--- /srv/rebuilderd/tmp/rebuilderdgp7beC/inputs/jupyterhub_5.2.1+ds1-4_all.deb +++ /srv/rebuilderd/tmp/rebuilderdgp7beC/out/jupyterhub_5.2.1+ds1-4_all.deb ├── file list │ @@ -1,3 +1,3 @@ │ -rw-r--r-- 0 0 0 4 2025-05-28 09:40:25.000000 debian-binary │ -rw-r--r-- 0 0 0 59496 2025-05-28 09:40:25.000000 control.tar.xz │ --rw-r--r-- 0 0 0 1962752 2025-05-28 09:40:25.000000 data.tar.xz │ +-rw-r--r-- 0 0 0 1962648 2025-05-28 09:40:25.000000 data.tar.xz ├── control.tar.xz │ ├── control.tar │ │ ├── ./md5sums │ │ │ ├── ./md5sums │ │ │ │┄ Files differ ├── data.tar.xz │ ├── data.tar │ │ ├── file list │ │ │ @@ -146,15 +146,15 @@ │ │ │ drwxr-xr-x 0 root (0) root (0) 0 2025-05-28 09:40:25.000000 ./usr/share/doc/ │ │ │ drwxr-xr-x 0 root (0) root (0) 0 2025-05-28 09:40:25.000000 ./usr/share/doc/jupyterhub/ │ │ │ -rw-r--r-- 0 root (0) root (0) 1679 2025-05-28 09:40:25.000000 ./usr/share/doc/jupyterhub/README.Debian.md │ │ │ -rw-r--r-- 0 root (0) root (0) 3837 2024-10-21 09:35:53.000000 ./usr/share/doc/jupyterhub/README.md.gz │ │ │ -rw-r--r-- 0 root (0) root (0) 1363 2025-05-28 09:40:25.000000 ./usr/share/doc/jupyterhub/changelog.Debian.gz │ │ │ -rw-r--r-- 0 root (0) root (0) 2121 2025-05-28 09:40:25.000000 ./usr/share/doc/jupyterhub/copyright │ │ │ drwxr-xr-x 0 root (0) root (0) 0 2025-05-28 09:40:25.000000 ./usr/share/jupyterhub/ │ │ │ --rw-r--r-- 0 root (0) root (0) 98384 2025-05-28 09:40:25.000000 ./usr/share/jupyterhub/jupyterhub_config.py │ │ │ +-rw-r--r-- 0 root (0) root (0) 98386 2025-05-28 09:40:25.000000 ./usr/share/jupyterhub/jupyterhub_config.py │ │ │ drwxr-xr-x 0 root (0) root (0) 0 2025-05-28 09:40:25.000000 ./usr/share/jupyterhub/static/ │ │ │ drwxr-xr-x 0 root (0) root (0) 0 2025-05-28 09:40:25.000000 ./usr/share/jupyterhub/static/components/ │ │ │ drwxr-xr-x 0 root (0) root (0) 0 2025-05-28 09:40:25.000000 ./usr/share/jupyterhub/static/components/@fortawesome/ │ │ │ drwxr-xr-x 0 root (0) root (0) 0 2025-05-28 09:40:25.000000 ./usr/share/jupyterhub/static/components/@fortawesome/fontawesome-free/ │ │ │ -rw-r--r-- 0 root (0) root (0) 7427 2024-10-21 09:36:01.000000 ./usr/share/jupyterhub/static/components/@fortawesome/fontawesome-free/LICENSE.txt │ │ │ drwxr-xr-x 0 root (0) root (0) 0 2025-05-28 09:40:25.000000 ./usr/share/jupyterhub/static/components/@fortawesome/fontawesome-free/css/ │ │ │ -rw-r--r-- 0 root (0) root (0) 132658 2024-10-21 09:36:00.000000 ./usr/share/jupyterhub/static/components/@fortawesome/fontawesome-free/css/all.css │ │ ├── ./usr/share/jupyterhub/jupyterhub_config.py │ │ │ @@ -997,14 +997,471 @@ │ │ │ # │ │ │ # It should return the new URL to redirect to, or None to preserve current │ │ │ # behavior. │ │ │ # Default: None │ │ │ # c.JupyterHub.user_redirect_hook = None │ │ │ │ │ │ #------------------------------------------------------------------------------ │ │ │ +# Authenticator(LoggingConfigurable) configuration │ │ │ +#------------------------------------------------------------------------------ │ │ │ +## Base class for implementing an authentication provider for JupyterHub │ │ │ + │ │ │ +## Set of users that will be granted admin rights on this JupyterHub. │ │ │ +# │ │ │ +# Note: │ │ │ +# │ │ │ +# As of JupyterHub 2.0, │ │ │ +# full admin rights should not be required, │ │ │ +# and more precise permissions can be managed via roles. │ │ │ +# │ │ │ +# Caution: │ │ │ +# │ │ │ +# Adding users to `admin_users` can only *grant* admin rights, │ │ │ +# removing a username from the admin_users set **DOES NOT** remove admin rights previously granted. │ │ │ +# │ │ │ +# For an authoritative, restricted set of admins, │ │ │ +# assign explicit membership of the `admin` *role*:: │ │ │ +# │ │ │ +# c.JupyterHub.load_roles = [ │ │ │ +# { │ │ │ +# "name": "admin", │ │ │ +# "users": ["admin1", "..."], │ │ │ +# } │ │ │ +# ] │ │ │ +# │ │ │ +# Admin users can take every possible action on behalf of all users, for │ │ │ +# example: │ │ │ +# │ │ │ +# - Use the admin panel to see list of users logged in - Add / remove users in │ │ │ +# some authenticators - Restart / halt the hub - Start / stop users' single-user │ │ │ +# servers - Can access each individual users' single-user server │ │ │ +# │ │ │ +# Admin access should be treated the same way root access is. │ │ │ +# │ │ │ +# Defaults to an empty set, in which case no user has admin access. │ │ │ +# Default: set() │ │ │ +# c.Authenticator.admin_users = set() │ │ │ + │ │ │ +## Allow every user who can successfully authenticate to access JupyterHub. │ │ │ +# │ │ │ +# False by default, which means for most Authenticators, _some_ allow-related │ │ │ +# configuration is required to allow users to log in. │ │ │ +# │ │ │ +# Authenticator subclasses may override the default with e.g.:: │ │ │ +# │ │ │ +# @default("allow_all") │ │ │ +# def _default_allow_all(self): │ │ │ +# # if _any_ auth config (depends on the Authenticator) │ │ │ +# if self.allowed_users or self.allowed_groups or self.allow_existing_users: │ │ │ +# return False │ │ │ +# else: │ │ │ +# return True │ │ │ +# │ │ │ +# .. versionadded:: 5.0 │ │ │ +# │ │ │ +# .. versionchanged:: 5.0 │ │ │ +# Prior to 5.0, `allow_all` wasn't defined on its own, │ │ │ +# and was instead implicitly True when no allow config was provided, │ │ │ +# i.e. `allowed_users` unspecified or empty on the base Authenticator class. │ │ │ +# │ │ │ +# To preserve pre-5.0 behavior, │ │ │ +# set `allow_all = True` if you have no other allow configuration. │ │ │ +# Default: False │ │ │ +# c.Authenticator.allow_all = False │ │ │ + │ │ │ +## Allow existing users to login. │ │ │ +# │ │ │ +# Defaults to True if `allowed_users` is set for historical reasons, and False │ │ │ +# otherwise. │ │ │ +# │ │ │ +# With this enabled, all users present in the JupyterHub database are allowed to │ │ │ +# login. This has the effect of any user who has _previously_ been allowed to │ │ │ +# login via any means will continue to be allowed until the user is deleted via │ │ │ +# the /hub/admin page or REST API. │ │ │ +# │ │ │ +# .. warning:: │ │ │ +# │ │ │ +# Before enabling this you should review the existing users in the │ │ │ +# JupyterHub admin panel at `/hub/admin`. You may find users existing │ │ │ +# there because they have previously been declared in config such as │ │ │ +# `allowed_users` or allowed to sign in. │ │ │ +# │ │ │ +# .. warning:: │ │ │ +# │ │ │ +# When this is enabled and you wish to remove access for one or more │ │ │ +# users previously allowed, you must make sure that they │ │ │ +# are removed from the jupyterhub database. This can be tricky to do │ │ │ +# if you stop allowing an externally managed group of users for example. │ │ │ +# │ │ │ +# With this enabled, JupyterHub admin users can visit `/hub/admin` or use │ │ │ +# JupyterHub's REST API to add and remove users to manage who can login. │ │ │ +# │ │ │ +# .. versionadded:: 5.0 │ │ │ +# Default: False │ │ │ +# c.Authenticator.allow_existing_users = False │ │ │ + │ │ │ +## Set of usernames that are allowed to log in. │ │ │ +# │ │ │ +# Use this to limit which authenticated users may login. Default behavior: only │ │ │ +# users in this set are allowed. │ │ │ +# │ │ │ +# If empty, does not perform any restriction, in which case any authenticated │ │ │ +# user is allowed. │ │ │ +# │ │ │ +# Authenticators may extend :meth:`.Authenticator.check_allowed` to combine │ │ │ +# `allowed_users` with other configuration to either expand or restrict access. │ │ │ +# │ │ │ +# .. versionchanged:: 1.2 │ │ │ +# `Authenticator.whitelist` renamed to `allowed_users` │ │ │ +# Default: set() │ │ │ +# c.Authenticator.allowed_users = set() │ │ │ + │ │ │ +## Is there any allow config? │ │ │ +# │ │ │ +# Used to show a warning if it looks like nobody can access the Hub, │ │ │ +# which can happen when upgrading to JupyterHub 5, │ │ │ +# now that `allow_all` defaults to False. │ │ │ +# │ │ │ +# Deployments can set this explicitly to True to suppress │ │ │ +# the "No allow config found" warning. │ │ │ +# │ │ │ +# Will be True if any config tagged with `.tag(allow_config=True)` │ │ │ +# or starts with `allow` is truthy. │ │ │ +# │ │ │ +# .. versionadded:: 5.0 │ │ │ +# Default: False │ │ │ +# c.Authenticator.any_allow_config = False │ │ │ + │ │ │ +## The max age (in seconds) of authentication info │ │ │ +# before forcing a refresh of user auth info. │ │ │ +# │ │ │ +# Refreshing auth info allows, e.g. requesting/re-validating auth │ │ │ +# tokens. │ │ │ +# │ │ │ +# See :meth:`.refresh_user` for what happens when user auth info is refreshed │ │ │ +# (nothing by default). │ │ │ +# Default: 300 │ │ │ +# c.Authenticator.auth_refresh_age = 300 │ │ │ + │ │ │ +## Automatically begin the login process │ │ │ +# │ │ │ +# rather than starting with a "Login with..." link at `/hub/login` │ │ │ +# │ │ │ +# To work, `.login_url()` must give a URL other than the default `/hub/login`, │ │ │ +# such as an oauth handler or another automatic login handler, │ │ │ +# registered with `.get_handlers()`. │ │ │ +# │ │ │ +# .. versionadded:: 0.8 │ │ │ +# Default: False │ │ │ +# c.Authenticator.auto_login = False │ │ │ + │ │ │ +## Automatically begin login process for OAuth2 authorization requests │ │ │ +# │ │ │ +# When another application is using JupyterHub as OAuth2 provider, it sends │ │ │ +# users to `/hub/api/oauth2/authorize`. If the user isn't logged in already, and │ │ │ +# auto_login is not set, the user will be dumped on the hub's home page, without │ │ │ +# any context on what to do next. │ │ │ +# │ │ │ +# Setting this to true will automatically redirect users to login if they aren't │ │ │ +# logged in *only* on the `/hub/api/oauth2/authorize` endpoint. │ │ │ +# │ │ │ +# .. versionadded:: 1.5 │ │ │ +# Default: False │ │ │ +# c.Authenticator.auto_login_oauth2_authorize = False │ │ │ + │ │ │ +## Set of usernames that are not allowed to log in. │ │ │ +# │ │ │ +# Use this with supported authenticators to restrict which users can not log in. │ │ │ +# This is an additional block list that further restricts users, beyond whatever │ │ │ +# restrictions the authenticator has in place. │ │ │ +# │ │ │ +# If empty, does not perform any additional restriction. │ │ │ +# │ │ │ +# .. versionadded: 0.9 │ │ │ +# │ │ │ +# .. versionchanged:: 5.2 │ │ │ +# Users blocked via `blocked_users` that may have logged in in the past │ │ │ +# have all permissions and group membership revoked │ │ │ +# and all servers stopped at JupyterHub startup. │ │ │ +# Previously, User permissions (e.g. API tokens) │ │ │ +# and servers were unaffected and required additional │ │ │ +# administrator operations to block after a user is added to `blocked_users`. │ │ │ +# │ │ │ +# .. versionchanged:: 1.2 │ │ │ +# `Authenticator.blacklist` renamed to `blocked_users` │ │ │ +# Default: set() │ │ │ +# c.Authenticator.blocked_users = set() │ │ │ + │ │ │ +## Delete any users from the database that do not pass validation │ │ │ +# │ │ │ +# When JupyterHub starts, `.add_user` will be called │ │ │ +# on each user in the database to verify that all users are still valid. │ │ │ +# │ │ │ +# If `delete_invalid_users` is True, │ │ │ +# any users that do not pass validation will be deleted from the database. │ │ │ +# Use this if users might be deleted from an external system, │ │ │ +# such as local user accounts. │ │ │ +# │ │ │ +# If False (default), invalid users remain in the Hub's database │ │ │ +# and a warning will be issued. │ │ │ +# This is the default to avoid data loss due to config changes. │ │ │ +# Default: False │ │ │ +# c.Authenticator.delete_invalid_users = False │ │ │ + │ │ │ +## Enable persisting auth_state (if available). │ │ │ +# │ │ │ +# auth_state will be encrypted and stored in the Hub's database. │ │ │ +# This can include things like authentication tokens, etc. │ │ │ +# to be passed to Spawners as environment variables. │ │ │ +# │ │ │ +# Encrypting auth_state requires the cryptography package. │ │ │ +# │ │ │ +# Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must │ │ │ +# contain one (or more, separated by ;) 32B encryption keys. │ │ │ +# These can be either base64 or hex-encoded. │ │ │ +# │ │ │ +# If encryption is unavailable, auth_state cannot be persisted. │ │ │ +# │ │ │ +# New in JupyterHub 0.8 │ │ │ +# Default: False │ │ │ +# c.Authenticator.enable_auth_state = False │ │ │ + │ │ │ +## Let authenticator manage user groups │ │ │ +# │ │ │ +# If True, Authenticator.authenticate and/or .refresh_user │ │ │ +# may return a list of group names in the 'groups' field, │ │ │ +# which will be assigned to the user. │ │ │ +# │ │ │ +# All group-assignment APIs are disabled if this is True. │ │ │ +# Default: False │ │ │ +# c.Authenticator.manage_groups = False │ │ │ + │ │ │ +## Let authenticator manage roles │ │ │ +# │ │ │ +# If True, Authenticator.authenticate and/or .refresh_user │ │ │ +# may return a list of roles in the 'roles' field, │ │ │ +# which will be added to the database. │ │ │ +# │ │ │ +# When enabled, all role management will be handled by the │ │ │ +# authenticator; in particular, assignment of roles via │ │ │ +# `JupyterHub.load_roles` traitlet will not be possible. │ │ │ +# │ │ │ +# .. versionadded:: 5.0 │ │ │ +# Default: False │ │ │ +# c.Authenticator.manage_roles = False │ │ │ + │ │ │ +## The prompt string for the extra OTP (One Time Password) field. │ │ │ +# │ │ │ +# .. versionadded:: 5.0 │ │ │ +# Default: 'OTP:' │ │ │ +# c.Authenticator.otp_prompt = 'OTP:' │ │ │ + │ │ │ +## An optional hook function that you can implement to do some bootstrapping work │ │ │ +# during authentication. For example, loading user account details from an │ │ │ +# external system. │ │ │ +# │ │ │ +# This function is called after the user has passed all authentication checks │ │ │ +# and is ready to successfully authenticate. This function must return the │ │ │ +# auth_model dict reguardless of changes to it. The hook is called with 3 │ │ │ +# positional arguments: `(authenticator, handler, auth_model)`. │ │ │ +# │ │ │ +# This may be a coroutine. │ │ │ +# │ │ │ +# .. versionadded: 1.0 │ │ │ +# │ │ │ +# Example:: │ │ │ +# │ │ │ +# import os │ │ │ +# import pwd │ │ │ +# def my_hook(authenticator, handler, auth_model): │ │ │ +# user_data = pwd.getpwnam(auth_model['name']) │ │ │ +# spawn_data = { │ │ │ +# 'pw_data': user_data │ │ │ +# 'gid_list': os.getgrouplist(auth_model['name'], user_data.pw_gid) │ │ │ +# } │ │ │ +# │ │ │ +# if auth_model['auth_state'] is None: │ │ │ +# auth_model['auth_state'] = {} │ │ │ +# auth_model['auth_state']['spawn_data'] = spawn_data │ │ │ +# │ │ │ +# return auth_model │ │ │ +# │ │ │ +# c.Authenticator.post_auth_hook = my_hook │ │ │ +# Default: None │ │ │ +# c.Authenticator.post_auth_hook = None │ │ │ + │ │ │ +## Force refresh of auth prior to spawn. │ │ │ +# │ │ │ +# This forces :meth:`.refresh_user` to be called prior to launching │ │ │ +# a server, to ensure that auth state is up-to-date. │ │ │ +# │ │ │ +# This can be important when e.g. auth tokens that may have expired │ │ │ +# are passed to the spawner via environment variables from auth_state. │ │ │ +# │ │ │ +# If refresh_user cannot refresh the user auth data, │ │ │ +# launch will fail until the user logs in again. │ │ │ +# Default: False │ │ │ +# c.Authenticator.refresh_pre_spawn = False │ │ │ + │ │ │ +## Prompt for OTP (One Time Password) in the login form. │ │ │ +# │ │ │ +# .. versionadded:: 5.0 │ │ │ +# Default: False │ │ │ +# c.Authenticator.request_otp = False │ │ │ + │ │ │ +## Reset managed roles to result of `load_managed_roles()` on startup. │ │ │ +# │ │ │ +# If True: │ │ │ +# - stale managed roles will be removed, │ │ │ +# - stale assignments to managed roles will be removed. │ │ │ +# │ │ │ +# Any role not present in `load_managed_roles()` will be considered │ │ │ +# 'stale'. │ │ │ +# │ │ │ +# The 'stale' status for role assignments is also determined from │ │ │ +# `load_managed_roles()` result: │ │ │ +# │ │ │ +# - user role assignments status will depend on whether the `users` key │ │ │ +# is defined or not: │ │ │ +# │ │ │ +# * if a list is defined under the `users` key and the user is not listed, then the user role assignment will be considered 'stale', │ │ │ +# * if the `users` key is not provided, the user role assignment will be preserved; │ │ │ +# - service and group role assignments will be considered 'stale': │ │ │ +# │ │ │ +# * if not included in the `services` and `groups` list, │ │ │ +# * if the `services` and `groups` keys are not provided. │ │ │ +# │ │ │ +# .. versionadded:: 5.0 │ │ │ +# Default: False │ │ │ +# c.Authenticator.reset_managed_roles_on_startup = False │ │ │ + │ │ │ +## Dictionary mapping authenticator usernames to JupyterHub users. │ │ │ +# │ │ │ +# Primarily used to normalize OAuth user names to local users. │ │ │ +# Default: {} │ │ │ +# c.Authenticator.username_map = {} │ │ │ + │ │ │ +## Regular expression pattern that all valid usernames must match. │ │ │ +# │ │ │ +# If a username does not match the pattern specified here, authentication will │ │ │ +# not be attempted. │ │ │ +# │ │ │ +# If not set, allow any username. │ │ │ +# Default: '' │ │ │ +# c.Authenticator.username_pattern = '' │ │ │ + │ │ │ +## Deprecated, use `Authenticator.allowed_users` │ │ │ +# Default: set() │ │ │ +# c.Authenticator.whitelist = set() │ │ │ + │ │ │ +#------------------------------------------------------------------------------ │ │ │ +# DummyAuthenticator(Authenticator) configuration │ │ │ +#------------------------------------------------------------------------------ │ │ │ +## Dummy Authenticator for testing │ │ │ +# │ │ │ +# By default, any username + password is allowed If a non-empty password is set, │ │ │ +# any username will be allowed if it logs in with that password. │ │ │ +# │ │ │ +# .. versionadded:: 1.0 │ │ │ +# │ │ │ +# .. versionadded:: 5.0 │ │ │ +# `allow_all` defaults to True, │ │ │ +# preserving default behavior. │ │ │ + │ │ │ +## │ │ │ +# See also: Authenticator.admin_users │ │ │ +# c.DummyAuthenticator.admin_users = set() │ │ │ + │ │ │ +## │ │ │ +# See also: Authenticator.allow_all │ │ │ +# c.DummyAuthenticator.allow_all = False │ │ │ + │ │ │ +## │ │ │ +# See also: Authenticator.allow_existing_users │ │ │ +# c.DummyAuthenticator.allow_existing_users = False │ │ │ + │ │ │ +## │ │ │ +# See also: Authenticator.allowed_users │ │ │ +# c.DummyAuthenticator.allowed_users = set() │ │ │ + │ │ │ +## Is there any allow config? │ │ │ +# See also: Authenticator.any_allow_config │ │ │ +# c.DummyAuthenticator.any_allow_config = False │ │ │ + │ │ │ +## The max age (in seconds) of authentication info │ │ │ +# See also: Authenticator.auth_refresh_age │ │ │ +# c.DummyAuthenticator.auth_refresh_age = 300 │ │ │ + │ │ │ +## Automatically begin the login process │ │ │ +# See also: Authenticator.auto_login │ │ │ +# c.DummyAuthenticator.auto_login = False │ │ │ + │ │ │ +## │ │ │ +# See also: Authenticator.auto_login_oauth2_authorize │ │ │ +# c.DummyAuthenticator.auto_login_oauth2_authorize = False │ │ │ + │ │ │ +## │ │ │ +# See also: Authenticator.blocked_users │ │ │ +# c.DummyAuthenticator.blocked_users = set() │ │ │ + │ │ │ +## Delete any users from the database that do not pass validation │ │ │ +# See also: Authenticator.delete_invalid_users │ │ │ +# c.DummyAuthenticator.delete_invalid_users = False │ │ │ + │ │ │ +## Enable persisting auth_state (if available). │ │ │ +# See also: Authenticator.enable_auth_state │ │ │ +# c.DummyAuthenticator.enable_auth_state = False │ │ │ + │ │ │ +## Let authenticator manage user groups │ │ │ +# See also: Authenticator.manage_groups │ │ │ +# c.DummyAuthenticator.manage_groups = False │ │ │ + │ │ │ +## Let authenticator manage roles │ │ │ +# See also: Authenticator.manage_roles │ │ │ +# c.DummyAuthenticator.manage_roles = False │ │ │ + │ │ │ +## │ │ │ +# See also: Authenticator.otp_prompt │ │ │ +# c.DummyAuthenticator.otp_prompt = 'OTP:' │ │ │ + │ │ │ +## Set a global password for all users wanting to log in. │ │ │ +# │ │ │ +# This allows users with any username to log in with the same static password. │ │ │ +# Default: '' │ │ │ +# c.DummyAuthenticator.password = '' │ │ │ + │ │ │ +## │ │ │ +# See also: Authenticator.post_auth_hook │ │ │ +# c.DummyAuthenticator.post_auth_hook = None │ │ │ + │ │ │ +## Force refresh of auth prior to spawn. │ │ │ +# See also: Authenticator.refresh_pre_spawn │ │ │ +# c.DummyAuthenticator.refresh_pre_spawn = False │ │ │ + │ │ │ +## │ │ │ +# See also: Authenticator.request_otp │ │ │ +# c.DummyAuthenticator.request_otp = False │ │ │ + │ │ │ +## Reset managed roles to result of `load_managed_roles()` on startup. │ │ │ +# See also: Authenticator.reset_managed_roles_on_startup │ │ │ +# c.DummyAuthenticator.reset_managed_roles_on_startup = False │ │ │ + │ │ │ +## Dictionary mapping authenticator usernames to JupyterHub users. │ │ │ +# See also: Authenticator.username_map │ │ │ +# c.DummyAuthenticator.username_map = {} │ │ │ + │ │ │ +## │ │ │ +# See also: Authenticator.username_pattern │ │ │ +# c.DummyAuthenticator.username_pattern = '' │ │ │ + │ │ │ +## Deprecated, use `Authenticator.allowed_users` │ │ │ +# See also: Authenticator.whitelist │ │ │ +# c.DummyAuthenticator.whitelist = set() │ │ │ + │ │ │ +#------------------------------------------------------------------------------ │ │ │ # Spawner(LoggingConfigurable) configuration │ │ │ #------------------------------------------------------------------------------ │ │ │ ## Base class for spawning single-user notebook servers. │ │ │ # │ │ │ # Subclass this, and override the following methods: │ │ │ # │ │ │ # - load_state - get_state - start - stop - poll │ │ │ @@ -1825,367 +2282,14 @@ │ │ │ # c.SimpleLocalProcessSpawner.start_timeout = 60 │ │ │ │ │ │ ## │ │ │ # See also: LocalProcessSpawner.term_timeout │ │ │ # c.SimpleLocalProcessSpawner.term_timeout = 5 │ │ │ │ │ │ #------------------------------------------------------------------------------ │ │ │ -# Authenticator(LoggingConfigurable) configuration │ │ │ -#------------------------------------------------------------------------------ │ │ │ -## Base class for implementing an authentication provider for JupyterHub │ │ │ - │ │ │ -## Set of users that will be granted admin rights on this JupyterHub. │ │ │ -# │ │ │ -# Note: │ │ │ -# │ │ │ -# As of JupyterHub 2.0, │ │ │ -# full admin rights should not be required, │ │ │ -# and more precise permissions can be managed via roles. │ │ │ -# │ │ │ -# Caution: │ │ │ -# │ │ │ -# Adding users to `admin_users` can only *grant* admin rights, │ │ │ -# removing a username from the admin_users set **DOES NOT** remove admin rights previously granted. │ │ │ -# │ │ │ -# For an authoritative, restricted set of admins, │ │ │ -# assign explicit membership of the `admin` *role*:: │ │ │ -# │ │ │ -# c.JupyterHub.load_roles = [ │ │ │ -# { │ │ │ -# "name": "admin", │ │ │ -# "users": ["admin1", "..."], │ │ │ -# } │ │ │ -# ] │ │ │ -# │ │ │ -# Admin users can take every possible action on behalf of all users, for │ │ │ -# example: │ │ │ -# │ │ │ -# - Use the admin panel to see list of users logged in - Add / remove users in │ │ │ -# some authenticators - Restart / halt the hub - Start / stop users' single-user │ │ │ -# servers - Can access each individual users' single-user server │ │ │ -# │ │ │ -# Admin access should be treated the same way root access is. │ │ │ -# │ │ │ -# Defaults to an empty set, in which case no user has admin access. │ │ │ -# Default: set() │ │ │ -# c.Authenticator.admin_users = set() │ │ │ - │ │ │ -## Allow every user who can successfully authenticate to access JupyterHub. │ │ │ -# │ │ │ -# False by default, which means for most Authenticators, _some_ allow-related │ │ │ -# configuration is required to allow users to log in. │ │ │ -# │ │ │ -# Authenticator subclasses may override the default with e.g.:: │ │ │ -# │ │ │ -# @default("allow_all") │ │ │ -# def _default_allow_all(self): │ │ │ -# # if _any_ auth config (depends on the Authenticator) │ │ │ -# if self.allowed_users or self.allowed_groups or self.allow_existing_users: │ │ │ -# return False │ │ │ -# else: │ │ │ -# return True │ │ │ -# │ │ │ -# .. versionadded:: 5.0 │ │ │ -# │ │ │ -# .. versionchanged:: 5.0 │ │ │ -# Prior to 5.0, `allow_all` wasn't defined on its own, │ │ │ -# and was instead implicitly True when no allow config was provided, │ │ │ -# i.e. `allowed_users` unspecified or empty on the base Authenticator class. │ │ │ -# │ │ │ -# To preserve pre-5.0 behavior, │ │ │ -# set `allow_all = True` if you have no other allow configuration. │ │ │ -# Default: False │ │ │ -# c.Authenticator.allow_all = False │ │ │ - │ │ │ -## Allow existing users to login. │ │ │ -# │ │ │ -# Defaults to True if `allowed_users` is set for historical reasons, and False │ │ │ -# otherwise. │ │ │ -# │ │ │ -# With this enabled, all users present in the JupyterHub database are allowed to │ │ │ -# login. This has the effect of any user who has _previously_ been allowed to │ │ │ -# login via any means will continue to be allowed until the user is deleted via │ │ │ -# the /hub/admin page or REST API. │ │ │ -# │ │ │ -# .. warning:: │ │ │ -# │ │ │ -# Before enabling this you should review the existing users in the │ │ │ -# JupyterHub admin panel at `/hub/admin`. You may find users existing │ │ │ -# there because they have previously been declared in config such as │ │ │ -# `allowed_users` or allowed to sign in. │ │ │ -# │ │ │ -# .. warning:: │ │ │ -# │ │ │ -# When this is enabled and you wish to remove access for one or more │ │ │ -# users previously allowed, you must make sure that they │ │ │ -# are removed from the jupyterhub database. This can be tricky to do │ │ │ -# if you stop allowing an externally managed group of users for example. │ │ │ -# │ │ │ -# With this enabled, JupyterHub admin users can visit `/hub/admin` or use │ │ │ -# JupyterHub's REST API to add and remove users to manage who can login. │ │ │ -# │ │ │ -# .. versionadded:: 5.0 │ │ │ -# Default: False │ │ │ -# c.Authenticator.allow_existing_users = False │ │ │ - │ │ │ -## Set of usernames that are allowed to log in. │ │ │ -# │ │ │ -# Use this to limit which authenticated users may login. Default behavior: only │ │ │ -# users in this set are allowed. │ │ │ -# │ │ │ -# If empty, does not perform any restriction, in which case any authenticated │ │ │ -# user is allowed. │ │ │ -# │ │ │ -# Authenticators may extend :meth:`.Authenticator.check_allowed` to combine │ │ │ -# `allowed_users` with other configuration to either expand or restrict access. │ │ │ -# │ │ │ -# .. versionchanged:: 1.2 │ │ │ -# `Authenticator.whitelist` renamed to `allowed_users` │ │ │ -# Default: set() │ │ │ -# c.Authenticator.allowed_users = set() │ │ │ - │ │ │ -## Is there any allow config? │ │ │ -# │ │ │ -# Used to show a warning if it looks like nobody can access the Hub, │ │ │ -# which can happen when upgrading to JupyterHub 5, │ │ │ -# now that `allow_all` defaults to False. │ │ │ -# │ │ │ -# Deployments can set this explicitly to True to suppress │ │ │ -# the "No allow config found" warning. │ │ │ -# │ │ │ -# Will be True if any config tagged with `.tag(allow_config=True)` │ │ │ -# or starts with `allow` is truthy. │ │ │ -# │ │ │ -# .. versionadded:: 5.0 │ │ │ -# Default: False │ │ │ -# c.Authenticator.any_allow_config = False │ │ │ - │ │ │ -## The max age (in seconds) of authentication info │ │ │ -# before forcing a refresh of user auth info. │ │ │ -# │ │ │ -# Refreshing auth info allows, e.g. requesting/re-validating auth │ │ │ -# tokens. │ │ │ -# │ │ │ -# See :meth:`.refresh_user` for what happens when user auth info is refreshed │ │ │ -# (nothing by default). │ │ │ -# Default: 300 │ │ │ -# c.Authenticator.auth_refresh_age = 300 │ │ │ - │ │ │ -## Automatically begin the login process │ │ │ -# │ │ │ -# rather than starting with a "Login with..." link at `/hub/login` │ │ │ -# │ │ │ -# To work, `.login_url()` must give a URL other than the default `/hub/login`, │ │ │ -# such as an oauth handler or another automatic login handler, │ │ │ -# registered with `.get_handlers()`. │ │ │ -# │ │ │ -# .. versionadded:: 0.8 │ │ │ -# Default: False │ │ │ -# c.Authenticator.auto_login = False │ │ │ - │ │ │ -## Automatically begin login process for OAuth2 authorization requests │ │ │ -# │ │ │ -# When another application is using JupyterHub as OAuth2 provider, it sends │ │ │ -# users to `/hub/api/oauth2/authorize`. If the user isn't logged in already, and │ │ │ -# auto_login is not set, the user will be dumped on the hub's home page, without │ │ │ -# any context on what to do next. │ │ │ -# │ │ │ -# Setting this to true will automatically redirect users to login if they aren't │ │ │ -# logged in *only* on the `/hub/api/oauth2/authorize` endpoint. │ │ │ -# │ │ │ -# .. versionadded:: 1.5 │ │ │ -# Default: False │ │ │ -# c.Authenticator.auto_login_oauth2_authorize = False │ │ │ - │ │ │ -## Set of usernames that are not allowed to log in. │ │ │ -# │ │ │ -# Use this with supported authenticators to restrict which users can not log in. │ │ │ -# This is an additional block list that further restricts users, beyond whatever │ │ │ -# restrictions the authenticator has in place. │ │ │ -# │ │ │ -# If empty, does not perform any additional restriction. │ │ │ -# │ │ │ -# .. versionadded: 0.9 │ │ │ -# │ │ │ -# .. versionchanged:: 5.2 │ │ │ -# Users blocked via `blocked_users` that may have logged in in the past │ │ │ -# have all permissions and group membership revoked │ │ │ -# and all servers stopped at JupyterHub startup. │ │ │ -# Previously, User permissions (e.g. API tokens) │ │ │ -# and servers were unaffected and required additional │ │ │ -# administrator operations to block after a user is added to `blocked_users`. │ │ │ -# │ │ │ -# .. versionchanged:: 1.2 │ │ │ -# `Authenticator.blacklist` renamed to `blocked_users` │ │ │ -# Default: set() │ │ │ -# c.Authenticator.blocked_users = set() │ │ │ - │ │ │ -## Delete any users from the database that do not pass validation │ │ │ -# │ │ │ -# When JupyterHub starts, `.add_user` will be called │ │ │ -# on each user in the database to verify that all users are still valid. │ │ │ -# │ │ │ -# If `delete_invalid_users` is True, │ │ │ -# any users that do not pass validation will be deleted from the database. │ │ │ -# Use this if users might be deleted from an external system, │ │ │ -# such as local user accounts. │ │ │ -# │ │ │ -# If False (default), invalid users remain in the Hub's database │ │ │ -# and a warning will be issued. │ │ │ -# This is the default to avoid data loss due to config changes. │ │ │ -# Default: False │ │ │ -# c.Authenticator.delete_invalid_users = False │ │ │ - │ │ │ -## Enable persisting auth_state (if available). │ │ │ -# │ │ │ -# auth_state will be encrypted and stored in the Hub's database. │ │ │ -# This can include things like authentication tokens, etc. │ │ │ -# to be passed to Spawners as environment variables. │ │ │ -# │ │ │ -# Encrypting auth_state requires the cryptography package. │ │ │ -# │ │ │ -# Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must │ │ │ -# contain one (or more, separated by ;) 32B encryption keys. │ │ │ -# These can be either base64 or hex-encoded. │ │ │ -# │ │ │ -# If encryption is unavailable, auth_state cannot be persisted. │ │ │ -# │ │ │ -# New in JupyterHub 0.8 │ │ │ -# Default: False │ │ │ -# c.Authenticator.enable_auth_state = False │ │ │ - │ │ │ -## Let authenticator manage user groups │ │ │ -# │ │ │ -# If True, Authenticator.authenticate and/or .refresh_user │ │ │ -# may return a list of group names in the 'groups' field, │ │ │ -# which will be assigned to the user. │ │ │ -# │ │ │ -# All group-assignment APIs are disabled if this is True. │ │ │ -# Default: False │ │ │ -# c.Authenticator.manage_groups = False │ │ │ - │ │ │ -## Let authenticator manage roles │ │ │ -# │ │ │ -# If True, Authenticator.authenticate and/or .refresh_user │ │ │ -# may return a list of roles in the 'roles' field, │ │ │ -# which will be added to the database. │ │ │ -# │ │ │ -# When enabled, all role management will be handled by the │ │ │ -# authenticator; in particular, assignment of roles via │ │ │ -# `JupyterHub.load_roles` traitlet will not be possible. │ │ │ -# │ │ │ -# .. versionadded:: 5.0 │ │ │ -# Default: False │ │ │ -# c.Authenticator.manage_roles = False │ │ │ - │ │ │ -## The prompt string for the extra OTP (One Time Password) field. │ │ │ -# │ │ │ -# .. versionadded:: 5.0 │ │ │ -# Default: 'OTP:' │ │ │ -# c.Authenticator.otp_prompt = 'OTP:' │ │ │ - │ │ │ -## An optional hook function that you can implement to do some bootstrapping work │ │ │ -# during authentication. For example, loading user account details from an │ │ │ -# external system. │ │ │ -# │ │ │ -# This function is called after the user has passed all authentication checks │ │ │ -# and is ready to successfully authenticate. This function must return the │ │ │ -# auth_model dict reguardless of changes to it. The hook is called with 3 │ │ │ -# positional arguments: `(authenticator, handler, auth_model)`. │ │ │ -# │ │ │ -# This may be a coroutine. │ │ │ -# │ │ │ -# .. versionadded: 1.0 │ │ │ -# │ │ │ -# Example:: │ │ │ -# │ │ │ -# import os │ │ │ -# import pwd │ │ │ -# def my_hook(authenticator, handler, auth_model): │ │ │ -# user_data = pwd.getpwnam(auth_model['name']) │ │ │ -# spawn_data = { │ │ │ -# 'pw_data': user_data │ │ │ -# 'gid_list': os.getgrouplist(auth_model['name'], user_data.pw_gid) │ │ │ -# } │ │ │ -# │ │ │ -# if auth_model['auth_state'] is None: │ │ │ -# auth_model['auth_state'] = {} │ │ │ -# auth_model['auth_state']['spawn_data'] = spawn_data │ │ │ -# │ │ │ -# return auth_model │ │ │ -# │ │ │ -# c.Authenticator.post_auth_hook = my_hook │ │ │ -# Default: None │ │ │ -# c.Authenticator.post_auth_hook = None │ │ │ - │ │ │ -## Force refresh of auth prior to spawn. │ │ │ -# │ │ │ -# This forces :meth:`.refresh_user` to be called prior to launching │ │ │ -# a server, to ensure that auth state is up-to-date. │ │ │ -# │ │ │ -# This can be important when e.g. auth tokens that may have expired │ │ │ -# are passed to the spawner via environment variables from auth_state. │ │ │ -# │ │ │ -# If refresh_user cannot refresh the user auth data, │ │ │ -# launch will fail until the user logs in again. │ │ │ -# Default: False │ │ │ -# c.Authenticator.refresh_pre_spawn = False │ │ │ - │ │ │ -## Prompt for OTP (One Time Password) in the login form. │ │ │ -# │ │ │ -# .. versionadded:: 5.0 │ │ │ -# Default: False │ │ │ -# c.Authenticator.request_otp = False │ │ │ - │ │ │ -## Reset managed roles to result of `load_managed_roles()` on startup. │ │ │ -# │ │ │ -# If True: │ │ │ -# - stale managed roles will be removed, │ │ │ -# - stale assignments to managed roles will be removed. │ │ │ -# │ │ │ -# Any role not present in `load_managed_roles()` will be considered │ │ │ -# 'stale'. │ │ │ -# │ │ │ -# The 'stale' status for role assignments is also determined from │ │ │ -# `load_managed_roles()` result: │ │ │ -# │ │ │ -# - user role assignments status will depend on whether the `users` key │ │ │ -# is defined or not: │ │ │ -# │ │ │ -# * if a list is defined under the `users` key and the user is not listed, then the user role assignment will be considered 'stale', │ │ │ -# * if the `users` key is not provided, the user role assignment will be preserved; │ │ │ -# - service and group role assignments will be considered 'stale': │ │ │ -# │ │ │ -# * if not included in the `services` and `groups` list, │ │ │ -# * if the `services` and `groups` keys are not provided. │ │ │ -# │ │ │ -# .. versionadded:: 5.0 │ │ │ -# Default: False │ │ │ -# c.Authenticator.reset_managed_roles_on_startup = False │ │ │ - │ │ │ -## Dictionary mapping authenticator usernames to JupyterHub users. │ │ │ -# │ │ │ -# Primarily used to normalize OAuth user names to local users. │ │ │ -# Default: {} │ │ │ -# c.Authenticator.username_map = {} │ │ │ - │ │ │ -## Regular expression pattern that all valid usernames must match. │ │ │ -# │ │ │ -# If a username does not match the pattern specified here, authentication will │ │ │ -# not be attempted. │ │ │ -# │ │ │ -# If not set, allow any username. │ │ │ -# Default: '' │ │ │ -# c.Authenticator.username_pattern = '' │ │ │ - │ │ │ -## Deprecated, use `Authenticator.allowed_users` │ │ │ -# Default: set() │ │ │ -# c.Authenticator.whitelist = set() │ │ │ - │ │ │ -#------------------------------------------------------------------------------ │ │ │ # NullAuthenticator(Authenticator) configuration │ │ │ #------------------------------------------------------------------------------ │ │ │ ## Null Authenticator for JupyterHub │ │ │ # │ │ │ # For cases where authentication should be disabled, e.g. only allowing access │ │ │ # via API tokens. │ │ │ # │ │ │ @@ -2268,28 +2372,14 @@ │ │ │ # c.NullAuthenticator.username_pattern = '' │ │ │ │ │ │ ## Deprecated, use `Authenticator.allowed_users` │ │ │ # See also: Authenticator.whitelist │ │ │ # c.NullAuthenticator.whitelist = set() │ │ │ │ │ │ #------------------------------------------------------------------------------ │ │ │ -# CryptKeeper(SingletonConfigurable) configuration │ │ │ -#------------------------------------------------------------------------------ │ │ │ -## Encapsulate encryption configuration │ │ │ -# │ │ │ -# Use via the encryption_config singleton below. │ │ │ - │ │ │ -# Default: [] │ │ │ -# c.CryptKeeper.keys = [] │ │ │ - │ │ │ -## The number of threads to allocate for encryption │ │ │ -# Default: 6 │ │ │ -# c.CryptKeeper.n_threads = 6 │ │ │ - │ │ │ -#------------------------------------------------------------------------------ │ │ │ # LocalAuthenticator(Authenticator) configuration │ │ │ #------------------------------------------------------------------------------ │ │ │ ## Base class for Authenticators that work with local Linux/UNIX users │ │ │ # │ │ │ # Checks for local users, and can attempt to create them if they exist. │ │ │ │ │ │ ## The command to use for creating users as a list of strings │ │ │ @@ -2699,109 +2789,19 @@ │ │ │ # c.ConfigurableHTTPProxy.pid_file = 'jupyterhub-proxy.pid' │ │ │ │ │ │ ## Should the Hub start the proxy │ │ │ # See also: Proxy.should_start │ │ │ # c.ConfigurableHTTPProxy.should_start = True │ │ │ │ │ │ #------------------------------------------------------------------------------ │ │ │ -# DummyAuthenticator(Authenticator) configuration │ │ │ +# CryptKeeper(SingletonConfigurable) configuration │ │ │ #------------------------------------------------------------------------------ │ │ │ -## Dummy Authenticator for testing │ │ │ -# │ │ │ -# By default, any username + password is allowed If a non-empty password is set, │ │ │ -# any username will be allowed if it logs in with that password. │ │ │ -# │ │ │ -# .. versionadded:: 1.0 │ │ │ -# │ │ │ -# .. versionadded:: 5.0 │ │ │ -# `allow_all` defaults to True, │ │ │ -# preserving default behavior. │ │ │ - │ │ │ -## │ │ │ -# See also: Authenticator.admin_users │ │ │ -# c.DummyAuthenticator.admin_users = set() │ │ │ - │ │ │ -## │ │ │ -# See also: Authenticator.allow_all │ │ │ -# c.DummyAuthenticator.allow_all = False │ │ │ - │ │ │ -## │ │ │ -# See also: Authenticator.allow_existing_users │ │ │ -# c.DummyAuthenticator.allow_existing_users = False │ │ │ - │ │ │ -## │ │ │ -# See also: Authenticator.allowed_users │ │ │ -# c.DummyAuthenticator.allowed_users = set() │ │ │ - │ │ │ -## Is there any allow config? │ │ │ -# See also: Authenticator.any_allow_config │ │ │ -# c.DummyAuthenticator.any_allow_config = False │ │ │ - │ │ │ -## The max age (in seconds) of authentication info │ │ │ -# See also: Authenticator.auth_refresh_age │ │ │ -# c.DummyAuthenticator.auth_refresh_age = 300 │ │ │ - │ │ │ -## Automatically begin the login process │ │ │ -# See also: Authenticator.auto_login │ │ │ -# c.DummyAuthenticator.auto_login = False │ │ │ - │ │ │ -## │ │ │ -# See also: Authenticator.auto_login_oauth2_authorize │ │ │ -# c.DummyAuthenticator.auto_login_oauth2_authorize = False │ │ │ - │ │ │ -## │ │ │ -# See also: Authenticator.blocked_users │ │ │ -# c.DummyAuthenticator.blocked_users = set() │ │ │ - │ │ │ -## Delete any users from the database that do not pass validation │ │ │ -# See also: Authenticator.delete_invalid_users │ │ │ -# c.DummyAuthenticator.delete_invalid_users = False │ │ │ - │ │ │ -## Enable persisting auth_state (if available). │ │ │ -# See also: Authenticator.enable_auth_state │ │ │ -# c.DummyAuthenticator.enable_auth_state = False │ │ │ - │ │ │ -## Let authenticator manage user groups │ │ │ -# See also: Authenticator.manage_groups │ │ │ -# c.DummyAuthenticator.manage_groups = False │ │ │ - │ │ │ -## Let authenticator manage roles │ │ │ -# See also: Authenticator.manage_roles │ │ │ -# c.DummyAuthenticator.manage_roles = False │ │ │ - │ │ │ -## │ │ │ -# See also: Authenticator.otp_prompt │ │ │ -# c.DummyAuthenticator.otp_prompt = 'OTP:' │ │ │ - │ │ │ -## Set a global password for all users wanting to log in. │ │ │ +## Encapsulate encryption configuration │ │ │ # │ │ │ -# This allows users with any username to log in with the same static password. │ │ │ -# Default: '' │ │ │ -# c.DummyAuthenticator.password = '' │ │ │ - │ │ │ -## │ │ │ -# See also: Authenticator.post_auth_hook │ │ │ -# c.DummyAuthenticator.post_auth_hook = None │ │ │ - │ │ │ -## Force refresh of auth prior to spawn. │ │ │ -# See also: Authenticator.refresh_pre_spawn │ │ │ -# c.DummyAuthenticator.refresh_pre_spawn = False │ │ │ - │ │ │ -## │ │ │ -# See also: Authenticator.request_otp │ │ │ -# c.DummyAuthenticator.request_otp = False │ │ │ - │ │ │ -## Reset managed roles to result of `load_managed_roles()` on startup. │ │ │ -# See also: Authenticator.reset_managed_roles_on_startup │ │ │ -# c.DummyAuthenticator.reset_managed_roles_on_startup = False │ │ │ - │ │ │ -## Dictionary mapping authenticator usernames to JupyterHub users. │ │ │ -# See also: Authenticator.username_map │ │ │ -# c.DummyAuthenticator.username_map = {} │ │ │ +# Use via the encryption_config singleton below. │ │ │ │ │ │ -## │ │ │ -# See also: Authenticator.username_pattern │ │ │ -# c.DummyAuthenticator.username_pattern = '' │ │ │ +# Default: [] │ │ │ +# c.CryptKeeper.keys = [] │ │ │ │ │ │ -## Deprecated, use `Authenticator.allowed_users` │ │ │ -# See also: Authenticator.whitelist │ │ │ -# c.DummyAuthenticator.whitelist = set() │ │ │ +## The number of threads to allocate for encryption │ │ │ +# Default: 16 │ │ │ +# c.CryptKeeper.n_threads = 16