From 7e3e26c6f1ade7022cf8abb5d50ccd65930044d7 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Tue, 28 May 2024 14:42:53 +0200 Subject: [PATCH 1/3] Add detail to misc comments --- docs/source/authentication.rst | 6 +++--- helm-chart/binderhub/values.yaml | 8 ++++++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 09ce1702b..ecabd3b37 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst @@ -15,8 +15,8 @@ you need to add the following into ``config.yaml``: jupyterhub: cull: - # don't cull authenticated users - users: False + # don't cull authenticated users (reverts binderhub chart's default) + users: false hub: redirectToServer: false config: @@ -42,7 +42,7 @@ you need to add the following into ``config.yaml``: - "access:services" singleuser: - # to make notebook servers aware of hub + # make notebook servers aware of hub (reverts binderhub chart's default to z2jh chart's default) cmd: jupyterhub-singleuser If the configuration above was entered correctly, once you upgrade your diff --git a/helm-chart/binderhub/values.yaml b/helm-chart/binderhub/values.yaml index 3418c3174..e83120c39 100644 --- a/helm-chart/binderhub/values.yaml +++ b/helm-chart/binderhub/values.yaml @@ -81,8 +81,12 @@ jupyterhub: - binder scopes: - servers - # we don't need admin:users if auth is not enabled! - - "admin:users" + # admin:users is required in order to create a jupyterhub user for an + # anonymous binderhub web-server visitor in non-authenticated + # deployments, and read:users is required for authenticated + # deployments to check the state of a jupyterhub user's running + # servers before trying to launch. + - admin:users extraConfig: 0-binderspawnermixin: | """ From c77089c692395bcbe450cf567915eb1b1ec90cbe Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Tue, 28 May 2024 14:43:16 +0200 Subject: [PATCH 2/3] Avoid requesting more permissions than needed in docs/test config --- docs/source/authentication.rst | 2 +- .../jupyterhub-chart-config-auth-additions.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index ecabd3b37..dc36d183d 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst @@ -39,7 +39,7 @@ you need to add the following into ``config.yaml``: user: scopes: - self - - "access:services" + - "access:services!service=binder" singleuser: # make notebook servers aware of hub (reverts binderhub chart's default to z2jh chart's default) diff --git a/testing/local-binder-k8s-hub/jupyterhub-chart-config-auth-additions.yaml b/testing/local-binder-k8s-hub/jupyterhub-chart-config-auth-additions.yaml index 54ce9ff67..06445c33f 100644 --- a/testing/local-binder-k8s-hub/jupyterhub-chart-config-auth-additions.yaml +++ b/testing/local-binder-k8s-hub/jupyterhub-chart-config-auth-additions.yaml @@ -17,4 +17,4 @@ hub: user: scopes: - self - - "access:services" + - "access:services!service=binder" From 6bc13f934afa767ef089ebd7d5b10b0aa3fb99ed Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Tue, 28 May 2024 14:45:47 +0200 Subject: [PATCH 3/3] Prefer passthrough config hub.config over hub.redirecToServer --- docs/source/authentication.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index dc36d183d..36a39c59c 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst @@ -18,12 +18,12 @@ you need to add the following into ``config.yaml``: # don't cull authenticated users (reverts binderhub chart's default) users: false hub: - redirectToServer: false config: BinderSpawner: auth_enabled: true - # specify the desired authenticator JupyterHub: + redirect_to_server: false + # specify the desired authenticator authenticator_class: # use config of your authenticator here # use the docs at https://zero-to-jupyterhub.readthedocs.io/en/stable/authentication.html