BinderHub with private GitLab and user scopes

Hi,

This question might sound similar to the one posted in Private Gitlab Access for BinderHub.

What would be the preferred way to reuse the JupyterHub GitLab authenticator to determine whether a user is able to build Binders for a given repo?

I suppose there is always the escape hatch of the extraConfig here:

Which could be used to fetch the auth_state and perform an action (clone or wget) to check whether a user has access to a repo using the git token.

The idea is to be able to prevent users to build and launch a Binder for a repo they don’t have access to in GitLab (no read permission).

Thanks!

1 Like

Not tested yet, but it should be possible to do something similar to what they do in GitLab for their JupyterHub integration to retrieve a token:

And use the token to call the GitLab API.

Unless there is a way to set the git_credentials on the fly using the user credentials from the GitLab auth (see @betatim’s post: Private Gitlab Access for BinderHub)

It looks like the credentials are passed into the builder here:


But then you need to trace that up the chain- I expect it’d require some refactoring to get the user credentials in there.

I’m not sure how much work is involved in passing the user credentials into BinderHub though, if you’ve got an authenticated BinderHub the auth is handled by JupyterHub, so you need to figure out how to pass that auth to Binder.

I suspect your original idea of checking for access in the Spawner may be the easiest even if it’s not the most elegant solution, since as you point out the Spawner has access to auth_state.