Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document use of Native authenticator #1398

Open
consideRatio opened this issue Sep 9, 2019 · 8 comments
Open

Document use of Native authenticator #1398

consideRatio opened this issue Sep 9, 2019 · 8 comments
Labels
documentation help wanted

Comments

@consideRatio
Copy link
Member

consideRatio commented Sep 9, 2019
edited
Loading

Document use of Native authenticator

@leportella have made the Native authenticator as described in her blog post about it.

I think this is a very useful authenticator that is far easier to get started with in some scenarios. For example, consider a class instructor that wants to provide access specifically for their students but not all of the university or similar. In my case I wanted to provide access for my school but not all of the 100+ schools at one time during a school event.

Document use of Native authenticator

PR Work to be done

  • Document how to configure the use of the nativeauthenticator
  • Document that it could be a bit complicated to transition to a new authenticator without loosing previous user storage etc.
    • If using this at first means you get a lot of users, they will get storage related to their username, if later you switch to another authenticator you will get a new username so new storage. There is no easy fix to migrate this.
  • Warn about the need for HTTPS
    • Setting this up without HTTPS would expose passwords to be communicated in the air over the internet, using a public WIFI and someone sniffing has the password for example. While you may say "well their work won't be sensitive" or so, it can be the same credential/password used for other services so it is actually a big deal to leak passwords even though it is for a dummy service.
  • Warn about being responsible for a database containing hashed passwords
    • If a list of hashed passwords are exposed, you can figure out what password that led to the hash by brute force if you try to hash enough passwords to find a match. So, this is also a way for passwords to leak, mainly if they are short such as only 8-10 symbols or easy to guess by trying all words in a dictionary etc.
  • Disclaimer that its recommended to use a external identity provider to not be responsible for these matters.
@consideRatio consideRatio mentioned this issue Sep 11, 2019
Closed
@lynchs61
Copy link

In my case I just want to do some work with Jupyter and JupyterHub and I have a kubernetes cluster. So although the number of users will be small (in the immediate future, only me), the k8s setup is the most straight forward except for the fact the LDAP or OAuth isn't reasonable. This would be nice to have and while I've looked through the helm chart and JupyterHub to try and figure it out, at least some simple docs to point me in the right direction would be very useful.

@consideRatio
Copy link
Member Author

Is there anyone having used native authenticator on z2jh? Just trying it out and reporting the situation would be helpful!

@consideRatio consideRatio changed the title PR Discussion - Document use of Native authenticator Document use of Native authenticator Jan 16, 2021
@elcombato
Copy link

Is there anyone having used native authenticator on z2jh? Just trying it out and reporting the situation would be helpful!

NativeAuthenticator is already installed in the hub image:

zero-to-jupyterhub-k8s/images/hub/requirements.txt

Line 67 in eb3dc95

jupyterhub-nativeauthenticator==0.0.7

All I did was to add the following line under extraConfig in the config.yaml:

hub:
  extraConfig: |
    c.JupyterHub.authenticator_class = 'nativeauthenticator.NativeAuthenticator'

With that I can use all the functionality of the NativeAuthenticator.

@consideRatio
Copy link
Member Author

@elcombato thanks for sharing this with us!

@kathoef
Copy link

kathoef commented Aug 6, 2021

This is the NativeAuthenticator configuration I am currently using,

hub:
  config:
    JupyterHub:
      authenticator_class: nativeauthenticator.NativeAuthenticator
      admin_access: false
    Authenticator:
      admin_users:
        - admin1
    NativeAuthenticator:
      enable_signup: true
      minimum_password_length: 10
      check_common_password: true
      ask_email_on_signup: false
      allow_2fa: false

After having played around with the values a bit, I would say that everything works as expected.

Setting this up wasn't very straightforward (for someone who never deployed a JupyterHub before), so I would indeed also love to see a few hints about the NativeAuthenticator in the docs! 😉

@avdhoot0303
Copy link

This worked perfectly for me, Thanks!

@Caiofcas
Copy link

I had to add somethings to extraConfig to make the templates work

 extraConfig:
    00_nativeauthenticator_templates: |
      import os, nativeauthenticator
      c.JupyterHub.template_paths = [f"{os.path.dirname(nativeauthenticator.__file__)}/templates/"]

@TiemenSch
Copy link

Hi there! I'm interested in using the NativeAuthenticator for a small workshops deployment.

Do I need to backup/setup any other volumes on the Hub pod to keep credentials stored across restarts of the hub container? Or does NativeAuthenticator integrate this with the default hub db?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@lynchs61 @consideRatio @elcombato @TiemenSch @kathoef @Caiofcas @avdhoot0303