I have upgraded z2jh deployment to the latest version (2.0.0) which features jupyterHub 3.0.0. As written in all changelogs and upgrade guides, there have been changes in RBACs https://jupyterhub.readthedocs.io/en/stable/changelog.html#changes-in-rbac . Now, it is necessary to assign roles to the people accessing BinderHub/JupyterHub in order to even access the service. The user gets default user role which permits something. However, in our case, everyone who tries to access binderhub is presented with
403 : Forbidden You do not have permission to access JupyterHub service binder
The authentication used to work without any problems before the upgrade, without any further configuration.
Hub pod logs include
[D 2022-11-15 12:36:24.580 JupyterHub provider:415] Validating client id service-... [D 2022-11-15 12:36:24.585 oauthlib.oauth2.rfc6749.grant_types.authorization_code authorization_code:363] Validating redirection uri https://binderhub.cloud.e-infra.cz/oauth_callback for client service-... [D 2022-11-15 12:36:24.585 oauthlib.oauth2.rfc6749.grant_types.base base:230] Using provided redirect_uri https://binderhub.cloud.e-infra.cz/oauth_callback [D 2022-11-15 12:36:24.588 JupyterHub provider:490] validate_redirect_uri: client_id=service..., redirect_uri=https://binderhub.cloud.e-infra.cz/oauth_callback [D 2022-11-15 12:36:24.590 oauthlib.oauth2.rfc6749.grant_types.base base:171] Validating access to scopes ['read:users:groups!user', 'read:users:name!user', 'access:services!service=binder'] for client 'service-.... [D 2022-11-15 12:36:24.591 JupyterHub provider:614] Allowing request for scope(s) for service-...: access:services!service=binder,read:users:groups!user,read:users:name!user [E 2022-11-15 12:36:24.592 JupyterHub auth:271] User <User(xhejtman 0/1 running)> not allowed to access JupyterHub service binder [W 2022-11-15 12:36:24.592 JupyterHub web:1796] 403 GET /hub/api/oauth2/authorize?client_id=redirect_uri=oauth_callback&response_type=code&state= You do not have permission to access JupyterHub service binder [D 2022-11-15 12:36:24.593 JupyterHub base:1342] No template for 403
We don’t want to block anyone from using binderhub/jupyterhub, everyone should be allowed to use the service without any restrictions. I thought that it would be enough to add role for one group each user has and assign “access:services” scope to that role, e.g.
loadRoles: allow-users: scopes: - "access:services" - "users:activity" group: - "urn:geant:cesnet.cz:res:all#perun.cesnet.cz" <- one group everyone has
but this did not help and later I learned that these groups correspond to internal JH groups. I do not want to create any internal JH groups as it does not make sense - we have hundreds of users who are eligible to use the service based on their membership in this one group propagated from IdP. I found that it is possible to propagate groups from Authenticator (https://jupyterhub.readthedocs.io/en/stable/reference/authenticators.html#authenticator-managed-group-membership but I don’t think this options is doing anything. Our configuration is as following
config: JupyterHub: authenticator_class: generic-oauth BinderSpawner: auth_enabled: false Authenticator: manage_groups: true GenericOAuthenticator: token_url: https://login.... userdata_url: https://login.... client_id: service-... client_secret: ... userdata_params: state: state username_key: preferred_username scope: - "openid" - "profile" - "eduperson_entitlement" login_service: "e-INFRA CZ AAI" allowed_groups: ["urn:geant:cesnet.cz:res:all#perun.cesnet.cz"] claim_groups_key: "eduperson_entitlement"
Later I tadded admin role just for my username for debugging but I am unable to find out how to allow ALL AUTHENTICATED USERS to use binderhub (or ALL AUTHENTICATED USERS WHO HAVE THAT ONE GROUP). Can I use the groups from OAuth anyhow? If yes, how can I enable all users with that one specific group to use the service?
Thanks for help!