Skip to main content

Jupyter authentication plugin that checks for account existence and VPN roles.

Project description

CRC JupyterHub Authenticator

The crc_jupyter_auth package is a Jupyter authentication plugin for redirecting users based on their account status and VPN role. The utility is based on the jhub_remote_user_authenticator package originally created for more general applications. The CRC version builds on the original utility by providing significantly improved test coverage and a refined set of configuration options.

How It Works

The authentication plugin checks incoming authentication requests and routes users based on the associated header values. The name of the inspected headers and the routing destination are configurable via the standard Jupyter config file.

Installation and Setup

The crc_jupyter_auth package can be installable via the pip package manager.

pip install crc-jupyter-auth

After installing the package, you will need to update the authenticator_class option in your Jupyter configuration file. To enable basic authentication capabilities and request routing, specify the RemoteUserAuthenticator class:

c.JupyterHub.authenticator_class = "crc_jupyter_auth.RemoteUserAuthenticator"

To enable the same functionality plus local account management, use RemoteUserLocalAuthenticator:

c.JupyterHub.authenticator_class = "crc_jupyter_auth.RemoteUserLocalAuthenticator"

The RemoteUserLocalAuthenticator class provides the same authentication functionality as RemoteUserAuthenticator but is derived from Jupyter's built-in LocalAuthenticator class. This provides extra features such as the ability to add local accounts through the admin interface.

Package Configuration

The authenticator works by fetching the authenticated username from the HTTP header Cn. If found, and not blank, the client will be logged in as that user. Otherwise, the user is redirected.

The HTTP header names and failure redirects are configurable via the Jupyter settings file. Setting names and default values are provided in the table below:

Setting Name Default Description
username_header "Cn" HTTP header name to inspect for the authenticated username -
vpn_header "isMemberOf" HTTP header name to inspect for the user VPN role(s).
required_vpn_role "" Required VPN role for accessing the service. Ignored if an empty string.
missing_role_redirect "" Redirect URL if the user is missing the required VPN header. Defaults to 404 if empty string.

To modify a settings value, use the c.Authenticator object in the configuration file. For example:

c.Authenticator.missing_role_redirect = "https://my.redirect.domain"

If your system assigns multiple VPN roles to users and more than a single role is reported by the header vpn_header, the VPN roles should be provided in the header as a semicolon-delimited list (e.g., role1;role2).

Architecture and Security Recommendations

This authenticator relies on HTTP headers that can be spoofed by a malicious client. To protect against this, an authenticating proxy should be placed in front of Jupyterhub. The JupyterHub daemon should only be accessible from the proxy and never directly accessible by a client.

The authenticating proxy should remove any HTTP headers from incoming requests and only apply headers to proxied requests that have been properly authenticated.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

crc_jupyter_auth-1.0.6.tar.gz (16.4 kB view details)

Uploaded Source

Built Distribution

crc_jupyter_auth-1.0.6-py3-none-any.whl (17.3 kB view details)

Uploaded Python 3

File details

Details for the file crc_jupyter_auth-1.0.6.tar.gz.

File metadata

  • Download URL: crc_jupyter_auth-1.0.6.tar.gz
  • Upload date:
  • Size: 16.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.6

File hashes

Hashes for crc_jupyter_auth-1.0.6.tar.gz
Algorithm Hash digest
SHA256 fc7ab8b7684198133f0dea7f9adc322f2ed035d3514afc9225bc3bf1f83b92e3
MD5 911f8ddb288e66255f8c07b0045b5079
BLAKE2b-256 57caa1c0fe07340b5c97b3a382e4e69eded46d119e95c671656749f385f12aa1

See more details on using hashes here.

File details

Details for the file crc_jupyter_auth-1.0.6-py3-none-any.whl.

File metadata

File hashes

Hashes for crc_jupyter_auth-1.0.6-py3-none-any.whl
Algorithm Hash digest
SHA256 ed2a87753f04fe9edfb659b5a98fa6267a236aa8a245ba0cc2f224f7ef280978
MD5 500cf698837f52fb3aca3ce2a1bb8d6a
BLAKE2b-256 9574fd1ac7f04e7a61f94a448113fc69f146566adb144748e4e995554bb46a98

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page