We're trying to move to a hub setup where the initial hub setup is 'standard', and then we have an issue about post setup customizations.
This is the one for Earthscope.
✅ Auth0 Authentication
They'd like to use auth0 for authentication, because that is what the rest of their infrastructure uses.
Status: Done, with Auth0OAuthenticator. #3883 turns that into using the GenericOAuthenticator instead, so we don't have to support Auth0 specifically, but just treat it as an OAuth2 provider.
✅ Passing Auth0 token through to user environment
After authentication, they'd like the auth token + refresh token passed through to the user environment as environment variables. This allows users to talk to various APIs with that authentication token.
Status: Done, via infrastructure/config/clusters/earthscope/common.values.yaml (line 102 in 120e88d). Should eventually be generalized to allow passing arbitrary information for arbitrary hubs from auth_state to the user environment, but not necessarily right now.
✅ Allow users access based on particular scopes they are granted
Not everyone who can log in with auth0 should be able to access the hub - it needs to be controlled via a specific scope granted to them. All users with @2i2c.org email addresses are automatically granted this for debugging.
Status: Done, via infrastructure/config/clusters/earthscope/common.values.yaml (line 44 in 120e88d).
✅ Restrict access to profiles options based on granted scopes
Not all profile options should be available to everyone - this should be limited based on scopes granted to them.
Status: Committed, specced out in #3900. To be scheduled.
Restrict access to dask-gateway based on granted scopes
Not all users should be able to get access to dask-gateway - this should also be limited based on scopes granted to them.
Status: Committed, to be spec'd and scheduled.
Related requests: #4014
Tag all resources 2i2c creates in their AWS account
They'd like us to set an appropriate AWS tag for all the resources we manage in their AWS account, so it is easier to account for cloud spend. Note this doesn't include any per user tagging or similar - we have indicated to them that this is not something we can support right now.
Status: Committed
Related requests: #4149