implement admin-access with OAuth
@@ -263,6 +263,8 @@ class UserAdminAccessAPIHandler(APIHandler):
|
|||||||
"""
|
"""
|
||||||
@admin_only
|
@admin_only
|
||||||
def post(self, name):
|
def post(self, name):
|
||||||
|
self.log.warning("Admin Access API is deprecated in JupyterHub 0.8."
|
||||||
|
" There is no action needed anymore.")
|
||||||
current = self.get_current_user()
|
current = self.get_current_user()
|
||||||
self.log.warning("Admin user %s has requested access to %s's server",
|
self.log.warning("Admin user %s has requested access to %s's server",
|
||||||
current.name, name,
|
current.name, name,
|
||||||
@@ -274,12 +276,6 @@ class UserAdminAccessAPIHandler(APIHandler):
|
|||||||
raise web.HTTPError(404)
|
raise web.HTTPError(404)
|
||||||
if not user.running:
|
if not user.running:
|
||||||
raise web.HTTPError(400, "%s's server is not running" % name)
|
raise web.HTTPError(400, "%s's server is not running" % name)
|
||||||
self.set_server_cookie(user)
|
|
||||||
# a service can also ask for a user cookie
|
|
||||||
# this code prevents to raise an error
|
|
||||||
# cause service doesn't have 'other_user_cookies'
|
|
||||||
if getattr(current, 'other_user_cookies', None) is not None:
|
|
||||||
current.other_user_cookies.add(name)
|
|
||||||
|
|
||||||
|
|
||||||
default_handlers = [
|
default_handlers = [
|
||||||
|
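Review bot: The retained `self.log.warning("Admin user %s has requested access to %s's server", ...)` in the first hunk now follows the deprecation notice, and with `self.set_server_cookie(user)` removed in the second hunk it no longer corresponds to any access being granted by this endpoint. Someone reviewing Hub logs could read that line as evidence of admin access that this handler no longer gives. Consider rewording it to say the call is a no-op, or dropping it, and adding a short comment above the deprecation warning noting that access now appears to be decided by the single-user server's own Hub authentication check. The rest of `post` lies outside the hunks, so its final response is not visible here.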
@@ -252,10 +252,6 @@ class BaseHandler(RequestHandler):
|
|||||||
base_url=url_path_join(self.base_url, 'services')
|
base_url=url_path_join(self.base_url, 'services')
|
||||||
))
|
))
|
||||||
|
|
||||||
def set_server_cookie(self, user):
|
|
||||||
"""set the login cookie for the single-user server"""
|
|
||||||
self._set_user_cookie(user, user.server)
|
|
||||||
|
|
||||||
def set_hub_cookie(self, user):
|
def set_hub_cookie(self, user):
|
||||||
"""set the login cookie for the Hub"""
|
"""set the login cookie for the Hub"""
|
||||||
self._set_user_cookie(user, self.hub.server)
|
self._set_user_cookie(user, self.hub.server)
|
||||||
@@ -266,9 +262,6 @@ class BaseHandler(RequestHandler):
|
|||||||
self.log.warning(
|
self.log.warning(
|
||||||
"Possibly setting cookie on wrong domain: %s != %s",
|
"Possibly setting cookie on wrong domain: %s != %s",
|
||||||
self.request.host, self.domain)
|
self.request.host, self.domain)
|
||||||
# create and set a new cookie token for the single-user server
|
|
||||||
if user.server:
|
|
||||||
self.set_server_cookie(user)
|
|
||||||
|
|
||||||
# set single cookie for services
|
# set single cookie for services
|
||||||
if self.db.query(orm.Service).filter(orm.Service.server != None).first():
|
if self.db.query(orm.Service).filter(orm.Service.server != None).first():
|
||||||
|
@@ -503,6 +503,7 @@ class HubAuthenticated(object):
|
|||||||
hub_services = None # set of allowed services
|
hub_services = None # set of allowed services
|
||||||
hub_users = None # set of allowed users
|
hub_users = None # set of allowed users
|
||||||
hub_groups = None # set of allowed groups
|
hub_groups = None # set of allowed groups
|
||||||
|
allow_admin = False # allow any admin user access
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def allow_all(self):
|
def allow_all(self):
|
||||||
@@ -546,13 +547,17 @@ class HubAuthenticated(object):
|
|||||||
Returns:
|
Returns:
|
||||||
user_model (dict): The user model if the user should be allowed, None otherwise.
|
user_model (dict): The user model if the user should be allowed, None otherwise.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
name = model['name']
|
name = model['name']
|
||||||
kind = model.get('kind', 'user')
|
kind = model.get('kind', 'user')
|
||||||
if self.allow_all:
|
if self.allow_all:
|
||||||
app_log.debug("Allowing Hub %s %s (all Hub users and services allowed)", kind, name)
|
app_log.debug("Allowing Hub %s %s (all Hub users and services allowed)", kind, name)
|
||||||
return model
|
return model
|
||||||
|
|
||||||
|
if self.allow_admin and model.get('admin', False):
|
||||||
|
app_log.debug("Allowing Hub admin %s", name)
|
||||||
|
return model
|
||||||
|
|
||||||
if kind == 'service':
|
if kind == 'service':
|
||||||
# it's a service, check hub_services
|
# it's a service, check hub_services
|
||||||
if self.hub_services and name in self.hub_services:
|
if self.hub_services and name in self.hub_services:
|
||||||
|
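Review bot: The new `allow_admin` branch in the second hunk runs before the `kind == 'service'` check, so any model with a truthy `admin` field is allowed whatever its kind, although the attribute comment says "allow any admin user access". If service models can carry an admin flag and only admin users are intended, narrow the test to `if self.allow_admin and kind == 'user' and model.get('admin', False):`. The grant is also logged only at debug level (`app_log.debug("Allowing Hub admin %s", name)`), so under default logging there may be no record of an admin entering another user's server; logging it at `info` or `warning` with `kind` included would keep an audit trail. The enclosing method starts and continues outside the hunk.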
@@ -46,6 +46,11 @@ from .utils import url_path_join
|
|||||||
|
|
||||||
class HubAuthenticatedHandler(HubOAuthenticated):
|
class HubAuthenticatedHandler(HubOAuthenticated):
|
||||||
"""Class we are going to patch-in for authentication with the Hub"""
|
"""Class we are going to patch-in for authentication with the Hub"""
|
||||||
|
|
||||||
|
@property
|
||||||
|
def allow_admin(self):
|
||||||
|
return self.settings.get('admin_access', os.getenv('JUPYTERHUB_ADMIN_ACCESS') or False)
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def hub_auth(self):
|
def hub_auth(self):
|
||||||
return self.settings['hub_auth']
|
return self.settings['hub_auth']
|
||||||
|
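Review bot: The new `allow_admin` property treats any non-empty `JUPYTERHUB_ADMIN_ACCESS` value as enabled, because `os.getenv('JUPYTERHUB_ADMIN_ACCESS') or False` returns the raw string; a value of `0` or `false` in the environment would therefore still turn admin access on. The only value this page shows being written is `'1'`, so an explicit comparison fails closed: `return self.settings.get('admin_access', os.getenv('JUPYTERHUB_ADMIN_ACCESS') == '1')`. That also makes the property return a bool rather than a string. The hunk does not show an `import os` for this module, so confirm it is already imported.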
@@ -50,6 +50,7 @@ class Spawner(LoggingConfigurable):
|
|||||||
user = Any()
|
user = Any()
|
||||||
hub = Any()
|
hub = Any()
|
||||||
authenticator = Any()
|
authenticator = Any()
|
||||||
|
admin_access = Bool(False)
|
||||||
api_token = Unicode()
|
api_token = Unicode()
|
||||||
oauth_client_id = Unicode()
|
oauth_client_id = Unicode()
|
||||||
oauth_client_secret = Unicode()
|
oauth_client_secret = Unicode()
|
||||||
@@ -428,6 +429,8 @@ class Spawner(LoggingConfigurable):
|
|||||||
env['JUPYTERHUB_API_TOKEN'] = self.api_token
|
env['JUPYTERHUB_API_TOKEN'] = self.api_token
|
||||||
# deprecated (as of 0.7.2), for old versions of singleuser
|
# deprecated (as of 0.7.2), for old versions of singleuser
|
||||||
env['JPY_API_TOKEN'] = self.api_token
|
env['JPY_API_TOKEN'] = self.api_token
|
||||||
|
if self.admin_access:
|
||||||
|
env['JUPYTERHUB_ADMIN_ACCESS'] = '1'
|
||||||
# OAuth settings
|
# OAuth settings
|
||||||
env['JUPYTERHUB_CLIENT_ID'] = self.oauth_client_id
|
env['JUPYTERHUB_CLIENT_ID'] = self.oauth_client_id
|
||||||
env['JUPYTERHUB_CLIENT_SECRET'] = self.oauth_client_secret
|
env['JUPYTERHUB_CLIENT_SECRET'] = self.oauth_client_secret
|
||||||
|
@@ -244,6 +244,7 @@ class User(HasTraits):
|
|||||||
|
|
||||||
# create API and OAuth tokens
|
# create API and OAuth tokens
|
||||||
spawner.api_token = api_token
|
spawner.api_token = api_token
|
||||||
|
spawner.admin_access = self.settings.get('admin_access', False)
|
||||||
spawner.oauth_client_id = client_id = 'user-%s-%s' % (self.escaped_name, server_name)
|
spawner.oauth_client_id = client_id = 'user-%s-%s' % (self.escaped_name, server_name)
|
||||||
client_store = self.settings['oauth_provider'].client_authenticator.client_store
|
client_store = self.settings['oauth_provider'].client_authenticator.client_store
|
||||||
try:
|
try:
|
||||||
|
@@ -77,17 +77,7 @@ require(["jquery", "bootstrap", "moment", "jhapi", "utils"], function ($, bs, mo
|
|||||||
var el = $(this);
|
var el = $(this);
|
||||||
var row = get_row(el);
|
var row = get_row(el);
|
||||||
var user = row.data('user');
|
var user = row.data('user');
|
||||||
var w = window.open();
|
var w = window.open(utils.url_path_join(prefix, 'user', user));
|
||||||
api.admin_access(user, {
|
|
||||||
async: false,
|
|
||||||
success: function () {
|
|
||||||
w.location = utils.url_path_join(prefix, 'user', user);
|
|
||||||
},
|
|
||||||
error: function (xhr, err) {
|
|
||||||
w.close();
|
|
||||||
console.error("Failed to gain access to server", err);
|
|
||||||
}
|
|
||||||
});
|
|
||||||
});
|
});
|
||||||
|
|
||||||
$(".start-server").click(function () {
|
$(".start-server").click(function () {
|
||||||
|
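Review bot: The rewritten `window.open(utils.url_path_join(prefix, 'user', user))` opens another user's server directly from the admin page and keeps the handle in `w`, which is no longer used. Because the opened page is content controlled by that user, it is worth making sure it gets no `window.opener` reference back to the admin page, particularly on deployments where user servers run on a different origin from the Hub. Something like `window.open(utils.url_path_join(prefix, 'user', user), '_blank', 'noopener');` drops the unused variable and the opener link together. The click handler begins outside the hunk.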