bird-house · mishaschwartz · Oct 31, 2023 · May 1, 2023 · Jun 2, 2023 · Jun 2, 2023
@@ -125,6 +125,10 @@
 ------------------------------------------------------------------------------------------------------------------
 
 ## Changes
+- Protect jupyterhub behind twitcher authentication
+
+  - Sets magpie cookies whenever a user logs in or out through jupyterhub so that they are automatically logged in 
+    or out through magpie as well.
 
 - Add public WPS outputs directory to Cowbird and add corresponding volume mount to JupyterHub.
 - Update `cowbird` service from [1.2.0](https://github.com/Ouranosinc/cowbird/tree/1.2.0)

@@ -2,6 +2,7 @@ custom_templates/login.html
 jupyterhub_config.py
 config/proxy/conf.extra-service.d/jupyterhub.conf
 config/canarie-api/canarie_api_monitoring.py
+config/magpie/providers.cfg
 service-config.json
 
 # Old paths. Keep these so that old config files remain uncommittable after updates.

@@ -0,0 +1,5 @@
+version: "3.4"
+services:
+  magpie:
+    volumes:
+    - ./config/jupyterhub/config/magpie/providers.cfg:${MAGPIE_PROVIDERS_CONFIG_PATH}/jupyter.cfg:ro
@@ -0,0 +1,10 @@
+providers:
+  jupyterhub:
+    # below URL is only used to fill in the required location in Magpie
+    # actual auth validation is performed with Twitcher 'verify' endpoint without accessing this proxied URL
+    url: http://proxy:80
+    title: Jupyter
+    public: true
+    c4i: false
+    type: api
+    sync_type: api
@@ -5,7 +5,7 @@
 # are applied and must be added to the list of DELAYED_EVAL.
 
 export JUPYTERHUB_DOCKER=pavics/jupyterhub
-export JUPYTERHUB_VERSION=4.0.2-20230816
+export JUPYTERHUB_VERSION=4.0.2-20231002
 
 # Jupyter single-user server images, can be overriden in env.local to have a space separated list of multiple images
 export DOCKER_NOTEBOOK_IMAGES="pavics/workflow-tests:230601"
@@ -59,6 +59,11 @@ export JUPYTER_IDLE_KERNEL_CULL_INTERVAL=0
 # config/jupyterhub/jupyterhub_config.py.template.
 export JUPYTERHUB_CONFIG_OVERRIDE=""
 
+# URL used to verify that a logged in user has permission to access Jupyterhub
+# To disable this feature, unset this variable. However, disabling this feature is NOT
+# recommended as it may permit unauthorized users from accessing jupyterhub.
+export JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL='http://twitcher:8000/ows/verify/jupyterhub'
+
 export DELAYED_EVAL="
   $DELAYED_EVAL
   JUPYTERHUB_USER_DATA_DIR
@@ -80,6 +85,7 @@ OPTIONAL_VARS="
   \$JUPYTERHUB_CONFIG_OVERRIDE
   \$JUPYTERHUB_DOCKER
   \$JUPYTERHUB_VERSION
+  \$JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL
   \$JUPYTER_IDLE_SERVER_CULL_TIMEOUT
   \$JUPYTER_IDLE_KERNEL_CULL_TIMEOUT
   \$JUPYTER_IDLE_KERNEL_CULL_INTERVAL

@@ -16,6 +16,8 @@ c.JupyterHub.hub_ip = 'jupyterhub'
 
 c.JupyterHub.authenticator_class = 'jupyterhub_magpie_authenticator.MagpieAuthenticator'
 c.MagpieAuthenticator.magpie_url = "http://magpie:2001"
+c.MagpieAuthenticator.public_fqdn = "${PAVICS_FQDN_PUBLIC}"
+c.MagpieAuthenticator.authorization_url = "${JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL}"
 
 c.JupyterHub.cookie_secret_file = '/persist/jupyterhub_cookie_secret'
 c.JupyterHub.db_url = '/persist/jupyterhub.sqlite'

@@ -0,0 +1,5 @@
+version: "3.4"
+services:
+  magpie:
+    volumes:
+      - ./optional-components/all-public-access/config/jupyterhub/permissions.cfg:${MAGPIE_PERMISSIONS_CONFIG_PATH}/all-public-access-jupyterhub-permissions.cfg:ro
@@ -0,0 +1,9 @@
+permissions:
+  - service: jupyterhub
+    permission: read
+    group: anonymous
+    action: create
+  - service: jupyterhub
+    permission: write
+    group: anonymous
+    action: create
@@ -209,6 +209,7 @@ class TestCreateComposeConfList:
         "./config/twitcher/config/proxy/docker-compose-extra.yml",
         "./config/jupyterhub/docker-compose-extra.yml",
         "./config/jupyterhub/config/canarie-api/docker-compose-extra.yml",
+        "./config/jupyterhub/config/magpie/docker-compose-extra.yml",
         "./config/jupyterhub/config/proxy/docker-compose-extra.yml",
     ]