hazza/jupyterhub
1
0
Fork 0
mirror of https://github.com/jupyterhub/jupyterhub.git synced 2025-10-19 16:03:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2397 from rkdarst/pam_normalize_username

Browse Source 
pam_normalize_username option: round-trip usernames through PAM to normalize
This commit is contained in:
Min RK
2019-02-15 15:17:28 +01:00
committed by GitHub
parent 8c76f2b30c a6d217d113
commit 52d8f74eb1
2 changed files with 31 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/source/reference/authenticators.md
View File

@@ -106,6 +106,16 @@ c.Authenticator.username_map = {
} }
``` ```
When using `PAMAuthenticator`, you can set
`c.PAMAuthenticator.pam_normalize_username = True`, which will
normalize usernames using PAM (basically round-tripping them: username
to uid to username), which is useful in case you use some external
service that allows multiple usernames mapping to the same user (such
as ActiveDirectory, yes, this really happens). When
`pam_normalize_username` is on, usernames are *not* normalized to
lowercase.
#### Validate usernames #### Validate usernames
In most cases, there is a very limited set of acceptable usernames. In most cases, there is a very limited set of acceptable usernames.

21
jupyterhub/auth.py
View File

@@ -707,6 +707,16 @@ class PAMAuthenticator(LocalAuthenticator):
""" """
).tag(config=True) ).tag(config=True)
pam_normalize_username = Bool(False,
help="""
Round-trip the username via PAM lookups to make sure it is unique
PAM can accept multiple usernames that map to the same user,
for example DOMAIN\\username in some cases. To prevent this,
convert username into uid, then back to uid to normalize.
"""
).tag(config=True)
def __init__(self, **kwargs): def __init__(self, **kwargs):
if pamela is None: if pamela is None:
raise _pamela_error from None raise _pamela_error from None
@@ -798,6 +808,17 @@ class PAMAuthenticator(LocalAuthenticator):
self.log.warning("Disabling PAM sessions from now on.") self.log.warning("Disabling PAM sessions from now on.")
self.open_sessions = False self.open_sessions = False
def normalize_username(self, username):
"""Round-trip the username to normalize it with PAM
PAM can accept multiple usernames as the same user, normalize them."""
if self.pam_normalize_username:
import pwd
uid = pwd.getpwnam(username).pw_uid
username = pwd.getpwuid(uid).pw_name
username = self.username_map.get(username, username)
else:
return super().normalize_username(username)
class DummyAuthenticator(Authenticator): class DummyAuthenticator(Authenticator):
"""Dummy Authenticator for testing """Dummy Authenticator for testing