Set AuthZ

Set authorization entitlements as described in https://docs.psnc.pl/pages/viewpage.action?spaceKey=EOSCLOT123&title=Authorisation+Entitlements

common/deployments/hub-staging.yaml

@@ -63,6 +63,8 @@ singleuser:
           - "--CondaKernelSpecManager.env_filter='/opt/conda$'"
         extra_annotations:
           "egi.eu/flavor": "small-environment-2-vcpu-4-gb-ram"
+      vo_claims:
+        - urn:geant:eosc-federation.eu:res:notebooks.open-science-cloud.ec.europa.eu:2-vcpu-4-gb-ram:act:ppa
     - display_name: Medium Environment - 4 vCPU / 8 GB RAM
       description: >
         The notebook environment includes Python, R, Julia and Octave kernels.
@@ -75,6 +77,8 @@ singleuser:
         cpu_limit: 4
         mem_guarantee: 1G
         mem_limit: 8G
+      vo_claims:
+        - urn:geant:eosc-federation.eu:res:notebooks.open-science-cloud.ec.europa.eu:4-vcpu-8-gb-ram:act:ppa
     - display_name: Large Environment - 8 vCPU / 16 GB RAM / GPU
       description: >
         The notebook environment includes Python, R, Julia and Octave kernels with GPU.
@@ -91,6 +95,8 @@ singleuser:
           nvidia.com/gpu: 1
         extra_resource_limits:
           nvidia.com/gpu: 1
+      vo_claims:
+        - urn:geant:eosc-federation.eu:res:notebooks.open-science-cloud.ec.europa.eu:8-vcpu-16-gb-ram-gpu:act:ppa
   cmd: jupyterhub-singleuser-webdav-wrapper
   extraFiles:
     wait-remote-home.sh:
@@ -163,8 +169,11 @@ hub:
         # valtri@civ.zcu.cz
         - 94d3cde7-3121-4b33-b4c2-526c67e8cb38@eosc-federation.eu
       allowed_groups:
-        - urn:geant:eosc-federation.eu:staging:group:eosc
-      auto_login: true
+        - urn:geant:eosc-federation.eu:res:notebooks.open-science-cloud.ec.europa.eu:2-vcpu-4-gb-ram:act:ppa
+        - urn:geant:eosc-federation.eu:res:notebooks.open-science-cloud.ec.europa.eu:4-vcpu-8-gb-ram:act:ppa
+        - urn:geant:eosc-federation.eu:res:notebooks.open-science-cloud.ec.europa.eu:8-vcpu-16-gb-ram-gpu:act:ppa
+      admin_groups:
+        - urn:geant:eosc-federation.eu:group:asg:notebooks.open-science-cloud.ec.europa.eu:role=admin
       claim_groups_key: "entitlements"
     EGICheckinAuthenticator:
       checkin_host: "{{ secret['checkin_host'] }}"
@@ -193,84 +202,11 @@ hub:
       c.JupyterHub.extra_handlers = [(r'/welcome', WelcomeHandler)]
     egi-notebooks-b2drop: |-
 {%- raw %}
-      import base64
       import json
-      from jinja2 import BaseLoader
-      from jinja2 import Environment
       from egi_notebooks_hub.onedata import OnedataSpawner
-      from kubernetes_asyncio.client.rest import ApiException
       from tornado.httpclient import AsyncHTTPClient, HTTPClientError, HTTPRequest
 
-
-      class B2DropSpawner(OnedataSpawner):
-          async def auth_state_hook(self, spawner, auth_state):
-              await super().auth_state_hook(spawner, auth_state)
-              self.b2drop_ready = False
-              self.b2drop_user = ""
-              self.b2drop_pwd = ""
-              try:
-                  secret = await self.api.read_namespaced_secret(self.token_secret_name, self.namespace)
-              except ApiException:
-                  return
-              if secret and secret.data:
-                   self.b2drop_user = base64.b64decode(secret.data.get("b2drop-user", "")).decode()
-                   self.b2drop_pwd = base64.b64decode(secret.data.get("b2drop-pwd", "")).decode()
-                   self.b2drop_ready = (self.b2drop_user and self.b2drop_pwd)
-
-          def _render_options_form(self, profile_list):
-              # old:self._profile_list = self._init_profile_list(profile_list)
-              self._profile_list = self._get_initialized_profile_list(profile_list)
-
-              profile_form_template = Environment(loader=BaseLoader).from_string(
-                  self.profile_form_template
-              )
-              return profile_form_template.render(profile_list=self._profile_list, b2drop_ready=self.b2drop_ready, b2drop_user=self.b2drop_user, b2drop_pwd=self.b2drop_pwd)
-
-          async def pre_spawn_hook(self, spawner):
-              await super(B2DropSpawner, self).pre_spawn_hook(spawner)
-              b2drop_user = self.user_options.get("b2drop-user", "")
-              b2drop_pwd = self.user_options.get("b2drop-pwd", "")
-              if not (b2drop_user and b2drop_pwd):
-                  secret = await self.api.read_namespaced_secret(self.token_secret_name, self.namespace)
-                  if secret and secret.data:
-                      b2drop_user = base64.b64decode(secret.data.get("b2drop-user", "")).decode()
-                      b2drop_pwd = base64.b64decode(secret.data.get("b2drop-pwd", "")).decode()
-              if b2drop_user and b2drop_pwd:
-                  volume_mounts = [
-                    {"mountPath": "/owncloud:shared", "name": "owncloud-home"},
-                  ]
-                  spawner.extra_containers.append(
-                    {
-                        "name": "b2drop",
-                        "image": "eginotebooks/webdav-rclone-sidecar:sha-0a62679",
-                        "env": [
-                            {"name": "WEBDAV_URL", "value": "https://b2drop.eudat.eu/remote.php/webdav"},
-                            {"name": "WEBDAV_PWD", "value": b2drop_pwd},
-                            {"name": "WEBDAV_USER", "value": b2drop_user},
-                            {"name": "WEBDAV_VENDOR", "value": "other"},
-                            {"name": "MOUNT_PATH", "value": "/owncloud/b2drop"},
-                            {"name": "MOUNT_WAIT_POINT", "value": "webdav-fs: /owncloud fuse.rclone"},
-                        ],
-                        "resources": self.sidecar_resources,
-                        "securityContext": {
-                            "runAsUser": 1000,
-                            "fsUser": 1000,
-                            "fsGroup": 100,
-                            "privileged": True,
-                            "capabilities": {"add": ["SYS_ADMIN"]},
-                        },
-                        "volumeMounts": volume_mounts,
-                    }
-                  )
-
-          def options_from_form(self, formdata):
-              data = super(B2DropSpawner, self)._options_from_form(formdata)
-              data.update({'b2drop-user': formdata.get('b2drop-user', [None])[0],
-                           'b2drop-pwd': formdata.get('b2drop-pwd', [None])[0]})
-              return data
-
-
-      class WebDavOIDCSpawner(B2DropSpawner):
+      class WebDavOIDCSpawner(OnedataSpawner):
           # ownCloud Infinite Scale parameters
           # (https://owncloud.dev/apis/http/graph/spaces/#list-my-spaces-get-medrives)
           OCIS_URL = "https://ocis-staging.apps.bst2-test.paas.psnc.pl"
@@ -365,100 +301,9 @@ hub:
               else:
                 self.log.info("No auth state, skipping ownCloud")
 
-
       c.JupyterHub.spawner_class = WebDavOIDCSpawner
-      c.B2DropSpawner.token_mount_path = "/var/run/secrets/oidc/"
-      c.B2DropSpawner.http_timeout = 90
-      c.B2DropSpawner.profile_form_template = """
-        <style>
-            /*
-                .profile divs holds two div tags: one for a radio button, and one
-                for the profile's content.
-            */
-            #kubespawner-profiles-list .profile {
-                display: flex;
-                flex-direction: row;
-                font-weight: normal;
-                border-bottom: 1px solid #ccc;
-                padding-bottom: 12px;
-            }
-
-            #kubespawner-profiles-list .profile .radio {
-                padding: 12px;
-            }
-
-            /* .option divs holds a label and a select tag */
-            #kubespawner-profiles-list .profile .option {
-                display: flex;
-                flex-direction: row;
-                align-items: center;
-                padding-bottom: 12px;
-            }
-
-            #kubespawner-profiles-list .profile .option label {
-                font-weight: normal;
-                margin-right: 8px;
-                min-width: 96px;
-            }
-        </style>
-
-        <div class='form-group' id='kubespawner-profiles-list'>
-            {%- for profile in profile_list %}
-            {#- Wrap everything in a <label> so clicking anywhere selects the option #}
-            <label for='profile-item-{{ profile.slug }}' class='profile'>
-                <div class='radio'>
-                    <input type='radio' name='profile' id='profile-item-{{ profile.slug }}' value='{{ profile.slug }}' {% if profile.default %}checked{% endif %} />
-                </div>
-                <div>
-                    <h3>{{ profile.display_name }}</h3>
-
-                    {%- if profile.description %}
-                    <p>{{ profile.description }}</p>
-                    {%- endif %}
-
-                    {%- if profile.profile_options %}
-                    <div>
-                        {%- for k, option in profile.profile_options.items() %}
-                        <div class='option'>
-                            <label for='profile-option-{{profile.slug}}-{{k}}'>{{option.display_name}}</label>
-                            <select name="profile-option-{{profile.slug}}-{{k}}" class="form-control">
-                                {%- for k, choice in option['choices'].items() %}
-                                <option value="{{ k }}" {% if choice.default %}selected{%endif %}>{{ choice.display_name }}</option>
-                                {%- endfor %}
-                            </select>
-                        </div>
-                        {%- endfor %}
-                    </div>
-                    {%- endif %}
-                </div>
-            </label>
-            {%- endfor %}
-            <div class="panel-group" id="accordion" role="tablist" aria-multiselectable="true">
-              <div class="panel panel-default">
-                <div class="panel-heading" role="tab" id="headingOne">
-                  <h4 class="panel-title">
-                    <a class="collabpsed" role="button" data-toggle="collapse" data-parent="#accordion" href="#collapseOne" aria-expanded="false" aria-controls="collapseOne">
-                      B2DROP connection
-                    </a>
-                    {%if b2drop_ready %}<span class="label label-success">Already configured!</span>{% endif %}
-                  </h4>
-                </div>
-                <div id="collapseOne" class="panel-collapse collapse" role="tabpanel" aria-labelledby="headingOne">
-                  <div class="panel-body">
-                    <div class='form-group'>
-                      <label for="b2drop-user" class="form-label">B2DROP app Username</label>
-                      <input type="text" class="form-control" name="b2drop-user" id="b2drop-user" aria-describedby="b2drop-user-help" value="{{ b2drop_user }}">
-                      <div id="b2drop-user-help" class="form-text">Create new app password at <a href="https://b2drop.eudat.eu/settings/user/security">B2DROP security configuration</a></div>
-                    </div>
-                    <div class='form-group'>
-                        <label for="b2drop-pwd" class="form-label">B2DROP app Password</label>
-                        <input type="password" class="form-control" name="b2drop-pwd" id="b2drop-pwd" value="{{ b2drop_pwd }}">
-                    </div>
-                  </div>
-                </div>
-              </div>
-        </div>
-        """
+      c.WebDavOIDCSpawner.token_mount_path = "/var/run/secrets/oidc/"
+      c.WebDavOIDCSpawner.http_timeout = 90
 {% endraw %}
   extraFiles:
     welcome.html:
@@ -466,4 +311,17 @@ hub:
       stringData: |-
 {%- raw %}
         {% extends "login.html" %}
+{% endraw %}
+    403.html:
+      mountPath: /usr/local/share/jupyterhub/templates/403.html
+      stringData: |-
+{%- raw %}
+        {% extends "error.html" %}
+        {% block main %}
+        <div class="error">
+          <h1>Unauthorized</h1>
+          <p>You don't have the correct entitlements to access this service.</p>
+          <p>If you think you should be granted access, please open an issue!</p>
+        </div>
+        {% endblock %}
 {% endraw %}