Jupyterhub: periodically check whether the logged-in user still have …

…permission to access (#402)

## Overview

By setting the `JUPYTERHUB_CRYPT_KEY` environment variable in the
`env.local` file, jupyterhub will store user's authentication
information (session cookie) in the database. This allows jupyterhub to
periodically check whether the user still has permission to access
jupyterhub (the session cookie is not expired and the permission have
not changed).

The minimum duration between checks can be set with the
`JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE` variable which is an integer (in
seconds).

Note that users who are already logged in to jupyterhub will need to log
out and log in for these changes to take effect.

To forcibly log out all users currently logged in to jupyterhub you can
run the following command to force the recreation of the cookie secret:

  ```shell
docker exec jupyterhub rm /persist/jupyterhub_cookie_secret && docker
restart jupyterhub
  ```

First discussed here:
#358 (comment)

## Changes

**Non-breaking changes**
- Adds two new environment variables to configure additional jupyterhub
authentication
- New jupyterhub version pavics/jupyterhub:4.0.2-20231024

**Breaking changes**

## Related Issue / Discussion

Related to #334

- [x] Note that this PR requires
Ouranosinc/jupyterhub#23 to be merged in first
and the jupyterhub version updated to match.

## Additional Information

<!--
The test suite can be run using a different DACCS config with
``birdhouse_daccs_configs_branch: branch_name`` in the PR description.
To globally skip the test suite regardless of the commit message use
``birdhouse_skip_ci: true`` in the PR description.
-->

birdhouse_daccs_configs_branch: master
birdhouse_skip_ci: false

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.39.1
+current_version = 1.39.2
 commit = True
 tag = False
 tag_name = {new_version}
@@ -30,11 +30,11 @@ search = {current_version}
 replace = {new_version}
 
 [bumpversion:file:RELEASE.txt]
-search = {current_version} 2023-11-29T17:03:07Z
+search = {current_version} 2023-11-30T15:28:22Z
 replace = {new_version} {utcnow:%Y-%m-%dT%H:%M:%SZ}
 
 [bumpversion:part:releaseTime]
-values = 2023-11-29T17:03:07Z
+values = 2023-11-30T15:28:22Z
 
 [bumpversion:file(version):birdhouse/config/canarie-api/docker_configuration.py.template]
 search = 'version': '{current_version}'

CHANGES.md

@@ -17,6 +17,31 @@
 
 [//]: # (list changes here, using '-' for each new entry, remove this when items are added)
 
+[1.39.2](https://github.com/bird-house/birdhouse-deploy/tree/1.39.2) (2023-11-30)
+------------------------------------------------------------------------------------------------------------------
+
+## Changes
+
+- Jupyterhub: periodically check whether the logged-in user still have permission to access
+
+ By setting the `JUPYTERHUB_CRYPT_KEY` environment variable in the `env.local` file, jupyterhub will store user's
+ authentication information (session cookie) in the database. This allows jupyterhub to periodically check whether the
+ user still has permission to access jupyterhub (the session cookie is not expired and the permission have not 
+ changed).
+
+ The minimum duration between checks can be set with the `JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE` variable which is an 
+ integer (in seconds).
+
+ Note that users who are already logged in to jupyterhub will need to log out and log in for these changes to take
+ effect.
+
+ To forcibly log out all users currently logged in to jupyterhub you can run the following command to force the
+ recreation of the cookie secret:
+
+ ```shell
+ docker exec jupyterhub rm /persist/jupyterhub_cookie_secret && docker restart jupyterhub
+ ```
+
 [1.39.1](https://github.com/bird-house/birdhouse-deploy/tree/1.39.1) (2023-11-29)
 ------------------------------------------------------------------------------------------------------------------
 

Makefile

@@ -1,7 +1,7 @@
 # Generic variables
 override SHELL := bash
 override APP_NAME := birdhouse-deploy
-override APP_VERSION := 1.39.1
+override APP_VERSION := 1.39.2
 
 # utility to remove comments after value of an option variable
 override clean_opt = $(shell echo "$(1)" | $(_SED) -r -e "s/[ '$'\t'']+$$//g")

README.rst

@@ -14,13 +14,13 @@ for a full-fledged production platform.
  * - releases
  - | |latest-version| |commits-since|
 
-.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/1.39.1.svg
+.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/1.39.2.svg
  :alt: Commits since latest release
- :target: https://github.com/bird-house/birdhouse-deploy/compare/1.39.1...master
+ :target: https://github.com/bird-house/birdhouse-deploy/compare/1.39.2...master
 
-.. |latest-version| image:: https://img.shields.io/badge/tag-1.39.1-blue.svg?style=flat
+.. |latest-version| image:: https://img.shields.io/badge/tag-1.39.2-blue.svg?style=flat
  :alt: Latest Tag
- :target: https://github.com/bird-house/birdhouse-deploy/tree/1.39.1
+ :target: https://github.com/bird-house/birdhouse-deploy/tree/1.39.2
 
 .. |readthedocs| image:: https://readthedocs.org/projects/birdhouse-deploy/badge/?version=latest
  :alt: ReadTheDocs Build Status (latest version)

RELEASE.txt

@@ -1 +1 @@
-1.39.1 2023-11-29T17:03:07Z
+1.39.2 2023-11-30T15:28:22Z

birdhouse/config/canarie-api/docker_configuration.py.template

@@ -109,8 +109,8 @@ SERVICES = {
  # NOTE:
  # Below version and release time auto-managed by 'make VERSION=x.y.z bump'.
  # Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'.
- 'version': '1.39.1',
- 'releaseTime': '2023-11-29T17:03:07Z',
+ 'version': '1.39.2',
+ 'releaseTime': '2023-11-30T15:28:22Z',
  'institution': 'Ouranos',
  'researchSubject': 'Climatology',
  'supportEmail': '${SUPPORT_EMAIL}',
@@ -142,8 +142,8 @@ PLATFORMS = {
  # NOTE:
  # Below version and release time auto-managed by 'make VERSION=x.y.z bump'.
  # Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'.
- 'version': '1.39.1',
- 'releaseTime': '2023-11-29T17:03:07Z',
+ 'version': '1.39.2',
+ 'releaseTime': '2023-11-30T15:28:22Z',
  'institution': 'Ouranos',
  'researchSubject': 'Climatology',
  'supportEmail': '${SUPPORT_EMAIL}',

birdhouse/config/jupyterhub/default.env

@@ -5,7 +5,7 @@
 # are applied and must be added to the list of DELAYED_EVAL.
 
 export JUPYTERHUB_DOCKER=pavics/jupyterhub
-export JUPYTERHUB_VERSION=4.0.2-20231002
+export JUPYTERHUB_VERSION=4.0.2-20231127
 
 # Jupyter single-user server images, can be overriden in env.local to have a space separated list of multiple images
 export DOCKER_NOTEBOOK_IMAGES="pavics/workflow-tests:230601"
@@ -64,6 +64,15 @@ export JUPYTERHUB_CONFIG_OVERRIDE=""
 # recommended as it may permit unauthorized users from accessing jupyterhub.
 export JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL='http://twitcher:8000/ows/verify/jupyterhub'
 
+# 32 byte hex-encoded key used to encrypt a user's authentication state in the juptyerhub database.
+# If set, jupyterhub will periodically check if the user still has permission to access jupyterhub (according to Magpie)
+export JUPYTERHUB_CRYPT_KEY=
+
+# Jupyterhub will check if the current logged in user still has permission to access jupyterhub (according to Magpie)
+# if their authentication information is older that this value (in seconds). This value is only applied if
+# JUPYTERHUB_CRYPT_KEY is set.
+export JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE=60
+
 export DELAYED_EVAL="
  $DELAYED_EVAL
  JUPYTERHUB_USER_DATA_DIR
@@ -86,6 +95,7 @@ OPTIONAL_VARS="
  \$JUPYTERHUB_DOCKER
  \$JUPYTERHUB_VERSION
  \$JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL
+ \$JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE
  \$JUPYTER_IDLE_SERVER_CULL_TIMEOUT
  \$JUPYTER_IDLE_KERNEL_CULL_TIMEOUT
  \$JUPYTER_IDLE_KERNEL_CULL_INTERVAL

birdhouse/config/jupyterhub/docker-compose-extra.yml

@@ -27,6 +27,7 @@ services:
  MOUNT_IMAGE_SPECIFIC_NOTEBOOKS: ${MOUNT_IMAGE_SPECIFIC_NOTEBOOKS}
  USER_WORKSPACE_UID: ${USER_WORKSPACE_UID}
  USER_WORKSPACE_GID: ${USER_WORKSPACE_GID}
+ JUPYTERHUB_CRYPT_KEY: ${JUPYTERHUB_CRYPT_KEY}
  volumes:
  - ./config/jupyterhub/jupyterhub_config.py:/srv/jupyterhub/jupyterhub_config.py:ro
  - ./config/jupyterhub/custom_templates:/custom_templates:ro

birdhouse/config/jupyterhub/jupyterhub_config.py.template

@@ -19,6 +19,11 @@ c.MagpieAuthenticator.magpie_url = "http://magpie:2001"
 c.MagpieAuthenticator.public_fqdn = "${PAVICS_FQDN_PUBLIC}"
 c.MagpieAuthenticator.authorization_url = "${JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL}"
 
+if os.getenv("JUPYTERHUB_CRYPT_KEY"):
+ c.MagpieAuthenticator.enable_auth_state = True
+ c.MagpieAuthenticator.refresh_pre_spawn = True
+ c.MagpieAuthenticator.auth_refresh_age = int("${JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE}")
+
 c.JupyterHub.cookie_secret_file = '/persist/jupyterhub_cookie_secret'
 c.JupyterHub.db_url = '/persist/jupyterhub.sqlite'
 

birdhouse/env.local.example

@@ -351,6 +351,23 @@ export GEOSERVER_ADMIN_PASSWORD=geoserverpass
 #
 #export JUPYTERHUB_CONFIG_OVERRIDE="
 #
+#
+# The following variables can be used to configure additional authentication settings for jupyterhub
+#
+# 32 byte hex-encoded key used to encrypt a user's authentication state in the juptyerhub database.
+# If set, jupyterhub will periodically check if the user still has permission to access jupyterhub (according to Magpie)
+# This may be a semicolon-separated list of encryption keys. If there are multiple keys present, the first key is always
+# used to persist any new auth_state.
+# To generate a key the following command can be used: `openssl rand -hex 32`
+# See for more details: https://jupyterhub.readthedocs.io/en/stable/reference/authenticators.html#authentication-state
+#export JUPYTERHUB_CRYPT_KEY=
+#
+# Jupyterhub will check if the current logged in user still has permission to access jupyterhub (according to Magpie)
+# if their authentication information is older that this value (in seconds). This value is only applied if
+# JUPYTERHUB_CRYPT_KEY is set.
+#export JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE=60
+#
+#
 # Sample below will allow for sharing notebooks between Jupyter users.
 # Note all shares are public.
 #

docs/source/conf.py

@@ -69,9 +69,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '1.39.1'
+version = '1.39.2'
 # The full version, including alpha/beta/rc tags.
-release = '1.39.1'
+release = '1.39.2'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.