jhub-remote-user-authenticator

Release 0.1.0

REMOTE_USER Authenticator: An Authenticator for Jupyterhub to read user information from HTTP request headers, as when running behind an authenticating proxy.

Homepage PyPI Python

Keywords
Interactive, Interpreter, Shell, Web
License
GPL-3.0
Install
pip install jhub-remote-user-authenticator==0.1.0

Documentation

Jupyterhub REMOTE_USER Authenticator

Authenticate to Jupyterhub using an authenticating proxy that can set the REMOTE_USER header.

Architecture and Security Recommendations

This type of authentication relies on an HTTP header, and a malicious client could spoof the REMOTE_USER header. The recommended architecture for this type of authentication requires that an authenticating proxy be placed in front of your Jupyterhub. Your Jupyerhub should only be accessible from the proxy and never directly accessible by a client.

This type of access is typically enforced with network access controls. E.g. in a simple case, the host on which the Jupyterhub service accepts incoming requests has its host based firewall configured to only accept incoming connections from the proxy host.

Further, the authenticating proxy should make sure it removes any REMOTE_USER headers from incoming requests and only applies the header to proxied requests that have been properly authenticated.

Installation

This package can be installed with pip either from a local git repository or from PyPi.

Installation from local git repository:

cd jhub_remote_user_authenticator
pip install .

Installation from PyPi:

pip install jhub_remote_user_authenticator

Alternately, you can add the local project folder must be on your PYTHONPATH.

Configuration

You should edit your :file:`jupyterhub_config.py` to set the authenticator class:

c.JupyterHub.authenticator_class = 'jhub_remote_user_authenticator.remote_user_auth.RemoteUserAuthenticator'

You should be able to start jupyterhub. The "/hub/login" resource will look for the authenticated user name in the HTTP header "REMOTE_USER" [1]. If found, and not blank, you will be logged in as that user.

Alternatively, you can use RemoteUserLocalAuthenticator:

c.JupyterHub.authenticator_class = 'jhub_remote_user_authenticator.remote_user_auth.RemoteUserLocalAuthenticator'

This provides the same authentication functionality but is derived from LocalAuthenticator and therefore provides features such as the ability to add local accounts through the admin interface if configured to do so.

[1] The HTTP header name is configurable. Note that NGINX, a popular proxy, drops headers that contain an underscore by default. See http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers for details.

Stats

Dependencies
1
Dependent packages
2
Dependent repositories
0
Total releases
3
Latest release
First release
Stars
12
Forks
23
Watchers
3
Contributors
3
Repository size
26.4 KB
SourceRank
8

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.1.0
0.0.2
0.0.1

Contributors

Carl Cody Scott Andrea Zonca


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2021-02-17 06:34:09 UTC

Login to resync this project