kerberosauthenticator¶
An Authenticator for JupyterHub that authenticates using Kerberos.
Installation¶
kerberosauthenticator
should be installed in the same Python environment as
the JupyterHub server.
Install with Pip:
pip install jupyterhub-kerberosauthenticator
Install from source:
pip install git+https://github.com/jupyterhub/kerberosauthenticator.git
Configuration¶
Kerberos authentication requires a keytab for the HTTP
service principle
for the host running JupyterHub. Keytabs can be created on the command-line as
follows:
$ kadmin -q "addprinc -randkey HTTP/FQDN"
$ kadmin -q "xst -norandkey -k HTTP.keytab HTTP/FQDN"
where FQDN
is the fully qualified domain name of the host running
JupyterHub. This keytab should be readable only by admins and other services
that may need it, and is typically stored with the JupyterHub configuration at
/etc/jupyterhub/HTTP.keytab
:
# Move the keytab to some expected location
$ mv HTTP.keytab /etc/jupyterhub/HTTP.keytab
# Make the keytab readable/writable only by jupyterhub and the admin group
$ chmod 440 /etc/jupyterhub/HTTP.keytab
$ chown jupyterhub:admin /etc/jupyterhub/HTTP.keytab
To enable kerberosauthenticator
, add the following lines to your
jupyterhub_config.py
:
c.JupyterHub.authenticator_class = 'kerberosauthenticator.KerberosAuthenticator'
c.JupyterHub.keytab = '/etc/jupyterhub/HTTP.keytab'
For many systems these parameters will be sufficient. Authenticators support several other options such as whitelists or post-auth hooks. For more information on all configuration options, see Configuration Options.
Enabling Kerberos Authentication in Your Browser¶
For Kerberos authentication to work properly, you usually have to enable support for it in your browser. For more information see this guide from Cloudera.
Additional Resources¶
If you’re interested in kerberosauthenticator
, you may also be interested
in a few other libraries:
ldapauthenticator: A JupyterHub authenticator that uses LDAP.
jhub_remote_user_authenticator: A JupyterHub authenticator that uses the
REMOTE_USER
header, intended to be used with authenticaticating proxies.
A (not complete) list of other authenticators can be found in the JupyterHub Wiki.