jupyterhub.auth
Base Authenticator class and the default PAM Authenticator
jupyterhub.auth.Authenticator(**kwargs)
Base class for implementing an authentication provider for JupyterHub
config c.Authenticator.admin_users = Set()
Set of users that will have admin rights on this JupyterHub.
Admin access should be treated the same way root access is.
Defaults to an empty set, in which case no user has admin access.
config c.Authenticator.auto_login = Bool(False)
Automatically begin the login process rather than starting with a “Login with…” link at /hub/login.
To work, .login_url() must give a URL other than the default /hub/login, such as an oauth handler or another automatic login handler, registered with .get_handlers().
New in version 0.8.
config c.Authenticator.username_map = Dict()
Dictionary mapping authenticator usernames to JupyterHub users.
Primarily used to normalize OAuth user names to local users.
config c.Authenticator.username_pattern = Unicode('')
Regular expression pattern that all valid usernames must match.
If a username does not match the pattern specified here, authentication will not be attempted.
If not set, allow any username.
config c.Authenticator.whitelist = Set()
Whitelist of usernames that are allowed to log in.
Use this with supported authenticators to restrict which users can log in. This is an additional whitelist that further restricts users, beyond whatever restrictions the authenticator has in place.
If empty, does not perform any additional restriction.
add_user(user)
Hook called when a user is added to JupyterHub
This method may be a coroutine.
By default, this just adds the user to the whitelist.
Subclasses may do more extensive things, such as adding actual unix users, but they should call super to ensure the whitelist is updated.
Note that this should be idempotent, since it is called whenever the hub restarts for all users.
Parameters: user (User) – The User wrapper object
authenticate(handler, data)
Authenticate a user with login form data
This must be a tornado gen.coroutine. It must return the username on successful authentication, and return None on failed authentication.
Checking the whitelist is handled separately by the caller.
Changed in version 0.8: Allow authenticate to return a dict containing auth_state.
check_whitelist(username)
Check if a username is allowed to authenticate based on whitelist configuration
Return True if username is allowed, False otherwise. No whitelist means any username is allowed.
Names are normalized before being checked against the whitelist.
delete_user(user)
Hook called when a user is deleted
Removes the user from the whitelist. Subclasses should call super to ensure the whitelist is updated.
Parameters: user (User) – The User wrapper object
get_authenticated_user(handler, data)
Authenticate the user who is attempting to log in
Returns user dict if successful, None otherwise.
This calls authenticate, which should be overridden in subclasses, normalizes the username if any normalization should be done, and then validates the name in the whitelist.
This is the outer API for authenticating a user. Subclasses should not override this method.
authenticate turns formdata into a username
normalize_username normalizes the username
check_whitelist checks against the user whitelist
Changed in version 0.8: return dict instead of username
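The order of checks described above, as a simplified stand-alone model (an added example, not JupyterHub's own code). The function bodies, the demo_authenticate stand-in, the constructed password and the use of re.fullmatch are assumptions of this sketch; only the method names and the documented behaviour come from this page.

```python
import re

def normalize_username(username, username_map):
    # Default described on this page: lowercase, then apply username_map if set.
    username = username.lower()
    return username_map.get(username, username)

def validate_username(username, username_pattern):
    # Empty pattern: any username is valid. fullmatch is this sketch's
    # choice so an unanchored pattern cannot accept trailing characters.
    if not username_pattern:
        return True
    return re.fullmatch(username_pattern, username) is not None

def check_whitelist(username, whitelist):
    # Empty whitelist: no additional restriction.
    return not whitelist or username in whitelist

def get_authenticated_user(authenticate, data, username_map=None,
                           username_pattern="", whitelist=frozenset()):
    """Return a user dict on success, None otherwise."""
    result = authenticate(data)
    if result is None:
        return None
    # Since 0.8 authenticate may return a dict containing auth_state.
    user = dict(result) if isinstance(result, dict) else {"name": result}
    user["name"] = normalize_username(user["name"], username_map or {})
    # Pattern check placed after normalization (assumption of this sketch).
    if not validate_username(user["name"], username_pattern):
        return None
    if not check_whitelist(user["name"], whitelist):
        return None
    return user

# Constructed stand-in for a subclass's authenticate(): accepts one password.
def demo_authenticate(data):
    return data["username"] if data.get("password") == "constructed-pw" else None

def demo(username, **config):
    form = {"username": username, "password": "constructed-pw"}
    return get_authenticated_user(demo_authenticate, form, **config)
```

Because the whitelist is checked against the normalized name, a login as "River" passes a whitelist containing "river", and with an empty whitelist every successfully authenticated name is accepted.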
get_handlers(app)
Return any custom handlers the authenticator needs to register
Used in conjunction with login_url and logout_url.
Parameters: app (JupyterHub Application) – the application object, in case it needs to be accessed for info.
Returns: list of ('/url', Handler) tuples passed to tornado. The Hub prefix is added to any URLs.
Return type: handlers (list)
login_url(base_url)
Override this when registering a custom login handler
Generally used by authenticators that do not use simple form-based authentication.
The subclass overriding this is responsible for making sure there is a handler available to handle the URL returned from this method, using the get_handlers method.
Parameters: base_url (str) – the base URL of the Hub (e.g. /hub/)
Returns: The login URL, e.g. '/hub/login'
Return type: str
logout_url(base_url)
Override when registering a custom logout handler
The subclass overriding this is responsible for making sure there is a handler available to handle the URL returned from this method, using the get_handlers method.
Parameters: base_url (str) – the base URL of the Hub (e.g. /hub/)
Returns: The logout URL, e.g. '/hub/logout'
Return type: str
normalize_username(username)
Normalize the given username and return it
Override in subclasses if usernames need different normalization rules.
The default attempts to lowercase the username and apply username_map if it is set.
post_spawn_stop(user, spawner)
Hook called after stopping a user container
Can be used to do auth-related cleanup, e.g. closing PAM sessions.
pre_spawn_start(user, spawner)
Hook called before spawning a user’s server
Can be used to do auth-related startup, e.g. opening PAM sessions.
validate_username(username)
Validate a normalized username
Return True if username is valid, False otherwise.
jupyterhub.auth.LocalAuthenticator(**kwargs)
Base class for Authenticators that work with local Linux/UNIX users
Checks for local users, and can attempt to create them if they do not exist.
config c.LocalAuthenticator.add_user_cmd = Command()
The command to use for creating users as a list of strings
For each element in the list, the string USERNAME will be replaced with the user’s username. The username will also be appended as the final argument.
For Linux, the default value is:
['adduser', '-q', '--gecos', '""', '--disabled-password']
To specify a custom home directory, set this to:
['adduser', '-q', '--gecos', '""', '--home', '/customhome/USERNAME', '--disabled-password']
This will run the command:
adduser -q --gecos "" --home /customhome/river --disabled-password river
when the user 'river' is created.
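The USERNAME substitution described above, as an added example (not JupyterHub's own code). Because the username is copied into every element of the list, including the home-directory path, the sketch refuses names that fail a pattern before expanding the command. SAFE_USERNAME is a hypothetical value for username_pattern, not a JupyterHub default, and expand_add_user_cmd and is_rejected are illustrative names.

```python
import re

# Default and custom-home templates as given on this page.
DEFAULT_CMD = ['adduser', '-q', '--gecos', '""', '--disabled-password']
CUSTOM_HOME_CMD = ['adduser', '-q', '--gecos', '""',
                   '--home', '/customhome/USERNAME', '--disabled-password']

# Hypothetical conservative username_pattern: no path separators, no dots,
# and no leading dash that a command could read as an option.
SAFE_USERNAME = r'[a-z_][a-z0-9_-]{0,31}'

def expand_add_user_cmd(template, username, username_pattern=SAFE_USERNAME):
    """Return the argument list for creating `username`, or raise ValueError."""
    if re.fullmatch(username_pattern, username) is None:
        raise ValueError("username rejected by pattern: %r" % username)
    # Replace USERNAME in every element, then append the username last.
    return [arg.replace('USERNAME', username) for arg in template] + [username]

def is_rejected(username):
    """True if the name is refused before any command is built."""
    try:
        expand_add_user_cmd(CUSTOM_HOME_CMD, username)
    except ValueError:
        return True
    return False
```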
config c.LocalAuthenticator.admin_users = Set()
Set of users that will have admin rights on this JupyterHub.
Admin access should be treated the same way root access is.
Defaults to an empty set, in which case no user has admin access.
config c.LocalAuthenticator.auto_login = Bool(False)
Automatically begin the login process rather than starting with a “Login with…” link at /hub/login.
To work, .login_url() must give a URL other than the default /hub/login, such as an oauth handler or another automatic login handler, registered with .get_handlers().
New in version 0.8.
config c.LocalAuthenticator.create_system_users = Bool(False)
If set to True, will attempt to create local system users if they do not exist already.
Supports Linux and BSD variants only.
config c.LocalAuthenticator.group_whitelist = Set()
Whitelist all users from this UNIX group.
This makes the username whitelist ineffective.
config c.LocalAuthenticator.username_map = Dict()
Dictionary mapping authenticator usernames to JupyterHub users.
Primarily used to normalize OAuth user names to local users.
config c.LocalAuthenticator.username_pattern = Unicode('')
Regular expression pattern that all valid usernames must match.
If a username does not match the pattern specified here, authentication will not be attempted.
If not set, allow any username.
config c.LocalAuthenticator.whitelist = Set()
Whitelist of usernames that are allowed to log in.
Use this with supported authenticators to restrict which users can log in. This is an additional whitelist that further restricts users, beyond whatever restrictions the authenticator has in place.
If empty, does not perform any additional restriction.
add_system_user(user)
Create a new local UNIX user on the system.
Tested to work on FreeBSD and Linux, at least.
add_user(user)
Hook called whenever a new user is added
If self.create_system_users is set, an attempt will be made to create the user if it doesn’t exist.
check_group_whitelist(username)
If group_whitelist is configured, check if authenticating user is part of group.
system_user_exists(user)
Check if the user exists on the system
jupyterhub.auth.PAMAuthenticator(**kwargs)
Authenticate local UNIX users with PAM
config c.PAMAuthenticator.add_user_cmd = Command()
The command to use for creating users as a list of strings
For each element in the list, the string USERNAME will be replaced with the user’s username. The username will also be appended as the final argument.
For Linux, the default value is:
['adduser', '-q', '--gecos', '""', '--disabled-password']
To specify a custom home directory, set this to:
['adduser', '-q', '--gecos', '""', '--home', '/customhome/USERNAME', '--disabled-password']
This will run the command:
adduser -q --gecos "" --home /customhome/river --disabled-password river
when the user 'river' is created.
config c.PAMAuthenticator.admin_users = Set()
Set of users that will have admin rights on this JupyterHub.
Admin access should be treated the same way root access is.
Defaults to an empty set, in which case no user has admin access.
config c.PAMAuthenticator.auto_login = Bool(False)
Automatically begin the login process rather than starting with a “Login with…” link at /hub/login.
To work, .login_url() must give a URL other than the default /hub/login, such as an oauth handler or another automatic login handler, registered with .get_handlers().
New in version 0.8.
config c.PAMAuthenticator.create_system_users = Bool(False)
If set to True, will attempt to create local system users if they do not exist already.
Supports Linux and BSD variants only.
config c.PAMAuthenticator.encoding = Unicode('utf8')
The text encoding to use when communicating with PAM
config c.PAMAuthenticator.group_whitelist = Set()
Whitelist all users from this UNIX group.
This makes the username whitelist ineffective.
config c.PAMAuthenticator.open_sessions = Bool(True)
Whether to open a new PAM session when spawners are started.
This may trigger things like mounting shared filesystems, loading credentials, etc. depending on system configuration, but it does not always work.
If any errors are encountered when opening/closing PAM sessions, this is automatically set to False.
config c.PAMAuthenticator.service = Unicode('login')
The name of the PAM service to use for authentication
config c.PAMAuthenticator.username_map = Dict()
Dictionary mapping authenticator usernames to JupyterHub users.
Primarily used to normalize OAuth user names to local users.
config c.PAMAuthenticator.username_pattern = Unicode('')
Regular expression pattern that all valid usernames must match.
If a username does not match the pattern specified here, authentication will not be attempted.
If not set, allow any username.
config c.PAMAuthenticator.whitelist = Set()
Whitelist of usernames that are allowed to log in.
Use this with supported authenticators to restrict which users can log in. This is an additional whitelist that further restricts users, beyond whatever restrictions the authenticator has in place.
If empty, does not perform any additional restriction.