KubeSpawner and LDAPauthentication run under user's LDAP UID

Sure thing:

Here’s our Z2JH config:

hub:
  config:
    Authenticator:
      enable_auth_state: true
    CryptKeeper:
      keys:
        - SECRET
    LDAPAuthenticator:
      bind_dn_template:
      - HIDDEN
      server_address: HOSTNAME
      auth_state_attributes: [uidNumber,gidNumber,uid]
      user_search_base: HIDDEN
  db:
    pvc:
      storageClassName: storage-k8s
  extraConfig:
    configClass: |
      c.JupyterHub.authenticator_class = LDAPAuthenticatorExtend
    extendedLDAP: |
      from tornado import gen
      from ldapauthenticator import LDAPAuthenticator
      class LDAPAuthenticatorExtend(LDAPAuthenticator):
        @gen.coroutine
        def pre_spawn_start(self, user, spawner):
          self.log.debug('running preSpawn hook')
          auth_state = yield spawner.user.get_auth_state()
          self.log.debug('pre_spawn_start auth_state:%s' % auth_state)
          spawner.environment["NB_UID"] = str(auth_state["uidNumber"][0])
          spawner.environment["NB_GID"] = str(auth_state["gidNumber"][0])
          spawner.environment["NB_USER"] = str(auth_state["uid"][0])
          c.KubeSpawner.uid = str(auth_state["uidNumber"][0])
        
    logging: |
      c.JupyterHub.log_level = 'DEBUG'
      c.KubeSpawner.debug = True
      c.LocalProcessSpawner.debug = True
ingress:
  annotations:
    acme.cert-manager.io/http01-edit-in-place: "true"
    cert-manager.io/cluster-issuer: letsencrypt-http01-staging
    kubernetes.io/ingress.class: jupyterhub-ingress
  enabled: true
  hosts:
  - HOSTNAME
  tls:
  - hosts:
    - HOSTNAME
    secretName: SECRETNAME
proxy:
  secretToken: SECRET
  service:
    type: ClusterIP
singleuser:
  defaultUrl: /lab
  uid: 0
  extraEnv:
    GRANT_SUDO: "yes"
    NOTEBOOK_ARGS: "--allow-root"
  storage:
    extraVolumeMounts:
    - mountPath: /home/{username}
      name: nfs-home-{username}-volume
    - mountPath: /data
      name: data-mount-volume
    extraVolumes:
    - name: nfs-home-{username}-volume
      nfs:
        path: /path/to/home
        server: HOSTNAME
    - name: data-mount-volume
      hostPath:
        path: /mnt/data
    type: none
  profilelist:
    - display_name: "Default environment"
      description: "2 CPUs/4GB Memory"
      kubespawner_override:
        cpu_guarantee: 2
        mem_guarantee: 4

Z2JH Version: jupyterhub-0.11.1

No other specific customizations.

I suppose it's worth noting: if I don’t set the UID to 0 for the singleuser server, it starts and the NB_UID and NB_GID will be set in the environment, but the container won’t be running under that UID. If I set the singleuser UID to 0, the pod doesn’t start.

Thanks!
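
An added example, not part of the original post or of any project's code: one way to validate the `uidNumber`, `gidNumber` and `uid` values from `auth_state` inside `pre_spawn_start` and set KubeSpawner's `uid` and `gid` traits on the spawner instance, so the pod itself runs under the LDAP IDs instead of starting as root. `MIN_UID`, the helper names, the stub spawner and the sample values are assumptions made for illustration.

```python
import re
from types import SimpleNamespace

MIN_UID = 1000  # assumed site policy: refuse root and system accounts


def posix_ids(auth_state, min_uid=MIN_UID):
    """Validate the LDAP attributes kept in auth_state; return (uid, gid, username)."""
    if not auth_state:
        raise ValueError("auth_state is empty; check enable_auth_state and the CryptKeeper key")

    def first(attr):
        # LDAP attributes arrive as lists; values may be str or bytes.
        values = auth_state.get(attr) or []
        if not values:
            raise ValueError("LDAP attribute %s missing from auth_state" % attr)
        value = values[0]
        return value.decode() if isinstance(value, bytes) else str(value)

    uid_text, gid_text, name = first("uidNumber"), first("gidNumber"), first("uid")
    for text in (uid_text, gid_text):
        if not re.fullmatch(r"[0-9]+", text):
            raise ValueError("uidNumber/gidNumber must be decimal integers")
    uid, gid = int(uid_text), int(gid_text)
    if uid < min_uid:
        raise ValueError("refusing to spawn as uid %d (below %d)" % (uid, min_uid))
    return uid, gid, name


def apply_ids(spawner, auth_state):
    """Body for pre_spawn_start: set the IDs on this user's spawner instance."""
    uid, gid, name = posix_ids(auth_state)
    spawner.uid = uid  # KubeSpawner trait: UID the container runs as
    spawner.gid = gid  # KubeSpawner trait: GID the container runs as
    spawner.environment.update(NB_UID=str(uid), NB_GID=str(gid), NB_USER=name)
    return spawner


# Constructed sample: a stub in place of the real spawner, and made-up LDAP values.
stub = SimpleNamespace(uid=None, gid=None, environment={})
sample_state = {"uidNumber": ["20031"], "gidNumber": ["20000"], "uid": ["jdoe"]}

if __name__ == "__main__":
    apply_ids(stub, sample_state)
    print(stub.uid, stub.gid, stub.environment)
```

Raising from `pre_spawn_start` makes the spawn fail with a logged reason, so a missing or out-of-policy `uidNumber` never silently falls back to the image's default user.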