diff --git a/.bumpversion.cfg b/.bumpversion.cfg index 62590916f..c4f2826e2 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,5 +1,5 @@ [bumpversion] -current_version = 1.39.1 +current_version = 1.39.2 commit = True tag = False tag_name = {new_version} @@ -30,11 +30,11 @@ search = {current_version} replace = {new_version} [bumpversion:file:RELEASE.txt] -search = {current_version} 2023-11-29T17:03:07Z +search = {current_version} 2023-11-30T15:28:22Z replace = {new_version} {utcnow:%Y-%m-%dT%H:%M:%SZ} [bumpversion:part:releaseTime] -values = 2023-11-29T17:03:07Z +values = 2023-11-30T15:28:22Z [bumpversion:file(version):birdhouse/config/canarie-api/docker_configuration.py.template] search = 'version': '{current_version}' diff --git a/CHANGES.md b/CHANGES.md index 6c8eb89be..088fb34d8 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -17,6 +17,31 @@ [//]: # (list changes here, using '-' for each new entry, remove this when items are added) +[1.39.2](https://github.com/bird-house/birdhouse-deploy/tree/1.39.2) (2023-11-30) +------------------------------------------------------------------------------------------------------------------ + +## Changes + +- Jupyterhub: periodically check whether the logged-in user still have permission to access + + By setting the `JUPYTERHUB_CRYPT_KEY` environment variable in the `env.local` file, jupyterhub will store user's + authentication information (session cookie) in the database. This allows jupyterhub to periodically check whether the + user still has permission to access jupyterhub (the session cookie is not expired and the permission have not + changed). + + The minimum duration between checks can be set with the `JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE` variable which is an + integer (in seconds). + + Note that users who are already logged in to jupyterhub will need to log out and log in for these changes to take + effect. + + To forcibly log out all users currently logged in to jupyterhub you can run the following command to force the + recreation of the cookie secret: + + ```shell + docker exec jupyterhub rm /persist/jupyterhub_cookie_secret && docker restart jupyterhub + ``` + [1.39.1](https://github.com/bird-house/birdhouse-deploy/tree/1.39.1) (2023-11-29) ------------------------------------------------------------------------------------------------------------------ diff --git a/Makefile b/Makefile index b1dd1dd8b..db39db5b3 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ # Generic variables override SHELL := bash override APP_NAME := birdhouse-deploy -override APP_VERSION := 1.39.1 +override APP_VERSION := 1.39.2 # utility to remove comments after value of an option variable override clean_opt = $(shell echo "$(1)" | $(_SED) -r -e "s/[ '$'\t'']+$$//g") diff --git a/README.rst b/README.rst index 8f16e7277..100016eed 100644 --- a/README.rst +++ b/README.rst @@ -14,13 +14,13 @@ for a full-fledged production platform. * - releases - | |latest-version| |commits-since| -.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/1.39.1.svg +.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/1.39.2.svg :alt: Commits since latest release - :target: https://github.com/bird-house/birdhouse-deploy/compare/1.39.1...master + :target: https://github.com/bird-house/birdhouse-deploy/compare/1.39.2...master -.. |latest-version| image:: https://img.shields.io/badge/tag-1.39.1-blue.svg?style=flat +.. |latest-version| image:: https://img.shields.io/badge/tag-1.39.2-blue.svg?style=flat :alt: Latest Tag - :target: https://github.com/bird-house/birdhouse-deploy/tree/1.39.1 + :target: https://github.com/bird-house/birdhouse-deploy/tree/1.39.2 .. |readthedocs| image:: https://readthedocs.org/projects/birdhouse-deploy/badge/?version=latest :alt: ReadTheDocs Build Status (latest version) diff --git a/RELEASE.txt b/RELEASE.txt index a43d48a7a..4a4b2b442 100644 --- a/RELEASE.txt +++ b/RELEASE.txt @@ -1 +1 @@ -1.39.1 2023-11-29T17:03:07Z +1.39.2 2023-11-30T15:28:22Z diff --git a/birdhouse/config/canarie-api/docker_configuration.py.template b/birdhouse/config/canarie-api/docker_configuration.py.template index 3333aef28..220bd9c23 100644 --- a/birdhouse/config/canarie-api/docker_configuration.py.template +++ b/birdhouse/config/canarie-api/docker_configuration.py.template @@ -109,8 +109,8 @@ SERVICES = { # NOTE: # Below version and release time auto-managed by 'make VERSION=x.y.z bump'. # Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'. - 'version': '1.39.1', - 'releaseTime': '2023-11-29T17:03:07Z', + 'version': '1.39.2', + 'releaseTime': '2023-11-30T15:28:22Z', 'institution': 'Ouranos', 'researchSubject': 'Climatology', 'supportEmail': '${SUPPORT_EMAIL}', @@ -142,8 +142,8 @@ PLATFORMS = { # NOTE: # Below version and release time auto-managed by 'make VERSION=x.y.z bump'. # Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'. - 'version': '1.39.1', - 'releaseTime': '2023-11-29T17:03:07Z', + 'version': '1.39.2', + 'releaseTime': '2023-11-30T15:28:22Z', 'institution': 'Ouranos', 'researchSubject': 'Climatology', 'supportEmail': '${SUPPORT_EMAIL}', diff --git a/birdhouse/config/jupyterhub/default.env b/birdhouse/config/jupyterhub/default.env index d8ffba773..e6d7ee139 100644 --- a/birdhouse/config/jupyterhub/default.env +++ b/birdhouse/config/jupyterhub/default.env @@ -5,7 +5,7 @@ # are applied and must be added to the list of DELAYED_EVAL. export JUPYTERHUB_DOCKER=pavics/jupyterhub -export JUPYTERHUB_VERSION=4.0.2-20231002 +export JUPYTERHUB_VERSION=4.0.2-20231127 # Jupyter single-user server images, can be overriden in env.local to have a space separated list of multiple images export DOCKER_NOTEBOOK_IMAGES="pavics/workflow-tests:230601" @@ -64,6 +64,15 @@ export JUPYTERHUB_CONFIG_OVERRIDE="" # recommended as it may permit unauthorized users from accessing jupyterhub. export JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL='http://twitcher:8000/ows/verify/jupyterhub' +# 32 byte hex-encoded key used to encrypt a user's authentication state in the juptyerhub database. +# If set, jupyterhub will periodically check if the user still has permission to access jupyterhub (according to Magpie) +export JUPYTERHUB_CRYPT_KEY= + +# Jupyterhub will check if the current logged in user still has permission to access jupyterhub (according to Magpie) +# if their authentication information is older that this value (in seconds). This value is only applied if +# JUPYTERHUB_CRYPT_KEY is set. +export JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE=60 + export DELAYED_EVAL=" $DELAYED_EVAL JUPYTERHUB_USER_DATA_DIR @@ -86,6 +95,7 @@ OPTIONAL_VARS=" \$JUPYTERHUB_DOCKER \$JUPYTERHUB_VERSION \$JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL + \$JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE \$JUPYTER_IDLE_SERVER_CULL_TIMEOUT \$JUPYTER_IDLE_KERNEL_CULL_TIMEOUT \$JUPYTER_IDLE_KERNEL_CULL_INTERVAL diff --git a/birdhouse/config/jupyterhub/docker-compose-extra.yml b/birdhouse/config/jupyterhub/docker-compose-extra.yml index e2a489590..32dd395ed 100644 --- a/birdhouse/config/jupyterhub/docker-compose-extra.yml +++ b/birdhouse/config/jupyterhub/docker-compose-extra.yml @@ -27,6 +27,7 @@ services: MOUNT_IMAGE_SPECIFIC_NOTEBOOKS: ${MOUNT_IMAGE_SPECIFIC_NOTEBOOKS} USER_WORKSPACE_UID: ${USER_WORKSPACE_UID} USER_WORKSPACE_GID: ${USER_WORKSPACE_GID} + JUPYTERHUB_CRYPT_KEY: ${JUPYTERHUB_CRYPT_KEY} volumes: - ./config/jupyterhub/jupyterhub_config.py:/srv/jupyterhub/jupyterhub_config.py:ro - ./config/jupyterhub/custom_templates:/custom_templates:ro diff --git a/birdhouse/config/jupyterhub/jupyterhub_config.py.template b/birdhouse/config/jupyterhub/jupyterhub_config.py.template index 7e6476f1f..dab08addb 100644 --- a/birdhouse/config/jupyterhub/jupyterhub_config.py.template +++ b/birdhouse/config/jupyterhub/jupyterhub_config.py.template @@ -19,6 +19,11 @@ c.MagpieAuthenticator.magpie_url = "http://magpie:2001" c.MagpieAuthenticator.public_fqdn = "${PAVICS_FQDN_PUBLIC}" c.MagpieAuthenticator.authorization_url = "${JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL}" +if os.getenv("JUPYTERHUB_CRYPT_KEY"): + c.MagpieAuthenticator.enable_auth_state = True + c.MagpieAuthenticator.refresh_pre_spawn = True + c.MagpieAuthenticator.auth_refresh_age = int("${JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE}") + c.JupyterHub.cookie_secret_file = '/persist/jupyterhub_cookie_secret' c.JupyterHub.db_url = '/persist/jupyterhub.sqlite' diff --git a/birdhouse/env.local.example b/birdhouse/env.local.example index 1976bcfbc..402e4dddf 100644 --- a/birdhouse/env.local.example +++ b/birdhouse/env.local.example @@ -351,6 +351,23 @@ export GEOSERVER_ADMIN_PASSWORD=geoserverpass # #export JUPYTERHUB_CONFIG_OVERRIDE=" # +# +# The following variables can be used to configure additional authentication settings for jupyterhub +# +# 32 byte hex-encoded key used to encrypt a user's authentication state in the juptyerhub database. +# If set, jupyterhub will periodically check if the user still has permission to access jupyterhub (according to Magpie) +# This may be a semicolon-separated list of encryption keys. If there are multiple keys present, the first key is always +# used to persist any new auth_state. +# To generate a key the following command can be used: `openssl rand -hex 32` +# See for more details: https://jupyterhub.readthedocs.io/en/stable/reference/authenticators.html#authentication-state +#export JUPYTERHUB_CRYPT_KEY= +# +# Jupyterhub will check if the current logged in user still has permission to access jupyterhub (according to Magpie) +# if their authentication information is older that this value (in seconds). This value is only applied if +# JUPYTERHUB_CRYPT_KEY is set. +#export JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE=60 +# +# # Sample below will allow for sharing notebooks between Jupyter users. # Note all shares are public. # diff --git a/docs/source/conf.py b/docs/source/conf.py index ebc78084f..180ce2fa8 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -69,9 +69,9 @@ # built documents. # # The short X.Y version. -version = '1.39.1' +version = '1.39.2' # The full version, including alpha/beta/rc tags. -release = '1.39.1' +release = '1.39.2' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages.