change auth class to generic oauth
garciagenrique committed Apr 25, 2024
1 parent 09d8bf9 commit 8a1dd4d
Showing 1 changed file with 64 additions and 49 deletions.
113 changes: 64 additions & 49 deletions infrastructure/cluster/flux/jhub-dev/jhub-dev-release.yaml
Expand Up @@ -20,11 +20,13 @@ spec:
- kind: Secret
name: jhub-dev-iam-secrets
valuesKey: client_id
targetPath: hub.config.RucioAuthenticator.client_id
#targetPath: hub.config.RucioAuthenticator.client_id
targetPath: hub.config.GenericOAuthenticator.client_id
- kind: Secret
name: jhub-dev-iam-secrets
valuesKey: client_secret
targetPath: hub.config.RucioAuthenticator.client_secret
#targetPath: hub.config.RucioAuthenticator.client_secret
targetPath: hub.config.GenericOAuthenticator.client_secret
- kind: Secret
name: jhub-dev-db
valuesKey: dbfullstring
Expand All @@ -51,68 +53,81 @@ spec:
db:
type: postgres # secret dbconnect string set in main-helm.tf
config:
RucioAuthenticator:
# client_id: "" # set through secret
# client_secret: "" # set through secret
JupyterHub:
authenticator_class: "generic-oauth"
GenericOAuthenticator:
#client_id: "" # set through secret
#client_secret: "" # set through secret
authorize_url: https://iam-escape.cloud.cnaf.infn.it/authorize
token_url: https://iam-escape.cloud.cnaf.infn.it/token
userdata_url: https://iam-escape.cloud.cnaf.infn.it/userinfo
username_key: preferred_username
#username_key: preferred_username
scope:
- openid
- profile
- email
# RucioAuthenticator:
# # client_id: "" # set through secret
# # client_secret: "" # set through secret
# authorize_url: https://iam-escape.cloud.cnaf.infn.it/authorize
# token_url: https://iam-escape.cloud.cnaf.infn.it/token
# userdata_url: https://iam-escape.cloud.cnaf.infn.it/userinfo
# username_key: preferred_username
# scope:
# - openid
# - profile
# - email

extraConfig:
token-exchange: |
import pprint
import os
import warnings
import requests
from oauthenticator.generic import GenericOAuthenticator
# extraConfig:
# token-exchange: |
# import pprint
# import os
# import warnings
# import requests
# from oauthenticator.generic import GenericOAuthenticator

# custom authenticator to enable auth_state and get access token to set as env var for rucio extension
class RucioAuthenticator(GenericOAuthenticator):
def __init__(self, **kwargs):
super().__init__(**kwargs)
self.enable_auth_state = True
# # custom authenticator to enable auth_state and get access token to set as env var for rucio extension
# class RucioAuthenticator(GenericOAuthenticator):
# def __init__(self, **kwargs):
# super().__init__(**kwargs)
# self.enable_auth_state = True

def exchange_token(self, token):
params = {
'client_id': self.client_id,
'client_secret': self.client_secret,
'grant_type': 'urn:ietf:params:oauth:grant-type:token-exchange',
'subject_token': token,
'scope': 'openid profile',
'audience': 'rucio'
}
response = requests.post(self.token_url, data=params)
rucio_token = response.json()['access_token']
return rucio_token
# def exchange_token(self, token):
# params = {
# 'client_id': self.client_id,
# 'client_secret': self.client_secret,
# 'grant_type': 'urn:ietf:params:oauth:grant-type:token-exchange',
# 'subject_token': token,
# 'scope': 'openid profile',
# 'audience': 'rucio'
# }
# response = requests.post(self.token_url, data=params)
# rucio_token = response.json()['access_token']
# return rucio_token

async def pre_spawn_start(self, user, spawner):
auth_state = await user.get_auth_state()
pprint.pprint(auth_state)
if not auth_state:
# user has no auth state
return
# async def pre_spawn_start(self, user, spawner):
# auth_state = await user.get_auth_state()
# pprint.pprint(auth_state)
# if not auth_state:
# # user has no auth state
# return

# define token environment variable from auth_state
spawner.environment['RUCIO_ACCESS_TOKEN'] = self.exchange_token(auth_state['access_token'])
spawner.environment['EOS_ACCESS_TOKEN'] = auth_state['access_token']
# # define token environment variable from auth_state
# spawner.environment['RUCIO_ACCESS_TOKEN'] = self.exchange_token(auth_state['access_token'])
# spawner.environment['EOS_ACCESS_TOKEN'] = auth_state['access_token']

# set the above authenticator as the default
c.JupyterHub.authenticator_class = RucioAuthenticator
# # set the above authenticator as the default
# c.JupyterHub.authenticator_class = RucioAuthenticator

# enable authentication state
c.GenericOAuthenticator.enable_auth_state = True
# # enable authentication state
# c.GenericOAuthenticator.enable_auth_state = True

if 'JUPYTERHUB_CRYPT_KEY' not in os.environ:
warnings.warn(
"Need JUPYTERHUB_CRYPT_KEY env for persistent auth_state.\n"
" export JUPYTERHUB_CRYPT_KEY=$(openssl rand -hex 32)"
)
c.CryptKeeper.keys = [os.urandom(32)]
# if 'JUPYTERHUB_CRYPT_KEY' not in os.environ:
# warnings.warn(
# "Need JUPYTERHUB_CRYPT_KEY env for persistent auth_state.\n"
# " export JUPYTERHUB_CRYPT_KEY=$(openssl rand -hex 32)"
# )
# c.CryptKeeper.keys = [os.urandom(32)]

singleuser:
defaultUrl: "/lab"
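Review bot: The new `GenericOAuthenticator` block leaves the username claim unset (`#username_key: preferred_username`) and shows no access rule, so who may log in, and under which name, now depends on the defaults of whichever oauthenticator version the chart ships. I would keep the mapping explicit with `username_claim: preferred_username` (or `username_key` on older releases) and state the intended policy beside it, for example `allowed_groups`, or `allow_all: true` if every account at the IAM issuer is meant to get a server. The commented-out `RucioAuthenticator` and `extraConfig` blocks would be better deleted than kept in the release file, since git history already holds them; if the token exchange is restored later, the `pprint.pprint(auth_state)` call should not come back with it, because it writes the access token to the hub log. The rest of the values file is outside this view, so an allow rule may already exist elsewhere.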