From 88bf4f988c1ffea6f28bd664404a6f53cbfb4032 Mon Sep 17 00:00:00 2001
From: mishaschwartz
Date: Mon, 1 May 2023 12:32:29 -0400
Subject: [PATCH 01/16] jupyter attempt
---
.../jupyterhub_magpie_authenticator.py | 38 ++++++++++++++++++
.../config/magpie/docker-compose-extra.yml | 7 +++-
.../config/magpie/providers.cfg.template | 15 +++++++
.../jupyterhub.conf.template | 2 +-
.../config/twitcher/docker-compose-extra.yml | 10 +++++
.../jupyterhub/config/twitcher/web_hooks.py | 40 +++++++++++++++++++
.../jupyterhub/docker-compose-extra.yml | 1 +
.../jupyterhub/jupyterhub_config.py.template | 3 +-
8 files changed, 112 insertions(+), 4 deletions(-)
create mode 100644 birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py
create mode 100644 birdhouse/config/jupyterhub/config/magpie/providers.cfg.template
create mode 100644 birdhouse/config/jupyterhub/config/twitcher/docker-compose-extra.yml
create mode 100644 birdhouse/config/jupyterhub/config/twitcher/web_hooks.py
diff --git a/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py b/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py
new file mode 100644
index 000000000..8aa0c875a
--- /dev/null
+++ b/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py
@@ -0,0 +1,38 @@ +from jupyterhub.handlers import BaseHandler +from jupyterhub.auth import Authenticator +from tornado import gen, web + +# TODO: add this to +# github.com/Ouranosinc/jupyterhub/blob/master/jupyterhub_magpie_authenticator/jupyterhub_magpie_authenticator.py +# and remove this from here once that is updated + + +class MagpieLoginHandler(BaseHandler): + + def get(self): + header_name = self.authenticator.header_name + remote_user = self.request.headers.get(header_name, "") + if remote_user == "": + raise web.HTTPError(401) + + user = self.user_from_username(remote_user) + self.set_login_cookie(user) + next_url = self.get_next_url(user) + self.redirect(next_url) + + +class MagpieAuthenticator(Authenticator): + """ + Accept the authenticated username from the X-REMOTE-USER HTTP header. + """ + header_name = 'X-REMOTE-USER' # header set by twitcher + auto_login = True + + def get_handlers(self, app): + return [ + (r'/login', MagpieLoginHandler), + ] + + @gen.coroutine + def authenticate(self, *args): + raise NotImplementedError() diff --git a/birdhouse/config/jupyterhub/config/magpie/docker-compose-extra.yml b/birdhouse/config/jupyterhub/config/magpie/docker-compose-extra.yml index 1dcb0e24c..927779208 100644 --- a/birdhouse/config/jupyterhub/config/magpie/docker-compose-extra.yml +++ b/birdhouse/config/jupyterhub/config/magpie/docker-compose-extra.yml @@ -1,5 +1,8 @@ version: "3.4" services: + magpie: + volumes: + - ./config/jupyterhub/config/magpie/providers.cfg:${MAGPIE_PROVIDERS_CONFIG_PATH}/jupyter.cfg:ro jupyterhub: - links: - - magpie + volumes: + - ./config/jupyterhub/config/magpie/authenticator:/jupyterhub_magpie_authenticator:ro diff --git a/birdhouse/config/jupyterhub/config/magpie/providers.cfg.template b/birdhouse/config/jupyterhub/config/magpie/providers.cfg.template new file mode 100644 index 000000000..cd7da43d4 --- /dev/null +++ b/birdhouse/config/jupyterhub/config/magpie/providers.cfg.template 
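Review bot: `MagpieLoginHandler.get` logs in whoever is named in the `X-REMOTE-USER` request header, so it is only safe if every route to the hub overwrites or strips that header before the request arrives, and nothing in this file enforces or documents that assumption. The name also reaches `user_from_username` without any `blocked_users` check. I would add a comment on `header_name` such as `# SECURITY: trusted only because the fronting proxy always overwrites this header; the hub must not be reachable by any other path`, and reject blocked names before `set_login_cookie`, e.g. `if remote_user in self.authenticator.blocked_users: raise web.HTTPError(403)`.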
@@ -0,0 +1,15 @@ +providers: + jupyterhub: + url: http://jupyterhub:8000/jupyter + title: Jupyter + public: true + c4i: false + type: api + sync_type: api + hooks: + - type: request + path: .* + target: /opt/birdhouse/src/magpie/hooks/jupyterhub_hooks.py:add_x_remote_user + - type: response + path: .* + target: /opt/birdhouse/src/magpie/hooks/jupyterhub_hooks.py:pass_through_cookie diff --git a/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template b/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template index e7553c5d8..07c213a13 100644 --- a/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template +++ b/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template @@ -1,5 +1,5 @@ location /jupyter/ { - proxy_pass http://${PAVICS_FQDN}:8800/jupyter/; + proxy_pass https://${PAVICS_FQDN_PUBLIC}${TWITCHER_PROTECTED_PATH}/jupyterhub/; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto $real_scheme; diff --git a/birdhouse/config/jupyterhub/config/twitcher/docker-compose-extra.yml b/birdhouse/config/jupyterhub/config/twitcher/docker-compose-extra.yml new file mode 100644 index 000000000..38885ed6c --- /dev/null +++ b/birdhouse/config/jupyterhub/config/twitcher/docker-compose-extra.yml @@ -0,0 +1,10 @@ +version: "3.4" + +services: + # extend twitcher with MagpieAdapter hooks employed for weaver proxied requests + twitcher: + volumes: + # NOTE: MagpieAdapter hooks are defined within Magpie config, but it is actually Twitcher proxy that runs them + # target mount location depends on main docker-compose 'MAGPIE_PROVIDERS_CONFIG_PATH' environment variable + - ./config/jupyterhub/config/magpie/providers.cfg:/opt/birdhouse/src/magpie/config/jupyterhub_providers.cfg:ro + - ./config/jupyterhub/config/twitcher/web_hooks.py:/opt/birdhouse/src/magpie/hooks/jupyterhub_hooks.py:ro 
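Review bot: The new `proxy_pass https://${PAVICS_FQDN_PUBLIC}${TWITCHER_PROTECTED_PATH}/jupyterhub/;` sends the upstream leg over TLS, but nginx does not verify an upstream certificate unless told to, so the proxy will accept whatever host answers for that name. If this hop stays on HTTPS, add `proxy_ssl_verify on;`, `proxy_ssl_server_name on;` and a `proxy_ssl_trusted_certificate` pointing at the deployment's CA bundle; otherwise target Twitcher over the internal network instead. The same applies to the `location = /secure-jupyter-auth` block added in PATCH 03/16, where the unverified upstream is the one making the authorization decision.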
diff --git a/birdhouse/config/jupyterhub/config/twitcher/web_hooks.py b/birdhouse/config/jupyterhub/config/twitcher/web_hooks.py new file mode 100644 index 000000000..4c882856c --- /dev/null +++ b/birdhouse/config/jupyterhub/config/twitcher/web_hooks.py @@ -0,0 +1,40 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +""" +These hooks will be running within Twitcher, using MagpieAdapter context, applied for Jupyterhub requests. + +The code below can make use of any package that is installed by Magpie/Twitcher. + +.. seealso:: + Documentation about Magpie/Twitcher request/response hooks is available here: + https://pavics-magpie.readthedocs.io/en/latest/configuration.html#service-hooks +""" + +from typing import TYPE_CHECKING +from magpie.utils import get_header, get_logger + +if TYPE_CHECKING: + from pyramid.request import Request, Response + + +LOGGER = get_logger("birdhouse-jupyterhub-hooks") + + +def add_x_remote_user(request): + # type: (Request) -> Request + """ + Apply the ``X-REMOTE-USER`` header for identifying the logged-in user. + """ + if request.user: + user_name = request.user.user_name + LOGGER.debug(f"X-REMOTE-USER header set to {user_name}") + request.headers["X-REMOTE-USER"] = user_name + return request + + +def pass_through_cookie(response): + # type: (Response) -> Response + """ + Pass the cookie set by jupyterhub through twitcher to the browser session. + """ + pass \ No newline at end of file diff --git a/birdhouse/config/jupyterhub/docker-compose-extra.yml b/birdhouse/config/jupyterhub/docker-compose-extra.yml index bc608b0bd..fb12e548a 100644 --- a/birdhouse/config/jupyterhub/docker-compose-extra.yml +++ b/birdhouse/config/jupyterhub/docker-compose-extra.yml 
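Review bot: `add_x_remote_user` writes `X-REMOTE-USER` only when `request.user` is set, so on a request without a logged-in user any `X-REMOTE-USER` value already present in the incoming headers is forwarded unchanged to JupyterHub, whose login handler in this commit trusts that header. Clear the header unconditionally before the check, e.g. `request.headers.pop("X-REMOTE-USER", None)` placed above `if request.user:`. Separately, `pass_through_cookie` is annotated as returning `Response` but its body is `pass`, so it returns `None`; `return response` would keep the hook chain intact until the cookie logic is written. `get_header` is imported and never used.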
@@ -27,6 +27,7 @@ services: JUPYTER_GOOGLE_DRIVE_SETTINGS: ${JUPYTER_GOOGLE_DRIVE_SETTINGS} JUPYTERHUB_README: ${JUPYTERHUB_README} MOUNT_IMAGE_SPECIFIC_NOTEBOOKS: ${MOUNT_IMAGE_SPECIFIC_NOTEBOOKS} + PYTHONPATH: /jupyterhub_magpie_authenticator # TODO: remove this when github.com/Ouranosinc/jupyterhub is updated volumes: - ./config/jupyterhub/jupyterhub_config.py:/srv/jupyterhub/jupyterhub_config.py:ro - ./config/jupyterhub/custom_templates:/custom_templates:ro diff --git a/birdhouse/config/jupyterhub/jupyterhub_config.py.template b/birdhouse/config/jupyterhub/jupyterhub_config.py.template index 00b163915..e9686474b 100644 --- a/birdhouse/config/jupyterhub/jupyterhub_config.py.template +++ b/birdhouse/config/jupyterhub/jupyterhub_config.py.template @@ -9,13 +9,14 @@ c = get_config() # noqa # can be called directy without import because injecte c.JupyterHub.bind_url = 'http://:8000/jupyter' +c.JupyterHub.subdomain_host = "${PAVICS_FQDN}" + ## Whether to shutdown single-user servers when the Hub shuts down. c.JupyterHub.cleanup_servers = False c.JupyterHub.hub_ip = 'jupyterhub' c.JupyterHub.authenticator_class = 'jupyterhub_magpie_authenticator.MagpieAuthenticator' -c.MagpieAuthenticator.magpie_url = "http://magpie:2001" c.JupyterHub.cookie_secret_file = '/persist/jupyterhub_cookie_secret' c.JupyterHub.db_url = '/persist/jupyterhub.sqlite' From 5f63070b38b32c87372aeee8d2c9cc5ffc8a093d Mon Sep 17 00:00:00 2001 From: mishaschwartz Date: Fri, 2 Jun 2023 13:55:05 -0400 Subject: [PATCH 02/16] add permissions to all-public-access --- .../config/jupyterhub/docker-compose-extra.yml | 5 +++++ .../all-public-access/config/jupyterhub/permissions.cfg | 9 +++++++++ 2 files changed, 14 insertions(+) create mode 100644 birdhouse/optional-components/all-public-access/config/jupyterhub/docker-compose-extra.yml create mode 100644 birdhouse/optional-components/all-public-access/config/jupyterhub/permissions.cfg 
diff --git a/birdhouse/optional-components/all-public-access/config/jupyterhub/docker-compose-extra.yml b/birdhouse/optional-components/all-public-access/config/jupyterhub/docker-compose-extra.yml new file mode 100644 index 000000000..27310eeef --- /dev/null +++ b/birdhouse/optional-components/all-public-access/config/jupyterhub/docker-compose-extra.yml @@ -0,0 +1,5 @@ +version: "3.4" +services: + magpie: + volumes: + - ./optional-components/all-public-access/config/jupyterhub/permissions.cfg:${MAGPIE_PERMISSIONS_CONFIG_PATH}/all-public-access-jupyterhub-permissions.cfg:ro diff --git a/birdhouse/optional-components/all-public-access/config/jupyterhub/permissions.cfg b/birdhouse/optional-components/all-public-access/config/jupyterhub/permissions.cfg new file mode 100644 index 000000000..c40e2ee1d --- /dev/null +++ b/birdhouse/optional-components/all-public-access/config/jupyterhub/permissions.cfg @@ -0,0 +1,9 @@ +permissions: + - service: jupyterhub + permission: read + group: anonymous + action: create + - service: jupyterhub + permission: write + group: anonymous + action: create From 1474cfa5585f626885277cb5e0d551cde4777cb7 Mon Sep 17 00:00:00 2001 From: mishaschwartz Date: Fri, 2 Jun 2023 14:58:59 -0400 Subject: [PATCH 03/16] user twitcher verify path for auth --- .../config/magpie/providers.cfg.template | 11 ++--- .../jupyterhub.conf.template | 20 +++++++++- .../config/twitcher/docker-compose-extra.yml | 10 ----- .../jupyterhub/config/twitcher/web_hooks.py | 40 ------------------- .../jupyterhub/jupyterhub_config.py.template | 2 - 5 files changed, 22 insertions(+), 61 deletions(-) delete mode 100644 birdhouse/config/jupyterhub/config/twitcher/docker-compose-extra.yml delete mode 100644 birdhouse/config/jupyterhub/config/twitcher/web_hooks.py diff --git a/birdhouse/config/jupyterhub/config/magpie/providers.cfg.template b/birdhouse/config/jupyterhub/config/magpie/providers.cfg.template index cd7da43d4..f768d7837 100644 
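Review bot: `permissions.cfg` grants the `anonymous` group both `read` and `write` on the whole `jupyterhub` service, and neither this file nor the compose fragment explains why unauthenticated requests need `write`. A header comment would help operators who enable this optional component, for example `# SECURITY: opens the jupyterhub service to the anonymous group (read and write); enable only when the hub's own login is the intended gate`. If `read` alone is enough for the intended flow, dropping the `write` entry keeps the grant narrower; that cannot be determined from this hunk.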
--- a/birdhouse/config/jupyterhub/config/magpie/providers.cfg.template +++ b/birdhouse/config/jupyterhub/config/magpie/providers.cfg.template @@ -1,15 +1,10 @@ providers: jupyterhub: - url: http://jupyterhub:8000/jupyter + # below URL is only used to fill in the required location in Magpie + # actual auth validation is performed with Twitcher 'verify' endpoint without accessing this proxied URL + url: http://proxy:80 title: Jupyter public: true c4i: false type: api sync_type: api - hooks: - - type: request - path: .* - target: /opt/birdhouse/src/magpie/hooks/jupyterhub_hooks.py:add_x_remote_user - - type: response - path: .* - target: /opt/birdhouse/src/magpie/hooks/jupyterhub_hooks.py:pass_through_cookie diff --git a/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template b/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template index 07c213a13..c8e30fea1 100644 --- a/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template +++ b/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template @@ -1,5 +1,8 @@ location /jupyter/ { - proxy_pass https://${PAVICS_FQDN_PUBLIC}${TWITCHER_PROTECTED_PATH}/jupyterhub/; + auth_request /secure-jupyter-auth; + auth_request_set $auth_status $upstream_status; + + proxy_pass http://${PAVICS_FQDN}:8800/jupyter/; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto $real_scheme; 
@@ -9,3 +12,18 @@ proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } + + location = /secure-jupyter-auth { + internal; + # note: using 'TWITCHER_VERIFY_PATH' path to avoid performing the request via 'proxy' endpoint + # This ensures that the data access is validated for the user, but does not trigger its access twice. + # Also, avoids getting an error as 'jupyterhub' private URL in Magpie doesn't resolve to a valid path. + proxy_pass https://${PAVICS_FQDN_PUBLIC}${TWITCHER_VERIFY_PATH}/jupyterhub$request_uri; + proxy_pass_request_body off; + proxy_set_header Host $host; + proxy_set_header Content-Length ""; + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Forwarded-Proto $real_scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host:$server_port; + } \ No newline at end of file diff --git a/birdhouse/config/jupyterhub/config/twitcher/docker-compose-extra.yml b/birdhouse/config/jupyterhub/config/twitcher/docker-compose-extra.yml deleted file mode 100644 index 38885ed6c..000000000 --- a/birdhouse/config/jupyterhub/config/twitcher/docker-compose-extra.yml +++ /dev/null @@ -1,10 +0,0 @@ -version: "3.4" - -services: - # extend twitcher with MagpieAdapter hooks employed for weaver proxied requests - twitcher: - volumes: - # NOTE: MagpieAdapter hooks are defined within Magpie config, but it is actually Twitcher proxy that runs them - # target mount location depends on main docker-compose 'MAGPIE_PROVIDERS_CONFIG_PATH' environment variable - - ./config/jupyterhub/config/magpie/providers.cfg:/opt/birdhouse/src/magpie/config/jupyterhub_providers.cfg:ro - - ./config/jupyterhub/config/twitcher/web_hooks.py:/opt/birdhouse/src/magpie/hooks/jupyterhub_hooks.py:ro diff --git a/birdhouse/config/jupyterhub/config/twitcher/web_hooks.py b/birdhouse/config/jupyterhub/config/twitcher/web_hooks.py deleted file mode 100644 index 4c882856c..000000000 
--- a/birdhouse/config/jupyterhub/config/twitcher/web_hooks.py +++ /dev/null @@ -1,40 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- -""" -These hooks will be running within Twitcher, using MagpieAdapter context, applied for Jupyterhub requests. - -The code below can make use of any package that is installed by Magpie/Twitcher. - -.. seealso:: - Documentation about Magpie/Twitcher request/response hooks is available here: - https://pavics-magpie.readthedocs.io/en/latest/configuration.html#service-hooks -""" - -from typing import TYPE_CHECKING -from magpie.utils import get_header, get_logger - -if TYPE_CHECKING: - from pyramid.request import Request, Response - - -LOGGER = get_logger("birdhouse-jupyterhub-hooks") - - -def add_x_remote_user(request): - # type: (Request) -> Request - """ - Apply the ``X-REMOTE-USER`` header for identifying the logged-in user. - """ - if request.user: - user_name = request.user.user_name - LOGGER.debug(f"X-REMOTE-USER header set to {user_name}") - request.headers["X-REMOTE-USER"] = user_name - return request - - -def pass_through_cookie(response): - # type: (Response) -> Response - """ - Pass the cookie set by jupyterhub through twitcher to the browser session. - """ - pass \ No newline at end of file diff --git a/birdhouse/config/jupyterhub/jupyterhub_config.py.template b/birdhouse/config/jupyterhub/jupyterhub_config.py.template index e9686474b..5aef47811 100644 --- a/birdhouse/config/jupyterhub/jupyterhub_config.py.template +++ b/birdhouse/config/jupyterhub/jupyterhub_config.py.template @@ -9,8 +9,6 @@ c = get_config() # noqa # can be called directy without import because injecte c.JupyterHub.bind_url = 'http://:8000/jupyter' -c.JupyterHub.subdomain_host = "${PAVICS_FQDN}" - ## Whether to shutdown single-user servers when the Hub shuts down. c.JupyterHub.cleanup_servers = False From 8ef780f285cbca2c493928f105a33c3467ba7b27 Mon Sep 17 00:00:00 2001 
From: mishaschwartz Date: Fri, 2 Jun 2023 15:14:01 -0400 Subject: [PATCH 04/16] get current user from magpie --- birdhouse/config/jupyterhub/.gitignore | 1 + .../jupyterhub_magpie_authenticator.py | 17 +++++++++++++---- .../jupyterhub/jupyterhub_config.py.template | 1 + 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/birdhouse/config/jupyterhub/.gitignore b/birdhouse/config/jupyterhub/.gitignore index 439c8b34b..b0c8ebb93 100644 --- a/birdhouse/config/jupyterhub/.gitignore +++ b/birdhouse/config/jupyterhub/.gitignore @@ -2,6 +2,7 @@ custom_templates/login.html jupyterhub_config.py config/proxy/conf.extra-service.d/jupyterhub.conf config/canarie-api/canarie_api_monitoring.py +config/magpie/providers.cfg # Old paths. Keep these so that old config files remain uncommittable after updates. jupyterhub_canarie_api_monitoring.py diff --git a/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py b/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py index 8aa0c875a..6a90b8480 100644 --- a/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py +++ b/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py @@ -1,6 +1,8 @@ +from traitlets import Unicode from jupyterhub.handlers import BaseHandler from jupyterhub.auth import Authenticator from tornado import gen, web +import requests # TODO: add this to # github.com/Ouranosinc/jupyterhub/blob/master/jupyterhub_magpie_authenticator/jupyterhub_magpie_authenticator.py 
@@ -10,9 +12,12 @@ class MagpieLoginHandler(BaseHandler): def get(self): - header_name = self.authenticator.header_name - remote_user = self.request.headers.get(header_name, "") - if remote_user == "": + cookies = {key: morsel.coded_value for key, morsel in self.request.cookies.items()} + + response = requests.get(self.authenticator.magpie_url.rstrip("/") + '/users/current', cookies=cookies) + remote_user = response.json().get("user", {}).get("user_name") + + if not remote_user or remote_user in self.authenticator.blocked_users: raise web.HTTPError(401) user = self.user_from_username(remote_user) @@ -25,7 +30,11 @@ class MagpieAuthenticator(Authenticator): """ Accept the authenticated username from the X-REMOTE-USER HTTP header. """ - header_name = 'X-REMOTE-USER' # header set by twitcher + magpie_url = Unicode( + default_value="https://www.example.com/magpie", + config=True, + help="Magpie endpoint to signin to" + ) auto_login = True def get_handlers(self, app): diff --git a/birdhouse/config/jupyterhub/jupyterhub_config.py.template b/birdhouse/config/jupyterhub/jupyterhub_config.py.template index 5aef47811..00b163915 100644 --- a/birdhouse/config/jupyterhub/jupyterhub_config.py.template +++ b/birdhouse/config/jupyterhub/jupyterhub_config.py.template @@ -15,6 +15,7 @@ c.JupyterHub.cleanup_servers = False c.JupyterHub.hub_ip = 'jupyterhub' c.JupyterHub.authenticator_class = 'jupyterhub_magpie_authenticator.MagpieAuthenticator' +c.MagpieAuthenticator.magpie_url = "http://magpie:2001" c.JupyterHub.cookie_secret_file = '/persist/jupyterhub_cookie_secret' c.JupyterHub.db_url = '/persist/jupyterhub.sqlite' From 4165c8e86b189687f2a85bea20b57d330e802adc Mon Sep 17 00:00:00 2001 
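Review bot: `response.json().get("user", {}).get("user_name")` is used without checking `response.ok`, and any non-empty name it yields is logged in; if Magpie answers `/users/current` for a request without a session with its anonymous account (worth confirming against the deployed Magpie version), that name passes the `not remote_user` test and receives a hub cookie. Check the status first and refuse the anonymous name explicitly, e.g. `if not response.ok: raise web.HTTPError(401)` before parsing the body. The `requests.get` call also has no `timeout=` and runs synchronously inside the Tornado handler, so a slow Magpie stalls the hub for every user; the `requests.post` and `requests.get` calls added in PATCH 05/16 to 07/16 have the same shape. The body of `get` continues past the end of this hunk.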
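Review bot: The class docstring kept as context in the `@@ -25,7 +30,11 @@` hunk still says the username comes from the `X-REMOTE-USER` header, which this commit stops reading. Replace it with something like `"""Log the user in from the Magpie session cookie via GET <magpie_url>/users/current."""`. I would also drop the `https://www.example.com/magpie` default on `magpie_url`, so that a missing setting fails at start-up instead of sending the browser's session cookies to a placeholder host.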
From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Fri, 14 Jul 2023 14:50:41 -0400 Subject: [PATCH 05/16] set magpie cookies when logging in --- CHANGES.md | 6 +- .../jupyterhub_magpie_authenticator.py | 60 +++++++++---------- .../jupyterhub/jupyterhub_config.py.template | 1 + 3 files changed, 36 insertions(+), 31 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 6bb3c7265..0d8065d55 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -15,7 +15,11 @@ [Unreleased](https://github.com/bird-house/birdhouse-deploy/tree/master) (latest) ------------------------------------------------------------------------------------------------------------------ -[//]: # (list changes here, using '-' for each new entry, remove this when items are added) +## Changes +- Protect jupyterhub behind twitcher authentication + + Also sets magpie cookies whenever a user logs in through jupyterhub so that they are automatically logged in through + magpie as well. [1.27.1](https://github.com/bird-house/birdhouse-deploy/tree/1.27.1) (2023-07-10) ------------------------------------------------------------------------------------------------------------------ diff --git a/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py b/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py index 6a90b8480..cf1468bf2 100644 --- a/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py +++ b/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py 
@@ -1,47 +1,47 @@ from traitlets import Unicode -from jupyterhub.handlers import BaseHandler from jupyterhub.auth import Authenticator -from tornado import gen, web +from tornado import gen import requests # TODO: add this to # github.com/Ouranosinc/jupyterhub/blob/master/jupyterhub_magpie_authenticator/jupyterhub_magpie_authenticator.py # and remove this from here once that is updated - -class MagpieLoginHandler(BaseHandler): - - def get(self): - cookies = {key: morsel.coded_value for key, morsel in self.request.cookies.items()} - - response = requests.get(self.authenticator.magpie_url.rstrip("/") + '/users/current', cookies=cookies) - remote_user = response.json().get("user", {}).get("user_name") - - if not remote_user or remote_user in self.authenticator.blocked_users: - raise web.HTTPError(401) - - user = self.user_from_username(remote_user) - self.set_login_cookie(user) - next_url = self.get_next_url(user) - self.redirect(next_url) - - class MagpieAuthenticator(Authenticator): + """Authenticate to JupyterHub using Magpie. + + To use this authenticator, set the following parameters in the `jupyterhub_config.py` file: + - c.JupyterHub.authenticator_class = 'jupyterhub_magpie_authenticator.MagpieAuthenticator' + - c.MagpieAuthenticator.magpie_url = "https://www.example.com/magpie" """ - Accept the authenticated username from the X-REMOTE-USER HTTP header. - """ + default_provider = "ziggurat" magpie_url = Unicode( default_value="https://www.example.com/magpie", config=True, help="Magpie endpoint to signin to" ) - auto_login = True - - def get_handlers(self, app): - return [ - (r'/login', MagpieLoginHandler), - ] + public_fqdn = Unicode( + config=True, + help="Public fully qualified domain name. Used to set the magpie login cookie." 
+ ) @gen.coroutine - def authenticate(self, *args): - raise NotImplementedError() + def authenticate(self, handler, data): + signin_url = self.magpie_url.rstrip('/') + '/signin' + + post_data = { + "user_name": data["username"], + "password": data["password"], + "provider_name": self.default_provider, + } + response = requests.post(signin_url, data=post_data) + + if response.ok: + for cookie in response.cookies: + handler.set_cookie(name=cookie.name, + value=cookie.value, + domain=self.public_fqdn, + expires=cookie.expires, + path=cookie.path, + secure=cookie.secure) + return data['username'] diff --git a/birdhouse/config/jupyterhub/jupyterhub_config.py.template b/birdhouse/config/jupyterhub/jupyterhub_config.py.template index 4eb0ec5e3..c0fad2ca3 100644 --- a/birdhouse/config/jupyterhub/jupyterhub_config.py.template +++ b/birdhouse/config/jupyterhub/jupyterhub_config.py.template @@ -16,6 +16,7 @@ c.JupyterHub.hub_ip = 'jupyterhub' c.JupyterHub.authenticator_class = 'jupyterhub_magpie_authenticator.MagpieAuthenticator' c.MagpieAuthenticator.magpie_url = "http://magpie:2001" +c.MagpieAuthenticator.public_fqdn = "${PAVICS_FQDN_PUBLIC}" c.JupyterHub.cookie_secret_file = '/persist/jupyterhub_cookie_secret' c.JupyterHub.db_url = '/persist/jupyterhub.sqlite' From 292004a189a494106bf12f08e67f5151aeaa6df7 Mon Sep 17 00:00:00 2001 From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Mon, 24 Jul 2023 14:00:21 -0400 Subject: [PATCH 06/16] logout from magpie on jupyterhub logout --- .../jupyterhub_magpie_authenticator.py | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py b/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py index cf1468bf2..5fb0931a2 100644 --- a/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py 
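Review bot: The loop that copies Magpie's cookies onto the hub response passes only name, value, domain, expires, path and secure, so an `HttpOnly` or `SameSite` attribute on the Magpie session cookie is lost and the re-issued cookie becomes readable from script running in pages served under the same domain. Because the sign-in request goes to `magpie_url`, which the config template sets to `http://magpie:2001`, `cookie.secure` may well be false here too. On HTTPS deployments I would pass `httponly=True, secure=True` in the `handler.set_cookie(...)` call rather than mirroring the upstream flags. `authenticate` also returns `data['username']` as typed rather than the name Magpie reports, and falls through to `None` silently on any failure; a `self.log.warning(...)` on the `not response.ok` path would make failed sign-ins and Magpie outages visible.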
+++ b/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py @@ -1,12 +1,20 @@ from traitlets import Unicode from jupyterhub.auth import Authenticator -from tornado import gen +from jupyterhub.handlers.login import LogoutHandler import requests + # TODO: add this to # github.com/Ouranosinc/jupyterhub/blob/master/jupyterhub_magpie_authenticator/jupyterhub_magpie_authenticator.py # and remove this from here once that is updated +class MagpieLogoutHandler(BaseHandler): + async def handle_logout(self): + cookies = {key: morsel.coded_value for key, morsel in self.request.cookies.items()} + signout_url = self.authenticator.magpie_url.rstrip("/") + "/signout" + requests.get(signout_url, cookies=cookies) + + class MagpieAuthenticator(Authenticator): """Authenticate to JupyterHub using Magpie. @@ -25,8 +33,12 @@ class MagpieAuthenticator(Authenticator): help="Public fully qualified domain name. Used to set the magpie login cookie." ) - @gen.coroutine - def authenticate(self, handler, data): + def get_handlers(self, app): + return [ + ('/logout', MagpieLogoutHandler) + ] + + async def authenticate(self, handler, data): signin_url = self.magpie_url.rstrip('/') + '/signin' post_data = { From 0453561db8924d292d8390f779980d5953f1e30d Mon Sep 17 00:00:00 2001 From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Tue, 25 Jul 2023 11:01:28 -0400 Subject: [PATCH 07/16] fix logout from magpie --- .../authenticator/jupyterhub_magpie_authenticator.py | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py b/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py index 5fb0931a2..9dbb9a1cf 100644 --- a/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py +++ b/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py 
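Review bot: `class MagpieLogoutHandler(BaseHandler)` names `BaseHandler`, but the import block visible at the top of this hunk brings in only `Unicode`, `Authenticator`, `LogoutHandler` and `requests`, so the module would raise `NameError` on import and the hub would not start with this commit checked out. PATCH 07/16 switches the base class to `LogoutHandler`; squashing the two keeps every commit in the series loadable.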
@@ -8,11 +8,16 @@ # github.com/Ouranosinc/jupyterhub/blob/master/jupyterhub_magpie_authenticator/jupyterhub_magpie_authenticator.py # and remove this from here once that is updated -class MagpieLogoutHandler(BaseHandler): +class MagpieLogoutHandler(LogoutHandler): + """ + Logout Handler that also logs the user out of magpie when logging out of jupyterhub. + """ async def handle_logout(self): cookies = {key: morsel.coded_value for key, morsel in self.request.cookies.items()} signout_url = self.authenticator.magpie_url.rstrip("/") + "/signout" - requests.get(signout_url, cookies=cookies) + response = requests.get(signout_url, cookies=cookies, headers={"Host": self.authenticator.public_fqdn}) + if response.ok and 'Set-Cookie' in response.headers: + self.set_header("Set-Cookie", response.headers["Set-Cookie"]) class MagpieAuthenticator(Authenticator): From 216f273ed20ec0298b9f3436e73b38e3565faf1a Mon Sep 17 00:00:00 2001 From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Mon, 31 Jul 2023 09:17:23 -0400 Subject: [PATCH 08/16] use updated pavics/jupyterhub image --- .../jupyterhub_magpie_authenticator.py | 64 ------------------- .../config/magpie/docker-compose-extra.yml | 3 - .../jupyterhub.conf.template | 2 +- birdhouse/config/jupyterhub/default.env | 2 +- .../jupyterhub/docker-compose-extra.yml | 1 - 5 files changed, 2 insertions(+), 70 deletions(-) delete mode 100644 birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py diff --git a/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py b/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py deleted file mode 100644 index 9dbb9a1cf..000000000 --- a/birdhouse/config/jupyterhub/config/magpie/authenticator/jupyterhub_magpie_authenticator.py +++ /dev/null 
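Review bot: When the sign-out request raises or Magpie answers with an error, `handle_logout` does nothing, so the user sees a completed hub logout while the Magpie session cookie in the browser remains valid. Log the failure and expire the cookie locally on that path, for instance `self.log.warning("Magpie signout failed: %s", response.status_code)` followed by `self.clear_cookie(<magpie cookie name>, domain=self.authenticator.public_fqdn)`. Copying `response.headers["Set-Cookie"]` through `set_header` is also fragile: `requests` folds repeated `Set-Cookie` headers into one comma-joined value, and `set_header` replaces any `Set-Cookie` header already on the response. Iterating `response.raw.headers.getlist("Set-Cookie")` and calling `self.add_header("Set-Cookie", value)` for each avoids both problems.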
@@ -1,64 +0,0 @@ -from traitlets import Unicode -from jupyterhub.auth import Authenticator -from jupyterhub.handlers.login import LogoutHandler -import requests - - -# TODO: add this to -# github.com/Ouranosinc/jupyterhub/blob/master/jupyterhub_magpie_authenticator/jupyterhub_magpie_authenticator.py -# and remove this from here once that is updated - -class MagpieLogoutHandler(LogoutHandler): - """ - Logout Handler that also logs the user out of magpie when logging out of jupyterhub. - """ - async def handle_logout(self): - cookies = {key: morsel.coded_value for key, morsel in self.request.cookies.items()} - signout_url = self.authenticator.magpie_url.rstrip("/") + "/signout" - response = requests.get(signout_url, cookies=cookies, headers={"Host": self.authenticator.public_fqdn}) - if response.ok and 'Set-Cookie' in response.headers: - self.set_header("Set-Cookie", response.headers["Set-Cookie"]) - - -class MagpieAuthenticator(Authenticator): - """Authenticate to JupyterHub using Magpie. - - To use this authenticator, set the following parameters in the `jupyterhub_config.py` file: - - c.JupyterHub.authenticator_class = 'jupyterhub_magpie_authenticator.MagpieAuthenticator' - - c.MagpieAuthenticator.magpie_url = "https://www.example.com/magpie" - """ - default_provider = "ziggurat" - magpie_url = Unicode( - default_value="https://www.example.com/magpie", - config=True, - help="Magpie endpoint to signin to" - ) - public_fqdn = Unicode( - config=True, - help="Public fully qualified domain name. Used to set the magpie login cookie." 
- ) - - def get_handlers(self, app): - return [ - ('/logout', MagpieLogoutHandler) - ] - - async def authenticate(self, handler, data): - signin_url = self.magpie_url.rstrip('/') + '/signin' - - post_data = { - "user_name": data["username"], - "password": data["password"], - "provider_name": self.default_provider, - } - response = requests.post(signin_url, data=post_data) - - if response.ok: - for cookie in response.cookies: - handler.set_cookie(name=cookie.name, - value=cookie.value, - domain=self.public_fqdn, - expires=cookie.expires, - path=cookie.path, - secure=cookie.secure) - return data['username'] diff --git a/birdhouse/config/jupyterhub/config/magpie/docker-compose-extra.yml b/birdhouse/config/jupyterhub/config/magpie/docker-compose-extra.yml index 927779208..a4ed9524c 100644 --- a/birdhouse/config/jupyterhub/config/magpie/docker-compose-extra.yml +++ b/birdhouse/config/jupyterhub/config/magpie/docker-compose-extra.yml @@ -3,6 +3,3 @@ services: magpie: volumes: - ./config/jupyterhub/config/magpie/providers.cfg:${MAGPIE_PROVIDERS_CONFIG_PATH}/jupyter.cfg:ro - jupyterhub: - volumes: - - ./config/jupyterhub/config/magpie/authenticator:/jupyterhub_magpie_authenticator:ro diff --git a/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template b/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template index c8e30fea1..2c0b8a414 100644 --- a/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template +++ b/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template @@ -26,4 +26,4 @@ proxy_set_header X-Forwarded-Proto $real_scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host:$server_port; - } \ No newline at end of file + } diff --git a/birdhouse/config/jupyterhub/default.env b/birdhouse/config/jupyterhub/default.env index 6bf21f3cb..aea8bdd8a 100644 --- a/birdhouse/config/jupyterhub/default.env 
+++ b/birdhouse/config/jupyterhub/default.env @@ -5,7 +5,7 @@ # are applied and must be added to the list of DELAYED_EVAL. export JUPYTERHUB_DOCKER=pavics/jupyterhub -export JUPYTERHUB_VERSION=1.4.0-20210506 +export JUPYTERHUB_VERSION=4.0.1-20230731 # Jupyter single-user server images, can be overriden in env.local to have a space separated list of multiple images export DOCKER_NOTEBOOK_IMAGES="pavics/workflow-tests:230601" diff --git a/birdhouse/config/jupyterhub/docker-compose-extra.yml b/birdhouse/config/jupyterhub/docker-compose-extra.yml index 3466999a9..538bfb896 100644 --- a/birdhouse/config/jupyterhub/docker-compose-extra.yml +++ b/birdhouse/config/jupyterhub/docker-compose-extra.yml @@ -27,7 +27,6 @@ services: JUPYTER_GOOGLE_DRIVE_SETTINGS: ${JUPYTER_GOOGLE_DRIVE_SETTINGS} JUPYTERHUB_README: ${JUPYTERHUB_README} MOUNT_IMAGE_SPECIFIC_NOTEBOOKS: ${MOUNT_IMAGE_SPECIFIC_NOTEBOOKS} - PYTHONPATH: /jupyterhub_magpie_authenticator # TODO: remove this when github.com/Ouranosinc/jupyterhub is updated USER_WORKSPACE_UID: ${USER_WORKSPACE_UID} USER_WORKSPACE_GID: ${USER_WORKSPACE_GID} volumes: From 9136c82384f86e94ae0f2e409903e2e9876ab669 Mon Sep 17 00:00:00 2001 From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Mon, 31 Jul 2023 10:24:03 -0400 Subject: [PATCH 09/16] update CHANGES.md to include logout info --- CHANGES.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 0d8065d55..6d7cbc81c 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -18,8 +18,8 @@ ## Changes - Protect jupyterhub behind twitcher authentication - Also sets magpie cookies whenever a user logs in through jupyterhub so that they are automatically logged in through - magpie as well. + - Sets magpie cookies whenever a user logs in or out through jupyterhub so that they are automatically logged in + or out through magpie as well. [1.27.1](https://github.com/bird-house/birdhouse-deploy/tree/1.27.1) (2023-07-10) ------------------------------------------------------------------------------------------------------------------ From 4240a27e737f5f2430fb84ce5528c11655c39533 Mon Sep 17 00:00:00 2001 From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Wed, 16 Aug 2023 16:09:50 -0400 Subject: [PATCH 10/16] update tests --- tests/test_read_configs_include.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/test_read_configs_include.py b/tests/test_read_configs_include.py index fcc01c78b..9d96090c7 100644 --- a/tests/test_read_configs_include.py +++ b/tests/test_read_configs_include.py @@ -214,6 +214,7 @@ class TestCreateComposeConfList: "./config/twitcher/config/proxy/docker-compose-extra.yml", "./config/jupyterhub/docker-compose-extra.yml", "./config/jupyterhub/config/canarie-api/docker-compose-extra.yml", + "./config/jupyterhub/config/magpie/docker-compose-extra.yml", "./config/jupyterhub/config/proxy/docker-compose-extra.yml", ] From e1e144372655f5c7e83b5c745177f50d8e780a59 Mon Sep 17 00:00:00 2001 From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Tue, 26 Sep 2023 11:54:19 -0400 Subject: [PATCH 11/16] authorize access to jupyterhub at login time only --- .../jupyterhub.conf.template | 18 ------------------ .../jupyterhub/jupyterhub_config.py.template | 1 + 2 files changed, 1 insertion(+), 18 deletions(-) 
diff --git a/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template b/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template index d87495612..7da931a62 100644 --- a/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template +++ b/birdhouse/config/jupyterhub/config/proxy/conf.extra-service.d/jupyterhub.conf.template @@ -1,7 +1,4 @@ location /jupyter/ { - auth_request /secure-jupyter-auth; - auth_request_set $auth_status $upstream_status; - proxy_pass http://jupyterhub:8000/jupyter/; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; @@ -12,18 +9,3 @@ proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } - - location = /secure-jupyter-auth { - internal; - # note: using 'TWITCHER_VERIFY_PATH' path to avoid performing the request via 'proxy' endpoint - # This ensures that the data access is validated for the user, but does not trigger its access twice. - # Also, avoids getting an error as 'jupyterhub' private URL in Magpie doesn't resolve to a valid path. - proxy_pass https://${PAVICS_FQDN_PUBLIC}${TWITCHER_VERIFY_PATH}/jupyterhub$request_uri; - proxy_pass_request_body off; - proxy_set_header Host $host; - proxy_set_header Content-Length ""; - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto $real_scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host:$server_port; - } diff --git a/birdhouse/config/jupyterhub/jupyterhub_config.py.template b/birdhouse/config/jupyterhub/jupyterhub_config.py.template index 01a34d502..bc3a2e67d 100644 --- a/birdhouse/config/jupyterhub/jupyterhub_config.py.template +++ b/birdhouse/config/jupyterhub/jupyterhub_config.py.template 
@@ -17,6 +17,7 @@ c.JupyterHub.hub_ip = 'jupyterhub' c.JupyterHub.authenticator_class = 'jupyterhub_magpie_authenticator.MagpieAuthenticator' c.MagpieAuthenticator.magpie_url = "http://magpie:2001" c.MagpieAuthenticator.public_fqdn = "${PAVICS_FQDN_PUBLIC}" +c.MagpieAuthenticator.authorization_url = "http://twitcher:8000/ows/verify/jupyterhub" c.JupyterHub.cookie_secret_file = '/persist/jupyterhub_cookie_secret' c.JupyterHub.db_url = '/persist/jupyterhub.sqlite' From e964b8ccfad24dc51b5653c84ddb53d47464c04a Mon Sep 17 00:00:00 2001 From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Mon, 2 Oct 2023 14:42:30 -0400 Subject: [PATCH 12/16] update pavics/jupyterhub version to add new authorization feature --- birdhouse/config/jupyterhub/default.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/birdhouse/config/jupyterhub/default.env b/birdhouse/config/jupyterhub/default.env index c949cff84..78bda398b 100644 --- a/birdhouse/config/jupyterhub/default.env +++ b/birdhouse/config/jupyterhub/default.env @@ -5,7 +5,7 @@ # are applied and must be added to the list of DELAYED_EVAL. export JUPYTERHUB_DOCKER=pavics/jupyterhub -export JUPYTERHUB_VERSION=4.0.2-20230816 +export JUPYTERHUB_VERSION=4.0.2-20231002 # Jupyter single-user server images, can be overriden in env.local to have a space separated list of multiple images export DOCKER_NOTEBOOK_IMAGES="pavics/workflow-tests:230601" From 1e6b98b7882e38bd606dc5770d32ebc4c86aabfb Mon Sep 17 00:00:00 2001 From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Mon, 30 Oct 2023 09:35:25 -0400 Subject: [PATCH 13/16] add toggle for authorization setting --- birdhouse/config/jupyterhub/default.env | 6 ++++++ birdhouse/config/jupyterhub/jupyterhub_config.py.template | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/birdhouse/config/jupyterhub/default.env b/birdhouse/config/jupyterhub/default.env index 78bda398b..d17f5d510 100644 
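Review bot: A permission revoked in Magpie will presumably keep working until the user's existing JupyterHub login expires, because the added `c.MagpieAuthenticator.authorization_url` line moves the Twitcher check to login time while the same commit deletes the per-request `auth_request /secure-jupyter-auth;` from jupyterhub.conf.template. The config template does not mention this, and nothing visible in the hunk bounds how long a login lasts. I would add a comment above the new line, `# Access is checked against Twitcher at login only; revoking it in Magpie does not end an existing hub session.`, and consider setting a shorter `c.JupyterHub.cookie_max_age_days` if revocation has to take effect quickly. The authenticator itself ships in the pavics/jupyterhub image and is not part of this diff, so the exact check cannot be confirmed from here.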
--- a/birdhouse/config/jupyterhub/default.env +++ b/birdhouse/config/jupyterhub/default.env @@ -47,6 +47,11 @@ export JUPYTERHUB_README="" # config/jupyterhub/jupyterhub_config.py.template. export JUPYTERHUB_CONFIG_OVERRIDE="" +# URL used to verify that a logged in user has permission to access Jupyterhub +# To disable this feature, unset this variable. However, disabling this feature is NOT +# recommended as it may permit unauthorized users from accessing jupyterhub. +export JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL='http://twitcher:8000/ows/verify/jupyterhub' + export DELAYED_EVAL=" $DELAYED_EVAL JUPYTERHUB_USER_DATA_DIR @@ -68,6 +73,7 @@ OPTIONAL_VARS=" \$JUPYTERHUB_CONFIG_OVERRIDE \$JUPYTERHUB_DOCKER \$JUPYTERHUB_VERSION + \$JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL " # add any component that this component requires to run diff --git a/birdhouse/config/jupyterhub/jupyterhub_config.py.template b/birdhouse/config/jupyterhub/jupyterhub_config.py.template index bc3a2e67d..5d3fc5462 100644 --- a/birdhouse/config/jupyterhub/jupyterhub_config.py.template +++ b/birdhouse/config/jupyterhub/jupyterhub_config.py.template @@ -17,7 +17,7 @@ c.JupyterHub.hub_ip = 'jupyterhub' c.JupyterHub.authenticator_class = 'jupyterhub_magpie_authenticator.MagpieAuthenticator' c.MagpieAuthenticator.magpie_url = "http://magpie:2001" c.MagpieAuthenticator.public_fqdn = "${PAVICS_FQDN_PUBLIC}" -c.MagpieAuthenticator.authorization_url = "http://twitcher:8000/ows/verify/jupyterhub" +c.MagpieAuthenticator.authorization_url = "${JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL}" c.JupyterHub.cookie_secret_file = '/persist/jupyterhub_cookie_secret' c.JupyterHub.db_url = '/persist/jupyterhub.sqlite' From dcedf803abdb78ab7a1bd25f4d5bf4e661186087 Mon Sep 17 00:00:00 2001 
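Review bot: The documented way to turn the check off is fail-open, and the comment added in default.env does not spell out what that means. With `JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL` unset, the line `c.MagpieAuthenticator.authorization_url = "${JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL}"` in the jupyterhub_config.py.template hunk of this commit presumably renders as an empty string, so an `env.local` that clears or misspells the variable would switch authorization off without any visible signal. I would extend the comment with `# If this is empty, no permission check is made: any user who can sign in to Magpie can log in to JupyterHub.` and correct the wording to `may permit unauthorized users to access jupyterhub`. How the authenticator treats an empty URL is decided in the pavics/jupyterhub image, outside this diff, and should be confirmed there.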
From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Tue, 31 Oct 2023 13:20:38 -0400 Subject: [PATCH 14/16] =?UTF-8?q?Bump=20version:=201.35.2=20=E2=86=92=201.?= =?UTF-8?q?36.0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .bumpversion.cfg | 6 +++--- CHANGES.md | 5 +++++ Makefile | 2 +- README.rst | 8 ++++---- RELEASE.txt | 2 +- .../config/canarie-api/docker_configuration.py.template | 8 ++++---- docs/source/conf.py | 4 ++-- 7 files changed, 20 insertions(+), 15 deletions(-) diff --git a/.bumpversion.cfg b/.bumpversion.cfg index 6a891f405..836041ab5 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,5 +1,5 @@ [bumpversion] -current_version = 1.35.2 +current_version = 1.36.0 commit = True tag = False tag_name = {new_version} @@ -30,11 +30,11 @@ search = {current_version} replace = {new_version} [bumpversion:file:RELEASE.txt] -search = {current_version} 2023-10-24T21:05:12Z +search = {current_version} 2023-10-31T17:20:38Z replace = {new_version} {utcnow:%Y-%m-%dT%H:%M:%SZ} [bumpversion:part:releaseTime] -values = 2023-10-24T21:05:12Z +values = 2023-10-31T17:20:38Z [bumpversion:file(version):birdhouse/config/canarie-api/docker_configuration.py.template] search = 'version': '{current_version}' diff --git a/CHANGES.md b/CHANGES.md index 6273be4ea..6600fbe72 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -17,6 +17,11 @@ [//]: # (list changes here, using '-' for each new entry, remove this when items are added) +[1.36.0](https://github.com/bird-house/birdhouse-deploy/tree/1.36.0) (2023-10-31) +------------------------------------------------------------------------------------------------------------------ + +[//]: # (list changes here, using '-' for each new entry, remove this when items are added) + [1.35.2](https://github.com/bird-house/birdhouse-deploy/tree/1.35.2) (2023-10-24) ------------------------------------------------------------------------------------------------------------------ 
diff --git a/Makefile b/Makefile index 3a0c8b088..825f8f137 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ # Generic variables override SHELL := bash override APP_NAME := birdhouse-deploy -override APP_VERSION := 1.35.2 +override APP_VERSION := 1.36.0 # utility to remove comments after value of an option variable override clean_opt = $(shell echo "$(1)" | $(_SED) -r -e "s/[ '$'\t'']+$$//g") diff --git a/README.rst b/README.rst index 11c624c43..ba7b8295f 100644 --- a/README.rst +++ b/README.rst @@ -14,13 +14,13 @@ for a full-fledged production platform. * - releases - | |latest-version| |commits-since| -.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/1.35.2.svg +.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/1.36.0.svg :alt: Commits since latest release - :target: https://github.com/bird-house/birdhouse-deploy/compare/1.35.2...master + :target: https://github.com/bird-house/birdhouse-deploy/compare/1.36.0...master -.. |latest-version| image:: https://img.shields.io/badge/tag-1.35.2-blue.svg?style=flat +.. |latest-version| image:: https://img.shields.io/badge/tag-1.36.0-blue.svg?style=flat :alt: Latest Tag - :target: https://github.com/bird-house/birdhouse-deploy/tree/1.35.2 + :target: https://github.com/bird-house/birdhouse-deploy/tree/1.36.0 .. |readthedocs| image:: https://readthedocs.org/projects/birdhouse-deploy/badge/?version=latest :alt: ReadTheDocs Build Status (latest version) diff --git a/RELEASE.txt b/RELEASE.txt index ffc626699..a926b272e 100644 --- a/RELEASE.txt +++ b/RELEASE.txt @@ -1 +1 @@ -1.35.2 2023-10-24T21:05:12Z +1.36.0 2023-10-31T17:20:38Z diff --git a/birdhouse/config/canarie-api/docker_configuration.py.template b/birdhouse/config/canarie-api/docker_configuration.py.template index 9c206d08e..f69177adc 100644 --- a/birdhouse/config/canarie-api/docker_configuration.py.template 
+++ b/birdhouse/config/canarie-api/docker_configuration.py.template @@ -109,8 +109,8 @@ SERVICES = { # NOTE: # Below version and release time auto-managed by 'make VERSION=x.y.z bump'. # Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'. - 'version': '1.35.2', - 'releaseTime': '2023-10-24T21:05:12Z', + 'version': '1.36.0', + 'releaseTime': '2023-10-31T17:20:38Z', 'institution': 'Ouranos', 'researchSubject': 'Climatology', 'supportEmail': '${SUPPORT_EMAIL}', @@ -142,8 +142,8 @@ PLATFORMS = { # NOTE: # Below version and release time auto-managed by 'make VERSION=x.y.z bump'. # Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'. - 'version': '1.35.2', - 'releaseTime': '2023-10-24T21:05:12Z', + 'version': '1.36.0', + 'releaseTime': '2023-10-31T17:20:38Z', 'institution': 'Ouranos', 'researchSubject': 'Climatology', 'supportEmail': '${SUPPORT_EMAIL}', diff --git a/docs/source/conf.py b/docs/source/conf.py index 2fb240538..bf10169ba 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -69,9 +69,9 @@ # built documents. # # The short X.Y version. -version = '1.35.2' +version = '1.36.0' # The full version, including alpha/beta/rc tags. -release = '1.35.2' +release = '1.36.0' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. From 532ee8bb454af8f4dfa7e81f882bfe58402afc3b Mon Sep 17 00:00:00 2001 From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Tue, 31 Oct 2023 14:58:05 -0400 Subject: [PATCH 15/16] update changes.md --- CHANGES.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 6600fbe72..fa4d2b30e 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -20,6 +20,14 @@ [1.36.0](https://github.com/bird-house/birdhouse-deploy/tree/1.36.0) (2023-10-31) ------------------------------------------------------------------------------------------------------------------ +## Changes + +- Protect jupyterhub behind twitcher authentication + + - Sets magpie cookies whenever a user logs in or out through jupyterhub so that they are automatically logged in + or out through magpie as well. + - Ensures that the user has permission to access jupyterhub according to magpie when logging in. + [//]: # (list changes here, using '-' for each new entry, remove this when items are added) [1.35.2](https://github.com/bird-house/birdhouse-deploy/tree/1.35.2) (2023-10-24) @@ -130,11 +138,6 @@ ------------------------------------------------------------------------------------------------------------------ ## Changes -- Protect jupyterhub behind twitcher authentication - - - Sets magpie cookies whenever a user logs in or out through jupyterhub so that they are automatically logged in - or out through magpie as well. - - Add public WPS outputs directory to Cowbird and add corresponding volume mount to JupyterHub. - Update `cowbird` service from [1.2.0](https://github.com/Ouranosinc/cowbird/tree/1.2.0) to [2.1.0](https://github.com/Ouranosinc/cowbird/tree/2.1.0). From 35defe34e4de9b6e55b062767f0147b2378e8a48 Mon Sep 17 00:00:00 2001 From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com> Date: Tue, 31 Oct 2023 14:59:11 -0400 Subject: [PATCH 16/16] update changes.md --- CHANGES.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index fa4d2b30e..dc6faa384 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -28,8 +28,6 @@ or out through magpie as well. - Ensures that the user has permission to access jupyterhub according to magpie when logging in. -[//]: # (list changes here, using '-' for each new entry, remove this when items are added) - [1.35.2](https://github.com/bird-house/birdhouse-deploy/tree/1.35.2) (2023-10-24) ------------------------------------------------------------------------------------------------------------------