add service account with allow-app-sharing-role permissions #2917

Draft
wants to merge 41 commits into
base: main
Commits
6bc13de
add jhub apps service account with admin permissions
Adam-D-Lewis Jan 20, 2025
a2e1620
Merge branch 'main' into jhub_apps_user
Adam-D-Lewis Jan 21, 2025
234baa2
reduce permissions
Adam-D-Lewis Jan 21, 2025
d609271
cleanup
Adam-D-Lewis Jan 21, 2025
01d1d5d
consolidate calls
Adam-D-Lewis Jan 21, 2025
1bfe644
revert to non service account user for jhub apps startup apps
Adam-D-Lewis Jan 21, 2025
a4943bb
cleanup
Adam-D-Lewis Jan 21, 2025
5f9834a
hacky, but works
Adam-D-Lewis Jan 27, 2025
7e6204a
add role to service account + cleanup
Adam-D-Lewis Jan 27, 2025
2a3e49b
try to set service account auth state, but I don't think it's working
Adam-D-Lewis Jan 28, 2025
110b0ee
fix bug and set auth state for service account
Adam-D-Lewis Jan 28, 2025
a0f4efe
cleanup
Adam-D-Lewis Jan 28, 2025
f180f07
cleanup
Adam-D-Lewis Jan 28, 2025
6406e82
cleanup
Adam-D-Lewis Jan 28, 2025
325a601
make service account name a variable
Adam-D-Lewis Jan 28, 2025
64d3e0b
rename id to uuid for clarity
Adam-D-Lewis Jan 28, 2025
cb775e0
remove unneeded code
Adam-D-Lewis Jan 28, 2025
59078cc
fix
Adam-D-Lewis Jan 28, 2025
f799f3e
cleanup
Adam-D-Lewis Jan 28, 2025
21d0880
clarify docstring
Adam-D-Lewis Jan 28, 2025
0be3851
clarify docstring
Adam-D-Lewis Jan 28, 2025
fedf7ae
Merge branch 'main' into jhub_apps_user
Adam-D-Lewis Jan 28, 2025
2fb4fa8
fix buffer full deadlock
Adam-D-Lewis Jan 29, 2025
8cb0e63
ensure binary raw string
Adam-D-Lewis Jan 29, 2025
556661f
strip all ansi formatting sequences
Adam-D-Lewis Jan 29, 2025
7e5c2b0
Revert "strip all ansi formatting sequences"
Adam-D-Lewis Jan 29, 2025
37bd636
Revert "ensure binary raw string"
Adam-D-Lewis Jan 29, 2025
b6e75de
Revert "fix buffer full deadlock"
Adam-D-Lewis Jan 29, 2025
1fce666
fix fstring
Adam-D-Lewis Feb 3, 2025
865c8d6
add comment with jupyter/oauth code we are mimicking
Adam-D-Lewis Feb 3, 2025
fad0155
add keycloak service account name format comment
Adam-D-Lewis Feb 3, 2025
8569ee8
merge with main
Adam-D-Lewis Feb 10, 2025
80456c5
test that jupyterhub service account gets needed roles
Adam-D-Lewis Feb 10, 2025
627c4aa
add a startup app to ci deployment
Adam-D-Lewis Feb 10, 2025
6de7c1d
assert startup server is created
Adam-D-Lewis Feb 10, 2025
48eae29
fix test_startup_apps_created test
Adam-D-Lewis Feb 10, 2025
fbaec09
remove breakpoint
Adam-D-Lewis Feb 10, 2025
708f753
refactor keycloak command cli
Adam-D-Lewis Feb 10, 2025
e7da0aa
make test-user an admin
Adam-D-Lewis Feb 10, 2025
de43a81
fix test ids
Adam-D-Lewis Feb 10, 2025
9810fdb
update tests since test-user is now an admin
Adam-D-Lewis Feb 10, 2025
cleanup
Adam-D-Lewis committed Jan 28, 2025
commit 6406e82de1e3a536823169d1f2a0e55cb34e5177
@@ -23,7 +23,7 @@ async def get_username_hook(spawner):

async def pre_spawn_hook(spawner):
# if we are starting a service account pod, set/update auth_state
if spawner.user.name == "service-account-jupyterhub":
if spawner.user.name == spawner.authenticator.JHUB_SERVICE_ACCOUNT_NAME:
await spawner.authenticator.set_service_account_auth_state(spawner.user)
await get_username_hook(spawner)

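Review bot: The unchanged call on the line after the new condition, `await spawner.authenticator.set_service_account_auth_state(spawner.user)`, still uses the old method name, while this same commit renames that method to `set_jhub_service_account_auth_state` on `KeyCloakOAuthenticator`. As written, the service-account branch of `pre_spawn_hook` would raise `AttributeError`; update the call to the new name in this commit. Because this branch sets auth state based only on a username comparison, a short comment on why that name can only belong to the service account would also help.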
@@ -19,6 +19,8 @@ class KeyCloakOAuthenticator(GenericOAuthenticator):
feature added in JupyterHub 5.0 (https://github.com/jupyterhub/jupyterhub/pull/4748).
"""

JHUB_SERVICE_ACCOUNT_NAME = "service-account-jupyterhub"

claim_roles_key = Union(
[Unicode(os.environ.get("OAUTH2_ROLES_KEY", "groups")), Callable()],
config=True,
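Review bot: `JHUB_SERVICE_ACCOUNT_NAME` is added as a bare string literal with no comment saying where the value comes from or what has to stay in sync with it. Add a one-line comment on the naming convention it relies on, and consider whether it should be a configurable trait like `claim_roles_key` just below (`config=True`) rather than a hard-coded class attribute, since `pre_spawn_hook` now keys the service-account branch on it.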
@@ -31,10 +33,15 @@ class KeyCloakOAuthenticator(GenericOAuthenticator):

reset_managed_roles_on_startup = Bool(True)

async def set_service_account_auth_state(self, user):
service_account_auth_state = await self.authenticate_service_account()
await user.save_auth_state(service_account_auth_state)
logging.info(f'Auth state set for service account "{user.name}"')
async def set_jhub_service_account_auth_state(self, user):
auth_model = await self.authenticate_service_account()
if user.name != self.JHUB_SERVICE_ACCOUNT_NAME:
raise ValueError(
'User name "{user.name}" does not match service account name "{self.JHUB_SERVICE_ACCOUNT_NAME}"'
)

await user.save_auth_state(auth_model["auth_state"])
logging.info(f'Auth state set for service account: "{user.name}"')

async def authenticate_service_account(self):
token_info = await self._get_token_info()
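Review bot: The `ValueError` message in `set_jhub_service_account_auth_state` is a plain string, not an f-string, so `{user.name}` and `{self.JHUB_SERVICE_ACCOUNT_NAME}` will appear literally in the error instead of the actual names; prefix it with `f`, as the `logging.info` call below does. The name check also runs after `await self.authenticate_service_account()`, so a token is requested even for a user that is then rejected; move the `if user.name != self.JHUB_SERVICE_ACCOUNT_NAME` guard to the top of the method.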
@@ -55,7 +62,7 @@ async def authenticate_service_account(self):

auth_model = await self.update_auth_model(auth_model)

return auth_model["auth_state"]
return auth_model

async def update_auth_model(self, auth_model):
"""Updates and returns the auth_model dict.
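Review bot: `authenticate_service_account` now returns the whole `auth_model` instead of `auth_model["auth_state"]`, but the method has no docstring stating the new return shape, unlike `update_auth_model` right below it. Add one, and check any other callers that still expect the bare auth state; the visible caller indexes `auth_model["auth_state"]` without handling a missing key.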