom_templates:/custom_templates:ro
diff --git a/birdhouse/config/jupyterhub/jupyterhub_config.py.template b/birdhouse/config/jupyterhub/jupyterhub_config.py.template
index d7bda1ec6..df89ad9c2 100644
--- a/birdhouse/config/jupyterhub/jupyterhub_config.py.template
+++ b/birdhouse/config/jupyterhub/jupyterhub_config.py.template
@@ -19,6 +19,11 @@ c.MagpieAuthenticator.magpie_url = "http://magpie:2001"
 c.MagpieAuthenticator.public_fqdn = "${PAVICS_FQDN_PUBLIC}"
 c.MagpieAuthenticator.authorization_url = "${JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL}"
+if os.getenv("JUPYTERHUB_CRYPT_KEY"):
+ c.MagpieAuthenticator.enable_auth_state = True
+ c.MagpieAuthenticator.refresh_pre_spawn = True
+ c.MagpieAuthenticator.auth_refresh_age = int("${JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE}")
+
 c.JupyterHub.cookie_secret_file = '/persist/jupyterhub_cookie_secret'
 c.JupyterHub.db_url = '/persist/jupyterhub.sqlite'
diff --git a/birdhouse/env.local.example b/birdhouse/env.local.example
index 71b1e3de7..b91f48587 100644
--- a/birdhouse/env.local.example
+++ b/birdhouse/env.local.example
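Review bot: The new `if os.getenv("JUPYTERHUB_CRYPT_KEY"):` block in jupyterhub_config.py.template mixes two configuration paths without a comment saying so: the key is read from the hub process environment at startup (it reaches the container through the `JUPYTERHUB_CRYPT_KEY` entry added to docker-compose-extra.yml in this commit), while `auth_refresh_age` is filled in by template substitution of `${JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE}` before the hub starts. I would add above the `if`: `# JupyterHub derives the auth_state encryption key from JUPYTERHUB_CRYPT_KEY in its own environment, so it is checked at runtime rather than substituted; an empty key leaves auth_state off and the periodic Magpie permission re-check disabled.` Note also that `int("${JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE}")` raises ValueError at hub startup when the substituted value is empty or not an integer, which fails closed but with an unhelpful traceback, so a comment stating that the variable must be a non-empty integer is worth adding. The hunk does not show an `import os`; if the template does not already import it above line 19, the new check fails at startup.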
@@ -351,6 +351,23 @@ export GEOSERVER_ADMIN_PASSWORD=geoserverpass # #export JUPYTERHUB_CONFIG_OVERRIDE=" # +# +# The following variables can be used to configure additional authentication settings for jupyterhub +# +# 32 byte hex-encoded key used to encrypt a user's authentication state in the juptyerhub database. +# If set, jupyterhub will periodically check if the user still has permission to access jupyterhub (according to Magpie) +# This may be a semicolon-separated list of encryption keys. If there are multiple keys present, the first key is always +# used to persist any new auth_state. +# To generate a key the following command can be used: `openssl rand -hex 32` +# See for more details: https://jupyterhub.readthedocs.io/en/stable/reference/authenticators.html#authentication-state +#export JUPYTERHUB_CRYPT_KEY= +# +# Jupyterhub will check if the current logged in user still has permission to access jupyterhub (according to Magpie) +# if their authentication information is older that this value (in seconds). This value is only applied if +# JUPYTERHUB_CRYPT_KEY is set. +#export JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE=300 +# +# # Sample below will allow for sharing notebooks between Jupyter users. # Note all shares are public. # From c9fb762ea73459f699bdea4f3652daa42ccd4cb9 Mon Sep 17 00:00:00 2001 From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Mon, 27 Nov 2023 10:15:42 -0500 Subject: [PATCH 2/4] review suggestions --- birdhouse/config/jupyterhub/default.env | 4 ++-- birdhouse/env.local.example | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/birdhouse/config/jupyterhub/default.env b/birdhouse/config/jupyterhub/default.env index f47597d5e..e6d7ee139 100644 --- a/birdhouse/config/jupyterhub/default.env +++ b/birdhouse/config/jupyterhub/default.env 
@@ -5,7 +5,7 @@
 # are applied and must be added to the list of DELAYED_EVAL.
 export JUPYTERHUB_DOCKER=pavics/jupyterhub
-export JUPYTERHUB_VERSION=4.0.2-20231024
+export JUPYTERHUB_VERSION=4.0.2-20231127
 # Jupyter single-user server images, can be overriden in env.local to have a space separated list of multiple images
 export DOCKER_NOTEBOOK_IMAGES="pavics/workflow-tests:230601"
@@ -71,7 +71,7 @@ export JUPYTERHUB_CRYPT_KEY=
 # Jupyterhub will check if the current logged in user still has permission to access jupyterhub (according to Magpie)
 # if their authentication information is older that this value (in seconds). This value is only applied if
 # JUPYTERHUB_CRYPT_KEY is set.
-export JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE=300
+export JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE=60
 export DELAYED_EVAL="
 $DELAYED_EVAL
diff --git a/birdhouse/env.local.example b/birdhouse/env.local.example
index b91f48587..37b9f46f3 100644
--- a/birdhouse/env.local.example
+++ b/birdhouse/env.local.example
@@ -365,7 +365,7 @@ export GEOSERVER_ADMIN_PASSWORD=geoserverpass
 # Jupyterhub will check if the current logged in user still has permission to access jupyterhub (according to Magpie)
 # if their authentication information is older that this value (in seconds). This value is only applied if
 # JUPYTERHUB_CRYPT_KEY is set.
-#export JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE=300
+#export JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE=60
 #
 #
 # Sample below will allow for sharing notebooks between Jupyter users.
From 7b82aff5ca5e2610c951519baffcc6107d98b3d5 Mon Sep 17 00:00:00 2001
From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com>
Date: Wed, 29 Nov 2023 11:40:08 -0500
Subject: [PATCH 3/4] add information on how to re-login users
---
CHANGES.md | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/CHANGES.md b/CHANGES.md
index b9e45e58f..e496f14a1 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -27,6 +27,16 @@ The minimum duration between checks can be set with the `JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE` variable which is an integer (in seconds). + Note that users who are already logged in to jupyterhub will need to log out and log in for these changes to take + effect. + + To forcibly log out all users currently logged in to jupyterhub you can run the following command to force the + recreation of the cookie secret: + + ```shell + docker exec jupyterhub rm /persist/jupyterhub_cookie_secret && docker restart jupyterhub + ``` + [1.37.1](https://github.com/bird-house/birdhouse-deploy/tree/1.37.1) (2023-11-03) ------------------------------------------------------------------------------------------------------------------ From 7374036331e5ddb6adb172a29b864467d92b30a3 Mon Sep 17 00:00:00 2001 From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Thu, 30 Nov 2023 10:28:23 -0500 Subject: [PATCH 4/4] =?UTF-8?q?Bump=20version:=201.39.1=20=E2=86=92=201.39?= =?UTF-8?q?.2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .bumpversion.cfg | 6 +++--- CHANGES.md | 5 +++++ Makefile | 2 +- README.rst | 8 ++++---- RELEASE.txt | 2 +- .../config/canarie-api/docker_configuration.py.template | 8 ++++---- docs/source/conf.py | 4 ++-- 7 files changed, 20 insertions(+), 15 deletions(-) diff --git a/.bumpversion.cfg b/.bumpversion.cfg index 62590916f..c4f2826e2 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,5 +1,5 @@ [bumpversion] -current_version = 1.39.1 +current_version = 1.39.2 commit = True tag = False tag_name = {new_version} 
@@ -30,11 +30,11 @@ search = {current_version} replace = {new_version} [bumpversion:file:RELEASE.txt] -search = {current_version} 2023-11-29T17:03:07Z +search = {current_version} 2023-11-30T15:28:22Z replace = {new_version} {utcnow:%Y-%m-%dT%H:%M:%SZ} [bumpversion:part:releaseTime] -values = 2023-11-29T17:03:07Z +values = 2023-11-30T15:28:22Z [bumpversion:file(version):birdhouse/config/canarie-api/docker_configuration.py.template] search = 'version': '{current_version}' diff --git a/CHANGES.md b/CHANGES.md index 99b4f34ec..088fb34d8 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -15,6 +15,11 @@ [Unreleased](https://github.com/bird-house/birdhouse-deploy/tree/master) (latest) ------------------------------------------------------------------------------------------------------------------ +[//]: # (list changes here, using '-' for each new entry, remove this when items are added) + +[1.39.2](https://github.com/bird-house/birdhouse-deploy/tree/1.39.2) (2023-11-30) +------------------------------------------------------------------------------------------------------------------ + ## Changes - Jupyterhub: periodically check whether the logged-in user still have permission to access diff --git a/Makefile b/Makefile index b1dd1dd8b..db39db5b3 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ # Generic variables override SHELL := bash override APP_NAME := birdhouse-deploy -override APP_VERSION := 1.39.1 +override APP_VERSION := 1.39.2 # utility to remove comments after value of an option variable override clean_opt = $(shell echo "$(1)" | $(_SED) -r -e "s/[ '$'\t'']+$$//g") diff --git a/README.rst b/README.rst index 8f16e7277..100016eed 100644 --- a/README.rst +++ b/README.rst 
@@ -14,13 +14,13 @@ for a full-fledged production platform.
 * - releases
 - | |latest-version| |commits-since|
-.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/1.39.1.svg
+.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/1.39.2.svg
 :alt: Commits since latest release
- :target: https://github.com/bird-house/birdhouse-deploy/compare/1.39.1...master
+ :target: https://github.com/bird-house/birdhouse-deploy/compare/1.39.2...master
-.. |latest-version| image:: https://img.shields.io/badge/tag-1.39.1-blue.svg?style=flat
+.. |latest-version| image:: https://img.shields.io/badge/tag-1.39.2-blue.svg?style=flat
 :alt: Latest Tag
- :target: https://github.com/bird-house/birdhouse-deploy/tree/1.39.1
+ :target: https://github.com/bird-house/birdhouse-deploy/tree/1.39.2
 .. |readthedocs| image:: https://readthedocs.org/projects/birdhouse-deploy/badge/?version=latest
 :alt: ReadTheDocs Build Status (latest version)
diff --git a/RELEASE.txt b/RELEASE.txt
index a43d48a7a..4a4b2b442 100644
--- a/RELEASE.txt
+++ b/RELEASE.txt
@@ -1 +1 @@
-1.39.1 2023-11-29T17:03:07Z
+1.39.2 2023-11-30T15:28:22Z
diff --git a/birdhouse/config/canarie-api/docker_configuration.py.template b/birdhouse/config/canarie-api/docker_configuration.py.template
index 3333aef28..220bd9c23 100644
--- a/birdhouse/config/canarie-api/docker_configuration.py.template
+++ b/birdhouse/config/canarie-api/docker_configuration.py.template
@@ -109,8 +109,8 @@ SERVICES = {
 # NOTE:
 # Below version and release time auto-managed by 'make VERSION=x.y.z bump'.
 # Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'.
- 'version': '1.39.1',
- 'releaseTime': '2023-11-29T17:03:07Z',
+ 'version': '1.39.2',
+ 'releaseTime': '2023-11-30T15:28:22Z',
 'institution': 'Ouranos',
 'researchSubject': 'Climatology',
 'supportEmail': '${SUPPORT_EMAIL}',
@@ -142,8 +142,8 @@ PLATFORMS = {
 # NOTE:
 # Below version and release time auto-managed by 'make VERSION=x.y.z bump'.
 # Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'.
- 'version': '1.39.1',
- 'releaseTime': '2023-11-29T17:03:07Z',
+ 'version': '1.39.2',
+ 'releaseTime': '2023-11-30T15:28:22Z',
 'institution': 'Ouranos',
 'researchSubject': 'Climatology',
 'supportEmail': '${SUPPORT_EMAIL}',
diff --git a/docs/source/conf.py b/docs/source/conf.py
index ebc78084f..180ce2fa8 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -69,9 +69,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '1.39.1'
+version = '1.39.2'
 # The full version, including alpha/beta/rc tags.
-release = '1.39.1'
+release = '1.39.2'
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.