Private Gitlab Access for BinderHub

We run our own GitLab installation, and are able to use its public repos as BinderHub sources with no problem. However, we are unable to get BinderHub to pull from any private repo there. I tried to configure BinderHub to do this by looking at the code here: https://github.com/jupyterhub/binderhub/blob/8357c90106be6f30d3d427bc6c9257e7657e48ba/binderhub/repoproviders.py#L163-L264

And thought it might be possible by seeing this:

hostname = Unicode('gitlab.com', config=True,
    help="""The host of the GitLab instance
    For personal GitLab servers.
    """
    )

Does or will BinderHub support pulling from private GitLab repos not hosted at gitlab.com?

Thanks,

–Chris

1 Like

First off: we need to improve the documentation for doing this.

There are (potentially) two parts to the story: access to the GitLab API and access to the repo contents. BinderHub itself needs access to the API and then needs to be able to pass some form of credentials on to repo2docker which clones the repository. These might or might not be the same credentials.

The credentials passed on to repo2docker come via:

which then get passed as an environment variable to the pod in which repo2docker runs which then consumes them.

How does it consume them? Via a small shell script that git will use if it needs credentials which is best documented in this commit message. The idea is that git allows you to install a “credential helper” which we do in the docker image that BinderHub uses to run repo2docker in.

Did I mention we need better docs around this? :joy:


An example of how the credentials env variable is formatted is https://github.com/jupyterhub/binderhub/blob/2e5086a087ab3d41972d0d2359a08a4a632a35f9/binderhub/repoproviders.py#L329-L340
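The credential-helper mechanism described above, sketched as an added example (not repo2docker's or BinderHub's own script): a helper that reads the credentials from an environment variable and prints them when git asks. The variable names `GIT_CREDENTIAL_ENV` and `GIT_CREDENTIAL_HOST`, the `username=...\npassword=...` layout with a literal `\n`, and the host check are assumptions of this example; the host check goes beyond what the thread describes, so that the token is only offered to the expected server.

```shell
#!/bin/sh
# Added example: an environment-backed git credential helper.
# Assumed (not taken from the thread): GIT_CREDENTIAL_ENV holds
#   username=<user>\npassword=<token>   (with a literal backslash-n)
# and GIT_CREDENTIAL_HOST optionally names the only host to answer for.

# credential_helper OPERATION
# git passes the operation as the argument and the request attributes
# (protocol=, host=, ...) as key=value lines on stdin, ended by a blank line.
credential_helper() {
    # git calls helpers with get, store or erase; only "get" may print secrets.
    [ "$1" = "get" ] || return 0

    # Nothing configured: print nothing so git falls back to other helpers.
    [ -n "${GIT_CREDENTIAL_ENV:-}" ] || return 0

    # Pick the host out of the request (it includes ":port" if one was given).
    req_host=""
    while IFS= read -r line && [ -n "$line" ]; do
        case "$line" in
            host=*) req_host=${line#host=} ;;
        esac
    done

    # Safeguard added by this example: stay silent for any other host, so a
    # submodule or redirect to a different server never receives the token.
    if [ -n "${GIT_CREDENTIAL_HOST:-}" ] && [ "$req_host" != "$GIT_CREDENTIAL_HOST" ]; then
        return 0
    fi

    # %b expands the literal "\n" into the newline git expects between
    # attributes (a token containing backslashes would need other handling).
    printf '%b\n' "$GIT_CREDENTIAL_ENV"
}

# Installed on PATH as git-credential-env, git finds it through
#   git config --system credential.helper env
if [ "${0##*/}" = "git-credential-env" ]; then
    credential_helper "$@"
fi
```

Because the secret lives in the pod's environment, anything that can read that environment or run the helper can read the token, so a narrowly scoped, read-only token is the safer choice here.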

Thanks, Tim. Yes, I neglected to mention that I can see via the GitLab logs that the API connection is successful; it’s only at the cloning via repo2docker that I see the authentication failure. In any case, this does look very encouraging, and I’ll give it a try right now. Thanks again for your help! --Chris

1 Like

I made my post a “wiki post” so you should be able to edit it (I think, still figuring out the mechanics of discourse). If you feel like modifying, extending, or correcting bits as you go through the process that would be great. It could then serve as a starting point for adding it to our docs. Or you could make a PR to do that from scratch :slight_smile:

@betatim Where can I find the wiki post?

1 Like

@katylava - @betatim was referring to this post: Private Gitlab Access for BinderHub, which is actually within this discourse topic. I have recently started understanding the terminology myself :smiley:

2 Likes

@consideRatio is exactly right. Sorry if the terminology was confusing. I edited the post where I refer to “the wiki post” to link to the actual post and to a “what is a wiki post” article from the discourse documentation.

1 Like

Hey @betatim
We would like to map the user logged in to binderhub / jupyterhub to a gitlab user (self hosted gitlab) and access his / her private projects on this gitlab instance from binderhub.
If I understand the code of GitLabRepoProvider correctly, only static secrets are supported as of now.
My idea would be

  • create a custom hub authenticator which gets an oauth2 token from gitlab
  • Extend / derive from GitLabRepoProvider, so it uses that token to auth against the GitLab API

Question: how could I pass such an oauth2 token from hub to binder?

This PR would enable that feature: Allow dynamic repository credentials for authenticated Binderhub instances. by rprimet · Pull Request #1169 · jupyterhub/binderhub · GitHub. Unfortunately we’ve stalled a bit with it as I believe the author would like some feedback on best practices, but as ever in open source, it’s time :grin:

1 Like