We want to use Google OAuth and whitelist email addresses at the same time. The documentation makes it sound possible, but we haven’t gotten it to work.
It seems that any user can log in via an email address from our organization, whether they are on the whitelist or not.
This is what our
config.yaml looks like:
c.Spawner.cmd = ['jupyter-labhub']
I’m not sure if this information would help, but our cluster is set up so that nginx forwards traffic from public IP addresses to the
EXTERNAL-IP's of the services on the cluster. So traffic to JupyterHub’s publicly accessible IP is forwarded to the
EXTERNAL-IP of the LoadBalancer of JupyterHub,
Turns out that whitelisting with Google OAuth was working, with the caveat that any user who previous logged in before and is not whitelisted could still log in.
This is something that should probably be mentioned in the docs.
Just an option if you still have any problems. We looked at the same solution as a quick fix before an automated check on a Big Query table and we found the same problem, whitelist was stored in jupyterhub.sqlite database and any removal from there needed a restart of JupyterHub.
We came up with the following for a pre_spawn_hook which checks the whitelist every time a spawn request is needed, so its real time checking of the whitelist;
# Create custom whitelist
# Spawner process to check users have access against a whitelist of people
# authenticated starts as false, always
authenticated = False
# Open the whitelist file which we can store in GCS
with open('/opt/jupyterhub/OAuth/whitelist') as f:
# Loop through line by line
for line in f:
if not line in ['\n', '\r\n']:
# Split the line if we have more than one column, default delimiter is space
line_indiv = line.split()
# Pull the whitelist name we want to check against, always first column
white_name = line_indiv
# If whitelist name matches the spawner username, we authenticate
if white_name == spawner.user.name:
authenticated = True
# If we cant authenticate, open a file that doesn't exist to cause spawner to fail
if authenticated == False:
# attach the hook function to the spawner
c.Spawner.pre_spawn_hook = checkUserAccess
Hopefully it might help, but basics are, put the username (or email address) in