Group access in JupyterHub

[Mike Bopf]

I have JupyterHub working for a individual users using SystemUserSpawner via a PAMAuthentication. However, I'd like to be able to share certain Jupyter Notebooks between different users, realizing that we could step on each other. One solution would be to enable UNIX groups inside Jupyterhub, but the "load_group" configuration item isn't working as I'd expect. This is what I have in the jupyterhub_config.py:

      c.JupyterHub.load_groups = { 'ourgroup': [ 'mike', 'dave', 'tom' ] }

"ourgroup" is an existing UNIX group on the server and mike, dave and tom are existing users with access to that group. If I bring up a Terminal inside Jupyter, the "whoami" command returns "mike", but the "groups" command also returns "mike". I'd like my group to be "ourgroup", instead, or at least add "ourgroup" to my list of groups. I can create and edit files owned by mike, but not 775 files with group "ourgroup". Unsurprisingly, an "ls -l" of a file with group "ourgroup" just lists the groupId number, not "ourgroup".

Am I using the JupyterHub.load_groups correctly? Is there another way to get this functionality? I'm removing the Docker image each time before I run to make sure that changes take affect.

Thanks muchly,
mike

[MinRK]

On Thu, Jul 20, 2017 at 9:46 PM, Mike Bopf <mike...@gmail.com> wrote:

I have JupyterHub working for a individual users using SystemUserSpawner via a PAMAuthentication. However, I'd like to be able to share certain Jupyter Notebooks between different users, realizing that we could step on each other. One solution would be to enable UNIX groups inside Jupyterhub, but the "load_group" configuration item isn't working as I'd expect. This is what I have in the jupyterhub_config.py:

      c.JupyterHub.load_groups = { 'ourgroup': [ 'mike', 'dave', 'tom' ] }

"ourgroup" is an existing UNIX group on the server and mike, dave and tom are existing users with access to that group. If I bring up a Terminal inside Jupyter, the "whoami" command returns "mike", but the "groups" command also returns "mike". I'd like my group to be "ourgroup", instead, or at least add "ourgroup" to my list of groups. I can create and edit files owned by mike, but not 775 files with group "ourgroup". Unsurprisingly, an "ls -l" of a file with group "ourgroup" just lists the groupId number, not "ourgroup".

JupyterHub groups are an internal concept, and probably aren’t relevant to you if you already have unix groups and permissions set up. I think the main missing thing is setting the group or groups of the process spawned in docker.

The LocalProcessSpawner sets the groups of the process with os.setgroups(). SystemUserSpawner lacks this logic. You can tell docker to launch a container with a specific user id and gid via the user argument. The docker-stacks also support setting UID and GID at runtime, but doing so requires that the container initially start as root. Here’s how to set up uid + gid, assuming your image is based on one of the docker-stacks:

import pwd
import grp

from dockerspawner import SystemUserSpawner

class SystemGroupSpawner(SystemUserSpawner):

    # local unix groups a user might be a member of
    groups = ['admin']

    def get_env(self):
        env = super().get_env()
        # don't set USER env, which SystemUserSpawner uses.
        env.pop('USER',  None)
        # set notebook UID
        env['NB_UID'] = self.user_id
        for groupname in self.groups:
            group = grp.getgrnam(groupname)
            # find the first group in our group list that the user is a member of,
            # and set the group id
            if self.user.name in group.gr_mem:
                env['NB_GID'] = group.gr_gid
        return env

# Select our custom Spawner
c.JupyterHub.spawner_class = SystemGroupSpawner
# Select one of the docker-stacks (https://github.com/jupyter/docker-stacks)
c.SystemGroupSpawner.container_image = 'jupyter/base-notebook'

# must start container as root in order for docker-stacks to set up NB_UID / NB_GID correctly
c.SystemGroupSpawner.extra_create_kwargs = {'user': 'root'}

# This line should be redundant with above,
# but there's a bug in docker-stacks assuming $UID is the user id
# BUG: https://github.com/jupyter/docker-stacks/pull/420
c.SystemGroupSpawner.environment = {'UID': '0'}

as a gist

-Min

Am I using the JupyterHub.load_groups correctly? Is there another way to get this functionality? I'm removing the Docker image each time before I run to make sure that changes take affect.

Thanks muchly,
mike

--
You received this message because you are subscribed to the Google Groups "Project Jupyter" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jupyter+unsubscribe@googlegroups.com.
To post to this group, send email to jup...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/906a5f7f-60da-45df-a5bf-a3675656e535%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

​

[Mike Bopf]

Thanks so much for the quick reply! However, it's still not doing what I want. When I run it with my group name ('ceb'), I end up being logged in as user "jovyan" and group "users". I also end up in an empty, jupyter-local version of /home/{username} instead of my home directory on the host. That's how it works with the default

I'm not sure if it matters, but I had to modify the networking stuff, including using port 8443 for the SSL to work on our server. I'm also using PAM authentication instead of GitHub. Here's my config (same as attached file):

jupyterhub_configMWB.py as gist

I'm relatively new to Python, but maybe popping off the entire USER env causes problems especially given my authentication method. Would it make more sense for me to create a custom Dockerfile that handles the group permissions differently (i.e., doesn't create "jovyan" and "users")?

Thanks again for all your help,

mike

​