Shared Password Authentication#

This documentation covers setting up a hub to have a shared password for login using the Dummy Authenticator for a hub.

For this section, it may be useful to set the following environment variables in your terminal.

export CLUSTER_NAME=cluster_name
export HUB_NAME=hub_name

Use a specific branch of the homepage repository#

The Dummy Authenticator requires presenting the user with a username and password input field, rather than the typical “log in” button. This means we cannot use the default homepage template since this will not provide these input fields. Instead we use a specialised branch of the homepage repo which allows us to have the username and password input fields, along with providing specific info about and for each community: username-and-password-homepage.

In the ${HUB_NAME}.values.yaml file, include the following config.

jupyterhub:
  custom:
    homepage:
      gitRepoBranch: "username-and-password-homepage"
      templateVars: [...]  # These values are as normal

Using a global password#

We only support using a global password with this method of authentication. A global password is simple to distribute to a large group of people for a specific event, such as a workshop, while still locking the hub down from the public which can protect it from cryptomining abuse.

Enable the Dummy Authenticator in the ${HUB_NAME}.values.yaml file with the following config.

jupyterhub:
  hub:
    config:
      JupyterHub:
        authenticator_class: dummy

Then, in a ${HUB_NAME}.secret.values.yaml file, include the password.

jupyterhub:
  hub:
    config:
      DummyAuthenticator:
        password: <password>

You can then encrypt the password using the below sops command.

sops --output config/clusters/${CLUSTER_NAME}/enc-${HUB_NAME}.secret.values.yaml -e config/clusters/${CLUSTER_NAME}/${HUB_NAME}.secret.values.yaml

Ensure both these files are listed in the related cluster.yaml file.

[...]
hubs:
  - name: ...
    display_name: ...
    domain: ...
    helm_chart: ...
    helm_chart_values_files:
      - ${HUB_NAME}.values.yaml
      - enc-${HUB_NAME}.secret.values.yaml

How the community should request changing the password#

If the community wishes to change the global password, they should do so by submitting a ticket the support team.

Disabling admin users#

Since using the Dummy Authenticator will allow any username with the correct password to login, this opens scope for a user to login with an admin username and gain admin rights. Hence, we disable all admins on the hub to prevent this. We do this by not providing anything to jupyterhub.hub.config.Authenticator.admin_users.

However if the hub is sharing config with another, e.g. via a common.values.yaml file, you may need to explicitly disable admin users with the following config in the ${HUB_NAME}.values.yaml file.

jupyterhub:
  hub:
    config:
      Authenticator:
        admin_users: []

Disabling the configurator#

For the same reason as above, we also need to disable the configurator as this is an admin-only feature.

jupyterhub:
  custom:
    jupyterhubConfigurator:
      enabled: false