Hi everyone.
I have deployed Z2JH in EKS. I am able to set up EFS storage for each user and also shared. I need to set up storage that is only accessible to members of its group. For example, a user from group a can access the group_a folder but not the group_b folder.
In addition, I'm using GenericOAuthenticator for authentication.
Any suggestions to achieve this?
```yaml
singleuser:
  storage:
    capacity: 2Gi
    type: "static"
    static:
      pvcName: "efs-persist"
      subPath: "home/{username}"
    extraVolumes:
      - name: jupyterhub-shared
        persistentVolumeClaim:
          claimName: efs-persist-ro
    extraVolumeMounts:
      - name: jupyterhub-shared
        mountPath: home/shared/{groupname?}
        readOnly: true
```
manics
December 6, 2024, 5:10pm
It’s not possible using the standard Z2JH config.
However KubeSpawner has a modify_pod_hook parameter so you could write a function to mount the extra volume:
https://jupyterhub-kubespawner.readthedocs.io/en/latest/spawner.html#kubespawner.KubeSpawner.modify_pod_hook
You can put this in the Z2JH hub.extraConfig section.
Thank you @manics for your response! After some trial I am able to use modify_pod_hook as you suggested.
For anyone interested, here’s my implementation based on manics' input and this post.
```yaml
hub:
  config:
    JupyterHub:
      authenticator_class: generic-oauth
    Authenticator:
      enable_auth_state: true
      allow_all: true
    GenericOAuthenticator:
      client_id: jupyterhub
      client_secret: SECRET
      # disables TLS certificate verification for requests to Keycloak
      validate_server_cert: False
      oauth_callback_url: http://CALLBACK_URL/hub/oauth_callback
      authorize_url: https://KEYCLOAK_URL/realms/data-access-portal/protocol/openid-connect/auth
      token_url: https://KEYCLOAK_URL/realms/data-access-portal/protocol/openid-connect/token
      userdata_url: https://KEYCLOAK_URL/realms/data-access-portal/protocol/openid-connect/userinfo
      login_service: keycloak
      username_claim: preferred_username
      userdata_params:
        state: state
      scope:
        - openid
  extraConfig:
    00-first-config: |
      def userdata_hook(spawner, auth_state):
          # keep the OAuth userinfo on the spawner so modify_pod_hook can read it
          spawner.userdata = auth_state['oauth_user']

      def modify_pod_hook(spawner, pod):
          user = spawner.user.name
          # group name read from the 'CUSTOM' key of the OAuth userinfo
          group = spawner.userdata.get('CUSTOM', False)
          pod.spec.volumes.append({
              'name': 'jupyterhub-shared',
              'persistentVolumeClaim': {
                  'claimName': 'efs-persist-ro'
              }
          })
          pod.spec.containers[0].volume_mounts.append({
              'name': 'jupyterhub-shared',
              'mountPath': f"/home/shared/{group}",
              'readOnly': True
          })
          return pod

      c.KubeSpawner.auth_state_hook = userdata_hook
      c.KubeSpawner.modify_pod_hook = modify_pod_hook
```
2 Likes
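A fail-closed variant of the hook from the post above, as an added example that is not the poster's or KubeSpawner's own code: it validates the group claim before using it in a path and mounts only that group's directory through subPath, since a volume mount without subPath exposes the root of the claim. The claim name `group`, the `shared/<group>` directory layout on the volume and the allowed name pattern are assumptions.

```python
import re

SHARED_PVC = "efs-persist-ro"   # claim name taken from the thread
GROUP_CLAIM = "group"           # assumption: userinfo claim that holds the group
# Assumption: group names are short lowercase slugs, so no "/" or ".." can pass.
GROUP_RE = re.compile(r"[a-z0-9]([a-z0-9_-]{0,61}[a-z0-9])?")


def safe_group(userdata):
    """Return the group name from the userinfo claims, or None if unusable."""
    group = (userdata or {}).get(GROUP_CLAIM)
    # Reject missing, non-string and path-like values ("../b", "a/b", "").
    if isinstance(group, str) and GROUP_RE.fullmatch(group):
        return group
    return None


def userdata_hook(spawner, auth_state):
    # auth_state can be None when auth state is not persisted: treat as no claims.
    spawner.userdata = (auth_state or {}).get("oauth_user", {})


def modify_pod_hook(spawner, pod):
    group = safe_group(getattr(spawner, "userdata", None))
    if group is None:
        return pod  # fail closed: no valid group claim, no shared mount
    pod.spec.volumes = (pod.spec.volumes or []) + [{
        "name": "jupyterhub-shared",
        "persistentVolumeClaim": {"claimName": SHARED_PVC, "readOnly": True},
    }]
    container = pod.spec.containers[0]
    container.volume_mounts = (container.volume_mounts or []) + [{
        "name": "jupyterhub-shared",
        "mountPath": f"/home/shared/{group}",
        # Assumed layout: each group's files live under shared/<group> on the
        # volume, so only that directory becomes visible inside the pod.
        "subPath": f"shared/{group}",
        "readOnly": True,
    }]
    return pod


# In hub.extraConfig the two hooks are registered as in the post above:
#   c.KubeSpawner.auth_state_hook = userdata_hook
#   c.KubeSpawner.modify_pod_hook = modify_pod_hook
```

The group value comes from the identity provider, so the isolation is only as strong as the control over who can set that claim in Keycloak.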
Hello!
I’ve been there and I wrote this article about how you could configure this!
Hope this helps
1 Like