Restrict profile options based on JupyterHub groups (or GitHub teams)#
Warning
This is currently only functional for GitHub authentication with GitHubOAuthenticator
,
and the earthscope hub is special cased. This will be more generally available once
group management is broadly available
on OAuthenticator.
Communities often want to selectively grant access to resources based on what groups a user belongs to. The most common example being restricted access to GPUs, really large resource allocations or the ability to specify arbitrary images to launch.
We override the profile_list
feature of KubeSpawner to be able to restrict specific profiles or profile options
to only be available to users who belong to specific JupyterHub groups (or in the
case of using GitHub authentication, GitHub teams).
The allowed_groups
configuration#
The key allowed_groups
can be set under:
Any Profile - the first level of options shown in the profile selection screen to the user, selectable via radio buttons.
Any Profile Option Choice - the second level of options shown in the profile selection screen to the user, selectable via dropdown box.
Any Profile Option Unlisted Choice - the optional way for end users to write in an arbitrary value to be used, often for selecting the image to be run, instead of selecting one of the pre-determined values.
It can contain a list of JupyterHub group names. These are determined either via the JupyterHub admin interface or provided externally via the authentication provider (see below for how the group names look like)
If allowed_groups
is not set, that profile, profile option choice or unlisted choice, will be visible and available to everyone who can log in to the hub/
So to restrict a profile, profile option choice or unlisted choice to a specific set
of users, put a allowed_groups
config under whatever you want to restrict, and list
the groups that should be allowed access. Everyone else will not see that option,
and members of that group will.
Now let’s look at some examples.
Example 1: Restrict an entire profile#
Let’s say a community wants to restrict a Matlab profile only to a select few
users, but their python environment be available to everyone. And they are using GitHub as their
authentication provider, with GitHubOAuthenticator
.
We would have a profileList
like this:
- display_name: Python
description: Python datascience environment
default: true
kubespawner_override:
image: python-image:tag
profile_options: &profile_options
requests: &profile_options_resource_allocation
display_name: Resource Allocation
choices:
mem_1_9:
display_name: 1.9 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 1991244775
mem_limit: 1991244775
cpu_guarantee: 0.2328125
cpu_limit: 3.725
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
default: true
mem_3_7:
display_name: 3.7 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 3982489550
mem_limit: 3982489550
cpu_guarantee: 0.465625
cpu_limit: 3.725
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
mem_7_4:
display_name: 7.4 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 7964979101
mem_limit: 7964979101
cpu_guarantee: 0.93125
cpu_limit: 3.725
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
- display_name: Matlab
description: Matlab environment
allowed_groups:
- 2i2c-org:hub-access-for-2i2c-staff
- organization:matlab-access
kubespawner_override:
image: matlab-image:tag
profile_options: *profile_options
The Python
profile does not have an allowed_groups
set, so everyone who can
log in to the hub can use that. The Matlab
profile has an allowed_groups
set,
and allows two groups - one specifically for 2i2c staff members, and another for
those the community has added to a matlab-access
team inside their GitHub org.
Example 2: Restrict a particular profile_option
choice#
Now let’s say the community wants to restrict only users who are members of a
large-compute
team to access the 7.4 GB RAM, upto 3.7 CPUs
and
3.7 GB RAM, upto 3.7 CPUs
profile option.
- display_name: Python
description: Python datascience environment
default: true
kubespawner_override:
image: python-image:tag
profile_options: &profile_options
requests: &profile_options_resource_allocation
display_name: Resource Allocation
choices:
mem_1_9:
display_name: 1.9 GB RAM, upto 3.7 CPUs
kubespawner_override:
mem_guarantee: 1991244775
mem_limit: 1991244775
cpu_guarantee: 0.2328125
cpu_limit: 3.725
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
default: true
mem_3_7:
display_name: 3.7 GB RAM, upto 3.7 CPUs
allowed_groups:
- 2i2c-org:hub-access-for-2i2c-staff
- organization:large-compute
kubespawner_override:
mem_guarantee: 3982489550
mem_limit: 3982489550
cpu_guarantee: 0.465625
cpu_limit: 3.725
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
mem_7_4:
display_name: 7.4 GB RAM, upto 3.7 CPUs
allowed_groups:
- 2i2c-org:hub-access-for-2i2c-staff
- organization:large-compute
kubespawner_override:
mem_guarantee: 7964979101
mem_limit: 7964979101
cpu_guarantee: 0.93125
cpu_limit: 3.725
node_selector:
node.kubernetes.io/instance-type: r5.xlarge
- display_name: Matlab
description: Matlab environment
allowed_groups:
- 2i2c-org:hub-access-for-2i2c-staff
- organization:matlab-access
kubespawner_override:
image: matlab-image:tag
profile_options: *profile_options
Since this adds on from the previous example, it’ll have the following behavior:
Everyone can see and use the Python profile
Only members of the team
matlab-access
(and 2i2c staff) can see theMatlab
profile.Only members of the team
large-compute
can see the two larger dropdown items. Thisprofile_option
is the same for both python and matlab, so this behavior is repeated for both of them.So only people who are members of both
matlab-access
andlarge-compute
can see the larger dropdown options for the Matlab profile.
Enabling externally managed groups for GitHubOAuthenticator
#
For hubs using GitHubOAuthenticator
, groups (for the purposes of this feature alone)
are of the form <github-org-name>:<github-team-name>
.
The following extra config is also required to enable this feature.
jupyterhub:
hub:
config:
Authenticator:
enable_auth_state: true
GitHubOAuthenticator:
populate_teams_in_auth_state: true
Note
GitHubOAuthenticator is currently special cased in our code, until
this PR is merged
and deployed. allowed_groups
will treat GitHub team membership as groups,
but other JupyterHub functionality that depends on groups will not.
Enabling access for 2i2c engineers#
All 2i2c engineers are part of the GitHub team 2i2c-org:hub-access-for-2i2c-staff
, so
every allowed_group
entry should have an explicit mention of that team so 2i2c engineers
can access that option / profile and test it out when needed.
Enabling this feature for other Authenticators#
Currently, the EarthScope hub has this feature enabled via custom overrides. Once this PR is merged and deployed, we can enable this feature for hubs using other Authenticators more generally.