-
Notifications
You must be signed in to change notification settings - Fork 367
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[All] Adding overrides to user_is_authorized method #571
[All] Adding overrides to user_is_authorized method #571
Conversation
Thanks for submitting your first pull request! You are awesome! 🤗 |
31da801
to
724c86d
Compare
for more information, see https://pre-commit.ci
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a lot for opening this PR @npapapietro!
Can you please help me understand it better, in order to be able to review it?
expose some override functionality to the user_is_authorized method that will allow downstream consumers (most notably the Kubespawner) of the authenticator make further decisions on a smaller subset of group/role type properties
Can you please describe in more detail how this override functionality added to user_is_authorized
would be used in a profile_list
context?
My goal is to create a path for allowing auth logic in KubeSpawner.profile_list.
I believe @consideRatio created a blog post in https://discourse.jupyter.org/t/tailoring-spawn-options-and-server-configuration-to-certain-users/8449 describing how can the auth_state
can be used to influence the profile_list
. And this is where auth_state
is built before being returned by a successful authenticate
call.
Absolutely, In side the Kubespawner._render_options_form method, one can check/filter the rendered profile list by the base class property For example c.KubeSpawner.profile_list = [
{
'display_name': 'Training Env',
'slug': 'training-python',
'default': True,
# for example
'authenticator_override': {
'allowed_groups': ['group1', 'group2'], # generic
'allowed_organizations': ['org1', 'org2'], # github
},
'kubespawner_override': {
'image': 'datascience/bigGPU:latest',
'cpu_limit': 48,
'mem_limit': '96G',
'extra_resource_guarantees': {"nvidia.com/gpu": "2"},
}
] From here, one can use the z2jh values to define profile lists depending on Auth without needing to inline python code inside |
Thanks a lot for the additional context @npapapietro! Verify understandingFrom what I understand, the overrides passed to the Possible resolution of the current implementationIf so, from an Possible alternate solutionFrom what I understand what's needed is a generic function for group/role restriction check that's specific to each Maybe a possible solution to this is to have a generic
Then, the What do you think @npapapietro ? Kubespawner extended contextI took a peek to jupyterhub/kubespawner#700 to make sure I got the context right. It is my underestanding that this is a complicated topic with additional information about it available at jupyterhub/kubespawner#589. So, I will defer merging changes to |
I currently understand this PR's intent to be to adjust the authorization check (now I'd like to steer towards the alternative approach of relying on Authenticator class agnostic information like:
I'll go for a preliminary close on this PR for now since it hasn't received a response since March, it can easily be re-opened though! |
Motivation
The overall goal of this PR is to expose some override functionality to the
user_is_authorized
method that will allow downstream consumers (most notably the Kubespawner) of the authenticator make further decisions on a smaller subset of group/role type properties. My goal is to create a path for allowing auth logic inKubeSpawner.profile_list
.Changes
In each implementation where the concept of
allowed
user groups/projects/roles exist, there is a simple override kwarg option passed.Each override option has been documented in the respective docstring as well as testing added to cover the new changes. Some of the implementations have no concept of allowed groups currently implemented and the contributing guidelines favor moving towards
GenericOAuthenticator
, so they were ignored (cilogin for example).Risks
This method is called by the
authenticate
method.Mitigations
Testing was created and no changes were made inside the
authenticate
method.PS:
I also had to bump
isort
bugfix version to fix the pre-commit scripts. Alsoflake8==6.0.0
hook breaks forpython==3.7
.