implement admin-access with OAuth

2025-10-12 20:43:02 +00:00 · 2017-03-30 19:15:43 +02:00
parent ff6a68112e
commit 4bb8e47f3b
7 changed files with 18 additions and 25 deletions
--- a/jupyterhub/apihandlers/users.py
+++ b/jupyterhub/apihandlers/users.py
@@ -263,6 +263,8 @@ class UserAdminAccessAPIHandler(APIHandler):
    """
    @admin_only
    def post(self, name):
+        self.log.warning("Admin Access API is deprecated in JupyterHub 0.8."
+            " There is no action needed anymore.")
        current = self.get_current_user()
        self.log.warning("Admin user %s has requested access to %s's server",
            current.name, name,
@@ -274,12 +276,6 @@ class UserAdminAccessAPIHandler(APIHandler):
            raise web.HTTPError(404)
        if not user.running:
            raise web.HTTPError(400, "%s's server is not running" % name)
-        self.set_server_cookie(user)
-        # a service can also ask for a user cookie
-        # this code prevents to raise an error
-        # cause service doesn't have 'other_user_cookies'
-        if getattr(current, 'other_user_cookies', None) is not None:
-            current.other_user_cookies.add(name)


 default_handlers = [
--- a/jupyterhub/handlers/base.py
+++ b/jupyterhub/handlers/base.py
@@ -252,10 +252,6 @@ class BaseHandler(RequestHandler):
            base_url=url_path_join(self.base_url, 'services')
        ))

-    def set_server_cookie(self, user):
-        """set the login cookie for the single-user server"""
-        self._set_user_cookie(user, user.server)
-
    def set_hub_cookie(self, user):
        """set the login cookie for the Hub"""
        self._set_user_cookie(user, self.hub.server)
@@ -266,9 +262,6 @@ class BaseHandler(RequestHandler):
            self.log.warning(
                "Possibly setting cookie on wrong domain: %s != %s",
                self.request.host, self.domain)
-        # create and set a new cookie token for the single-user server
-        if user.server:
-            self.set_server_cookie(user)

        # set single cookie for services
        if self.db.query(orm.Service).filter(orm.Service.server != None).first():
--- a/jupyterhub/services/auth.py
+++ b/jupyterhub/services/auth.py
@@ -503,6 +503,7 @@ class HubAuthenticated(object):
    hub_services = None # set of allowed services
    hub_users = None # set of allowed users
    hub_groups = None # set of allowed groups
+    allow_admin = False # allow any admin user access
    
    @property
    def allow_all(self):
@@ -553,6 +554,10 @@ class HubAuthenticated(object):
            app_log.debug("Allowing Hub %s %s (all Hub users and services allowed)", kind, name)
            return model

+        if self.allow_admin and model.get('admin', False):
+            app_log.debug("Allowing Hub admin %s", name)
+            return model
+
        if kind == 'service':
            # it's a service, check hub_services
            if self.hub_services and name in self.hub_services:
--- a/jupyterhub/singleuser.py
+++ b/jupyterhub/singleuser.py
@@ -46,6 +46,11 @@ from .utils import url_path_join

 class HubAuthenticatedHandler(HubOAuthenticated):
    """Class we are going to patch-in for authentication with the Hub"""
+
+    @property
+    def allow_admin(self):
+        return self.settings.get('admin_access', os.getenv('JUPYTERHUB_ADMIN_ACCESS') or False)
+
    @property
    def hub_auth(self):
        return self.settings['hub_auth']
--- a/jupyterhub/spawner.py
+++ b/jupyterhub/spawner.py
@@ -50,6 +50,7 @@ class Spawner(LoggingConfigurable):
    user = Any()
    hub = Any()
    authenticator = Any()
+    admin_access = Bool(False)
    api_token = Unicode()
    oauth_client_id = Unicode()
    oauth_client_secret = Unicode()
@@ -428,6 +429,8 @@ class Spawner(LoggingConfigurable):
        env['JUPYTERHUB_API_TOKEN'] = self.api_token
        # deprecated (as of 0.7.2), for old versions of singleuser
        env['JPY_API_TOKEN'] = self.api_token
+        if self.admin_access:
+            env['JUPYTERHUB_ADMIN_ACCESS'] = '1'
        # OAuth settings
        env['JUPYTERHUB_CLIENT_ID'] = self.oauth_client_id
        env['JUPYTERHUB_CLIENT_SECRET'] = self.oauth_client_secret
--- a/jupyterhub/user.py
+++ b/jupyterhub/user.py
@@ -244,6 +244,7 @@ class User(HasTraits):

        # create API and OAuth tokens
        spawner.api_token = api_token
+        spawner.admin_access = self.settings.get('admin_access', False)
        spawner.oauth_client_id = client_id = 'user-%s-%s' % (self.escaped_name, server_name)
        client_store = self.settings['oauth_provider'].client_authenticator.client_store
        try:
--- a/share/jupyter/hub/static/js/admin.js
+++ b/share/jupyter/hub/static/js/admin.js
@@ -77,17 +77,7 @@ require(["jquery", "bootstrap", "moment", "jhapi", "utils"], function ($, bs, mo
        var el = $(this);
        var row = get_row(el);
        var user = row.data('user');
-        var w = window.open();
-        api.admin_access(user, {
-            async: false,
-            success: function () {
-                w.location = utils.url_path_join(prefix, 'user', user);
-            },
-            error: function (xhr, err) {
-                w.close();
-                console.error("Failed to gain access to server", err);
-            }
-        });
+        var w = window.open(utils.url_path_join(prefix, 'user', user));
    });
    
    $(".start-server").click(function () {