Skip to main content

Jupyter authentication plugin that checks for account existence and VPN roles.

Project description

CRC JupyterHub Authenticator

Codacy Badge Codacy Badge Tests

The crc_jupyter_auth package is a Jupyter authentication plugin for redirecting users based on their account status and VPN role. The utility is based on the jhub_remote_user_authenticator package originally created for more general applications. The CRC version builds on the original utility by providing significantly improved test coverage and a refined set of configuration options.

How It Works

The authentication plugin checks incoming authentication requests and routes users based on the associated header values. The name of the inspected headers and the routing destination are configurable via the standard Jupyter config file.

Installation and Setup

The crc_jupyter_auth package can be installable via the pip package manager.

pip install crc-jupyter-auth

After installing the package, you will need to update the authenticator_class option in your Jupyter configuration file. To enable basic authentication capabilities and request routing, specify the RemoteUserAuthenticator class:

c.JupyterHub.authenticator_class = "crc_jupyter_auth.RemoteUserAuthenticator"

To enable the same functionality plus local account management, use RemoteUserLocalAuthenticator:

c.JupyterHub.authenticator_class = "crc_jupyter_auth.RemoteUserLocalAuthenticator"

The RemoteUserLocalAuthenticator class provides the same authentication functionality as RemoteUserAuthenticator but is derived from Jupyter's builtin LocalAuthenticator class. This provides extra features such as the ability to add local accounts through the admin interface.

Package Configuration

The authenticator works by fetching the authenticated username from the HTTP header Cn. If found, and not blank, the client will be logged in as that user. Otherwise, the user is redirected.

The HTTP header names and failure redirects are configurable via the Jupyter settings file. Setting names and default values are provided in the table below:

Setting Name Default Description
username_header "Cn" HTTP header name to inspect for the authenticated username
vpn_header "isMemberOf" HTTP header name to inspect for the user VPN role(s).
required_vpn_role "" Required VPN role for accessing the service. Ignored if an empty string.
missing_user_redirect "" Redirect URL if the user has no home directory. Defaults to 404 if empty string.
missing_role_redirect "" Redirect URL if the user is missing necessary VPN role. Defaults to 404 if empty string.

To modify a settings value, use the c.Authenticator object in the configuration file. For example:

c.Authenticator.missing_role_redirect = "https://my.redirect.domain"

If your system assigns multiple VPN roles to users and more than a single role is reported by the header vpn_header, the VPN roles should be provided in the header as a semicolon delimited list (e.g., role1;role2).

Architecture and Security Recommendations

This authenticator relies on HTTP headers that can be spoofed by a malicious client. To protect against this, an authenticating proxy should be placed in front of Jupyterhub. The JupyterHub daemon should only be accessible from the proxy and never directly accessible by a client.

The authenticating proxy should remove any HTTP headers from incoming requests and only apply headers to proxied requests that have been properly authenticated.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

crc_jupyter_auth-1.0.3.tar.gz (4.5 kB view details)

Uploaded Source

Built Distribution

crc_jupyter_auth-1.0.3-py3-none-any.whl (5.2 kB view details)

Uploaded Python 3

File details

Details for the file crc_jupyter_auth-1.0.3.tar.gz.

File metadata

  • Download URL: crc_jupyter_auth-1.0.3.tar.gz
  • Upload date:
  • Size: 4.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.11.2

File hashes

Hashes for crc_jupyter_auth-1.0.3.tar.gz
Algorithm Hash digest
SHA256 7d1ac49fc9b4d31f07c716feb4579f571665aa2be3008baed038cd9695519bb6
MD5 9383b79b01a3ae76a099655ec1fdc639
BLAKE2b-256 6cbde9ad6bc3ee31ae72b5f39f666be536be7aab28590ae8fed45a1913cfa4a0

See more details on using hashes here.

File details

Details for the file crc_jupyter_auth-1.0.3-py3-none-any.whl.

File metadata

File hashes

Hashes for crc_jupyter_auth-1.0.3-py3-none-any.whl
Algorithm Hash digest
SHA256 3f76cf0ccfa16a69e3d822fd2f85f0b90d31e521ef4a9dbd797470fa2ec732a0
MD5 d4c743ef94bbb9032945f585653c585c
BLAKE2b-256 1c9e83498ce74b58905b0b1063116354553d144e6c4ce04089814ed183e2f4a6

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page