add Authenticator.whitelist

default behavior is to allow any user to attempt login
2025-10-19 16:03:00 +00:00 · 2014-09-13 13:45:05 -07:00
parent 0b677f8d51
commit 5d701b7fd1
2 changed files with 40 additions and 6 deletions
--- a/jupyterhub/auth.py
+++ b/jupyterhub/auth.py
@@ -7,7 +7,7 @@ from tornado import gen
 import simplepam

 from IPython.config import LoggingConfigurable
-from IPython.utils.traitlets import Unicode
+from IPython.utils.traitlets import Unicode, Set

 class Authenticator(LoggingConfigurable):
    """A class for authentication.
@@ -15,6 +15,14 @@ class Authenticator(LoggingConfigurable):
    The API is one method, `authenticate`, a tornado gen.coroutine.
    """
    
+    whitelist = Set(config=True,
+        help="""Username whitelist.
+        
+        Use this to restrict which users can login.
+        If empty, allow any user to attempt login.
+        """
+    )
+    
    @gen.coroutine
    def authenticate(self, handler, data):
        """Authenticate a user with login form data.
@@ -39,8 +47,10 @@ class PAMAuthenticator(Authenticator):
        Return None otherwise.
        """
        username = data['username']
+        if self.whitelist and username not in self.whitelist:
+            return
        # simplepam wants bytes, not unicode
-        # see 
+        # see simplepam#3
        busername = username.encode(self.encoding)
        bpassword = data['password'].encode(self.encoding)
        if simplepam.authenticate(busername, bpassword, service=self.service):