RnD/infra
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
33a794e35df8caa7aad6e3d7ed2c89c630fddc85
infra/stacks/jupyterhub/config/jupyterhub_config.py
R de Ren 33a794e35d feat(sso): wire Keycloak SSO end-to-end across all apps 
New stack:
- stacks/oauth2-proxy/ — per-app sidecars (mlflow, portainer, rabbitmq)
  that gate vhosts via nginx auth_request against Keycloak's wbd realm.

Native OIDC wired into:
- grafana       (generic_oauth, role-attribute-path → Admin/Editor/Viewer)
- jupyterhub    (oauthenticator.GenericOAuthenticator)
- node-red      (passport-openidconnect; in-memory state store + users()
                 resolver because adminAuth doesn't expose req.session)
- jenkins       (oic-auth plugin via JCasC; matrix-auth for authz; setup
                 wizard suppressed; custom image with plugins.txt)

Infra fixes uncovered while bringing the above online:
- nginx-proxy: bump proxy_buffer_size to 16k so oauth2-proxy callbacks
  don't 502 on the JWT-bearing Set-Cookie header.
- nginx-proxy: add `resolver 127.0.0.11 valid=30s` so service names
  re-resolve after sidecar recreates (was cross-wiring oauth2-proxy
  upstreams after restart).
- jupyterhub: pass --allow-root to the singleuser spawner (hub runs as
  root inside its container; jupyter-server refused root without flag).
- jupyterhub Dockerfile: install jupyterlab + notebook so
  SimpleLocalProcessSpawner has something to launch.
- node-red Dockerfile: install passport-openidconnect into the image
  so settings.js can require() it.
- portainer: pre-seed local admin via --admin-password=<bcrypt-hash>
  so the 5-minute "no admin → lockout" timer can never trigger.
- deploy.sh: restore executable bit (was 644 in repo).

Admin/viewer policy:
- Created realm role `app-admin` in keycloak wbd realm.
- Grafana maps app-admin → Admin (default Viewer).
- Jenkins matrix-auth grants r.de.ren Overall/Administer, authenticated
  users get Overall/Read + Job/Read + View/Read.
- Node-RED: NODERED_ADMIN_USERS env list → permissions "*", others
  ["read"]. (TODO: switch to app-admin realm role.)
- JupyterHub: JUPYTERHUB_ADMIN_USERS env list. (Same TODO.)
- Gitea: r.de.ren pre-created as local admin; OIDC auto-links via email.

Docs:
- README, cloud/README, stacks/oauth2-proxy/README, and per-stack
  READMEs updated to reflect the new state and remove resolved TODOs.
- cloud/.env.example gains all the new OIDC client + cookie-secret keys.
- cloud/README documents the full kcadm realm bootstrap, including the
  hardcoded-audience mapper and post-logout redirect URIs that are
  non-obvious gotchas.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 18:34:37 +00:00

50 lines
2.3 KiB
Python
Raw Blame History

# JupyterHub config.
#
# Auth: GenericOAuthenticator → Keycloak (wbd realm, jupyterhub client)
# Spawner: LocalProcessSpawner ("simple") — single-host runtime.
# TODO: move to DockerSpawner with per-user persistent volumes once we have
# per-user resource policies sorted.
import os
c = get_config() # noqa: F821 — provided by JupyterHub
# --- Authenticator: Keycloak OIDC --------------------------------------------
c.JupyterHub.authenticator_class = "generic-oauth"
c.GenericOAuthenticator.client_id = os.environ["JUPYTERHUB_OAUTH_CLIENT_ID"]
c.GenericOAuthenticator.client_secret = os.environ["JUPYTERHUB_OAUTH_CLIENT_SECRET"]
c.GenericOAuthenticator.oauth_callback_url = "https://hub.wbd-rd.nl/hub/oauth_callback"
_realm = "https://auth.wbd-rd.nl/realms/wbd"
c.GenericOAuthenticator.authorize_url = f"{_realm}/protocol/openid-connect/auth"
c.GenericOAuthenticator.token_url = f"{_realm}/protocol/openid-connect/token"
c.GenericOAuthenticator.userdata_url = f"{_realm}/protocol/openid-connect/userinfo"
c.GenericOAuthenticator.logout_redirect_url = f"{_realm}/protocol/openid-connect/logout"
c.GenericOAuthenticator.scope = ["openid", "email", "profile"]
c.GenericOAuthenticator.username_claim = "preferred_username"
c.GenericOAuthenticator.login_service = "Keycloak"
# Any authenticated Keycloak user in the wbd realm is allowed in.
c.GenericOAuthenticator.allow_all = True
# Admin list — comma-separated emails or usernames from .env.
admin_users = os.environ.get("JUPYTERHUB_ADMIN_USERS", "").strip()
if admin_users:
c.Authenticator.admin_users = {u.strip() for u in admin_users.split(",") if u.strip()}
# --- Spawner -----------------------------------------------------------------
# SimpleLocalProcessSpawner runs notebooks as OS processes inside the hub
# container, which itself runs as root. jupyter-server refuses to run as root
# unless --allow-root is passed; without it the singleuser process exits with
# a CRITICAL log and the hub eventually times out the spawn after 30s.
c.JupyterHub.spawner_class = "simple"
c.Spawner.default_url = "/lab"
c.Spawner.args = ["--allow-root"]
# --- Hub posture -------------------------------------------------------------
c.JupyterHub.bind_url = "http://:8000"
c.JupyterHub.hub_bind_url = "http://0.0.0.0:8081"
c.JupyterHub.cleanup_servers = True
Reference in New Issue View Git Blame Copy Permalink