documentation for authentication #707
Conversation
|
I deployed that example repo on our staging. It uses github oauth with "gesiscss", "jupyter", "jupyterhub", "pangeo-data" in org whitelist. If you like, you can check it. I deployed it with config.yaml and jhub_user.yaml, so if your repo doesn't install JupyterHub, your binder won't launch. |
|
@bitnik - thanks for putting this together. We'll certainly use this soon. Can you point me to your staging cluster? I'd like to see how it all works from user perspective. |
|
@jhamman sorry, i totally forgot sharing the url :) https://notebooks-test.gesis.org/services/binder/ |
|
this is a really nice start - @jhamman were you able to give these instructions a shot? Would love to hear about your experiences |
bitnik
force-pushed
the
docs
branch
2 times, most recently
from
89b6a11
to
6828957
Compare
|
@jhamman @choldgraf It would be perfect if someone could try this documentation out by deploying it on Google Cloud and help me to update the documentation. Because we deploy everything on bare metal and we mostly use I am not sure but I think when auth is enabled, binder service type should be changed to |
|
@bitnik - it may be a few weeks before I get to this. Still very much on our radar though. |
|
@consideRatio is helping set up a BinderHub for neurips, but I'm not sure if the plan is to use authentication or not... |
|
If you have a moment to reenable this on https://notebooks-test.gesis.org/services/binder/ that would be great. I will be deploying a BinderHUb with auth on GKE this week so I can be the guinea pig. |
|
@betatim done. and thank you. This week I will also try to find time to update the documentation. |
|
First hurdle: what link should I visit to get a binder to launch? I was assuming that https://notebooks-test.gesis.org/v2/gh/binder-examples/requirements/master would work but that gives a 404 after redirecting me to https://notebooks-test.gesis.org/hub/v2/gh/binder-examples/requirements/master (there is a extra "hub" in the URL now) |
|
The answer is: https://notebooks-test.gesis.org/services/binder/v2/gh/binder-examples/requirements/master is the link that will start a build. |
|
yes, exactly because JupyterHub is under |
|
What is the thinking behind exposing binder from the Currently Binder acts like a service towards JupyterHub in the sense that it has a secret that let's it authenticate itself towards the hub to create users and launch servers for them. It doesn't live at |
|
|
|
@betatim really sorry for misleading you. I will think about this issue tomorrow and update my test deployment. |
|
@betatim i updated the documentation. i also updated my test deployment:
|
bitnik
changed the title
|
Hi, sorry for long break. I was sick for a while and then on holidays. I think I am done with this documentation for now and it would be really nice to get some feedback. I also have a new repo (https://github.com/gesiscss/example-binderhub-deployments) to try out different binderhub deployments such as with authentication or with custom templates. Soon I will continue with persistent storage. @betatim once you mentioned that you want to work on persistent storage too, have you made any progress? It would be really nice if we could share ideas and collaborate. And finally I just deployed BinderHub with authentication enabled on our staging server (https://notebooks-test.gesis.org). |
Co-Authored-By: bitnik <[email protected]>
|
just giving a shot at this...I added in the config that you mentioned but got some unexpected behavior. When I tried to go to the binder URL after adding the auth config (I'm just using a whitelist), the binder URL now points me to a JupyterHub "403 forbidden" Here's my config config:
BinderHub:
use_registry: true
image_prefix: gcr.io/binder-sandbox-194621/binderauth-
hub_url: http://35.222.116.172
auth_enabled: true
jupyterhub:
cull:
# don't cull authenticated users
users: False
hub:
services:
binder:
oauth_redirect_uri: "35.238.243.184/oauth_callback"
oauth_client_id: "binder-oauth-client-test"
extraConfig:
binder: |
from kubespawner import KubeSpawner
class BinderSpawner(KubeSpawner):
def start(self):
if 'image' in self.user_options:
# binder service sets the image spec via user options
self.image_spec = self.user_options['image']
return super().start()
c.JupyterHub.spawner_class = BinderSpawner
singleuser:
# to make notebook servers aware of hub
cmd: jupyterhub-singleuser
auth:
whitelist:
users:
- choldgraf
- user2Here's the URL of the binder: http://35.238.243.184 any idea what could be up? |
|
Note, kubespawners |
|
@choldgraf you are defining a whitelist but not which authenticator you want to use. So JupyterHub still uses And also you should add "http://" to beginning of @consideRatio thanks! I updated it. |
|
Nice catch - I'll make a PR in the Z2JH docs to try and clarify the whitelist thing a bit. Some more UX feedback from me: The configuration you gave works! I successfully set up a dummy authenticator. However, when I go to the vanilla BinderHub URL and type in my credentials, I'm then taken to a JupyterHub "server loading" page:
This then resulted in a live jupyter session after it loaded, but there was no "binder" experience in there. I was expecting to be taken to the BinderHub landing page. Is that your thinking as well? Perhaps I am not understanding something about the user flow through authentication? (e.g. is authenticated BinderHub use only possible via the BinderHub REST API?) Thanks for your help on this! |
|
@choldgraf you are right, i also expected bhub landing page. I just tried to login too, to me it looks like you didnt update Can you also try adding this extra config (this is to prevent server start when user comes to jhub home page): |
|
@bitnik ah hah, that got it! Is the extraConfig something new? I'll suggest it as additions to the PR |
Co-Authored-By: bitnik <[email protected]>
|
@choldgraf thanks a lot for trying it out and for the review! |
|
restarting travis to see if he's happy after a restart...if that's green, then @bitnik are you ready to merge? |
|
Travis is happy, so I'm happy. @bitnik say the word and we can 🚢 it |
|
@choldgraf let's merge it :) |
|
woooo! thanks so much @bitnik 🎉 |
|
Thanks @choldgraf and @bitnik for putting these together. We'll make use of them soon. Cheers! |
|
@jhamman please do open some PRs if you see opportunities for improvements! The binderhub docs could definitely use some love |
I am also working on an example repo: https://github.com/gesiscss/auth-binderhub
ref: #691