diff --git a/jupyterhub/apihandlers/users.py b/jupyterhub/apihandlers/users.py index e35be1f5..e3eba194 100644 --- a/jupyterhub/apihandlers/users.py +++ b/jupyterhub/apihandlers/users.py @@ -263,6 +263,8 @@ class UserAdminAccessAPIHandler(APIHandler): """ @admin_only def post(self, name): + self.log.warning("Admin Access API is deprecated in JupyterHub 0.8." + " There is no action needed anymore.") current = self.get_current_user() self.log.warning("Admin user %s has requested access to %s's server", current.name, name, @@ -274,12 +276,6 @@ class UserAdminAccessAPIHandler(APIHandler): raise web.HTTPError(404) if not user.running: raise web.HTTPError(400, "%s's server is not running" % name) - self.set_server_cookie(user) - # a service can also ask for a user cookie - # this code prevents to raise an error - # cause service doesn't have 'other_user_cookies' - if getattr(current, 'other_user_cookies', None) is not None: - current.other_user_cookies.add(name) default_handlers = [ diff --git a/jupyterhub/handlers/base.py b/jupyterhub/handlers/base.py index a01ce398..18755363 100644 --- a/jupyterhub/handlers/base.py +++ b/jupyterhub/handlers/base.py @@ -252,10 +252,6 @@ class BaseHandler(RequestHandler): base_url=url_path_join(self.base_url, 'services') )) - def set_server_cookie(self, user): - """set the login cookie for the single-user server""" - self._set_user_cookie(user, user.server) - def set_hub_cookie(self, user): """set the login cookie for the Hub""" self._set_user_cookie(user, self.hub.server) @@ -266,9 +262,6 @@ class BaseHandler(RequestHandler): self.log.warning( "Possibly setting cookie on wrong domain: %s != %s", self.request.host, self.domain) - # create and set a new cookie token for the single-user server - if user.server: - self.set_server_cookie(user) # set single cookie for services if self.db.query(orm.Service).filter(orm.Service.server != None).first(): diff --git a/jupyterhub/services/auth.py b/jupyterhub/services/auth.py index 9eed189f..09bd4486 100644 --- a/jupyterhub/services/auth.py +++ b/jupyterhub/services/auth.py @@ -503,6 +503,7 @@ class HubAuthenticated(object): hub_services = None # set of allowed services hub_users = None # set of allowed users hub_groups = None # set of allowed groups + allow_admin = False # allow any admin user access @property def allow_all(self): @@ -546,13 +547,17 @@ class HubAuthenticated(object): Returns: user_model (dict): The user model if the user should be allowed, None otherwise. """ - + name = model['name'] kind = model.get('kind', 'user') if self.allow_all: app_log.debug("Allowing Hub %s %s (all Hub users and services allowed)", kind, name) return model + if self.allow_admin and model.get('admin', False): + app_log.debug("Allowing Hub admin %s", name) + return model + if kind == 'service': # it's a service, check hub_services if self.hub_services and name in self.hub_services: diff --git a/jupyterhub/singleuser.py b/jupyterhub/singleuser.py index fb0ed9be..ba9ecd0a 100755 --- a/jupyterhub/singleuser.py +++ b/jupyterhub/singleuser.py @@ -46,6 +46,11 @@ from .utils import url_path_join class HubAuthenticatedHandler(HubOAuthenticated): """Class we are going to patch-in for authentication with the Hub""" + + @property + def allow_admin(self): + return self.settings.get('admin_access', os.getenv('JUPYTERHUB_ADMIN_ACCESS') or False) + @property def hub_auth(self): return self.settings['hub_auth'] diff --git a/jupyterhub/spawner.py b/jupyterhub/spawner.py index aa64d715..d25af802 100644 --- a/jupyterhub/spawner.py +++ b/jupyterhub/spawner.py @@ -50,6 +50,7 @@ class Spawner(LoggingConfigurable): user = Any() hub = Any() authenticator = Any() + admin_access = Bool(False) api_token = Unicode() oauth_client_id = Unicode() oauth_client_secret = Unicode() @@ -428,6 +429,8 @@ class Spawner(LoggingConfigurable): env['JUPYTERHUB_API_TOKEN'] = self.api_token # deprecated (as of 0.7.2), for old versions of singleuser env['JPY_API_TOKEN'] = self.api_token + if self.admin_access: + env['JUPYTERHUB_ADMIN_ACCESS'] = '1' # OAuth settings env['JUPYTERHUB_CLIENT_ID'] = self.oauth_client_id env['JUPYTERHUB_CLIENT_SECRET'] = self.oauth_client_secret diff --git a/jupyterhub/user.py b/jupyterhub/user.py index 1c882fbc..5308e304 100644 --- a/jupyterhub/user.py +++ b/jupyterhub/user.py @@ -244,6 +244,7 @@ class User(HasTraits): # create API and OAuth tokens spawner.api_token = api_token + spawner.admin_access = self.settings.get('admin_access', False) spawner.oauth_client_id = client_id = 'user-%s-%s' % (self.escaped_name, server_name) client_store = self.settings['oauth_provider'].client_authenticator.client_store try: diff --git a/share/jupyter/hub/static/js/admin.js b/share/jupyter/hub/static/js/admin.js index 5b244c1f..0278060a 100644 --- a/share/jupyter/hub/static/js/admin.js +++ b/share/jupyter/hub/static/js/admin.js @@ -77,17 +77,7 @@ require(["jquery", "bootstrap", "moment", "jhapi", "utils"], function ($, bs, mo var el = $(this); var row = get_row(el); var user = row.data('user'); - var w = window.open(); - api.admin_access(user, { - async: false, - success: function () { - w.location = utils.url_path_join(prefix, 'user', user); - }, - error: function (xhr, err) { - w.close(); - console.error("Failed to gain access to server", err); - } - }); + var w = window.open(utils.url_path_join(prefix, 'user', user)); }); $(".start-server").click(function () {