Starting single-user notebook with our custom ldap docker image

how-to
#1

Hi,

We are having some problems because our user homes are on NFS storage and, for the users to write their work there, we need to "impersonate" them. On regular machines we use LDAP (with TLS, PAM and SSSD) to authenticate the users, and so does JupyterHub.

We are using Kubernetes -> z2jh and a Docker image based on the notebook single-user image with all the necessary files and packages to connect to LDAP.

The idea we originally had was to use the '{username}' variable and modify the "start.sh" script so that, once we had the real $NB_USER, we could set $NB_UID, $NB_GID and so on. We created a Docker container into which we could copy the necessary files (I know it would be better to bind-mount them from the host), and we did, but we have to keep SSSD running in the background for the container to be able to connect to LDAP.

[jovyan@jupyter-rcruz ~]$ id rcruz
uid=63200(rcruz) gid=50030(x) groups=50030(x),1405(x),1403(x)

Before having to add supervisord or something similar to run SSSD as a background process, we would like to know if there is a better/easier way to impersonate the user who logged into JupyterHub. For instance, using the token/ID from the hub login, or something else?

We don't rule out adding the user to /etc/passwd with its username, UID and GID, but we don't know if we can get that from the JupyterHub login.

Thanks in advance!

#2

Is the only requirement to write to NFS as the logged in LDAP user? Would it be sufficient to run Jupyter as that UID?

#3

Yes, every user should be able to write to that NFS share with their own UID.

#4

I’ve done this before. It requires this change to the LDAPAuthenticator.

You can then configure JupyterHub to extract the required LDAP attributes (username, UID), and pass them to the singleuser server by setting appropriate environment variables. If you start the singleuser server as root it will switch to that UID, which means it should be able to write to NFS as that user. I’ve written up some brief instructions:

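The flow described in the post above (hub extracts UID/GID from LDAP, passes them as environment variables, container starts as root and start.sh drops to that user), written out as an added example. This is not code from the thread, from jupyterhub-ldapauthenticator or from the linked instructions, and it assumes: `enable_auth_state` is on so the spawner can read `spawner.user.get_auth_state()`; the authenticator stores the LDAP entry in auth_state as a dict of attribute to list of values (ldap3 style, e.g. `{"uidNumber": [63200]}`); and the pod runs as root with the docker-stacks `start.sh` as entrypoint, which honours `NB_USER`, `NB_UID` and `NB_GID`. The `MIN_ID` floor and the `demo()` sample are constructed for the example.

```python
"""
Added example, not code from the thread or from jupyterhub-ldapauthenticator:
a JupyterHub pre_spawn_hook that turns the LDAP attributes stored in the
user's auth_state into the NB_USER / NB_UID / NB_GID variables that the
docker-stacks start.sh honours when the container starts as root.

Assumptions (not verified against the poster's deployment):
  * enable_auth_state is on, so the hub keeps the authenticator's
    auth_state (encrypted with JUPYTERHUB_CRYPT_KEY) and the spawner can
    read it with spawner.user.get_auth_state()
  * the authenticator stores the user's LDAP entry as a dict of
    attribute -> list of values, e.g. {"uidNumber": [63200], ...}
  * the pod runs as root (z2jh: singleuser.uid: 0) with start.sh as its
    entrypoint, so start.sh applies NB_UID/NB_GID and then drops to that user
"""
import re

# Policy (assumption): never hand start.sh an ID below this. With the
# container starting as root, a uidNumber of 0 (or a system account) in a
# mis-managed LDAP entry would keep the notebook server privileged.
MIN_ID = 1000

# JupyterHub lowercases usernames; restrict to a plain POSIX login name so
# the value is safe to pass to usermod/su inside start.sh.
_POSIX_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def _first(value):
    """ldap3 returns multi-valued attributes as lists; accept either form."""
    if isinstance(value, (list, tuple)):
        return value[0] if value else None
    return value


def _checked_id(auth_state, attr):
    """Return attr from auth_state as an int, refusing missing or low values."""
    raw = _first(auth_state.get(attr))
    if raw is None:
        raise ValueError(f"LDAP entry has no {attr}")
    try:
        number = int(str(raw).strip())
    except ValueError:
        raise ValueError(f"{attr} is not an integer: {raw!r}") from None
    if number < MIN_ID:
        raise ValueError(f"{attr}={number} is below MIN_ID={MIN_ID}, refusing")
    return number


def ldap_env_from_auth_state(username, auth_state):
    """Build the environment start.sh expects for this user.

    Raises ValueError rather than falling back to the image default
    (jovyan, 1000): a silent fallback would write to NFS as the wrong UID.
    """
    if not auth_state:
        raise ValueError("no auth_state for user; is enable_auth_state set?")
    if not _POSIX_NAME.match(username):
        raise ValueError(f"username {username!r} is not a safe login name")
    return {
        "NB_USER": username,
        "NB_UID": str(_checked_id(auth_state, "uidNumber")),
        "NB_GID": str(_checked_id(auth_state, "gidNumber")),
    }


async def pre_spawn_hook(spawner):
    """Run by the hub before the pod is created (c.Spawner.pre_spawn_hook)."""
    auth_state = await spawner.user.get_auth_state()
    env = ldap_env_from_auth_state(spawner.user.name, auth_state)
    spawner.environment.update(env)
    spawner.log.info("spawning %s as uid=%s gid=%s",
                     env["NB_USER"], env["NB_UID"], env["NB_GID"])


# Constructed sample mirroring the `id rcruz` output earlier in the thread.
SAMPLE_AUTH_STATE = {"uidNumber": [63200], "gidNumber": [50030]}


def demo():
    """Stand-alone check of the mapping on the constructed sample."""
    return ldap_env_from_auth_state("rcruz", SAMPLE_AUTH_STATE)


# When loaded as jupyterhub_config.py (z2jh: hub.extraConfig), get_config()
# exists and the hook is registered; when imported elsewhere it is skipped.
try:
    c = get_config()  # noqa: F821  (injected by JupyterHub)
    c.Spawner.pre_spawn_hook = pre_spawn_hook
except NameError:
    pass

if __name__ == "__main__":
    print(demo())
```

On z2jh this would go under `hub.extraConfig`, with (assumed key paths) `hub.config.Authenticator.enable_auth_state: true`, `singleuser.uid: 0` and the image's `start-singleuser.sh` as `singleuser.cmd`, since the chart's default command bypasses start.sh. The hook refuses to spawn on a missing, non-numeric or low uidNumber/gidNumber instead of falling back to jovyan: with the container starting as root, a bad LDAP value should fail closed, not run the server as 1000 or as 0.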
#5

Wow! This is exactly what we want.

I have problems getting the group ID, but I'm not worried about it right now.

Thanks a lot 🙂 !!