implement admin-access with OAuth

jupyterhub/apihandlers/users.py

@@ -263,6 +263,8 @@ class UserAdminAccessAPIHandler(APIHandler):
     """
     @admin_only
     def post(self, name):
+        self.log.warning("Admin Access API is deprecated in JupyterHub 0.8."
+            " There is no action needed anymore.")
         current = self.get_current_user()
         self.log.warning("Admin user %s has requested access to %s's server",
             current.name, name,
@@ -274,12 +276,6 @@ class UserAdminAccessAPIHandler(APIHandler):
             raise web.HTTPError(404)
         if not user.running:
             raise web.HTTPError(400, "%s's server is not running" % name)
-        self.set_server_cookie(user)
-        # a service can also ask for a user cookie
-        # this code prevents to raise an error
-        # cause service doesn't have 'other_user_cookies'
-        if getattr(current, 'other_user_cookies', None) is not None:
-            current.other_user_cookies.add(name)
 
 
 default_handlers = [

jupyterhub/handlers/base.py

@@ -252,10 +252,6 @@ class BaseHandler(RequestHandler):
             base_url=url_path_join(self.base_url, 'services')
         ))
 
-    def set_server_cookie(self, user):
-        """set the login cookie for the single-user server"""
-        self._set_user_cookie(user, user.server)
-
     def set_hub_cookie(self, user):
         """set the login cookie for the Hub"""
         self._set_user_cookie(user, self.hub.server)
@@ -266,9 +262,6 @@ class BaseHandler(RequestHandler):
             self.log.warning(
                 "Possibly setting cookie on wrong domain: %s != %s",
                 self.request.host, self.domain)
-        # create and set a new cookie token for the single-user server
-        if user.server:
-            self.set_server_cookie(user)
 
         # set single cookie for services
         if self.db.query(orm.Service).filter(orm.Service.server != None).first():

jupyterhub/services/auth.py

@@ -503,6 +503,7 @@ class HubAuthenticated(object):
     hub_services = None # set of allowed services
     hub_users = None # set of allowed users
     hub_groups = None # set of allowed groups
+    allow_admin = False # allow any admin user access
     
     @property
     def allow_all(self):
@@ -546,13 +547,17 @@ class HubAuthenticated(object):
         Returns:
             user_model (dict): The user model if the user should be allowed, None otherwise.
         """
-        
+
         name = model['name']
         kind = model.get('kind', 'user')
         if self.allow_all:
             app_log.debug("Allowing Hub %s %s (all Hub users and services allowed)", kind, name)
             return model
 
+        if self.allow_admin and model.get('admin', False):
+            app_log.debug("Allowing Hub admin %s", name)
+            return model
+
         if kind == 'service':
             # it's a service, check hub_services
             if self.hub_services and name in self.hub_services:

jupyterhub/singleuser.py

@@ -46,6 +46,11 @@ from .utils import url_path_join
 
 class HubAuthenticatedHandler(HubOAuthenticated):
     """Class we are going to patch-in for authentication with the Hub"""
+
+    @property
+    def allow_admin(self):
+        return self.settings.get('admin_access', os.getenv('JUPYTERHUB_ADMIN_ACCESS') or False)
+
     @property
     def hub_auth(self):
         return self.settings['hub_auth']

jupyterhub/spawner.py

@@ -50,6 +50,7 @@ class Spawner(LoggingConfigurable):
     user = Any()
     hub = Any()
     authenticator = Any()
+    admin_access = Bool(False)
     api_token = Unicode()
     oauth_client_id = Unicode()
     oauth_client_secret = Unicode()
@@ -428,6 +429,8 @@ class Spawner(LoggingConfigurable):
         env['JUPYTERHUB_API_TOKEN'] = self.api_token
         # deprecated (as of 0.7.2), for old versions of singleuser
         env['JPY_API_TOKEN'] = self.api_token
+        if self.admin_access:
+            env['JUPYTERHUB_ADMIN_ACCESS'] = '1'
         # OAuth settings
         env['JUPYTERHUB_CLIENT_ID'] = self.oauth_client_id
         env['JUPYTERHUB_CLIENT_SECRET'] = self.oauth_client_secret

jupyterhub/user.py

@@ -244,6 +244,7 @@ class User(HasTraits):
 
         # create API and OAuth tokens
         spawner.api_token = api_token
+        spawner.admin_access = self.settings.get('admin_access', False)
         spawner.oauth_client_id = client_id = 'user-%s-%s' % (self.escaped_name, server_name)
         client_store = self.settings['oauth_provider'].client_authenticator.client_store
         try:

share/jupyter/hub/static/js/admin.js

@@ -77,17 +77,7 @@ require(["jquery", "bootstrap", "moment", "jhapi", "utils"], function ($, bs, mo
         var el = $(this);
         var row = get_row(el);
         var user = row.data('user');
-        var w = window.open();
-        api.admin_access(user, {
-            async: false,
-            success: function () {
-                w.location = utils.url_path_join(prefix, 'user', user);
-            },
-            error: function (xhr, err) {
-                w.close();
-                console.error("Failed to gain access to server", err);
-            }
-        });
+        var w = window.open(utils.url_path_join(prefix, 'user', user));
     });
     
     $(".start-server").click(function () {