Cannot manage groups via API when using AzureAuthenticator

blinak · January 27, 2025, 12:07pm

I have deployed jupyterhub using the helmchart version 4.0.0. I am using azure as Authenticator and the config looks like this:

authenticator: |
                    import os
                    from oauthenticator.azuread import AzureAdOAuthenticator
    
                    c.AzureAdOAuthenticator.oauth_callback_url = "https://jupyterhub-test-dev/hub/oauth_callback"
                    c.AzureAdOAuthenticator.username_claim = "unique_name"
                    c.AzureAdOAuthenticator.enable_auth_state = True
                    c.AzureAdOAuthenticator.manage_groups = True
                    c.AzureAdOAuthenticator.auth_state_groups_key = "user.groups"
                    c.AzureAdOAuthenticator.allowed_groups = ["jupyterhub-test-admin", "jupyterhub-test-user"]
                    c.AzureAdOAuthenticator.admin_groups = ["jupyterhub-test-admin" ]
                    c.AzureAdOAuthenticator.scope =  ["GroupMember.Read.All", "User.Read", "User.Read.All", "email", "openid" ]

                    class subAzureAuthenticator(AzureAdOAuthenticator):
                    
                      def normalize_username(self, username):
 
                        username = username.lower().split('@')[0]
                        clean_username = username.replace('.', '')
                        clean_username =clean_username.replace('_', '')
                    
                        return clean_username
                    
                      
                    c.JupyterHub.authenticator_class = subAzureAuthenticator

The group sync works as expected. After I login, I can see the the groups created in the admin panel. However, as admin, I cannot delete or edit these groups.

logs from hub:

Checking access to /hub/api/groups/jupyterhub-test-admin via scope delete:groups!group=jupyterhub-test-admin
[W 2025-01-27 12:04:45.399 JupyterHub web:1873] 400 DELETE /hub/api/groups/jupyterhub-test-admin?_xsrf=token (95.90.206.235): Group management via API is disabled
[W 2025-01-27 12:04:45.399 JupyterHub log:192] 400 DELETE /hub/api/groups/jupyterhub-test-admin?_xsrf=[secret]

Is that the expected behaviour? I thought that having admin permission includes this role : ‘admin:groups!group=jupyterhub-test-admin’ and ‘admin:users!group=jupyterhub-test-admin’

I need to be able to delete the groups because sometimes we delete the user groups in azure app registration, but this is not synced in jupyterhub user management database. Even though the groups is delete in azure, it still remains in jupyterhub.

manics · January 27, 2025, 4:13pm

Currently the API for managing groups is disabled when manage_groups = True:

github.com/jupyterhub/jupyterhub

jupyterhub/apihandlers/groups.py

cddeeb9da


      
          def check_authenticator_managed_groups(self):
              """Raise error on group-management APIs if Authenticator is managing groups"""
              if self.authenticator.manage_groups:
                  raise web.HTTPError(400, "Group management via API is disabled")

Are the groups still present when you restart JupyterHub?

blinak · January 29, 2025, 12:21pm

yes, the group that is removed from azure app registration, is still appearing in group list.

blinak · February 3, 2025, 10:31am

Is there any flag that can be set to refresh the groups to match with the ones specified in the app registration in azure?

minrk · February 6, 2025, 9:54am

Unfortunately, there is currently no way to delete groups when the Authenticator is managing them. We set this up for roles to have the ability to re-initialize roles on startup, but haven’t done that for groups.

We’ll have to think about what that config should look like, but I think the simplest fix is to actually change the “Group management via API is disabled” condition to only apply to group membership, and still permit group creation and deletion via the API.

We could also reconsider blocking group-management via the API altogether. Admins will have to realize that any changes they make via the API will be overridden when users login again, but this would allow manual reconciliation like the deletion here without any unnecessary frustration. But it’s not inherently wrong to allow group management via the API. It just may lead to surprise that admin changes may get lost since the Authenticator has priority. But if the admin changes are manually reconciling with upstream as is the case here, then everything will be as the admin expects. I’m currently leaning toward this choice.

minrk · February 13, 2025, 12:08pm

allow group management API when managed_groups is True by minrk · Pull Request #5004 · jupyterhub/jupyterhub · GitHub removes the manage_groups check, allowing admins full access to group membership. There’s a caveat that managed groups means that any changes you make manually could be clobbered by an authentication event, but that doesn’t mean you shouldn’t be allowed to ever make them (especially those that can’t be done by authentication events, such as group deletion).

likku123 · March 3, 2025, 3:48am

@blinak

Is it possible to share the Azure side of AD things by masking the sensitive information.

I am pretty much stuck here c.AzureAdOAuthenticator.auth_state_groups_key = “user.groups”

Where in logs it says user.groups does not exists.

I would like to know how you have achieved it.

Thanks in advance.

Topic		Replies	Views
How do Groups in JH work with the AzureAdOAuthenticator? JupyterHub help-wanted	1	289	June 12, 2024
Azure groups in sync with Jupyterhub groups Zero to JupyterHub on Kubernetes help-wanted	15	147	March 4, 2025
Admin Scopes Not Given to Users With Admin Role Zero to JupyterHub on Kubernetes jupyterhub , help-wanted	4	594	October 2, 2023
How to extract azure groups_id after login with AzureAdOAuthenticator? JupyterHub jupyterhub , how-to , help-wanted	2	52	January 20, 2025
Access JupyterHub REST API from Config Zero to JupyterHub on Kubernetes	7	30	March 7, 2025

Cannot manage groups via API when using AzureAuthenticator

Related topics