zero-to-jupyterhub-k8s
zero-to-jupyterhub-k8s copied to clipboard
jupyterhub
Document use of Native authenticator
Document use of Native authenticator
@leportella have made the Native authenticator as described in her blog post about it.
I think this is a very useful authenticator that is far easier to get started with in some scenarios. For example, consider a class instructor that wants to provide access specifically for their students but not all of the university or similar. In my case I wanted to provide access for my school but not all of the 100+ schools at one time during a school event.
Document use of Native authenticator
PR Work to be done
- Document how to configure the use of the nativeauthenticator
- Document that it could be a bit complicated to transition to a new authenticator without loosing previous user storage etc.
- If using this at first means you get a lot of users, they will get storage related to their username, if later you switch to another authenticator you will get a new username so new storage. There is no easy fix to migrate this.
- Warn about the need for HTTPS
- Setting this up without HTTPS would expose passwords to be communicated in the air over the internet, using a public WIFI and someone sniffing has the password for example. While you may say "well their work won't be sensitive" or so, it can be the same credential/password used for other services so it is actually a big deal to leak passwords even though it is for a dummy service.
- Warn about being responsible for a database containing hashed passwords
- If a list of hashed passwords are exposed, you can figure out what password that led to the hash by brute force if you try to hash enough passwords to find a match. So, this is also a way for passwords to leak, mainly if they are short such as only 8-10 symbols or easy to guess by trying all words in a dictionary etc.
- Disclaimer that its recommended to use a external identity provider to not be responsible for these matters.
In my case I just want to do some work with Jupyter and JupyterHub and I have a kubernetes cluster. So although the number of users will be small (in the immediate future, only me), the k8s setup is the most straight forward except for the fact the LDAP or OAuth isn't reasonable. This would be nice to have and while I've looked through the helm chart and JupyterHub to try and figure it out, at least some simple docs to point me in the right direction would be very useful.
Is there anyone having used native authenticator on z2jh? Just trying it out and reporting the situation would be helpful!
Is there anyone having used native authenticator on z2jh? Just trying it out and reporting the situation would be helpful!
NativeAuthenticator is already installed in the hub image: https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/eb3dc95d1d2b251ca99e8a3e47dbc6169cf0f319/images/hub/requirements.txt#L67
All I did was to add the following line under extraConfig in the config.yaml:
hub:
extraConfig: |
c.JupyterHub.authenticator_class = 'nativeauthenticator.NativeAuthenticator'
With that I can use all the functionality of the NativeAuthenticator.
This is the NativeAuthenticator configuration I am currently using,
hub:
config:
JupyterHub:
authenticator_class: nativeauthenticator.NativeAuthenticator
admin_access: false
Authenticator:
admin_users:
- admin1
NativeAuthenticator:
enable_signup: true
minimum_password_length: 10
check_common_password: true
ask_email_on_signup: false
allow_2fa: false
After having played around with the values a bit, I would say that everything works as expected.
Setting this up wasn't very straightforward (for someone who never deployed a JupyterHub before), so I would indeed also love to see a few hints about the NativeAuthenticator in the docs! :wink:
I had to add somethings to extraConfig to make the templates work
extraConfig:
00_nativeauthenticator_templates: |
import os, nativeauthenticator
c.JupyterHub.template_paths = [f"{os.path.dirname(nativeauthenticator.__file__)}/templates/"]
Hi there! I'm interested in using the NativeAuthenticator for a small workshops deployment.
Do I need to backup/setup any other volumes on the Hub pod to keep credentials stored across restarts of the hub container? Or does NativeAuthenticator integrate this with the default hub db?
