Configuration Options

KerberosAuthenticator

class kerberosauthenticator.KerberosAuthenticator(*args: t.Any, **kwargs: t.Any)

Kerberos Authenticator for JupyterHub

admin_users c.KerberosAuthenticator.admin_users = Set()

Set of users that will be granted admin rights on this JupyterHub.

Note

As of JupyterHub 2.0, full admin rights should not be required, and more precise permissions can be managed via roles.

Caution

Adding users to admin_users can only grant admin rights, removing a username from the admin_users set DOES NOT remove admin rights previously granted.

For an authoritative, restricted set of admins, assign explicit membership of the admin role:

c.JupyterHub.load_roles = [
    {
        "name": "admin",
        "users": ["admin1", "..."],
    }
]

Admin users can take every possible action on behalf of all users, for example:

  • Use the admin panel to see list of users logged in

  • Add / remove users in some authenticators

  • Restart / halt the hub

  • Start / stop users’ single-user servers

  • Can access each individual users’ single-user server

Admin access should be treated the same way root access is.

Defaults to an empty set, in which case no user has admin access.

allow_all c.KerberosAuthenticator.allow_all = Bool(False)

Allow every user who can successfully authenticate to access JupyterHub.

False by default, which means for most Authenticators, _some_ allow-related configuration is required to allow users to log in.

Authenticator subclasses may override the default with e.g.:

from traitlets import default
@default("allow_all")
def _default_allow_all(self):
    # if _any_ auth config (depends on the Authenticator)
    if self.allowed_users or self.allowed_groups or self.allow_existing_users:
        return False
    else:
        return True

Added in version 5.0.

Changed in version 5.0: Prior to 5.0, allow_all wasn’t defined on its own, and was instead implicitly True when no allow config was provided, i.e. allowed_users unspecified or empty on the base Authenticator class.

To preserve pre-5.0 behavior, set allow_all = True if you have no other allow configuration.

allow_existing_users c.KerberosAuthenticator.allow_existing_users = Bool(False)

Allow existing users to login.

Defaults to True if allowed_users is set for historical reasons, and False otherwise.

With this enabled, all users present in the JupyterHub database are allowed to login. This has the effect of any user who has _previously_ been allowed to login via any means will continue to be allowed until the user is deleted via the /hub/admin page or REST API.

Warning

Before enabling this you should review the existing users in the JupyterHub admin panel at /hub/admin. You may find users existing there because they have previously been declared in config such as allowed_users or allowed to sign in.

Warning

When this is enabled and you wish to remove access for one or more users previously allowed, you must make sure that they are removed from the jupyterhub database. This can be tricky to do if you stop allowing an externally managed group of users for example.

With this enabled, JupyterHub admin users can visit /hub/admin or use JupyterHub’s REST API to add and remove users to manage who can login.

Added in version 5.0.

allowed_users c.KerberosAuthenticator.allowed_users = Set()

Set of usernames that are allowed to log in.

Use this to limit which authenticated users may login. Default behavior: only users in this set are allowed.

If empty, does not perform any restriction, in which case any authenticated user is allowed.

Authenticators may extend Authenticator.check_allowed() to combine allowed_users with other configuration to either expand or restrict access.

Changed in version 1.2: Authenticator.whitelist renamed to allowed_users

any_allow_config c.KerberosAuthenticator.any_allow_config = Bool(False)

Is there any allow config?

Used to show a warning if it looks like nobody can access the Hub, which can happen when upgrading to JupyterHub 5, now that allow_all defaults to False.

Deployments can set this explicitly to True to suppress the “No allow config found” warning.

Will be True if any config tagged with .tag(allow_config=True) or starts with allow is truthy.

Added in version 5.0.

auth_refresh_age c.KerberosAuthenticator.auth_refresh_age = Int(300)

The max age (in seconds) of authentication info before forcing a refresh of user auth info.

Authenticators that support it may re-load managed groups, refresh auth tokens, etc., or force a new login if auth info cannot be refreshed.

See refresh_user() for what happens when user auth info is refreshed, which varies by authenticator. If an Authenticator does not implement refresh_user, auth info will never be considered stale.

Set auth_refresh_age = 0 to disable time-based calls to refresh_user. You can still use refresh_pre_spawn or refresh_pre_stop if auth_refresh_age is disabled.

auto_login c.KerberosAuthenticator.auto_login = Bool(False)

Automatically begin the login process

rather than starting with a “Login with…” link at /hub/login

To work, .login_url() must give a URL other than the default /hub/login, such as an oauth handler or another automatic login handler, registered with .get_handlers().

Added in version 0.8.

auto_login_oauth2_authorize c.KerberosAuthenticator.auto_login_oauth2_authorize = Bool(False)

Automatically begin login process for OAuth2 authorization requests

When another application is using JupyterHub as OAuth2 provider, it sends users to /hub/api/oauth2/authorize. If the user isn’t logged in already, and auto_login is not set, the user will be dumped on the hub’s home page, without any context on what to do next.

Setting this to true will automatically redirect users to login if they aren’t logged in only on the /hub/api/oauth2/authorize endpoint.

Added in version 1.5.

blocked_users c.KerberosAuthenticator.blocked_users = Set()

Set of usernames that are not allowed to log in.

Use this with supported authenticators to restrict which users can not log in. This is an additional block list that further restricts users, beyond whatever restrictions the authenticator has in place.

If empty, does not perform any additional restriction.

Changed in version 5.2: Users blocked via blocked_users that may have logged in in the past have all permissions and group membership revoked and all servers stopped at JupyterHub startup. Previously, User permissions (e.g. API tokens) and servers were unaffected and required additional administrator operations to block after a user is added to blocked_users.

Changed in version 1.2: Authenticator.blacklist renamed to blocked_users

delete_invalid_users c.KerberosAuthenticator.delete_invalid_users = Bool(False)

Delete any users from the database that do not pass validation

When JupyterHub starts, .add_user will be called on each user in the database to verify that all users are still valid.

If delete_invalid_users is True, any users that do not pass validation will be deleted from the database. Use this if users might be deleted from an external system, such as local user accounts.

If False (default), invalid users remain in the Hub’s database and a warning will be issued. This is the default to avoid data loss due to config changes.

enable_auth_state c.KerberosAuthenticator.enable_auth_state = Bool(False)

Enable persisting auth_state (if available).

auth_state will be encrypted and stored in the Hub’s database. This can include things like authentication tokens, etc. to be passed to Spawners as environment variables.

Encrypting auth_state requires the cryptography package.

Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must contain one (or more, separated by ;) 32B encryption keys. These can be either base64 or hex-encoded.

If encryption is unavailable, auth_state cannot be persisted.

New in JupyterHub 0.8

keytab c.KerberosAuthenticator.keytab = Unicode('HTTP.keytab')

The path to the keytab file

manage_groups c.KerberosAuthenticator.manage_groups = Bool(False)

Let authenticator manage user groups

If True, Authenticator.authenticate and/or .refresh_user may return a list of group names in the ‘groups’ field, which will be assigned to the user.

All group-assignment APIs are disabled if this is True.

manage_roles c.KerberosAuthenticator.manage_roles = Bool(False)

Let authenticator manage roles

If True, Authenticator.authenticate and/or .refresh_user may return a list of roles in the ‘roles’ field, which will be added to the database.

When enabled, all role management will be handled by the authenticator; in particular, assignment of roles via JupyterHub.load_roles traitlet will not be possible.

Added in version 5.0.

otp_prompt c.KerberosAuthenticator.otp_prompt = Any('OTP:')

The prompt string for the extra OTP (One Time Password) field.

Added in version 5.0.

post_auth_hook c.KerberosAuthenticator.post_auth_hook = Any(None)

An optional hook function that you can implement to do some bootstrapping work during authentication. For example, loading user account details from an external system.

This function is called after the user has passed all authentication checks and is ready to successfully authenticate. This function must return the auth_model dict reguardless of changes to it. The hook is called with 3 positional arguments: (authenticator, handler, auth_model).

This may be a coroutine.

Example:

import os
import pwd
def my_hook(authenticator, handler, auth_model):
    user_data = pwd.getpwnam(auth_model['name'])
    spawn_data = {
        'pw_data': user_data
        'gid_list': os.getgrouplist(auth_model['name'], user_data.pw_gid)
    }

    if auth_model['auth_state'] is None:
        auth_model['auth_state'] = {}
    auth_model['auth_state']['spawn_data'] = spawn_data

    return auth_model

c.Authenticator.post_auth_hook = my_hook
refresh_pre_spawn c.KerberosAuthenticator.refresh_pre_spawn = Bool(False)

Force refresh of auth prior to spawn.

This forces refresh_user() to be called prior to launching a server, to ensure that auth state is up-to-date.

This can be important when e.g. auth tokens that may have expired are passed to the spawner via environment variables from auth_state.

If refresh_user cannot refresh the user auth data, launch will fail until the user logs in again.

refresh_pre_stop c.KerberosAuthenticator.refresh_pre_stop = Bool(False)

Force refresh of auth prior to stop.

This forces refresh_user() to be called prior to stopping a server, to ensure that auth state is up-to-date.

This can be important when e.g. auth tokens stored in auth_state may have expired, but are a required part of the Spawner’s shutdown steps.

If refresh_user cannot refresh the user auth data, stop will fail until the user logs in again. If an admin initiates the stop, it will proceed regardless.

Added in version 5.4.

request_otp c.KerberosAuthenticator.request_otp = Bool(False)

Prompt for OTP (One Time Password) in the login form.

Added in version 5.0.

reset_managed_roles_on_startup c.KerberosAuthenticator.reset_managed_roles_on_startup = Bool(False)

Reset managed roles to result of load_managed_roles() on startup.

If True:

  • stale managed roles will be removed,

  • stale assignments to managed roles will be removed.

Any role not present in load_managed_roles() will be considered ‘stale’.

The ‘stale’ status for role assignments is also determined from load_managed_roles() result:

  • user role assignments status will depend on whether the users key is defined or not:

    • if a list is defined under the users key and the user is not listed, then the user role assignment will be considered ‘stale’,

    • if the users key is not provided, the user role assignment will be preserved;

  • service and group role assignments will be considered ‘stale’:

    • if not included in the services and groups list,

    • if the services and groups keys are not provided.

Added in version 5.0.

service_name c.KerberosAuthenticator.service_name = Unicode('HTTP')

The service’s kerberos principal name.

This is almost always “HTTP” (the default)

username_map c.KerberosAuthenticator.username_map = Dict()

Dictionary mapping authenticator usernames to JupyterHub users.

Primarily used to normalize OAuth user names to local users.

username_pattern c.KerberosAuthenticator.username_pattern = Unicode('')

Regular expression pattern that all valid usernames must match.

If a username does not match the pattern specified here, authentication will not be attempted.

If not set, allow any username.

whitelist c.KerberosAuthenticator.whitelist = Set()

Deprecated, use Authenticator.allowed_users

KerberosLocalAuthenticator

class kerberosauthenticator.KerberosLocalAuthenticator(*args: t.Any, **kwargs: t.Any)

Kerberos local authenticator for JupyterHub

Checks for local users, and can attempt to create them if they don’t exist.

add_user_cmd c.KerberosLocalAuthenticator.add_user_cmd = Command()

The command to use for creating users as a list of strings

For each element in the list, the string USERNAME will be replaced with the user’s username. The username will also be appended as the final argument.

For Linux, the default value is:

[‘adduser’, ‘-q’, ‘–gecos’, ‘””’, ‘–disabled-password’]

To specify a custom home directory, set this to:

[‘adduser’, ‘-q’, ‘–gecos’, ‘””’, ‘–home’, ‘/customhome/USERNAME’, ‘–disabled-password’]

This will run the command:

adduser -q –gecos “” –home /customhome/river –disabled-password river

when the user ‘river’ is created.

admin_users c.KerberosLocalAuthenticator.admin_users = Set()

Set of users that will be granted admin rights on this JupyterHub.

Note

As of JupyterHub 2.0, full admin rights should not be required, and more precise permissions can be managed via roles.

Caution

Adding users to admin_users can only grant admin rights, removing a username from the admin_users set DOES NOT remove admin rights previously granted.

For an authoritative, restricted set of admins, assign explicit membership of the admin role:

c.JupyterHub.load_roles = [
    {
        "name": "admin",
        "users": ["admin1", "..."],
    }
]

Admin users can take every possible action on behalf of all users, for example:

  • Use the admin panel to see list of users logged in

  • Add / remove users in some authenticators

  • Restart / halt the hub

  • Start / stop users’ single-user servers

  • Can access each individual users’ single-user server

Admin access should be treated the same way root access is.

Defaults to an empty set, in which case no user has admin access.

allow_all c.KerberosLocalAuthenticator.allow_all = Bool(False)

Allow every user who can successfully authenticate to access JupyterHub.

False by default, which means for most Authenticators, _some_ allow-related configuration is required to allow users to log in.

Authenticator subclasses may override the default with e.g.:

from traitlets import default
@default("allow_all")
def _default_allow_all(self):
    # if _any_ auth config (depends on the Authenticator)
    if self.allowed_users or self.allowed_groups or self.allow_existing_users:
        return False
    else:
        return True

Added in version 5.0.

Changed in version 5.0: Prior to 5.0, allow_all wasn’t defined on its own, and was instead implicitly True when no allow config was provided, i.e. allowed_users unspecified or empty on the base Authenticator class.

To preserve pre-5.0 behavior, set allow_all = True if you have no other allow configuration.

allow_existing_users c.KerberosLocalAuthenticator.allow_existing_users = Bool(False)

Allow existing users to login.

Defaults to True if allowed_users is set for historical reasons, and False otherwise.

With this enabled, all users present in the JupyterHub database are allowed to login. This has the effect of any user who has _previously_ been allowed to login via any means will continue to be allowed until the user is deleted via the /hub/admin page or REST API.

Warning

Before enabling this you should review the existing users in the JupyterHub admin panel at /hub/admin. You may find users existing there because they have previously been declared in config such as allowed_users or allowed to sign in.

Warning

When this is enabled and you wish to remove access for one or more users previously allowed, you must make sure that they are removed from the jupyterhub database. This can be tricky to do if you stop allowing an externally managed group of users for example.

With this enabled, JupyterHub admin users can visit /hub/admin or use JupyterHub’s REST API to add and remove users to manage who can login.

Added in version 5.0.

allowed_groups c.KerberosLocalAuthenticator.allowed_groups = Set()

Allow login from all users in these UNIX groups.

Changed in version 5.0: allowed_groups may be specified together with allowed_users, to grant access by group OR name.

allowed_users c.KerberosLocalAuthenticator.allowed_users = Set()

Set of usernames that are allowed to log in.

Use this to limit which authenticated users may login. Default behavior: only users in this set are allowed.

If empty, does not perform any restriction, in which case any authenticated user is allowed.

Authenticators may extend Authenticator.check_allowed() to combine allowed_users with other configuration to either expand or restrict access.

Changed in version 1.2: Authenticator.whitelist renamed to allowed_users

any_allow_config c.KerberosLocalAuthenticator.any_allow_config = Bool(False)

Is there any allow config?

Used to show a warning if it looks like nobody can access the Hub, which can happen when upgrading to JupyterHub 5, now that allow_all defaults to False.

Deployments can set this explicitly to True to suppress the “No allow config found” warning.

Will be True if any config tagged with .tag(allow_config=True) or starts with allow is truthy.

Added in version 5.0.

auth_refresh_age c.KerberosLocalAuthenticator.auth_refresh_age = Int(300)

The max age (in seconds) of authentication info before forcing a refresh of user auth info.

Authenticators that support it may re-load managed groups, refresh auth tokens, etc., or force a new login if auth info cannot be refreshed.

See refresh_user() for what happens when user auth info is refreshed, which varies by authenticator. If an Authenticator does not implement refresh_user, auth info will never be considered stale.

Set auth_refresh_age = 0 to disable time-based calls to refresh_user. You can still use refresh_pre_spawn or refresh_pre_stop if auth_refresh_age is disabled.

auto_login c.KerberosLocalAuthenticator.auto_login = Bool(False)

Automatically begin the login process

rather than starting with a “Login with…” link at /hub/login

To work, .login_url() must give a URL other than the default /hub/login, such as an oauth handler or another automatic login handler, registered with .get_handlers().

Added in version 0.8.

auto_login_oauth2_authorize c.KerberosLocalAuthenticator.auto_login_oauth2_authorize = Bool(False)

Automatically begin login process for OAuth2 authorization requests

When another application is using JupyterHub as OAuth2 provider, it sends users to /hub/api/oauth2/authorize. If the user isn’t logged in already, and auto_login is not set, the user will be dumped on the hub’s home page, without any context on what to do next.

Setting this to true will automatically redirect users to login if they aren’t logged in only on the /hub/api/oauth2/authorize endpoint.

Added in version 1.5.

blocked_users c.KerberosLocalAuthenticator.blocked_users = Set()

Set of usernames that are not allowed to log in.

Use this with supported authenticators to restrict which users can not log in. This is an additional block list that further restricts users, beyond whatever restrictions the authenticator has in place.

If empty, does not perform any additional restriction.

Changed in version 5.2: Users blocked via blocked_users that may have logged in in the past have all permissions and group membership revoked and all servers stopped at JupyterHub startup. Previously, User permissions (e.g. API tokens) and servers were unaffected and required additional administrator operations to block after a user is added to blocked_users.

Changed in version 1.2: Authenticator.blacklist renamed to blocked_users

create_system_users c.KerberosLocalAuthenticator.create_system_users = Bool(False)

If set to True, will attempt to create local system users if they do not exist already.

Supports Linux and BSD variants only.

delete_invalid_users c.KerberosLocalAuthenticator.delete_invalid_users = Bool(False)

Delete any users from the database that do not pass validation

When JupyterHub starts, .add_user will be called on each user in the database to verify that all users are still valid.

If delete_invalid_users is True, any users that do not pass validation will be deleted from the database. Use this if users might be deleted from an external system, such as local user accounts.

If False (default), invalid users remain in the Hub’s database and a warning will be issued. This is the default to avoid data loss due to config changes.

enable_auth_state c.KerberosLocalAuthenticator.enable_auth_state = Bool(False)

Enable persisting auth_state (if available).

auth_state will be encrypted and stored in the Hub’s database. This can include things like authentication tokens, etc. to be passed to Spawners as environment variables.

Encrypting auth_state requires the cryptography package.

Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must contain one (or more, separated by ;) 32B encryption keys. These can be either base64 or hex-encoded.

If encryption is unavailable, auth_state cannot be persisted.

New in JupyterHub 0.8

group_whitelist c.KerberosLocalAuthenticator.group_whitelist = Set()

DEPRECATED: use allowed_groups

keytab c.KerberosLocalAuthenticator.keytab = Unicode('HTTP.keytab')

The path to the keytab file

manage_groups c.KerberosLocalAuthenticator.manage_groups = Bool(False)

Let authenticator manage user groups

If True, Authenticator.authenticate and/or .refresh_user may return a list of group names in the ‘groups’ field, which will be assigned to the user.

All group-assignment APIs are disabled if this is True.

manage_roles c.KerberosLocalAuthenticator.manage_roles = Bool(False)

Let authenticator manage roles

If True, Authenticator.authenticate and/or .refresh_user may return a list of roles in the ‘roles’ field, which will be added to the database.

When enabled, all role management will be handled by the authenticator; in particular, assignment of roles via JupyterHub.load_roles traitlet will not be possible.

Added in version 5.0.

otp_prompt c.KerberosLocalAuthenticator.otp_prompt = Any('OTP:')

The prompt string for the extra OTP (One Time Password) field.

Added in version 5.0.

post_auth_hook c.KerberosLocalAuthenticator.post_auth_hook = Any(None)

An optional hook function that you can implement to do some bootstrapping work during authentication. For example, loading user account details from an external system.

This function is called after the user has passed all authentication checks and is ready to successfully authenticate. This function must return the auth_model dict reguardless of changes to it. The hook is called with 3 positional arguments: (authenticator, handler, auth_model).

This may be a coroutine.

Example:

import os
import pwd
def my_hook(authenticator, handler, auth_model):
    user_data = pwd.getpwnam(auth_model['name'])
    spawn_data = {
        'pw_data': user_data
        'gid_list': os.getgrouplist(auth_model['name'], user_data.pw_gid)
    }

    if auth_model['auth_state'] is None:
        auth_model['auth_state'] = {}
    auth_model['auth_state']['spawn_data'] = spawn_data

    return auth_model

c.Authenticator.post_auth_hook = my_hook
refresh_pre_spawn c.KerberosLocalAuthenticator.refresh_pre_spawn = Bool(False)

Force refresh of auth prior to spawn.

This forces refresh_user() to be called prior to launching a server, to ensure that auth state is up-to-date.

This can be important when e.g. auth tokens that may have expired are passed to the spawner via environment variables from auth_state.

If refresh_user cannot refresh the user auth data, launch will fail until the user logs in again.

refresh_pre_stop c.KerberosLocalAuthenticator.refresh_pre_stop = Bool(False)

Force refresh of auth prior to stop.

This forces refresh_user() to be called prior to stopping a server, to ensure that auth state is up-to-date.

This can be important when e.g. auth tokens stored in auth_state may have expired, but are a required part of the Spawner’s shutdown steps.

If refresh_user cannot refresh the user auth data, stop will fail until the user logs in again. If an admin initiates the stop, it will proceed regardless.

Added in version 5.4.

request_otp c.KerberosLocalAuthenticator.request_otp = Bool(False)

Prompt for OTP (One Time Password) in the login form.

Added in version 5.0.

reset_managed_roles_on_startup c.KerberosLocalAuthenticator.reset_managed_roles_on_startup = Bool(False)

Reset managed roles to result of load_managed_roles() on startup.

If True:

  • stale managed roles will be removed,

  • stale assignments to managed roles will be removed.

Any role not present in load_managed_roles() will be considered ‘stale’.

The ‘stale’ status for role assignments is also determined from load_managed_roles() result:

  • user role assignments status will depend on whether the users key is defined or not:

    • if a list is defined under the users key and the user is not listed, then the user role assignment will be considered ‘stale’,

    • if the users key is not provided, the user role assignment will be preserved;

  • service and group role assignments will be considered ‘stale’:

    • if not included in the services and groups list,

    • if the services and groups keys are not provided.

Added in version 5.0.

service_name c.KerberosLocalAuthenticator.service_name = Unicode('HTTP')

The service’s kerberos principal name.

This is almost always “HTTP” (the default)

uids c.KerberosLocalAuthenticator.uids = Dict()

Dictionary of uids to use at user creation time. This helps ensure that users created from the database get the same uid each time they are created in temporary deployments or containers.

username_map c.KerberosLocalAuthenticator.username_map = Dict()

Dictionary mapping authenticator usernames to JupyterHub users.

Primarily used to normalize OAuth user names to local users.

username_pattern c.KerberosLocalAuthenticator.username_pattern = Unicode('')

Regular expression pattern that all valid usernames must match.

If a username does not match the pattern specified here, authentication will not be attempted.

If not set, allow any username.

whitelist c.KerberosLocalAuthenticator.whitelist = Set()

Deprecated, use Authenticator.allowed_users