How to Configure Lab Extension Allowlist in Sudospawner Environment

irfmeister · November 15, 2022, 9:51am

Hi,

We are running jupyterhub in a shared setup. We use single sign on with kerberos, and sudospawner to spawn user instances.

I am trying to limit our users’ ability to install arbitrary user extensions. I am able to turn off extension-manager completely but I want a more elegant solution. The extension allowlist as discussed here seems reasonable: Extensions — JupyterLab 3.2.8 documentation.

However I am not savvy enough in Jupyterlab to figure out where to put the configuration parameters.

I tried:

1- Added c.LabServerApp.allowed_extensions_uris='/Path/To/Allowlist/allowlist.json' to jupyterhub_config.py.
2- Added '--LabServerApp.allowed_extensions_uris=/Path/To/Allowlist/allowlist.json' to c.Spawner.args in jupyterhub_config.py.

Here is my allowlist.json contents:

{
  "allowed_extensions": [
    {
      "name": "@jupyterlab/*",
      "type": "jupyterlab",
      "reason": "All @jupyterlab org extensions are allowed, of course…",
      "creation_date": "2020-03-11T03:28:56.782Z",
      "last_update_date":  "2020-03-11T03:28:56.782Z"
    },
    {
      "name":"@jupyter-widgets/*",
      "type":"jupyterlab",
      "reason": "It is part of our offering",
      "creation_date":"2022-11-07"
    },
    {
      "name":"@123npm/qgrid",
      "type":"jupyterlab",
      "reason": "It is part of our offering",
      "creation_date":"2022-11-07"
    },
    {
      "name":"jupyter-matplotlib",
      "type":"jupyterlab",
      "reason": "It is part of our offering",
      "creation_date":"2022-11-07"
    }
  ]
}

Didn’t work

Would love to learn how to do it right.

irfmeister · November 17, 2022, 9:58am

So by experimenting, we figured you couldn’t just pass local file paths for the URI.

I just need to know how to put the --LabServerApp.allowed_extensions_uris into a config file to make it available to all users without messing with their home folders.

irfmeister · November 22, 2022, 12:30pm

I finally figured out how to do it.

0- Create a file called allowlist.json with the following content:

{
  "allowed_extensions": [
    {
      "name": "@jupyterlab/*",
      "type": "jupyterlab",
      "reason": "All @jupyterlab org extensions are allowed, of course…",
      "creation_date": "2020-03-11T03:28:56.782Z",
      "last_update_date":  "2020-03-11T03:28:56.782Z"
    },
    {
      "name":"@jupyter-widgets/*",
      "type":"jupyterlab",
      "reason": "It is part of our offering",
      "creation_date":"2022-11-07",
      "last_update_date":  "2020-03-11T03:28:56.782Z"
    },
    {
      "name":"@123npm/qgrid",
      "type":"jupyterlab",
      "reason": "It is part of our offering",
      "creation_date":"2022-11-07",
      "last_update_date":  "2020-03-11T03:28:56.782Z"
    },
    {
      "name":"jupyter-matplotlib",
      "type":"jupyterlab",
      "reason": "It is part of our offering",
      "creation_date":"2022-11-07",
      "last_update_date":  "2020-03-11T03:28:56.782Z"
    },
    {
      "name":"jupyterlab_pygments",
      "type":"jupyterlab",
      "reason": "It is part of our offering",
      "creation_date":"2022-11-07",
      "last_update_date":  "2020-03-11T03:28:56.782Z"
    },
    {
      "name":"jupyterlab-plotly",
      "type":"jupyterlab",
      "reason": "It is part of our offering",
      "creation_date":"2022-11-07",
      "last_update_date":  "2020-03-11T03:28:56.782Z"
    },
    {
      "name":"@j123npm/qgrid2",
      "type":"jupyterlab",
      "reason": "It is part of our offering",
      "creation_date":"2022-11-07",
      "last_update_date":  "2020-03-11T03:28:56.782Z"
    },
    {
      "name":"@pyviz/jupyterlab_pyviz",
      "type":"jupyterlab",
      "reason": "It is part of our offering",
      "creation_date":"2022-11-07",
      "last_update_date":  "2020-03-11T03:28:56.782Z"
    }
  ]
}

1- Configure apache to serve allowlist.json on http for local host.

2- create jupyter_lab_config.py in /etc/jupyter/ folder. Here is the line you need to add:

c.LabServerApp.allowed_extensions_uris='http://127.0.0.1/allowlist.json'

3- Add the following configuration into jupyterhub_config.py:

c.Spawner.args = ['--config=/etc/jupyter/jupyter_lab_config.py']

Topic		Replies	Views
JupyterLab Extension Manager on JupyterHub for individual users General jupyterlab , jupyterhub	13	9315	November 28, 2020
How to install a JupyterLab extension for all JupyterHub users? JupyterHub jupyterlab , jupyterhub , how-to , help-wanted	2	1436	June 7, 2023
Allow JupyterHub users to install their own JupyterLab extensions JupyterHub jupyterlab , jupyterhub , how-to	5	875	February 5, 2024
Disabling installs in Extension Manager in a shared JupyterHub JupyterLab	1	1231	December 1, 2020
Disable User Installed JupyterHub Extensions Zero to JupyterHub on Kubernetes jupyterhub , how-to , help-wanted	1	38	September 18, 2024

How to Configure Lab Extension Allowlist in Sudospawner Environment

Related Topics