Upgrade to z2jh 3.1.0 with oauthenticator 16.1

[consideRatio]

Summary

This PR updates from our use of z2jh 3.0.0-beta.1 (where we manually had upgraded KubeSpawner) to z2jh 3.1.0, and with it we get oauthenticator 16.1.0, up from 15.1.0. With this, we have significant amount of changes to review manually as the authentication configuration is not something we test automatically (its very hard).

Pre-merge review

• Ensure we have all newly added hubs get their configs updated as well, for example HHMI hub #3136
  • Ensured initially
  • Ensured before merge
• Go though all CILogonOAuthenticator config manually
  • Verified to seem OK by Erik
  • Verified to seem OK by at least another engineer (edit: or by Erik again at a later time?)
• Go though all GitHubOAuthenticator config manually
  • Verified by Erik
  • Verified by at least another engineer (edit: or by Erik again at a later time?)
• Deploy to cluster's staging hubs (Saturday 2023-09-30, 15:00 UTC+2)
  • utoronto (cilogon idp https://idpz.utorauth.utoronto.ca/shibboleth)
  • ubc-eoas (cilogon idp https://authentication.ubc.ca)
  • openscapes (github, allow_existing_users)
  • jupyter-meets-the-earth (github, allow_existing_users)
  • gridsst (github, allow_existing_users)
  • cloudbank (a lot of different hubs)
  • carbonplan (cilogon with github idp, allow_existing_users)
  • callysto (cilogon with special authenticator customization)
• Check ourselves the access in staging hubs, or ask for community to check if needed
  • utoronto (cilogon idp https://idpz.utorauth.utoronto.ca/shibboleth)
    I checked with two utoronto accounts
  • ubc-eoas (cilogon idp https://authentication.ubc.ca)
    Asked representatives in Upgrade to z2jh 3.1.0 with oauthenticator 16.1 #3144 (comment)
  • openscapes (github, allow_existing_users)
    I checked with consideratio-demo, first not getting access, then addig that user and getting access, then deleting the user and no longer having access. This was the intented behavior.
  • jupyter-meets-the-earth (github, allow_existing_users)
    I performed a check like for openscapes
  • gridsst (github, allow_existing_users)
    I performed a check like for openscapes
  • cloudbank (a lot of different hubs)
    I checked with community admin via Cloudbank followup to review auth config #3196
  • carbonplan (cilogon with github idp, allow_existing_users)
    I performed a check like for openscapes
  • callysto (cilogon with special authenticator customization)
    I performed a check that a google user from a unknown domain wasn't allowed, and one from an allowed domain was. I also checked that I could authenticate with a microsoft account, but could only check I got denied as I had no allowed microsoft account.

Help on how to review

These are key changes in OAuthenticator 16 to be aware about:

• OAuthenticator.allow_all and CILogonOAuthenticator.allowed_idps[].allow_all is new config that needs to be explicitly set to True if all authenticated users by the authenticator or specific CILogon identity provider are to be authorized. Previously all users could be authorized automatically if no config existed to indicate only some should be authorized access.
• OAuthenticator.allow_existing_users is introduced to explicitly toggle a behavior that previousy was decided based on if Authenticator.allowed_users was declared or not. In v15 when allowed_users was set, any user in JupyterHub's user database (as updatable via /hub/admin panel) was allowed access as well. In v16, this needs to be explicitly configured via the new config option.
• In OAuthenticator v15, there was config like allowed_users that together with GitHubOAuthenticator.allowed_organizations required authenticated users to be part of both the list of allowed_user and alowed_organizations. That led to us never configuring both, only one or the other. In v16 a user can be authorized by being part of either.

Reference links

• Docs on CILogons allowed_idps config
• OAuthenticator's changelog

Related

• Cloudbank followup to review auth config #3196
• https://github.com/2i2c-org/meta/issues/707
• Update jupyterhub-configurator to a newer commit #3197

[consideRatio]

@ckrzysik @lheagy @hmodzelewski could one of you make a quick verification that you have access to https://staging.ubc-eoas.2i2c.cloud by logging in (if needed logout first) and reply if it worked out or not?

[lheagy]

This worked for me!

[jmunroe]

This change is expected to rolled out 2023-10-04. I'm planning on sending the following email to our hub champions for their information:

2i2c will be doing routine maintenance and an upgrade to the authentication code on your JupyterHub deployment. This update will be rolled out on 2023-10-04. While we don't anticipate any action required on your part, please let us know through [email protected] if there are any reported issues with accessing or logging in to your hub from your users. Please see PR #3144 for additional information.

We don't expect any issues but we are using this PR to iterate on how we notify our hub communities of changes that may impact them. Depending on how this goes, I'll make a correspond change in the Team Compass for a procedure to adopt in these cases.

Update: Email sent. See https://2i2c.freshdesk.com/a/tickets/101

[consideRatio]

I rebased and force pushed to ensure this PR is easier to revert if needed, and I caught one config mistake for a cloudbank hub thanks to the second review, as fixed via 25d52b7.

With nasa-ghg and nasa-veda credentials refreshed, this is good to go I think. I'm going for a merge once tests pass.

[github-actions]

🎉🎉🎉🎉

Monitor the deployment of the hubs here 👉 https://github.com/2i2c-org/infrastructure/actions/runs/6404219319