We have deployed z2jh and are customizing the chart to add in some extra features.
We would like to implement some authentication, potentially JSON web tokens, but we believe we will need to have preexisting accounts on the underlying Unix system.
Our thoughts are that we need to carry out the following steps on the Hub API prior to passing a JSON web token:
- Create a new user using the post create user call
- Patch the user to be an admin user
We were puzzled when we found other Hub API calls that allowed us to create tokens for users:
- Create a user token
We found that if we enter this token in a new browser tab as an authorization header token XXXXX, we could spawn a new single-node pod and log in as the user. Is this something we should use in a production environment, or should we rely on something to redirect after the JSON web token is authenticated?
This solution works for known predefined users like jovyan or users that are defined in our chart as admin.
However, we encounter errors when we try to create new users that do not have a predefined unix account.
We have set c.LocalAuthenticator.create_system_users = True but we get:
RuntimeError: Failed to create system user testuser2: adduser: Only root may add a user or group to the system.
We have tried to implement sudospawner, but given the suggestions in the following link, and that by default we are using kubespawner, are we off the track?
We have tested manually adding the user by connecting to the container as root and running adduser -q --gecos '""' --disabled-password testuser3.
The hub API call then works.
Note: in order to make calls to the Hub API, we need to define a hub → service → binder → apiToken and add it as an authorization header.
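
The three Hub API calls listed in the post (create user, patch to admin, create a user token), as an added example that is not part of the original post. It builds each request with the service apiToken in the `Authorization: token ...` header and asks for an expiring user token; the hub address, token value, and function names are assumptions.

```python
import json
from urllib.parse import quote
from urllib.request import Request, urlopen


def build_hub_requests(hub_api, service_token, username, admin=False, expires_in=3600):
    """Return the ordered Hub REST requests: create user, optional admin patch, create token."""
    headers = {
        "Authorization": f"token {service_token}",  # service apiToken from the chart
        "Content-Type": "application/json",
    }
    # Percent-encode the name so it cannot alter the URL path.
    user_url = f"{hub_api.rstrip('/')}/users/{quote(username, safe='')}"

    def req(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        return Request(url, data=data, headers=headers, method=method)

    steps = [req("POST", user_url)]  # create the Hub user
    if admin:
        steps.append(req("PATCH", user_url, {"admin": True}))  # only when requested
    # Ask for a token that expires instead of one that lives forever.
    token_body = {"expires_in": expires_in, "note": "provisioned via Hub API"}
    steps.append(req("POST", user_url + "/tokens", token_body))
    return steps


def provision(hub_api, service_token, username, **kwargs):
    """Send the requests in order and return the new user's token string."""
    reply = {}
    for request in build_hub_requests(hub_api, service_token, username, **kwargs):
        # urlopen raises HTTPError on 4xx/5xx (e.g. the user already exists).
        with urlopen(request, timeout=10) as resp:
            reply = json.load(resp)
    return reply["token"]  # returned once; store it like a password


if __name__ == "__main__":
    # Constructed values: dry run that only prints the planned calls.
    for r in build_hub_requests("http://hub:8081/hub/api", "SERVICE_TOKEN", "testuser2"):
        print(r.get_method(), r.full_url, r.data)
```
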