periodically check whether a jupyterhub user still has permission to …

…access it
bird-house · Nov 9, 2023 · c83513b · c83513b
1 parent 92087be
commit c83513b
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 2 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -15,7 +15,17 @@
 [Unreleased](https://github.com/bird-house/birdhouse-deploy/tree/master) (latest)
 ------------------------------------------------------------------------------------------------------------------
 
-[//]: # (list changes here, using '-' for each new entry, remove this when items are added)
+## Changes
+
+- Jupyterhub: periodically check whether the logged-in user still have permission to access
+
+  By setting the `JUPYTERHUB_CRYPT_KEY` environment variable in the `env.local` file, jupyterhub will store user's
+  authentication information (session cookie) in the database. This allows jupyterhub to periodically check whether the
+  user still has permission to access jupyterhub (the session cookie is not expired and the permission have not 
+  changed).
+
+  The minimum duration between checks can be set with the `JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE` variable which is an 
+  integer (in seconds).
 
 [1.37.1](https://github.com/bird-house/birdhouse-deploy/tree/1.37.1) (2023-11-03)
 ------------------------------------------------------------------------------------------------------------------

diff --git a/birdhouse/config/jupyterhub/default.env b/birdhouse/config/jupyterhub/default.env
@@ -5,7 +5,7 @@
 # are applied and must be added to the list of DELAYED_EVAL.
 
 export JUPYTERHUB_DOCKER=pavics/jupyterhub
-export JUPYTERHUB_VERSION=4.0.2-20231002
+export JUPYTERHUB_VERSION=4.0.2-20231024
 
 # Jupyter single-user server images, can be overriden in env.local to have a space separated list of multiple images
 export DOCKER_NOTEBOOK_IMAGES="pavics/workflow-tests:230601"
@@ -64,6 +64,15 @@ export JUPYTERHUB_CONFIG_OVERRIDE=""
 # recommended as it may permit unauthorized users from accessing jupyterhub.
 export JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL='http://twitcher:8000/ows/verify/jupyterhub'
 
+# 32 byte hex-encoded key used to encrypt a user's authentication state in the juptyerhub database.
+# If set, jupyterhub will periodically check if the user still has permission to access jupyterhub (according to Magpie)
+export JUPYTERHUB_CRYPT_KEY=
+
+# Jupyterhub will check if the current logged in user still has permission to access jupyterhub (according to Magpie)
+# if their authentication information is older that this value (in seconds). This value is only applied if
+# JUPYTERHUB_CRYPT_KEY is set.
+export JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE=300
+
 export DELAYED_EVAL="
   $DELAYED_EVAL
   JUPYTERHUB_USER_DATA_DIR
@@ -86,6 +95,7 @@ OPTIONAL_VARS="
   \$JUPYTERHUB_DOCKER
   \$JUPYTERHUB_VERSION
   \$JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL
+  \$JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE
   \$JUPYTER_IDLE_SERVER_CULL_TIMEOUT
   \$JUPYTER_IDLE_KERNEL_CULL_TIMEOUT
   \$JUPYTER_IDLE_KERNEL_CULL_INTERVAL

diff --git a/birdhouse/config/jupyterhub/docker-compose-extra.yml b/birdhouse/config/jupyterhub/docker-compose-extra.yml
@@ -27,6 +27,7 @@ services:
       MOUNT_IMAGE_SPECIFIC_NOTEBOOKS: ${MOUNT_IMAGE_SPECIFIC_NOTEBOOKS}
       USER_WORKSPACE_UID: ${USER_WORKSPACE_UID}
       USER_WORKSPACE_GID: ${USER_WORKSPACE_GID}
+      JUPYTERHUB_CRYPT_KEY: ${JUPYTERHUB_CRYPT_KEY}
     volumes:
       - ./config/jupyterhub/jupyterhub_config.py:/srv/jupyterhub/jupyterhub_config.py:ro
       - ./config/jupyterhub/custom_templates:/custom_templates:ro

diff --git a/birdhouse/config/jupyterhub/jupyterhub_config.py.template b/birdhouse/config/jupyterhub/jupyterhub_config.py.template
@@ -19,6 +19,11 @@ c.MagpieAuthenticator.magpie_url = "http://magpie:2001"
 c.MagpieAuthenticator.public_fqdn = "${PAVICS_FQDN_PUBLIC}"
 c.MagpieAuthenticator.authorization_url = "${JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL}"
 
+if os.getenv("JUPYTERHUB_CRYPT_KEY"):
+    c.MagpieAuthenticator.enable_auth_state = True
+    c.MagpieAuthenticator.refresh_pre_spawn = True
+    c.MagpieAuthenticator.auth_refresh_age = int("${JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE}")
+
 c.JupyterHub.cookie_secret_file = '/persist/jupyterhub_cookie_secret'
 c.JupyterHub.db_url = '/persist/jupyterhub.sqlite'
 

diff --git a/birdhouse/env.local.example b/birdhouse/env.local.example
@@ -351,6 +351,23 @@ export GEOSERVER_ADMIN_PASSWORD=geoserverpass
 #
 #export JUPYTERHUB_CONFIG_OVERRIDE="
 #
+#
+# The following variables can be used to configure additional authentication settings for jupyterhub
+#
+# 32 byte hex-encoded key used to encrypt a user's authentication state in the juptyerhub database.
+# If set, jupyterhub will periodically check if the user still has permission to access jupyterhub (according to Magpie)
+# This may be a semicolon-separated list of encryption keys. If there are multiple keys present, the first key is always
+# used to persist any new auth_state.
+# To generate a key the following command can be used: `openssl rand -hex 32`
+# See for more details: https://jupyterhub.readthedocs.io/en/stable/reference/authenticators.html#authentication-state
+#export JUPYTERHUB_CRYPT_KEY=
+#
+# Jupyterhub will check if the current logged in user still has permission to access jupyterhub (according to Magpie)
+# if their authentication information is older that this value (in seconds). This value is only applied if
+# JUPYTERHUB_CRYPT_KEY is set.
+#export JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE=300
+#
+#
 # Sample below will allow for sharing notebooks between Jupyter users.
 # Note all shares are public.
 #