Commit

hhmi: stop allowing all users, allow only existing users
consideRatio committed Sep 30, 2023
1 parent 020d376 commit 174f538
Showing 1 changed file with 31 additions and 4 deletions.
35 changes: 31 additions & 4 deletions config/clusters/hhmi/common.values.yaml
Expand Up @@ -50,7 +50,34 @@ basehub:
http://github.com/login/oauth/authorize:
username_derivation:
username_claim: "preferred_username"
# FIXME: allow_all=true is the current behavior, but its not
# intentional based on discussion about how the hub was
# setup.
allow_all: true
OAuthenticator:
# WARNING: Don't use allow_existing_users with config to allow an
# externally managed group of users, such as
# GitHubOAuthenticator.allowed_organizations, as it breaks a
# common expectations for an admin user.
#
# The broken expectation is that removing a user from the
# externally managed group implies that the user won't have
# access any more. In practice the user will still have
# access if it had logged in once before, as it then exists
# in JupyterHub's database of users.
#
allow_existing_users: True
Authenticator:
# WARNING: Removing a user from admin_users or allowed_users doesn't
# revoke admin status or access.
#
# OAuthenticator.allow_existing_users allows any user in the
# JupyterHub database of users able to login. This includes
# any previously logged in user or user previously listed in
# allowed_users or admin_users, as such users are added to
# JupyterHub's database on startup.
#
# To revoke admin status or access for a user when
# allow_existing_users is enabled, first remove the user from
# admin_users or allowed_users, then deploy the change, and
# finally revoke the admin status or delete the user via the
# /hub/admin panel.
#
admin_users:
- colliand
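
Review bot: At `allow_existing_users: True`, swapping out `allow_all: true` does not by itself lock out anyone who logged in while `allow_all` was in effect: as the added comment under `Authenticator` states, any previously logged in user exists in JupyterHub's database and therefore stays allowed. Since the removed FIXME says the open access was not intentional, the current user list should be reviewed in the /hub/admin panel when this is deployed, and unexpected accounts deleted there; a line in the comment saying so would help the next admin. Minor wording and style: "it breaks a common expectations" should read "a common expectation", "allows any user in the JupyterHub database of users able to login" should read "allows any user in JupyterHub's database of users to log in", and `True` would be more consistent as `true`, the spelling the removed `allow_all: true` line used.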
