--- /srv/reproducible-results/rbuild-debian/r-b-build.5xyrf6YO/b1/jupyterhub_5.2.1+ds1-4_arm64.changes +++ /srv/reproducible-results/rbuild-debian/r-b-build.5xyrf6YO/b2/jupyterhub_5.2.1+ds1-4_arm64.changes ├── Files │ @@ -1,2 +1,2 @@ │ │ - e80dc2261ee3d00ee32138852b2711cb 2022500 python optional jupyterhub_5.2.1+ds1-4_all.deb │ + fcc689bfe0499bd139f150a4794e2128 2022552 python optional jupyterhub_5.2.1+ds1-4_all.deb ├── jupyterhub_5.2.1+ds1-4_all.deb │ ├── file list │ │ @@ -1,3 +1,3 @@ │ │ -rw-r--r-- 0 0 0 4 2025-05-28 09:40:25.000000 debian-binary │ │ -rw-r--r-- 0 0 0 59496 2025-05-28 09:40:25.000000 control.tar.xz │ │ --rw-r--r-- 0 0 0 1962812 2025-05-28 09:40:25.000000 data.tar.xz │ │ +-rw-r--r-- 0 0 0 1962864 2025-05-28 09:40:25.000000 data.tar.xz │ ├── control.tar.xz │ │ ├── control.tar │ │ │ ├── ./md5sums │ │ │ │ ├── ./md5sums │ │ │ │ │┄ Files differ │ ├── data.tar.xz │ │ ├── data.tar │ │ │ ├── ./usr/share/jupyterhub/jupyterhub_config.py │ │ │ │┄ Ordering differences only │ │ │ │ @@ -997,14 +997,888 @@ │ │ │ │ # │ │ │ │ # It should return the new URL to redirect to, or None to preserve current │ │ │ │ # behavior. │ │ │ │ # Default: None │ │ │ │ # c.JupyterHub.user_redirect_hook = None │ │ │ │ │ │ │ │ #------------------------------------------------------------------------------ │ │ │ │ +# Authenticator(LoggingConfigurable) configuration │ │ │ │ +#------------------------------------------------------------------------------ │ │ │ │ +## Base class for implementing an authentication provider for JupyterHub │ │ │ │ + │ │ │ │ +## Set of users that will be granted admin rights on this JupyterHub. │ │ │ │ +# │ │ │ │ +# Note: │ │ │ │ +# │ │ │ │ +# As of JupyterHub 2.0, │ │ │ │ +# full admin rights should not be required, │ │ │ │ +# and more precise permissions can be managed via roles. │ │ │ │ +# │ │ │ │ +# Caution: │ │ │ │ +# │ │ │ │ +# Adding users to `admin_users` can only *grant* admin rights, │ │ │ │ +# removing a username from the admin_users set **DOES NOT** remove admin rights previously granted. │ │ │ │ +# │ │ │ │ +# For an authoritative, restricted set of admins, │ │ │ │ +# assign explicit membership of the `admin` *role*:: │ │ │ │ +# │ │ │ │ +# c.JupyterHub.load_roles = [ │ │ │ │ +# { │ │ │ │ +# "name": "admin", │ │ │ │ +# "users": ["admin1", "..."], │ │ │ │ +# } │ │ │ │ +# ] │ │ │ │ +# │ │ │ │ +# Admin users can take every possible action on behalf of all users, for │ │ │ │ +# example: │ │ │ │ +# │ │ │ │ +# - Use the admin panel to see list of users logged in - Add / remove users in │ │ │ │ +# some authenticators - Restart / halt the hub - Start / stop users' single-user │ │ │ │ +# servers - Can access each individual users' single-user server │ │ │ │ +# │ │ │ │ +# Admin access should be treated the same way root access is. │ │ │ │ +# │ │ │ │ +# Defaults to an empty set, in which case no user has admin access. │ │ │ │ +# Default: set() │ │ │ │ +# c.Authenticator.admin_users = set() │ │ │ │ + │ │ │ │ +## Allow every user who can successfully authenticate to access JupyterHub. │ │ │ │ +# │ │ │ │ +# False by default, which means for most Authenticators, _some_ allow-related │ │ │ │ +# configuration is required to allow users to log in. │ │ │ │ +# │ │ │ │ +# Authenticator subclasses may override the default with e.g.:: │ │ │ │ +# │ │ │ │ +# @default("allow_all") │ │ │ │ +# def _default_allow_all(self): │ │ │ │ +# # if _any_ auth config (depends on the Authenticator) │ │ │ │ +# if self.allowed_users or self.allowed_groups or self.allow_existing_users: │ │ │ │ +# return False │ │ │ │ +# else: │ │ │ │ +# return True │ │ │ │ +# │ │ │ │ +# .. versionadded:: 5.0 │ │ │ │ +# │ │ │ │ +# .. versionchanged:: 5.0 │ │ │ │ +# Prior to 5.0, `allow_all` wasn't defined on its own, │ │ │ │ +# and was instead implicitly True when no allow config was provided, │ │ │ │ +# i.e. `allowed_users` unspecified or empty on the base Authenticator class. │ │ │ │ +# │ │ │ │ +# To preserve pre-5.0 behavior, │ │ │ │ +# set `allow_all = True` if you have no other allow configuration. │ │ │ │ +# Default: False │ │ │ │ +# c.Authenticator.allow_all = False │ │ │ │ + │ │ │ │ +## Allow existing users to login. │ │ │ │ +# │ │ │ │ +# Defaults to True if `allowed_users` is set for historical reasons, and False │ │ │ │ +# otherwise. │ │ │ │ +# │ │ │ │ +# With this enabled, all users present in the JupyterHub database are allowed to │ │ │ │ +# login. This has the effect of any user who has _previously_ been allowed to │ │ │ │ +# login via any means will continue to be allowed until the user is deleted via │ │ │ │ +# the /hub/admin page or REST API. │ │ │ │ +# │ │ │ │ +# .. warning:: │ │ │ │ +# │ │ │ │ +# Before enabling this you should review the existing users in the │ │ │ │ +# JupyterHub admin panel at `/hub/admin`. You may find users existing │ │ │ │ +# there because they have previously been declared in config such as │ │ │ │ +# `allowed_users` or allowed to sign in. │ │ │ │ +# │ │ │ │ +# .. warning:: │ │ │ │ +# │ │ │ │ +# When this is enabled and you wish to remove access for one or more │ │ │ │ +# users previously allowed, you must make sure that they │ │ │ │ +# are removed from the jupyterhub database. This can be tricky to do │ │ │ │ +# if you stop allowing an externally managed group of users for example. │ │ │ │ +# │ │ │ │ +# With this enabled, JupyterHub admin users can visit `/hub/admin` or use │ │ │ │ +# JupyterHub's REST API to add and remove users to manage who can login. │ │ │ │ +# │ │ │ │ +# .. versionadded:: 5.0 │ │ │ │ +# Default: False │ │ │ │ +# c.Authenticator.allow_existing_users = False │ │ │ │ + │ │ │ │ +## Set of usernames that are allowed to log in. │ │ │ │ +# │ │ │ │ +# Use this to limit which authenticated users may login. Default behavior: only │ │ │ │ +# users in this set are allowed. │ │ │ │ +# │ │ │ │ +# If empty, does not perform any restriction, in which case any authenticated │ │ │ │ +# user is allowed. │ │ │ │ +# │ │ │ │ +# Authenticators may extend :meth:`.Authenticator.check_allowed` to combine │ │ │ │ +# `allowed_users` with other configuration to either expand or restrict access. │ │ │ │ +# │ │ │ │ +# .. versionchanged:: 1.2 │ │ │ │ +# `Authenticator.whitelist` renamed to `allowed_users` │ │ │ │ +# Default: set() │ │ │ │ +# c.Authenticator.allowed_users = set() │ │ │ │ + │ │ │ │ +## Is there any allow config? │ │ │ │ +# │ │ │ │ +# Used to show a warning if it looks like nobody can access the Hub, │ │ │ │ +# which can happen when upgrading to JupyterHub 5, │ │ │ │ +# now that `allow_all` defaults to False. │ │ │ │ +# │ │ │ │ +# Deployments can set this explicitly to True to suppress │ │ │ │ +# the "No allow config found" warning. │ │ │ │ +# │ │ │ │ +# Will be True if any config tagged with `.tag(allow_config=True)` │ │ │ │ +# or starts with `allow` is truthy. │ │ │ │ +# │ │ │ │ +# .. versionadded:: 5.0 │ │ │ │ +# Default: False │ │ │ │ +# c.Authenticator.any_allow_config = False │ │ │ │ + │ │ │ │ +## The max age (in seconds) of authentication info │ │ │ │ +# before forcing a refresh of user auth info. │ │ │ │ +# │ │ │ │ +# Refreshing auth info allows, e.g. requesting/re-validating auth │ │ │ │ +# tokens. │ │ │ │ +# │ │ │ │ +# See :meth:`.refresh_user` for what happens when user auth info is refreshed │ │ │ │ +# (nothing by default). │ │ │ │ +# Default: 300 │ │ │ │ +# c.Authenticator.auth_refresh_age = 300 │ │ │ │ + │ │ │ │ +## Automatically begin the login process │ │ │ │ +# │ │ │ │ +# rather than starting with a "Login with..." link at `/hub/login` │ │ │ │ +# │ │ │ │ +# To work, `.login_url()` must give a URL other than the default `/hub/login`, │ │ │ │ +# such as an oauth handler or another automatic login handler, │ │ │ │ +# registered with `.get_handlers()`. │ │ │ │ +# │ │ │ │ +# .. versionadded:: 0.8 │ │ │ │ +# Default: False │ │ │ │ +# c.Authenticator.auto_login = False │ │ │ │ + │ │ │ │ +## Automatically begin login process for OAuth2 authorization requests │ │ │ │ +# │ │ │ │ +# When another application is using JupyterHub as OAuth2 provider, it sends │ │ │ │ +# users to `/hub/api/oauth2/authorize`. If the user isn't logged in already, and │ │ │ │ +# auto_login is not set, the user will be dumped on the hub's home page, without │ │ │ │ +# any context on what to do next. │ │ │ │ +# │ │ │ │ +# Setting this to true will automatically redirect users to login if they aren't │ │ │ │ +# logged in *only* on the `/hub/api/oauth2/authorize` endpoint. │ │ │ │ +# │ │ │ │ +# .. versionadded:: 1.5 │ │ │ │ +# Default: False │ │ │ │ +# c.Authenticator.auto_login_oauth2_authorize = False │ │ │ │ + │ │ │ │ +## Set of usernames that are not allowed to log in. │ │ │ │ +# │ │ │ │ +# Use this with supported authenticators to restrict which users can not log in. │ │ │ │ +# This is an additional block list that further restricts users, beyond whatever │ │ │ │ +# restrictions the authenticator has in place. │ │ │ │ +# │ │ │ │ +# If empty, does not perform any additional restriction. │ │ │ │ +# │ │ │ │ +# .. versionadded: 0.9 │ │ │ │ +# │ │ │ │ +# .. versionchanged:: 5.2 │ │ │ │ +# Users blocked via `blocked_users` that may have logged in in the past │ │ │ │ +# have all permissions and group membership revoked │ │ │ │ +# and all servers stopped at JupyterHub startup. │ │ │ │ +# Previously, User permissions (e.g. API tokens) │ │ │ │ +# and servers were unaffected and required additional │ │ │ │ +# administrator operations to block after a user is added to `blocked_users`. │ │ │ │ +# │ │ │ │ +# .. versionchanged:: 1.2 │ │ │ │ +# `Authenticator.blacklist` renamed to `blocked_users` │ │ │ │ +# Default: set() │ │ │ │ +# c.Authenticator.blocked_users = set() │ │ │ │ + │ │ │ │ +## Delete any users from the database that do not pass validation │ │ │ │ +# │ │ │ │ +# When JupyterHub starts, `.add_user` will be called │ │ │ │ +# on each user in the database to verify that all users are still valid. │ │ │ │ +# │ │ │ │ +# If `delete_invalid_users` is True, │ │ │ │ +# any users that do not pass validation will be deleted from the database. │ │ │ │ +# Use this if users might be deleted from an external system, │ │ │ │ +# such as local user accounts. │ │ │ │ +# │ │ │ │ +# If False (default), invalid users remain in the Hub's database │ │ │ │ +# and a warning will be issued. │ │ │ │ +# This is the default to avoid data loss due to config changes. │ │ │ │ +# Default: False │ │ │ │ +# c.Authenticator.delete_invalid_users = False │ │ │ │ + │ │ │ │ +## Enable persisting auth_state (if available). │ │ │ │ +# │ │ │ │ +# auth_state will be encrypted and stored in the Hub's database. │ │ │ │ +# This can include things like authentication tokens, etc. │ │ │ │ +# to be passed to Spawners as environment variables. │ │ │ │ +# │ │ │ │ +# Encrypting auth_state requires the cryptography package. │ │ │ │ +# │ │ │ │ +# Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must │ │ │ │ +# contain one (or more, separated by ;) 32B encryption keys. │ │ │ │ +# These can be either base64 or hex-encoded. │ │ │ │ +# │ │ │ │ +# If encryption is unavailable, auth_state cannot be persisted. │ │ │ │ +# │ │ │ │ +# New in JupyterHub 0.8 │ │ │ │ +# Default: False │ │ │ │ +# c.Authenticator.enable_auth_state = False │ │ │ │ + │ │ │ │ +## Let authenticator manage user groups │ │ │ │ +# │ │ │ │ +# If True, Authenticator.authenticate and/or .refresh_user │ │ │ │ +# may return a list of group names in the 'groups' field, │ │ │ │ +# which will be assigned to the user. │ │ │ │ +# │ │ │ │ +# All group-assignment APIs are disabled if this is True. │ │ │ │ +# Default: False │ │ │ │ +# c.Authenticator.manage_groups = False │ │ │ │ + │ │ │ │ +## Let authenticator manage roles │ │ │ │ +# │ │ │ │ +# If True, Authenticator.authenticate and/or .refresh_user │ │ │ │ +# may return a list of roles in the 'roles' field, │ │ │ │ +# which will be added to the database. │ │ │ │ +# │ │ │ │ +# When enabled, all role management will be handled by the │ │ │ │ +# authenticator; in particular, assignment of roles via │ │ │ │ +# `JupyterHub.load_roles` traitlet will not be possible. │ │ │ │ +# │ │ │ │ +# .. versionadded:: 5.0 │ │ │ │ +# Default: False │ │ │ │ +# c.Authenticator.manage_roles = False │ │ │ │ + │ │ │ │ +## The prompt string for the extra OTP (One Time Password) field. │ │ │ │ +# │ │ │ │ +# .. versionadded:: 5.0 │ │ │ │ +# Default: 'OTP:' │ │ │ │ +# c.Authenticator.otp_prompt = 'OTP:' │ │ │ │ + │ │ │ │ +## An optional hook function that you can implement to do some bootstrapping work │ │ │ │ +# during authentication. For example, loading user account details from an │ │ │ │ +# external system. │ │ │ │ +# │ │ │ │ +# This function is called after the user has passed all authentication checks │ │ │ │ +# and is ready to successfully authenticate. This function must return the │ │ │ │ +# auth_model dict reguardless of changes to it. The hook is called with 3 │ │ │ │ +# positional arguments: `(authenticator, handler, auth_model)`. │ │ │ │ +# │ │ │ │ +# This may be a coroutine. │ │ │ │ +# │ │ │ │ +# .. versionadded: 1.0 │ │ │ │ +# │ │ │ │ +# Example:: │ │ │ │ +# │ │ │ │ +# import os │ │ │ │ +# import pwd │ │ │ │ +# def my_hook(authenticator, handler, auth_model): │ │ │ │ +# user_data = pwd.getpwnam(auth_model['name']) │ │ │ │ +# spawn_data = { │ │ │ │ +# 'pw_data': user_data │ │ │ │ +# 'gid_list': os.getgrouplist(auth_model['name'], user_data.pw_gid) │ │ │ │ +# } │ │ │ │ +# │ │ │ │ +# if auth_model['auth_state'] is None: │ │ │ │ +# auth_model['auth_state'] = {} │ │ │ │ +# auth_model['auth_state']['spawn_data'] = spawn_data │ │ │ │ +# │ │ │ │ +# return auth_model │ │ │ │ +# │ │ │ │ +# c.Authenticator.post_auth_hook = my_hook │ │ │ │ +# Default: None │ │ │ │ +# c.Authenticator.post_auth_hook = None │ │ │ │ + │ │ │ │ +## Force refresh of auth prior to spawn. │ │ │ │ +# │ │ │ │ +# This forces :meth:`.refresh_user` to be called prior to launching │ │ │ │ +# a server, to ensure that auth state is up-to-date. │ │ │ │ +# │ │ │ │ +# This can be important when e.g. auth tokens that may have expired │ │ │ │ +# are passed to the spawner via environment variables from auth_state. │ │ │ │ +# │ │ │ │ +# If refresh_user cannot refresh the user auth data, │ │ │ │ +# launch will fail until the user logs in again. │ │ │ │ +# Default: False │ │ │ │ +# c.Authenticator.refresh_pre_spawn = False │ │ │ │ + │ │ │ │ +## Prompt for OTP (One Time Password) in the login form. │ │ │ │ +# │ │ │ │ +# .. versionadded:: 5.0 │ │ │ │ +# Default: False │ │ │ │ +# c.Authenticator.request_otp = False │ │ │ │ + │ │ │ │ +## Reset managed roles to result of `load_managed_roles()` on startup. │ │ │ │ +# │ │ │ │ +# If True: │ │ │ │ +# - stale managed roles will be removed, │ │ │ │ +# - stale assignments to managed roles will be removed. │ │ │ │ +# │ │ │ │ +# Any role not present in `load_managed_roles()` will be considered │ │ │ │ +# 'stale'. │ │ │ │ +# │ │ │ │ +# The 'stale' status for role assignments is also determined from │ │ │ │ +# `load_managed_roles()` result: │ │ │ │ +# │ │ │ │ +# - user role assignments status will depend on whether the `users` key │ │ │ │ +# is defined or not: │ │ │ │ +# │ │ │ │ +# * if a list is defined under the `users` key and the user is not listed, then the user role assignment will be considered 'stale', │ │ │ │ +# * if the `users` key is not provided, the user role assignment will be preserved; │ │ │ │ +# - service and group role assignments will be considered 'stale': │ │ │ │ +# │ │ │ │ +# * if not included in the `services` and `groups` list, │ │ │ │ +# * if the `services` and `groups` keys are not provided. │ │ │ │ +# │ │ │ │ +# .. versionadded:: 5.0 │ │ │ │ +# Default: False │ │ │ │ +# c.Authenticator.reset_managed_roles_on_startup = False │ │ │ │ + │ │ │ │ +## Dictionary mapping authenticator usernames to JupyterHub users. │ │ │ │ +# │ │ │ │ +# Primarily used to normalize OAuth user names to local users. │ │ │ │ +# Default: {} │ │ │ │ +# c.Authenticator.username_map = {} │ │ │ │ + │ │ │ │ +## Regular expression pattern that all valid usernames must match. │ │ │ │ +# │ │ │ │ +# If a username does not match the pattern specified here, authentication will │ │ │ │ +# not be attempted. │ │ │ │ +# │ │ │ │ +# If not set, allow any username. │ │ │ │ +# Default: '' │ │ │ │ +# c.Authenticator.username_pattern = '' │ │ │ │ + │ │ │ │ +## Deprecated, use `Authenticator.allowed_users` │ │ │ │ +# Default: set() │ │ │ │ +# c.Authenticator.whitelist = set() │ │ │ │ + │ │ │ │ +#------------------------------------------------------------------------------ │ │ │ │ +# NullAuthenticator(Authenticator) configuration │ │ │ │ +#------------------------------------------------------------------------------ │ │ │ │ +## Null Authenticator for JupyterHub │ │ │ │ +# │ │ │ │ +# For cases where authentication should be disabled, e.g. only allowing access │ │ │ │ +# via API tokens. │ │ │ │ +# │ │ │ │ +# .. versionadded:: 2.0 │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.admin_users │ │ │ │ +# c.NullAuthenticator.admin_users = set() │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.allow_all │ │ │ │ +# c.NullAuthenticator.allow_all = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.allow_existing_users │ │ │ │ +# c.NullAuthenticator.allow_existing_users = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.allowed_users │ │ │ │ +# c.NullAuthenticator.allowed_users = set() │ │ │ │ + │ │ │ │ +## Is there any allow config? │ │ │ │ +# See also: Authenticator.any_allow_config │ │ │ │ +# c.NullAuthenticator.any_allow_config = False │ │ │ │ + │ │ │ │ +## The max age (in seconds) of authentication info │ │ │ │ +# See also: Authenticator.auth_refresh_age │ │ │ │ +# c.NullAuthenticator.auth_refresh_age = 300 │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.auto_login_oauth2_authorize │ │ │ │ +# c.NullAuthenticator.auto_login_oauth2_authorize = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.blocked_users │ │ │ │ +# c.NullAuthenticator.blocked_users = set() │ │ │ │ + │ │ │ │ +## Delete any users from the database that do not pass validation │ │ │ │ +# See also: Authenticator.delete_invalid_users │ │ │ │ +# c.NullAuthenticator.delete_invalid_users = False │ │ │ │ + │ │ │ │ +## Enable persisting auth_state (if available). │ │ │ │ +# See also: Authenticator.enable_auth_state │ │ │ │ +# c.NullAuthenticator.enable_auth_state = False │ │ │ │ + │ │ │ │ +## Let authenticator manage user groups │ │ │ │ +# See also: Authenticator.manage_groups │ │ │ │ +# c.NullAuthenticator.manage_groups = False │ │ │ │ + │ │ │ │ +## Let authenticator manage roles │ │ │ │ +# See also: Authenticator.manage_roles │ │ │ │ +# c.NullAuthenticator.manage_roles = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.otp_prompt │ │ │ │ +# c.NullAuthenticator.otp_prompt = 'OTP:' │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.post_auth_hook │ │ │ │ +# c.NullAuthenticator.post_auth_hook = None │ │ │ │ + │ │ │ │ +## Force refresh of auth prior to spawn. │ │ │ │ +# See also: Authenticator.refresh_pre_spawn │ │ │ │ +# c.NullAuthenticator.refresh_pre_spawn = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.request_otp │ │ │ │ +# c.NullAuthenticator.request_otp = False │ │ │ │ + │ │ │ │ +## Reset managed roles to result of `load_managed_roles()` on startup. │ │ │ │ +# See also: Authenticator.reset_managed_roles_on_startup │ │ │ │ +# c.NullAuthenticator.reset_managed_roles_on_startup = False │ │ │ │ + │ │ │ │ +## Dictionary mapping authenticator usernames to JupyterHub users. │ │ │ │ +# See also: Authenticator.username_map │ │ │ │ +# c.NullAuthenticator.username_map = {} │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.username_pattern │ │ │ │ +# c.NullAuthenticator.username_pattern = '' │ │ │ │ + │ │ │ │ +## Deprecated, use `Authenticator.allowed_users` │ │ │ │ +# See also: Authenticator.whitelist │ │ │ │ +# c.NullAuthenticator.whitelist = set() │ │ │ │ + │ │ │ │ +#------------------------------------------------------------------------------ │ │ │ │ +# Proxy(LoggingConfigurable) configuration │ │ │ │ +#------------------------------------------------------------------------------ │ │ │ │ +## Base class for configurable proxies that JupyterHub can use. │ │ │ │ +# │ │ │ │ +# A proxy implementation should subclass this and must define the following │ │ │ │ +# methods: │ │ │ │ +# │ │ │ │ +# - :meth:`.get_all_routes` return a dictionary of all JupyterHub-related routes │ │ │ │ +# - :meth:`.add_route` adds a route - :meth:`.delete_route` deletes a route │ │ │ │ +# │ │ │ │ +# In addition to these, the following method(s) may need to be implemented: │ │ │ │ +# │ │ │ │ +# - :meth:`.start` start the proxy, if it should be launched by the Hub │ │ │ │ +# instead of externally managed. │ │ │ │ +# If the proxy is externally managed, it should set :attr:`should_start` to False. │ │ │ │ +# - :meth:`.stop` stop the proxy. Only used if :meth:`.start` is also used. │ │ │ │ +# │ │ │ │ +# And the following method(s) are optional, but can be provided: │ │ │ │ +# │ │ │ │ +# - :meth:`.get_route` gets a single route. │ │ │ │ +# There is a default implementation that extracts data from :meth:`.get_all_routes`, │ │ │ │ +# but implementations may choose to provide a more efficient implementation │ │ │ │ +# of fetching a single route. │ │ │ │ + │ │ │ │ +## Additional routes to be maintained in the proxy. │ │ │ │ +# │ │ │ │ +# A dictionary with a route specification as key, and a URL as target. The hub │ │ │ │ +# will ensure this route is present in the proxy. │ │ │ │ +# │ │ │ │ +# If the hub is running in host based mode (with JupyterHub.subdomain_host set), │ │ │ │ +# the routespec *must* have a domain component (example.com/my-url/). If the hub │ │ │ │ +# is not running in host based mode, the routespec *must not* have a domain │ │ │ │ +# component (/my-url/). │ │ │ │ +# │ │ │ │ +# Helpful when the hub is running in API-only mode. │ │ │ │ +# Default: {} │ │ │ │ +# c.Proxy.extra_routes = {} │ │ │ │ + │ │ │ │ +## Should the Hub start the proxy │ │ │ │ +# │ │ │ │ +# If True, the Hub will start the proxy and stop it. │ │ │ │ +# Set to False if the proxy is managed externally, │ │ │ │ +# such as by systemd, docker, or another service manager. │ │ │ │ +# Default: True │ │ │ │ +# c.Proxy.should_start = True │ │ │ │ + │ │ │ │ +#------------------------------------------------------------------------------ │ │ │ │ +# ConfigurableHTTPProxy(Proxy) configuration │ │ │ │ +#------------------------------------------------------------------------------ │ │ │ │ +## Proxy implementation for the default configurable-http-proxy. │ │ │ │ +# │ │ │ │ +# This is the default proxy implementation for running the nodejs proxy │ │ │ │ +# `configurable-http-proxy`. │ │ │ │ +# │ │ │ │ +# If the proxy should not be run as a subprocess of the Hub, (e.g. in a separate │ │ │ │ +# container), set:: │ │ │ │ +# │ │ │ │ +# c.ConfigurableHTTPProxy.should_start = False │ │ │ │ + │ │ │ │ +## The ip (or hostname) of the proxy's API endpoint │ │ │ │ +# Default: '' │ │ │ │ +# c.ConfigurableHTTPProxy.api_url = '' │ │ │ │ + │ │ │ │ +## The Proxy auth token │ │ │ │ +# │ │ │ │ +# Loaded from the CONFIGPROXY_AUTH_TOKEN env variable by default. │ │ │ │ +# Default: '' │ │ │ │ +# c.ConfigurableHTTPProxy.auth_token = '' │ │ │ │ + │ │ │ │ +## Interval (in seconds) at which to check if the proxy is running. │ │ │ │ +# Default: 5 │ │ │ │ +# c.ConfigurableHTTPProxy.check_running_interval = 5 │ │ │ │ + │ │ │ │ +## The command to start the proxy │ │ │ │ +# Default: ['configurable-http-proxy'] │ │ │ │ +# c.ConfigurableHTTPProxy.command = ['configurable-http-proxy'] │ │ │ │ + │ │ │ │ +## The number of requests allowed to be concurrently outstanding to the proxy │ │ │ │ +# │ │ │ │ +# Limiting this number avoids potential timeout errors by sending too many │ │ │ │ +# requests to update the proxy at once │ │ │ │ +# Default: 10 │ │ │ │ +# c.ConfigurableHTTPProxy.concurrency = 10 │ │ │ │ + │ │ │ │ +## Add debug-level logging to the Proxy. │ │ │ │ +# Default: False │ │ │ │ +# c.ConfigurableHTTPProxy.debug = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Proxy.extra_routes │ │ │ │ +# c.ConfigurableHTTPProxy.extra_routes = {} │ │ │ │ + │ │ │ │ +## Proxy log level │ │ │ │ +# Choices: any of ['debug', 'info', 'warn', 'error'] (case-insensitive) │ │ │ │ +# Default: 'info' │ │ │ │ +# c.ConfigurableHTTPProxy.log_level = 'info' │ │ │ │ + │ │ │ │ +## File in which to write the PID of the proxy process. │ │ │ │ +# Default: 'jupyterhub-proxy.pid' │ │ │ │ +# c.ConfigurableHTTPProxy.pid_file = 'jupyterhub-proxy.pid' │ │ │ │ + │ │ │ │ +## Should the Hub start the proxy │ │ │ │ +# See also: Proxy.should_start │ │ │ │ +# c.ConfigurableHTTPProxy.should_start = True │ │ │ │ + │ │ │ │ +#------------------------------------------------------------------------------ │ │ │ │ +# CryptKeeper(SingletonConfigurable) configuration │ │ │ │ +#------------------------------------------------------------------------------ │ │ │ │ +## Encapsulate encryption configuration │ │ │ │ +# │ │ │ │ +# Use via the encryption_config singleton below. │ │ │ │ + │ │ │ │ +# Default: [] │ │ │ │ +# c.CryptKeeper.keys = [] │ │ │ │ + │ │ │ │ +## The number of threads to allocate for encryption │ │ │ │ +# Default: 12 │ │ │ │ +# c.CryptKeeper.n_threads = 12 │ │ │ │ + │ │ │ │ +#------------------------------------------------------------------------------ │ │ │ │ +# LocalAuthenticator(Authenticator) configuration │ │ │ │ +#------------------------------------------------------------------------------ │ │ │ │ +## Base class for Authenticators that work with local Linux/UNIX users │ │ │ │ +# │ │ │ │ +# Checks for local users, and can attempt to create them if they exist. │ │ │ │ + │ │ │ │ +## The command to use for creating users as a list of strings │ │ │ │ +# │ │ │ │ +# For each element in the list, the string USERNAME will be replaced with the │ │ │ │ +# user's username. The username will also be appended as the final argument. │ │ │ │ +# │ │ │ │ +# For Linux, the default value is: │ │ │ │ +# │ │ │ │ +# ['adduser', '-q', '--gecos', '""', '--disabled-password'] │ │ │ │ +# │ │ │ │ +# To specify a custom home directory, set this to: │ │ │ │ +# │ │ │ │ +# ['adduser', '-q', '--gecos', '""', '--home', '/customhome/USERNAME', '-- │ │ │ │ +# disabled-password'] │ │ │ │ +# │ │ │ │ +# This will run the command: │ │ │ │ +# │ │ │ │ +# adduser -q --gecos "" --home /customhome/river --disabled-password river │ │ │ │ +# │ │ │ │ +# when the user 'river' is created. │ │ │ │ +# Default: [] │ │ │ │ +# c.LocalAuthenticator.add_user_cmd = [] │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.admin_users │ │ │ │ +# c.LocalAuthenticator.admin_users = set() │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.allow_all │ │ │ │ +# c.LocalAuthenticator.allow_all = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.allow_existing_users │ │ │ │ +# c.LocalAuthenticator.allow_existing_users = False │ │ │ │ + │ │ │ │ +## Allow login from all users in these UNIX groups. │ │ │ │ +# │ │ │ │ +# .. versionchanged:: 5.0 │ │ │ │ +# `allowed_groups` may be specified together with allowed_users, │ │ │ │ +# to grant access by group OR name. │ │ │ │ +# Default: set() │ │ │ │ +# c.LocalAuthenticator.allowed_groups = set() │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.allowed_users │ │ │ │ +# c.LocalAuthenticator.allowed_users = set() │ │ │ │ + │ │ │ │ +## Is there any allow config? │ │ │ │ +# See also: Authenticator.any_allow_config │ │ │ │ +# c.LocalAuthenticator.any_allow_config = False │ │ │ │ + │ │ │ │ +## The max age (in seconds) of authentication info │ │ │ │ +# See also: Authenticator.auth_refresh_age │ │ │ │ +# c.LocalAuthenticator.auth_refresh_age = 300 │ │ │ │ + │ │ │ │ +## Automatically begin the login process │ │ │ │ +# See also: Authenticator.auto_login │ │ │ │ +# c.LocalAuthenticator.auto_login = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.auto_login_oauth2_authorize │ │ │ │ +# c.LocalAuthenticator.auto_login_oauth2_authorize = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.blocked_users │ │ │ │ +# c.LocalAuthenticator.blocked_users = set() │ │ │ │ + │ │ │ │ +## If set to True, will attempt to create local system users if they do not exist │ │ │ │ +# already. │ │ │ │ +# │ │ │ │ +# Supports Linux and BSD variants only. │ │ │ │ +# Default: False │ │ │ │ +# c.LocalAuthenticator.create_system_users = False │ │ │ │ + │ │ │ │ +## Delete any users from the database that do not pass validation │ │ │ │ +# See also: Authenticator.delete_invalid_users │ │ │ │ +# c.LocalAuthenticator.delete_invalid_users = False │ │ │ │ + │ │ │ │ +## Enable persisting auth_state (if available). │ │ │ │ +# See also: Authenticator.enable_auth_state │ │ │ │ +# c.LocalAuthenticator.enable_auth_state = False │ │ │ │ + │ │ │ │ +## DEPRECATED: use allowed_groups │ │ │ │ +# Default: set() │ │ │ │ +# c.LocalAuthenticator.group_whitelist = set() │ │ │ │ + │ │ │ │ +## Let authenticator manage user groups │ │ │ │ +# See also: Authenticator.manage_groups │ │ │ │ +# c.LocalAuthenticator.manage_groups = False │ │ │ │ + │ │ │ │ +## Let authenticator manage roles │ │ │ │ +# See also: Authenticator.manage_roles │ │ │ │ +# c.LocalAuthenticator.manage_roles = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.otp_prompt │ │ │ │ +# c.LocalAuthenticator.otp_prompt = 'OTP:' │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.post_auth_hook │ │ │ │ +# c.LocalAuthenticator.post_auth_hook = None │ │ │ │ + │ │ │ │ +## Force refresh of auth prior to spawn. │ │ │ │ +# See also: Authenticator.refresh_pre_spawn │ │ │ │ +# c.LocalAuthenticator.refresh_pre_spawn = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.request_otp │ │ │ │ +# c.LocalAuthenticator.request_otp = False │ │ │ │ + │ │ │ │ +## Reset managed roles to result of `load_managed_roles()` on startup. │ │ │ │ +# See also: Authenticator.reset_managed_roles_on_startup │ │ │ │ +# c.LocalAuthenticator.reset_managed_roles_on_startup = False │ │ │ │ + │ │ │ │ +## Dictionary of uids to use at user creation time. This helps ensure that users │ │ │ │ +# created from the database get the same uid each time they are created in │ │ │ │ +# temporary deployments or containers. │ │ │ │ +# Default: {} │ │ │ │ +# c.LocalAuthenticator.uids = {} │ │ │ │ + │ │ │ │ +## Dictionary mapping authenticator usernames to JupyterHub users. │ │ │ │ +# See also: Authenticator.username_map │ │ │ │ +# c.LocalAuthenticator.username_map = {} │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.username_pattern │ │ │ │ +# c.LocalAuthenticator.username_pattern = '' │ │ │ │ + │ │ │ │ +## Deprecated, use `Authenticator.allowed_users` │ │ │ │ +# See also: Authenticator.whitelist │ │ │ │ +# c.LocalAuthenticator.whitelist = set() │ │ │ │ + │ │ │ │ +#------------------------------------------------------------------------------ │ │ │ │ +# PAMAuthenticator(LocalAuthenticator) configuration │ │ │ │ +#------------------------------------------------------------------------------ │ │ │ │ +## Authenticate local UNIX users with PAM │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: LocalAuthenticator.add_user_cmd │ │ │ │ +# c.PAMAuthenticator.add_user_cmd = [] │ │ │ │ + │ │ │ │ +## Authoritative list of user groups that determine admin access. Users not in │ │ │ │ +# these groups can still be granted admin status through admin_users. │ │ │ │ +# │ │ │ │ +# allowed/blocked rules still apply. │ │ │ │ +# │ │ │ │ +# Note: As of JupyterHub 2.0, full admin rights should not be required, and more │ │ │ │ +# precise permissions can be managed via roles. │ │ │ │ +# Default: set() │ │ │ │ +# c.PAMAuthenticator.admin_groups = set() │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.admin_users │ │ │ │ +# c.PAMAuthenticator.admin_users = set() │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.allow_all │ │ │ │ +# c.PAMAuthenticator.allow_all = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.allow_existing_users │ │ │ │ +# c.PAMAuthenticator.allow_existing_users = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: LocalAuthenticator.allowed_groups │ │ │ │ +# c.PAMAuthenticator.allowed_groups = set() │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.allowed_users │ │ │ │ +# c.PAMAuthenticator.allowed_users = set() │ │ │ │ + │ │ │ │ +## Is there any allow config? │ │ │ │ +# See also: Authenticator.any_allow_config │ │ │ │ +# c.PAMAuthenticator.any_allow_config = False │ │ │ │ + │ │ │ │ +## The max age (in seconds) of authentication info │ │ │ │ +# See also: Authenticator.auth_refresh_age │ │ │ │ +# c.PAMAuthenticator.auth_refresh_age = 300 │ │ │ │ + │ │ │ │ +## Automatically begin the login process │ │ │ │ +# See also: Authenticator.auto_login │ │ │ │ +# c.PAMAuthenticator.auto_login = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.auto_login_oauth2_authorize │ │ │ │ +# c.PAMAuthenticator.auto_login_oauth2_authorize = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.blocked_users │ │ │ │ +# c.PAMAuthenticator.blocked_users = set() │ │ │ │ + │ │ │ │ +## Whether to check the user's account status via PAM during authentication. │ │ │ │ +# │ │ │ │ +# The PAM account stack performs non-authentication based account management. It │ │ │ │ +# is typically used to restrict/permit access to a service and this step is │ │ │ │ +# needed to access the host's user access control. │ │ │ │ +# │ │ │ │ +# Disabling this can be dangerous as authenticated but unauthorized users may be │ │ │ │ +# granted access and, therefore, arbitrary execution on the system. │ │ │ │ +# Default: True │ │ │ │ +# c.PAMAuthenticator.check_account = True │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: LocalAuthenticator.create_system_users │ │ │ │ +# c.PAMAuthenticator.create_system_users = False │ │ │ │ + │ │ │ │ +## Delete any users from the database that do not pass validation │ │ │ │ +# See also: Authenticator.delete_invalid_users │ │ │ │ +# c.PAMAuthenticator.delete_invalid_users = False │ │ │ │ + │ │ │ │ +## Enable persisting auth_state (if available). │ │ │ │ +# See also: Authenticator.enable_auth_state │ │ │ │ +# c.PAMAuthenticator.enable_auth_state = False │ │ │ │ + │ │ │ │ +## The text encoding to use when communicating with PAM │ │ │ │ +# Default: 'utf8' │ │ │ │ +# c.PAMAuthenticator.encoding = 'utf8' │ │ │ │ + │ │ │ │ +## Number of executor threads. │ │ │ │ +# │ │ │ │ +# PAM auth requests happen in this thread, so it is mostly waiting for the pam │ │ │ │ +# stack. One thread is usually enough, unless your pam stack is doing something │ │ │ │ +# slow like network requests │ │ │ │ +# Default: 4 │ │ │ │ +# c.PAMAuthenticator.executor_threads = 4 │ │ │ │ + │ │ │ │ +## DEPRECATED: use allowed_groups │ │ │ │ +# See also: LocalAuthenticator.group_whitelist │ │ │ │ +# c.PAMAuthenticator.group_whitelist = set() │ │ │ │ + │ │ │ │ +## Let authenticator manage user groups │ │ │ │ +# See also: Authenticator.manage_groups │ │ │ │ +# c.PAMAuthenticator.manage_groups = False │ │ │ │ + │ │ │ │ +## Let authenticator manage roles │ │ │ │ +# See also: Authenticator.manage_roles │ │ │ │ +# c.PAMAuthenticator.manage_roles = False │ │ │ │ + │ │ │ │ +## Whether to open a new PAM session when spawners are started. │ │ │ │ +# │ │ │ │ +# This may trigger things like mounting shared filesystems, loading credentials, │ │ │ │ +# etc. depending on system configuration. │ │ │ │ +# │ │ │ │ +# The lifecycle of PAM sessions is not correct, so many PAM session │ │ │ │ +# configurations will not work. │ │ │ │ +# │ │ │ │ +# If any errors are encountered when opening/closing PAM sessions, this is │ │ │ │ +# automatically set to False. │ │ │ │ +# │ │ │ │ +# .. versionchanged:: 2.2 │ │ │ │ +# │ │ │ │ +# Due to longstanding problems in the session lifecycle, │ │ │ │ +# this is now disabled by default. │ │ │ │ +# You may opt-in to opening sessions by setting this to True. │ │ │ │ +# Default: False │ │ │ │ +# c.PAMAuthenticator.open_sessions = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.otp_prompt │ │ │ │ +# c.PAMAuthenticator.otp_prompt = 'OTP:' │ │ │ │ + │ │ │ │ +## Round-trip the username via PAM lookups to make sure it is unique │ │ │ │ +# │ │ │ │ +# PAM can accept multiple usernames that map to the same user, for example │ │ │ │ +# DOMAIN\username in some cases. To prevent this, convert username into uid, │ │ │ │ +# then back to uid to normalize. │ │ │ │ +# Default: False │ │ │ │ +# c.PAMAuthenticator.pam_normalize_username = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.post_auth_hook │ │ │ │ +# c.PAMAuthenticator.post_auth_hook = None │ │ │ │ + │ │ │ │ +## Force refresh of auth prior to spawn. │ │ │ │ +# See also: Authenticator.refresh_pre_spawn │ │ │ │ +# c.PAMAuthenticator.refresh_pre_spawn = False │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.request_otp │ │ │ │ +# c.PAMAuthenticator.request_otp = False │ │ │ │ + │ │ │ │ +## Reset managed roles to result of `load_managed_roles()` on startup. │ │ │ │ +# See also: Authenticator.reset_managed_roles_on_startup │ │ │ │ +# c.PAMAuthenticator.reset_managed_roles_on_startup = False │ │ │ │ + │ │ │ │ +## The name of the PAM service to use for authentication │ │ │ │ +# Default: 'login' │ │ │ │ +# c.PAMAuthenticator.service = 'login' │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: LocalAuthenticator.uids │ │ │ │ +# c.PAMAuthenticator.uids = {} │ │ │ │ + │ │ │ │ +## Dictionary mapping authenticator usernames to JupyterHub users. │ │ │ │ +# See also: Authenticator.username_map │ │ │ │ +# c.PAMAuthenticator.username_map = {} │ │ │ │ + │ │ │ │ +## │ │ │ │ +# See also: Authenticator.username_pattern │ │ │ │ +# c.PAMAuthenticator.username_pattern = '' │ │ │ │ + │ │ │ │ +## Deprecated, use `Authenticator.allowed_users` │ │ │ │ +# See also: Authenticator.whitelist │ │ │ │ +# c.PAMAuthenticator.whitelist = set() │ │ │ │ + │ │ │ │ +#------------------------------------------------------------------------------ │ │ │ │ # Spawner(LoggingConfigurable) configuration │ │ │ │ #------------------------------------------------------------------------------ │ │ │ │ ## Base class for spawning single-user notebook servers. │ │ │ │ # │ │ │ │ # Subclass this, and override the following methods: │ │ │ │ # │ │ │ │ # - load_state - get_state - start - stop - poll │ │ │ │ @@ -1661,485 +2535,14 @@ │ │ │ │ # │ │ │ │ # If the process does not exit cleanly after this many seconds of SIGTERM, a │ │ │ │ # SIGKILL is sent. │ │ │ │ # Default: 5 │ │ │ │ # c.LocalProcessSpawner.term_timeout = 5 │ │ │ │ │ │ │ │ #------------------------------------------------------------------------------ │ │ │ │ -# CryptKeeper(SingletonConfigurable) configuration │ │ │ │ -#------------------------------------------------------------------------------ │ │ │ │ -## Encapsulate encryption configuration │ │ │ │ -# │ │ │ │ -# Use via the encryption_config singleton below. │ │ │ │ - │ │ │ │ -# Default: [] │ │ │ │ -# c.CryptKeeper.keys = [] │ │ │ │ - │ │ │ │ -## The number of threads to allocate for encryption │ │ │ │ -# Default: 12 │ │ │ │ -# c.CryptKeeper.n_threads = 12 │ │ │ │ - │ │ │ │ -#------------------------------------------------------------------------------ │ │ │ │ -# Authenticator(LoggingConfigurable) configuration │ │ │ │ -#------------------------------------------------------------------------------ │ │ │ │ -## Base class for implementing an authentication provider for JupyterHub │ │ │ │ - │ │ │ │ -## Set of users that will be granted admin rights on this JupyterHub. │ │ │ │ -# │ │ │ │ -# Note: │ │ │ │ -# │ │ │ │ -# As of JupyterHub 2.0, │ │ │ │ -# full admin rights should not be required, │ │ │ │ -# and more precise permissions can be managed via roles. │ │ │ │ -# │ │ │ │ -# Caution: │ │ │ │ -# │ │ │ │ -# Adding users to `admin_users` can only *grant* admin rights, │ │ │ │ -# removing a username from the admin_users set **DOES NOT** remove admin rights previously granted. │ │ │ │ -# │ │ │ │ -# For an authoritative, restricted set of admins, │ │ │ │ -# assign explicit membership of the `admin` *role*:: │ │ │ │ -# │ │ │ │ -# c.JupyterHub.load_roles = [ │ │ │ │ -# { │ │ │ │ -# "name": "admin", │ │ │ │ -# "users": ["admin1", "..."], │ │ │ │ -# } │ │ │ │ -# ] │ │ │ │ -# │ │ │ │ -# Admin users can take every possible action on behalf of all users, for │ │ │ │ -# example: │ │ │ │ -# │ │ │ │ -# - Use the admin panel to see list of users logged in - Add / remove users in │ │ │ │ -# some authenticators - Restart / halt the hub - Start / stop users' single-user │ │ │ │ -# servers - Can access each individual users' single-user server │ │ │ │ -# │ │ │ │ -# Admin access should be treated the same way root access is. │ │ │ │ -# │ │ │ │ -# Defaults to an empty set, in which case no user has admin access. │ │ │ │ -# Default: set() │ │ │ │ -# c.Authenticator.admin_users = set() │ │ │ │ - │ │ │ │ -## Allow every user who can successfully authenticate to access JupyterHub. │ │ │ │ -# │ │ │ │ -# False by default, which means for most Authenticators, _some_ allow-related │ │ │ │ -# configuration is required to allow users to log in. │ │ │ │ -# │ │ │ │ -# Authenticator subclasses may override the default with e.g.:: │ │ │ │ -# │ │ │ │ -# @default("allow_all") │ │ │ │ -# def _default_allow_all(self): │ │ │ │ -# # if _any_ auth config (depends on the Authenticator) │ │ │ │ -# if self.allowed_users or self.allowed_groups or self.allow_existing_users: │ │ │ │ -# return False │ │ │ │ -# else: │ │ │ │ -# return True │ │ │ │ -# │ │ │ │ -# .. versionadded:: 5.0 │ │ │ │ -# │ │ │ │ -# .. versionchanged:: 5.0 │ │ │ │ -# Prior to 5.0, `allow_all` wasn't defined on its own, │ │ │ │ -# and was instead implicitly True when no allow config was provided, │ │ │ │ -# i.e. `allowed_users` unspecified or empty on the base Authenticator class. │ │ │ │ -# │ │ │ │ -# To preserve pre-5.0 behavior, │ │ │ │ -# set `allow_all = True` if you have no other allow configuration. │ │ │ │ -# Default: False │ │ │ │ -# c.Authenticator.allow_all = False │ │ │ │ - │ │ │ │ -## Allow existing users to login. │ │ │ │ -# │ │ │ │ -# Defaults to True if `allowed_users` is set for historical reasons, and False │ │ │ │ -# otherwise. │ │ │ │ -# │ │ │ │ -# With this enabled, all users present in the JupyterHub database are allowed to │ │ │ │ -# login. This has the effect of any user who has _previously_ been allowed to │ │ │ │ -# login via any means will continue to be allowed until the user is deleted via │ │ │ │ -# the /hub/admin page or REST API. │ │ │ │ -# │ │ │ │ -# .. warning:: │ │ │ │ -# │ │ │ │ -# Before enabling this you should review the existing users in the │ │ │ │ -# JupyterHub admin panel at `/hub/admin`. You may find users existing │ │ │ │ -# there because they have previously been declared in config such as │ │ │ │ -# `allowed_users` or allowed to sign in. │ │ │ │ -# │ │ │ │ -# .. warning:: │ │ │ │ -# │ │ │ │ -# When this is enabled and you wish to remove access for one or more │ │ │ │ -# users previously allowed, you must make sure that they │ │ │ │ -# are removed from the jupyterhub database. This can be tricky to do │ │ │ │ -# if you stop allowing an externally managed group of users for example. │ │ │ │ -# │ │ │ │ -# With this enabled, JupyterHub admin users can visit `/hub/admin` or use │ │ │ │ -# JupyterHub's REST API to add and remove users to manage who can login. │ │ │ │ -# │ │ │ │ -# .. versionadded:: 5.0 │ │ │ │ -# Default: False │ │ │ │ -# c.Authenticator.allow_existing_users = False │ │ │ │ - │ │ │ │ -## Set of usernames that are allowed to log in. │ │ │ │ -# │ │ │ │ -# Use this to limit which authenticated users may login. Default behavior: only │ │ │ │ -# users in this set are allowed. │ │ │ │ -# │ │ │ │ -# If empty, does not perform any restriction, in which case any authenticated │ │ │ │ -# user is allowed. │ │ │ │ -# │ │ │ │ -# Authenticators may extend :meth:`.Authenticator.check_allowed` to combine │ │ │ │ -# `allowed_users` with other configuration to either expand or restrict access. │ │ │ │ -# │ │ │ │ -# .. versionchanged:: 1.2 │ │ │ │ -# `Authenticator.whitelist` renamed to `allowed_users` │ │ │ │ -# Default: set() │ │ │ │ -# c.Authenticator.allowed_users = set() │ │ │ │ - │ │ │ │ -## Is there any allow config? │ │ │ │ -# │ │ │ │ -# Used to show a warning if it looks like nobody can access the Hub, │ │ │ │ -# which can happen when upgrading to JupyterHub 5, │ │ │ │ -# now that `allow_all` defaults to False. │ │ │ │ -# │ │ │ │ -# Deployments can set this explicitly to True to suppress │ │ │ │ -# the "No allow config found" warning. │ │ │ │ -# │ │ │ │ -# Will be True if any config tagged with `.tag(allow_config=True)` │ │ │ │ -# or starts with `allow` is truthy. │ │ │ │ -# │ │ │ │ -# .. versionadded:: 5.0 │ │ │ │ -# Default: False │ │ │ │ -# c.Authenticator.any_allow_config = False │ │ │ │ - │ │ │ │ -## The max age (in seconds) of authentication info │ │ │ │ -# before forcing a refresh of user auth info. │ │ │ │ -# │ │ │ │ -# Refreshing auth info allows, e.g. requesting/re-validating auth │ │ │ │ -# tokens. │ │ │ │ -# │ │ │ │ -# See :meth:`.refresh_user` for what happens when user auth info is refreshed │ │ │ │ -# (nothing by default). │ │ │ │ -# Default: 300 │ │ │ │ -# c.Authenticator.auth_refresh_age = 300 │ │ │ │ - │ │ │ │ -## Automatically begin the login process │ │ │ │ -# │ │ │ │ -# rather than starting with a "Login with..." link at `/hub/login` │ │ │ │ -# │ │ │ │ -# To work, `.login_url()` must give a URL other than the default `/hub/login`, │ │ │ │ -# such as an oauth handler or another automatic login handler, │ │ │ │ -# registered with `.get_handlers()`. │ │ │ │ -# │ │ │ │ -# .. versionadded:: 0.8 │ │ │ │ -# Default: False │ │ │ │ -# c.Authenticator.auto_login = False │ │ │ │ - │ │ │ │ -## Automatically begin login process for OAuth2 authorization requests │ │ │ │ -# │ │ │ │ -# When another application is using JupyterHub as OAuth2 provider, it sends │ │ │ │ -# users to `/hub/api/oauth2/authorize`. If the user isn't logged in already, and │ │ │ │ -# auto_login is not set, the user will be dumped on the hub's home page, without │ │ │ │ -# any context on what to do next. │ │ │ │ -# │ │ │ │ -# Setting this to true will automatically redirect users to login if they aren't │ │ │ │ -# logged in *only* on the `/hub/api/oauth2/authorize` endpoint. │ │ │ │ -# │ │ │ │ -# .. versionadded:: 1.5 │ │ │ │ -# Default: False │ │ │ │ -# c.Authenticator.auto_login_oauth2_authorize = False │ │ │ │ - │ │ │ │ -## Set of usernames that are not allowed to log in. │ │ │ │ -# │ │ │ │ -# Use this with supported authenticators to restrict which users can not log in. │ │ │ │ -# This is an additional block list that further restricts users, beyond whatever │ │ │ │ -# restrictions the authenticator has in place. │ │ │ │ -# │ │ │ │ -# If empty, does not perform any additional restriction. │ │ │ │ -# │ │ │ │ -# .. versionadded: 0.9 │ │ │ │ -# │ │ │ │ -# .. versionchanged:: 5.2 │ │ │ │ -# Users blocked via `blocked_users` that may have logged in in the past │ │ │ │ -# have all permissions and group membership revoked │ │ │ │ -# and all servers stopped at JupyterHub startup. │ │ │ │ -# Previously, User permissions (e.g. API tokens) │ │ │ │ -# and servers were unaffected and required additional │ │ │ │ -# administrator operations to block after a user is added to `blocked_users`. │ │ │ │ -# │ │ │ │ -# .. versionchanged:: 1.2 │ │ │ │ -# `Authenticator.blacklist` renamed to `blocked_users` │ │ │ │ -# Default: set() │ │ │ │ -# c.Authenticator.blocked_users = set() │ │ │ │ - │ │ │ │ -## Delete any users from the database that do not pass validation │ │ │ │ -# │ │ │ │ -# When JupyterHub starts, `.add_user` will be called │ │ │ │ -# on each user in the database to verify that all users are still valid. │ │ │ │ -# │ │ │ │ -# If `delete_invalid_users` is True, │ │ │ │ -# any users that do not pass validation will be deleted from the database. │ │ │ │ -# Use this if users might be deleted from an external system, │ │ │ │ -# such as local user accounts. │ │ │ │ -# │ │ │ │ -# If False (default), invalid users remain in the Hub's database │ │ │ │ -# and a warning will be issued. │ │ │ │ -# This is the default to avoid data loss due to config changes. │ │ │ │ -# Default: False │ │ │ │ -# c.Authenticator.delete_invalid_users = False │ │ │ │ - │ │ │ │ -## Enable persisting auth_state (if available). │ │ │ │ -# │ │ │ │ -# auth_state will be encrypted and stored in the Hub's database. │ │ │ │ -# This can include things like authentication tokens, etc. │ │ │ │ -# to be passed to Spawners as environment variables. │ │ │ │ -# │ │ │ │ -# Encrypting auth_state requires the cryptography package. │ │ │ │ -# │ │ │ │ -# Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must │ │ │ │ -# contain one (or more, separated by ;) 32B encryption keys. │ │ │ │ -# These can be either base64 or hex-encoded. │ │ │ │ -# │ │ │ │ -# If encryption is unavailable, auth_state cannot be persisted. │ │ │ │ -# │ │ │ │ -# New in JupyterHub 0.8 │ │ │ │ -# Default: False │ │ │ │ -# c.Authenticator.enable_auth_state = False │ │ │ │ - │ │ │ │ -## Let authenticator manage user groups │ │ │ │ -# │ │ │ │ -# If True, Authenticator.authenticate and/or .refresh_user │ │ │ │ -# may return a list of group names in the 'groups' field, │ │ │ │ -# which will be assigned to the user. │ │ │ │ -# │ │ │ │ -# All group-assignment APIs are disabled if this is True. │ │ │ │ -# Default: False │ │ │ │ -# c.Authenticator.manage_groups = False │ │ │ │ - │ │ │ │ -## Let authenticator manage roles │ │ │ │ -# │ │ │ │ -# If True, Authenticator.authenticate and/or .refresh_user │ │ │ │ -# may return a list of roles in the 'roles' field, │ │ │ │ -# which will be added to the database. │ │ │ │ -# │ │ │ │ -# When enabled, all role management will be handled by the │ │ │ │ -# authenticator; in particular, assignment of roles via │ │ │ │ -# `JupyterHub.load_roles` traitlet will not be possible. │ │ │ │ -# │ │ │ │ -# .. versionadded:: 5.0 │ │ │ │ -# Default: False │ │ │ │ -# c.Authenticator.manage_roles = False │ │ │ │ - │ │ │ │ -## The prompt string for the extra OTP (One Time Password) field. │ │ │ │ -# │ │ │ │ -# .. versionadded:: 5.0 │ │ │ │ -# Default: 'OTP:' │ │ │ │ -# c.Authenticator.otp_prompt = 'OTP:' │ │ │ │ - │ │ │ │ -## An optional hook function that you can implement to do some bootstrapping work │ │ │ │ -# during authentication. For example, loading user account details from an │ │ │ │ -# external system. │ │ │ │ -# │ │ │ │ -# This function is called after the user has passed all authentication checks │ │ │ │ -# and is ready to successfully authenticate. This function must return the │ │ │ │ -# auth_model dict reguardless of changes to it. The hook is called with 3 │ │ │ │ -# positional arguments: `(authenticator, handler, auth_model)`. │ │ │ │ -# │ │ │ │ -# This may be a coroutine. │ │ │ │ -# │ │ │ │ -# .. versionadded: 1.0 │ │ │ │ -# │ │ │ │ -# Example:: │ │ │ │ -# │ │ │ │ -# import os │ │ │ │ -# import pwd │ │ │ │ -# def my_hook(authenticator, handler, auth_model): │ │ │ │ -# user_data = pwd.getpwnam(auth_model['name']) │ │ │ │ -# spawn_data = { │ │ │ │ -# 'pw_data': user_data │ │ │ │ -# 'gid_list': os.getgrouplist(auth_model['name'], user_data.pw_gid) │ │ │ │ -# } │ │ │ │ -# │ │ │ │ -# if auth_model['auth_state'] is None: │ │ │ │ -# auth_model['auth_state'] = {} │ │ │ │ -# auth_model['auth_state']['spawn_data'] = spawn_data │ │ │ │ -# │ │ │ │ -# return auth_model │ │ │ │ -# │ │ │ │ -# c.Authenticator.post_auth_hook = my_hook │ │ │ │ -# Default: None │ │ │ │ -# c.Authenticator.post_auth_hook = None │ │ │ │ - │ │ │ │ -## Force refresh of auth prior to spawn. │ │ │ │ -# │ │ │ │ -# This forces :meth:`.refresh_user` to be called prior to launching │ │ │ │ -# a server, to ensure that auth state is up-to-date. │ │ │ │ -# │ │ │ │ -# This can be important when e.g. auth tokens that may have expired │ │ │ │ -# are passed to the spawner via environment variables from auth_state. │ │ │ │ -# │ │ │ │ -# If refresh_user cannot refresh the user auth data, │ │ │ │ -# launch will fail until the user logs in again. │ │ │ │ -# Default: False │ │ │ │ -# c.Authenticator.refresh_pre_spawn = False │ │ │ │ - │ │ │ │ -## Prompt for OTP (One Time Password) in the login form. │ │ │ │ -# │ │ │ │ -# .. versionadded:: 5.0 │ │ │ │ -# Default: False │ │ │ │ -# c.Authenticator.request_otp = False │ │ │ │ - │ │ │ │ -## Reset managed roles to result of `load_managed_roles()` on startup. │ │ │ │ -# │ │ │ │ -# If True: │ │ │ │ -# - stale managed roles will be removed, │ │ │ │ -# - stale assignments to managed roles will be removed. │ │ │ │ -# │ │ │ │ -# Any role not present in `load_managed_roles()` will be considered │ │ │ │ -# 'stale'. │ │ │ │ -# │ │ │ │ -# The 'stale' status for role assignments is also determined from │ │ │ │ -# `load_managed_roles()` result: │ │ │ │ -# │ │ │ │ -# - user role assignments status will depend on whether the `users` key │ │ │ │ -# is defined or not: │ │ │ │ -# │ │ │ │ -# * if a list is defined under the `users` key and the user is not listed, then the user role assignment will be considered 'stale', │ │ │ │ -# * if the `users` key is not provided, the user role assignment will be preserved; │ │ │ │ -# - service and group role assignments will be considered 'stale': │ │ │ │ -# │ │ │ │ -# * if not included in the `services` and `groups` list, │ │ │ │ -# * if the `services` and `groups` keys are not provided. │ │ │ │ -# │ │ │ │ -# .. versionadded:: 5.0 │ │ │ │ -# Default: False │ │ │ │ -# c.Authenticator.reset_managed_roles_on_startup = False │ │ │ │ - │ │ │ │ -## Dictionary mapping authenticator usernames to JupyterHub users. │ │ │ │ -# │ │ │ │ -# Primarily used to normalize OAuth user names to local users. │ │ │ │ -# Default: {} │ │ │ │ -# c.Authenticator.username_map = {} │ │ │ │ - │ │ │ │ -## Regular expression pattern that all valid usernames must match. │ │ │ │ -# │ │ │ │ -# If a username does not match the pattern specified here, authentication will │ │ │ │ -# not be attempted. │ │ │ │ -# │ │ │ │ -# If not set, allow any username. │ │ │ │ -# Default: '' │ │ │ │ -# c.Authenticator.username_pattern = '' │ │ │ │ - │ │ │ │ -## Deprecated, use `Authenticator.allowed_users` │ │ │ │ -# Default: set() │ │ │ │ -# c.Authenticator.whitelist = set() │ │ │ │ - │ │ │ │ -#------------------------------------------------------------------------------ │ │ │ │ -# DummyAuthenticator(Authenticator) configuration │ │ │ │ -#------------------------------------------------------------------------------ │ │ │ │ -## Dummy Authenticator for testing │ │ │ │ -# │ │ │ │ -# By default, any username + password is allowed If a non-empty password is set, │ │ │ │ -# any username will be allowed if it logs in with that password. │ │ │ │ -# │ │ │ │ -# .. versionadded:: 1.0 │ │ │ │ -# │ │ │ │ -# .. versionadded:: 5.0 │ │ │ │ -# `allow_all` defaults to True, │ │ │ │ -# preserving default behavior. │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.admin_users │ │ │ │ -# c.DummyAuthenticator.admin_users = set() │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.allow_all │ │ │ │ -# c.DummyAuthenticator.allow_all = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.allow_existing_users │ │ │ │ -# c.DummyAuthenticator.allow_existing_users = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.allowed_users │ │ │ │ -# c.DummyAuthenticator.allowed_users = set() │ │ │ │ - │ │ │ │ -## Is there any allow config? │ │ │ │ -# See also: Authenticator.any_allow_config │ │ │ │ -# c.DummyAuthenticator.any_allow_config = False │ │ │ │ - │ │ │ │ -## The max age (in seconds) of authentication info │ │ │ │ -# See also: Authenticator.auth_refresh_age │ │ │ │ -# c.DummyAuthenticator.auth_refresh_age = 300 │ │ │ │ - │ │ │ │ -## Automatically begin the login process │ │ │ │ -# See also: Authenticator.auto_login │ │ │ │ -# c.DummyAuthenticator.auto_login = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.auto_login_oauth2_authorize │ │ │ │ -# c.DummyAuthenticator.auto_login_oauth2_authorize = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.blocked_users │ │ │ │ -# c.DummyAuthenticator.blocked_users = set() │ │ │ │ - │ │ │ │ -## Delete any users from the database that do not pass validation │ │ │ │ -# See also: Authenticator.delete_invalid_users │ │ │ │ -# c.DummyAuthenticator.delete_invalid_users = False │ │ │ │ - │ │ │ │ -## Enable persisting auth_state (if available). │ │ │ │ -# See also: Authenticator.enable_auth_state │ │ │ │ -# c.DummyAuthenticator.enable_auth_state = False │ │ │ │ - │ │ │ │ -## Let authenticator manage user groups │ │ │ │ -# See also: Authenticator.manage_groups │ │ │ │ -# c.DummyAuthenticator.manage_groups = False │ │ │ │ - │ │ │ │ -## Let authenticator manage roles │ │ │ │ -# See also: Authenticator.manage_roles │ │ │ │ -# c.DummyAuthenticator.manage_roles = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.otp_prompt │ │ │ │ -# c.DummyAuthenticator.otp_prompt = 'OTP:' │ │ │ │ - │ │ │ │ -## Set a global password for all users wanting to log in. │ │ │ │ -# │ │ │ │ -# This allows users with any username to log in with the same static password. │ │ │ │ -# Default: '' │ │ │ │ -# c.DummyAuthenticator.password = '' │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.post_auth_hook │ │ │ │ -# c.DummyAuthenticator.post_auth_hook = None │ │ │ │ - │ │ │ │ -## Force refresh of auth prior to spawn. │ │ │ │ -# See also: Authenticator.refresh_pre_spawn │ │ │ │ -# c.DummyAuthenticator.refresh_pre_spawn = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.request_otp │ │ │ │ -# c.DummyAuthenticator.request_otp = False │ │ │ │ - │ │ │ │ -## Reset managed roles to result of `load_managed_roles()` on startup. │ │ │ │ -# See also: Authenticator.reset_managed_roles_on_startup │ │ │ │ -# c.DummyAuthenticator.reset_managed_roles_on_startup = False │ │ │ │ - │ │ │ │ -## Dictionary mapping authenticator usernames to JupyterHub users. │ │ │ │ -# See also: Authenticator.username_map │ │ │ │ -# c.DummyAuthenticator.username_map = {} │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.username_pattern │ │ │ │ -# c.DummyAuthenticator.username_pattern = '' │ │ │ │ - │ │ │ │ -## Deprecated, use `Authenticator.allowed_users` │ │ │ │ -# See also: Authenticator.whitelist │ │ │ │ -# c.DummyAuthenticator.whitelist = set() │ │ │ │ - │ │ │ │ -#------------------------------------------------------------------------------ │ │ │ │ # SimpleLocalProcessSpawner(LocalProcessSpawner) configuration │ │ │ │ #------------------------------------------------------------------------------ │ │ │ │ ## A version of LocalProcessSpawner that doesn't require users to exist on the │ │ │ │ # system beforehand. │ │ │ │ # │ │ │ │ # Only use this for testing. │ │ │ │ # │ │ │ │ @@ -2296,512 +2699,109 @@ │ │ │ │ # c.SimpleLocalProcessSpawner.start_timeout = 60 │ │ │ │ │ │ │ │ ## │ │ │ │ # See also: LocalProcessSpawner.term_timeout │ │ │ │ # c.SimpleLocalProcessSpawner.term_timeout = 5 │ │ │ │ │ │ │ │ #------------------------------------------------------------------------------ │ │ │ │ -# Proxy(LoggingConfigurable) configuration │ │ │ │ -#------------------------------------------------------------------------------ │ │ │ │ -## Base class for configurable proxies that JupyterHub can use. │ │ │ │ -# │ │ │ │ -# A proxy implementation should subclass this and must define the following │ │ │ │ -# methods: │ │ │ │ -# │ │ │ │ -# - :meth:`.get_all_routes` return a dictionary of all JupyterHub-related routes │ │ │ │ -# - :meth:`.add_route` adds a route - :meth:`.delete_route` deletes a route │ │ │ │ -# │ │ │ │ -# In addition to these, the following method(s) may need to be implemented: │ │ │ │ -# │ │ │ │ -# - :meth:`.start` start the proxy, if it should be launched by the Hub │ │ │ │ -# instead of externally managed. │ │ │ │ -# If the proxy is externally managed, it should set :attr:`should_start` to False. │ │ │ │ -# - :meth:`.stop` stop the proxy. Only used if :meth:`.start` is also used. │ │ │ │ -# │ │ │ │ -# And the following method(s) are optional, but can be provided: │ │ │ │ -# │ │ │ │ -# - :meth:`.get_route` gets a single route. │ │ │ │ -# There is a default implementation that extracts data from :meth:`.get_all_routes`, │ │ │ │ -# but implementations may choose to provide a more efficient implementation │ │ │ │ -# of fetching a single route. │ │ │ │ - │ │ │ │ -## Additional routes to be maintained in the proxy. │ │ │ │ -# │ │ │ │ -# A dictionary with a route specification as key, and a URL as target. The hub │ │ │ │ -# will ensure this route is present in the proxy. │ │ │ │ -# │ │ │ │ -# If the hub is running in host based mode (with JupyterHub.subdomain_host set), │ │ │ │ -# the routespec *must* have a domain component (example.com/my-url/). If the hub │ │ │ │ -# is not running in host based mode, the routespec *must not* have a domain │ │ │ │ -# component (/my-url/). │ │ │ │ -# │ │ │ │ -# Helpful when the hub is running in API-only mode. │ │ │ │ -# Default: {} │ │ │ │ -# c.Proxy.extra_routes = {} │ │ │ │ - │ │ │ │ -## Should the Hub start the proxy │ │ │ │ -# │ │ │ │ -# If True, the Hub will start the proxy and stop it. │ │ │ │ -# Set to False if the proxy is managed externally, │ │ │ │ -# such as by systemd, docker, or another service manager. │ │ │ │ -# Default: True │ │ │ │ -# c.Proxy.should_start = True │ │ │ │ - │ │ │ │ -#------------------------------------------------------------------------------ │ │ │ │ -# ConfigurableHTTPProxy(Proxy) configuration │ │ │ │ -#------------------------------------------------------------------------------ │ │ │ │ -## Proxy implementation for the default configurable-http-proxy. │ │ │ │ -# │ │ │ │ -# This is the default proxy implementation for running the nodejs proxy │ │ │ │ -# `configurable-http-proxy`. │ │ │ │ -# │ │ │ │ -# If the proxy should not be run as a subprocess of the Hub, (e.g. in a separate │ │ │ │ -# container), set:: │ │ │ │ -# │ │ │ │ -# c.ConfigurableHTTPProxy.should_start = False │ │ │ │ - │ │ │ │ -## The ip (or hostname) of the proxy's API endpoint │ │ │ │ -# Default: '' │ │ │ │ -# c.ConfigurableHTTPProxy.api_url = '' │ │ │ │ - │ │ │ │ -## The Proxy auth token │ │ │ │ -# │ │ │ │ -# Loaded from the CONFIGPROXY_AUTH_TOKEN env variable by default. │ │ │ │ -# Default: '' │ │ │ │ -# c.ConfigurableHTTPProxy.auth_token = '' │ │ │ │ - │ │ │ │ -## Interval (in seconds) at which to check if the proxy is running. │ │ │ │ -# Default: 5 │ │ │ │ -# c.ConfigurableHTTPProxy.check_running_interval = 5 │ │ │ │ - │ │ │ │ -## The command to start the proxy │ │ │ │ -# Default: ['configurable-http-proxy'] │ │ │ │ -# c.ConfigurableHTTPProxy.command = ['configurable-http-proxy'] │ │ │ │ - │ │ │ │ -## The number of requests allowed to be concurrently outstanding to the proxy │ │ │ │ -# │ │ │ │ -# Limiting this number avoids potential timeout errors by sending too many │ │ │ │ -# requests to update the proxy at once │ │ │ │ -# Default: 10 │ │ │ │ -# c.ConfigurableHTTPProxy.concurrency = 10 │ │ │ │ - │ │ │ │ -## Add debug-level logging to the Proxy. │ │ │ │ -# Default: False │ │ │ │ -# c.ConfigurableHTTPProxy.debug = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Proxy.extra_routes │ │ │ │ -# c.ConfigurableHTTPProxy.extra_routes = {} │ │ │ │ - │ │ │ │ -## Proxy log level │ │ │ │ -# Choices: any of ['debug', 'info', 'warn', 'error'] (case-insensitive) │ │ │ │ -# Default: 'info' │ │ │ │ -# c.ConfigurableHTTPProxy.log_level = 'info' │ │ │ │ - │ │ │ │ -## File in which to write the PID of the proxy process. │ │ │ │ -# Default: 'jupyterhub-proxy.pid' │ │ │ │ -# c.ConfigurableHTTPProxy.pid_file = 'jupyterhub-proxy.pid' │ │ │ │ - │ │ │ │ -## Should the Hub start the proxy │ │ │ │ -# See also: Proxy.should_start │ │ │ │ -# c.ConfigurableHTTPProxy.should_start = True │ │ │ │ - │ │ │ │ -#------------------------------------------------------------------------------ │ │ │ │ -# NullAuthenticator(Authenticator) configuration │ │ │ │ -#------------------------------------------------------------------------------ │ │ │ │ -## Null Authenticator for JupyterHub │ │ │ │ -# │ │ │ │ -# For cases where authentication should be disabled, e.g. only allowing access │ │ │ │ -# via API tokens. │ │ │ │ -# │ │ │ │ -# .. versionadded:: 2.0 │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.admin_users │ │ │ │ -# c.NullAuthenticator.admin_users = set() │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.allow_all │ │ │ │ -# c.NullAuthenticator.allow_all = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.allow_existing_users │ │ │ │ -# c.NullAuthenticator.allow_existing_users = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.allowed_users │ │ │ │ -# c.NullAuthenticator.allowed_users = set() │ │ │ │ - │ │ │ │ -## Is there any allow config? │ │ │ │ -# See also: Authenticator.any_allow_config │ │ │ │ -# c.NullAuthenticator.any_allow_config = False │ │ │ │ - │ │ │ │ -## The max age (in seconds) of authentication info │ │ │ │ -# See also: Authenticator.auth_refresh_age │ │ │ │ -# c.NullAuthenticator.auth_refresh_age = 300 │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.auto_login_oauth2_authorize │ │ │ │ -# c.NullAuthenticator.auto_login_oauth2_authorize = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.blocked_users │ │ │ │ -# c.NullAuthenticator.blocked_users = set() │ │ │ │ - │ │ │ │ -## Delete any users from the database that do not pass validation │ │ │ │ -# See also: Authenticator.delete_invalid_users │ │ │ │ -# c.NullAuthenticator.delete_invalid_users = False │ │ │ │ - │ │ │ │ -## Enable persisting auth_state (if available). │ │ │ │ -# See also: Authenticator.enable_auth_state │ │ │ │ -# c.NullAuthenticator.enable_auth_state = False │ │ │ │ - │ │ │ │ -## Let authenticator manage user groups │ │ │ │ -# See also: Authenticator.manage_groups │ │ │ │ -# c.NullAuthenticator.manage_groups = False │ │ │ │ - │ │ │ │ -## Let authenticator manage roles │ │ │ │ -# See also: Authenticator.manage_roles │ │ │ │ -# c.NullAuthenticator.manage_roles = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.otp_prompt │ │ │ │ -# c.NullAuthenticator.otp_prompt = 'OTP:' │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.post_auth_hook │ │ │ │ -# c.NullAuthenticator.post_auth_hook = None │ │ │ │ - │ │ │ │ -## Force refresh of auth prior to spawn. │ │ │ │ -# See also: Authenticator.refresh_pre_spawn │ │ │ │ -# c.NullAuthenticator.refresh_pre_spawn = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.request_otp │ │ │ │ -# c.NullAuthenticator.request_otp = False │ │ │ │ - │ │ │ │ -## Reset managed roles to result of `load_managed_roles()` on startup. │ │ │ │ -# See also: Authenticator.reset_managed_roles_on_startup │ │ │ │ -# c.NullAuthenticator.reset_managed_roles_on_startup = False │ │ │ │ - │ │ │ │ -## Dictionary mapping authenticator usernames to JupyterHub users. │ │ │ │ -# See also: Authenticator.username_map │ │ │ │ -# c.NullAuthenticator.username_map = {} │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.username_pattern │ │ │ │ -# c.NullAuthenticator.username_pattern = '' │ │ │ │ - │ │ │ │ -## Deprecated, use `Authenticator.allowed_users` │ │ │ │ -# See also: Authenticator.whitelist │ │ │ │ -# c.NullAuthenticator.whitelist = set() │ │ │ │ - │ │ │ │ -#------------------------------------------------------------------------------ │ │ │ │ -# LocalAuthenticator(Authenticator) configuration │ │ │ │ +# DummyAuthenticator(Authenticator) configuration │ │ │ │ #------------------------------------------------------------------------------ │ │ │ │ -## Base class for Authenticators that work with local Linux/UNIX users │ │ │ │ -# │ │ │ │ -# Checks for local users, and can attempt to create them if they exist. │ │ │ │ - │ │ │ │ -## The command to use for creating users as a list of strings │ │ │ │ -# │ │ │ │ -# For each element in the list, the string USERNAME will be replaced with the │ │ │ │ -# user's username. The username will also be appended as the final argument. │ │ │ │ -# │ │ │ │ -# For Linux, the default value is: │ │ │ │ -# │ │ │ │ -# ['adduser', '-q', '--gecos', '""', '--disabled-password'] │ │ │ │ -# │ │ │ │ -# To specify a custom home directory, set this to: │ │ │ │ -# │ │ │ │ -# ['adduser', '-q', '--gecos', '""', '--home', '/customhome/USERNAME', '-- │ │ │ │ -# disabled-password'] │ │ │ │ -# │ │ │ │ -# This will run the command: │ │ │ │ -# │ │ │ │ -# adduser -q --gecos "" --home /customhome/river --disabled-password river │ │ │ │ -# │ │ │ │ -# when the user 'river' is created. │ │ │ │ -# Default: [] │ │ │ │ -# c.LocalAuthenticator.add_user_cmd = [] │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.admin_users │ │ │ │ -# c.LocalAuthenticator.admin_users = set() │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.allow_all │ │ │ │ -# c.LocalAuthenticator.allow_all = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.allow_existing_users │ │ │ │ -# c.LocalAuthenticator.allow_existing_users = False │ │ │ │ - │ │ │ │ -## Allow login from all users in these UNIX groups. │ │ │ │ -# │ │ │ │ -# .. versionchanged:: 5.0 │ │ │ │ -# `allowed_groups` may be specified together with allowed_users, │ │ │ │ -# to grant access by group OR name. │ │ │ │ -# Default: set() │ │ │ │ -# c.LocalAuthenticator.allowed_groups = set() │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.allowed_users │ │ │ │ -# c.LocalAuthenticator.allowed_users = set() │ │ │ │ - │ │ │ │ -## Is there any allow config? │ │ │ │ -# See also: Authenticator.any_allow_config │ │ │ │ -# c.LocalAuthenticator.any_allow_config = False │ │ │ │ - │ │ │ │ -## The max age (in seconds) of authentication info │ │ │ │ -# See also: Authenticator.auth_refresh_age │ │ │ │ -# c.LocalAuthenticator.auth_refresh_age = 300 │ │ │ │ - │ │ │ │ -## Automatically begin the login process │ │ │ │ -# See also: Authenticator.auto_login │ │ │ │ -# c.LocalAuthenticator.auto_login = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.auto_login_oauth2_authorize │ │ │ │ -# c.LocalAuthenticator.auto_login_oauth2_authorize = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.blocked_users │ │ │ │ -# c.LocalAuthenticator.blocked_users = set() │ │ │ │ - │ │ │ │ -## If set to True, will attempt to create local system users if they do not exist │ │ │ │ -# already. │ │ │ │ +## Dummy Authenticator for testing │ │ │ │ # │ │ │ │ -# Supports Linux and BSD variants only. │ │ │ │ -# Default: False │ │ │ │ -# c.LocalAuthenticator.create_system_users = False │ │ │ │ - │ │ │ │ -## Delete any users from the database that do not pass validation │ │ │ │ -# See also: Authenticator.delete_invalid_users │ │ │ │ -# c.LocalAuthenticator.delete_invalid_users = False │ │ │ │ - │ │ │ │ -## Enable persisting auth_state (if available). │ │ │ │ -# See also: Authenticator.enable_auth_state │ │ │ │ -# c.LocalAuthenticator.enable_auth_state = False │ │ │ │ - │ │ │ │ -## DEPRECATED: use allowed_groups │ │ │ │ -# Default: set() │ │ │ │ -# c.LocalAuthenticator.group_whitelist = set() │ │ │ │ - │ │ │ │ -## Let authenticator manage user groups │ │ │ │ -# See also: Authenticator.manage_groups │ │ │ │ -# c.LocalAuthenticator.manage_groups = False │ │ │ │ - │ │ │ │ -## Let authenticator manage roles │ │ │ │ -# See also: Authenticator.manage_roles │ │ │ │ -# c.LocalAuthenticator.manage_roles = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.otp_prompt │ │ │ │ -# c.LocalAuthenticator.otp_prompt = 'OTP:' │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.post_auth_hook │ │ │ │ -# c.LocalAuthenticator.post_auth_hook = None │ │ │ │ - │ │ │ │ -## Force refresh of auth prior to spawn. │ │ │ │ -# See also: Authenticator.refresh_pre_spawn │ │ │ │ -# c.LocalAuthenticator.refresh_pre_spawn = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.request_otp │ │ │ │ -# c.LocalAuthenticator.request_otp = False │ │ │ │ - │ │ │ │ -## Reset managed roles to result of `load_managed_roles()` on startup. │ │ │ │ -# See also: Authenticator.reset_managed_roles_on_startup │ │ │ │ -# c.LocalAuthenticator.reset_managed_roles_on_startup = False │ │ │ │ - │ │ │ │ -## Dictionary of uids to use at user creation time. This helps ensure that users │ │ │ │ -# created from the database get the same uid each time they are created in │ │ │ │ -# temporary deployments or containers. │ │ │ │ -# Default: {} │ │ │ │ -# c.LocalAuthenticator.uids = {} │ │ │ │ - │ │ │ │ -## Dictionary mapping authenticator usernames to JupyterHub users. │ │ │ │ -# See also: Authenticator.username_map │ │ │ │ -# c.LocalAuthenticator.username_map = {} │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: Authenticator.username_pattern │ │ │ │ -# c.LocalAuthenticator.username_pattern = '' │ │ │ │ - │ │ │ │ -## Deprecated, use `Authenticator.allowed_users` │ │ │ │ -# See also: Authenticator.whitelist │ │ │ │ -# c.LocalAuthenticator.whitelist = set() │ │ │ │ - │ │ │ │ -#------------------------------------------------------------------------------ │ │ │ │ -# PAMAuthenticator(LocalAuthenticator) configuration │ │ │ │ -#------------------------------------------------------------------------------ │ │ │ │ -## Authenticate local UNIX users with PAM │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: LocalAuthenticator.add_user_cmd │ │ │ │ -# c.PAMAuthenticator.add_user_cmd = [] │ │ │ │ - │ │ │ │ -## Authoritative list of user groups that determine admin access. Users not in │ │ │ │ -# these groups can still be granted admin status through admin_users. │ │ │ │ +# By default, any username + password is allowed If a non-empty password is set, │ │ │ │ +# any username will be allowed if it logs in with that password. │ │ │ │ # │ │ │ │ -# allowed/blocked rules still apply. │ │ │ │ +# .. versionadded:: 1.0 │ │ │ │ # │ │ │ │ -# Note: As of JupyterHub 2.0, full admin rights should not be required, and more │ │ │ │ -# precise permissions can be managed via roles. │ │ │ │ -# Default: set() │ │ │ │ -# c.PAMAuthenticator.admin_groups = set() │ │ │ │ +# .. versionadded:: 5.0 │ │ │ │ +# `allow_all` defaults to True, │ │ │ │ +# preserving default behavior. │ │ │ │ │ │ │ │ ## │ │ │ │ # See also: Authenticator.admin_users │ │ │ │ -# c.PAMAuthenticator.admin_users = set() │ │ │ │ +# c.DummyAuthenticator.admin_users = set() │ │ │ │ │ │ │ │ ## │ │ │ │ # See also: Authenticator.allow_all │ │ │ │ -# c.PAMAuthenticator.allow_all = False │ │ │ │ +# c.DummyAuthenticator.allow_all = False │ │ │ │ │ │ │ │ ## │ │ │ │ # See also: Authenticator.allow_existing_users │ │ │ │ -# c.PAMAuthenticator.allow_existing_users = False │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: LocalAuthenticator.allowed_groups │ │ │ │ -# c.PAMAuthenticator.allowed_groups = set() │ │ │ │ +# c.DummyAuthenticator.allow_existing_users = False │ │ │ │ │ │ │ │ ## │ │ │ │ # See also: Authenticator.allowed_users │ │ │ │ -# c.PAMAuthenticator.allowed_users = set() │ │ │ │ +# c.DummyAuthenticator.allowed_users = set() │ │ │ │ │ │ │ │ ## Is there any allow config? │ │ │ │ # See also: Authenticator.any_allow_config │ │ │ │ -# c.PAMAuthenticator.any_allow_config = False │ │ │ │ +# c.DummyAuthenticator.any_allow_config = False │ │ │ │ │ │ │ │ ## The max age (in seconds) of authentication info │ │ │ │ # See also: Authenticator.auth_refresh_age │ │ │ │ -# c.PAMAuthenticator.auth_refresh_age = 300 │ │ │ │ +# c.DummyAuthenticator.auth_refresh_age = 300 │ │ │ │ │ │ │ │ ## Automatically begin the login process │ │ │ │ # See also: Authenticator.auto_login │ │ │ │ -# c.PAMAuthenticator.auto_login = False │ │ │ │ +# c.DummyAuthenticator.auto_login = False │ │ │ │ │ │ │ │ ## │ │ │ │ # See also: Authenticator.auto_login_oauth2_authorize │ │ │ │ -# c.PAMAuthenticator.auto_login_oauth2_authorize = False │ │ │ │ +# c.DummyAuthenticator.auto_login_oauth2_authorize = False │ │ │ │ │ │ │ │ ## │ │ │ │ # See also: Authenticator.blocked_users │ │ │ │ -# c.PAMAuthenticator.blocked_users = set() │ │ │ │ - │ │ │ │ -## Whether to check the user's account status via PAM during authentication. │ │ │ │ -# │ │ │ │ -# The PAM account stack performs non-authentication based account management. It │ │ │ │ -# is typically used to restrict/permit access to a service and this step is │ │ │ │ -# needed to access the host's user access control. │ │ │ │ -# │ │ │ │ -# Disabling this can be dangerous as authenticated but unauthorized users may be │ │ │ │ -# granted access and, therefore, arbitrary execution on the system. │ │ │ │ -# Default: True │ │ │ │ -# c.PAMAuthenticator.check_account = True │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: LocalAuthenticator.create_system_users │ │ │ │ -# c.PAMAuthenticator.create_system_users = False │ │ │ │ +# c.DummyAuthenticator.blocked_users = set() │ │ │ │ │ │ │ │ ## Delete any users from the database that do not pass validation │ │ │ │ # See also: Authenticator.delete_invalid_users │ │ │ │ -# c.PAMAuthenticator.delete_invalid_users = False │ │ │ │ +# c.DummyAuthenticator.delete_invalid_users = False │ │ │ │ │ │ │ │ ## Enable persisting auth_state (if available). │ │ │ │ # See also: Authenticator.enable_auth_state │ │ │ │ -# c.PAMAuthenticator.enable_auth_state = False │ │ │ │ - │ │ │ │ -## The text encoding to use when communicating with PAM │ │ │ │ -# Default: 'utf8' │ │ │ │ -# c.PAMAuthenticator.encoding = 'utf8' │ │ │ │ - │ │ │ │ -## Number of executor threads. │ │ │ │ -# │ │ │ │ -# PAM auth requests happen in this thread, so it is mostly waiting for the pam │ │ │ │ -# stack. One thread is usually enough, unless your pam stack is doing something │ │ │ │ -# slow like network requests │ │ │ │ -# Default: 4 │ │ │ │ -# c.PAMAuthenticator.executor_threads = 4 │ │ │ │ - │ │ │ │ -## DEPRECATED: use allowed_groups │ │ │ │ -# See also: LocalAuthenticator.group_whitelist │ │ │ │ -# c.PAMAuthenticator.group_whitelist = set() │ │ │ │ +# c.DummyAuthenticator.enable_auth_state = False │ │ │ │ │ │ │ │ ## Let authenticator manage user groups │ │ │ │ # See also: Authenticator.manage_groups │ │ │ │ -# c.PAMAuthenticator.manage_groups = False │ │ │ │ +# c.DummyAuthenticator.manage_groups = False │ │ │ │ │ │ │ │ ## Let authenticator manage roles │ │ │ │ # See also: Authenticator.manage_roles │ │ │ │ -# c.PAMAuthenticator.manage_roles = False │ │ │ │ - │ │ │ │ -## Whether to open a new PAM session when spawners are started. │ │ │ │ -# │ │ │ │ -# This may trigger things like mounting shared filesystems, loading credentials, │ │ │ │ -# etc. depending on system configuration. │ │ │ │ -# │ │ │ │ -# The lifecycle of PAM sessions is not correct, so many PAM session │ │ │ │ -# configurations will not work. │ │ │ │ -# │ │ │ │ -# If any errors are encountered when opening/closing PAM sessions, this is │ │ │ │ -# automatically set to False. │ │ │ │ -# │ │ │ │ -# .. versionchanged:: 2.2 │ │ │ │ -# │ │ │ │ -# Due to longstanding problems in the session lifecycle, │ │ │ │ -# this is now disabled by default. │ │ │ │ -# You may opt-in to opening sessions by setting this to True. │ │ │ │ -# Default: False │ │ │ │ -# c.PAMAuthenticator.open_sessions = False │ │ │ │ +# c.DummyAuthenticator.manage_roles = False │ │ │ │ │ │ │ │ ## │ │ │ │ # See also: Authenticator.otp_prompt │ │ │ │ -# c.PAMAuthenticator.otp_prompt = 'OTP:' │ │ │ │ +# c.DummyAuthenticator.otp_prompt = 'OTP:' │ │ │ │ │ │ │ │ -## Round-trip the username via PAM lookups to make sure it is unique │ │ │ │ +## Set a global password for all users wanting to log in. │ │ │ │ # │ │ │ │ -# PAM can accept multiple usernames that map to the same user, for example │ │ │ │ -# DOMAIN\username in some cases. To prevent this, convert username into uid, │ │ │ │ -# then back to uid to normalize. │ │ │ │ -# Default: False │ │ │ │ -# c.PAMAuthenticator.pam_normalize_username = False │ │ │ │ +# This allows users with any username to log in with the same static password. │ │ │ │ +# Default: '' │ │ │ │ +# c.DummyAuthenticator.password = '' │ │ │ │ │ │ │ │ ## │ │ │ │ # See also: Authenticator.post_auth_hook │ │ │ │ -# c.PAMAuthenticator.post_auth_hook = None │ │ │ │ +# c.DummyAuthenticator.post_auth_hook = None │ │ │ │ │ │ │ │ ## Force refresh of auth prior to spawn. │ │ │ │ # See also: Authenticator.refresh_pre_spawn │ │ │ │ -# c.PAMAuthenticator.refresh_pre_spawn = False │ │ │ │ +# c.DummyAuthenticator.refresh_pre_spawn = False │ │ │ │ │ │ │ │ ## │ │ │ │ # See also: Authenticator.request_otp │ │ │ │ -# c.PAMAuthenticator.request_otp = False │ │ │ │ +# c.DummyAuthenticator.request_otp = False │ │ │ │ │ │ │ │ ## Reset managed roles to result of `load_managed_roles()` on startup. │ │ │ │ # See also: Authenticator.reset_managed_roles_on_startup │ │ │ │ -# c.PAMAuthenticator.reset_managed_roles_on_startup = False │ │ │ │ - │ │ │ │ -## The name of the PAM service to use for authentication │ │ │ │ -# Default: 'login' │ │ │ │ -# c.PAMAuthenticator.service = 'login' │ │ │ │ - │ │ │ │ -## │ │ │ │ -# See also: LocalAuthenticator.uids │ │ │ │ -# c.PAMAuthenticator.uids = {} │ │ │ │ +# c.DummyAuthenticator.reset_managed_roles_on_startup = False │ │ │ │ │ │ │ │ ## Dictionary mapping authenticator usernames to JupyterHub users. │ │ │ │ # See also: Authenticator.username_map │ │ │ │ -# c.PAMAuthenticator.username_map = {} │ │ │ │ +# c.DummyAuthenticator.username_map = {} │ │ │ │ │ │ │ │ ## │ │ │ │ # See also: Authenticator.username_pattern │ │ │ │ -# c.PAMAuthenticator.username_pattern = '' │ │ │ │ +# c.DummyAuthenticator.username_pattern = '' │ │ │ │ │ │ │ │ ## Deprecated, use `Authenticator.allowed_users` │ │ │ │ # See also: Authenticator.whitelist │ │ │ │ -# c.PAMAuthenticator.whitelist = set() │ │ │ │ +# c.DummyAuthenticator.whitelist = set()