Shared storage between specific group in z2jh

Hi everyone.

I have deployed z2jh in EKS. I am able to set up EFS storage for each user and also shared storage. I need to set up storage that is only accessible to members of its group. For example, a user from group a can access the group_a folder but not the group_b folder.
In addition, I'm using GenericOAuthenticator for authentication.

Any suggestions to achieve this?

singleuser:
  # Single storage block: a repeated "storage" key would override the first one
  storage:
    capacity: 2Gi
    type: "static"
    static:
      pvcName: "efs-persist"
      subPath: "home/{username}"
    extraVolumes:
      - name: jupyterhub-shared
        persistentVolumeClaim:
          claimName: efs-persist-ro
    extraVolumeMounts:
      - name: jupyterhub-shared
        mountPath: home/shared/{groupname?}
        readOnly: true

It’s not possible using the standard Z2JH config.
However KubeSpawner has a modify_pod_hook parameter so you could write a function to mount the extra volume:
https://jupyterhub-kubespawner.readthedocs.io/en/latest/spawner.html#kubespawner.KubeSpawner.modify_pod_hook

You can put this in the Z2JH hub.extraConfig section.

Thank you @manics for your response! After some trial I am able to use modify_pod_hook as you suggested.

For anyone interested, here’s my implementation based on manics’ input and this post.

hub:
  config:
    JupyterHub:
      authenticator_class: generic-oauth
    Authenticator:
      enable_auth_state: true
      allow_all: true
    GenericOAuthenticator:
      client_id: jupyterhub
      client_secret: SECRET
      # Disables TLS certificate verification for requests to the identity provider
      validate_server_cert: False
      oauth_callback_url: http://CALLBACK_URL/hub/oauth_callback
      authorize_url: https://KEYCLOAK_URL/realms/data-access-portal/protocol/openid-connect/auth
      token_url: https://KEYCLOAK_URL/realms/data-access-portal/protocol/openid-connect/token
      userdata_url: https://KEYCLOAK_URL/realms/data-access-portal/protocol/openid-connect/userinfo
      login_service: keycloak
      username_claim: preferred_username
      userdata_params:
        state: state
      # scope is a GenericOAuthenticator option, so it belongs under that key
      scope:
        - openid
  extraConfig:
    00-first-config: |
      # Keep the OAuth user info (including the group claim) on the spawner
      def userdata_hook(spawner, auth_state):
          spawner.userdata = auth_state['oauth_user']

      # Mount the shared PVC at a path named after the user's group
      def modify_pod_hook(spawner, pod):
          group = spawner.userdata.get('CUSTOM')
          if not group:
              # No group claim: skip the shared mount instead of mounting at /home/shared/False
              return pod
          pod.spec.volumes.append({
              'name': 'jupyterhub-shared',
              'persistentVolumeClaim': {
                  'claimName': 'efs-persist-ro'
              }
          })
          pod.spec.containers[0].volume_mounts.append({
              'name': 'jupyterhub-shared',
              'mountPath': f"/home/shared/{group}",
              'readOnly': True
          })
          return pod

      c.KubeSpawner.auth_state_hook = userdata_hook
      c.KubeSpawner.modify_pod_hook = modify_pod_hook
2 Likes
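
A stricter variant of the hook in the post above, as an added example that is not part of the original post: without a subPath the whole claim is mounted and only the mount path changes, so this version validates the group claim and mounts only that group's directory. It assumes the shared PVC has one top-level directory per group named exactly like the claim value, and that the claim is a single lowercase slug; GROUP_RE and group_volume are names made up for this example.

```python
import re

# Assumption: group names are short lowercase slugs, one directory each at the
# root of the shared PVC (e.g. <pvc root>/group_a).
GROUP_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,62}")
SHARED_PVC = "efs-persist-ro"  # claim name used in the thread
GROUP_CLAIM = "CUSTOM"         # userinfo key used in the thread


def group_volume(userdata):
    """Return (volume, mount) for the user's group, or None if no usable group."""
    group = (userdata or {}).get(GROUP_CLAIM)
    # Reject missing, non-string and path-like values ("", "a/b", "../group_b").
    if not isinstance(group, str) or not GROUP_RE.fullmatch(group):
        return None
    volume = {
        "name": "jupyterhub-shared",
        "persistentVolumeClaim": {"claimName": SHARED_PVC},
    }
    mount = {
        "name": "jupyterhub-shared",
        "mountPath": f"/home/shared/{group}",
        "subPath": group,   # expose only this group's directory, not the PVC root
        "readOnly": True,
    }
    return volume, mount


def modify_pod_hook(spawner, pod):
    result = group_volume(getattr(spawner, "userdata", None))
    if result is None:
        # Fail closed: no valid group means no shared mount at all.
        spawner.log.warning(
            "no valid group claim for %s; shared volume not mounted",
            spawner.user.name,
        )
        return pod
    volume, mount = result
    pod.spec.volumes.append(volume)
    pod.spec.containers[0].volume_mounts.append(mount)
    return pod

# In hub.extraConfig, register it as in the post:
#   c.KubeSpawner.modify_pod_hook = modify_pod_hook
```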

I added Add Spawner.group_overrides to allow overriding spawner config based on user group membership by yuvipanda · Pull Request #4822 · jupyterhub/jupyterhub · GitHub (and helped with Allow all list based config to be assigned dictionaries by sunu · Pull Request #845 · jupyterhub/kubespawner · GitHub) to make this easier! So you can have additional extra_volume_mounts based on group membership.

1 Like

Hello!

I’ve been there and I wrote this article about how you could configure this!

Hope this helps :smile:

1 Like