Merge pull request #3118 from consideRatio/pr/z2jh-3-upgrade

Upgrade to z2jh 3.0.2 from 3.0.0-beta.1 - oauthenticator 15.1 bumped to 16.0

config/clusters/2i2c-aws-us/cosmicds.values.yaml

@@ -76,12 +76,7 @@ jupyterhub:
       JupyterHub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
-        scope:
-          - "email"
-          - "profile"
         oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback
-        shown_idps:
-          - http://github.com/login/oauth/authorize
         allowed_idps:
           # The username claim here is used to do *authorization*, for both
           # admin use and any allow listing we want to do.

config/clusters/2i2c-aws-us/dask-staging.values.yaml

@@ -33,15 +33,6 @@ basehub:
         tag: "2022.06.02"
     hub:
       config:
-        Authenticator:
-          # This hub uses GitHub Org auth and so we don't set
-          # allowed_users in order to not deny access to valid members of
-          # the listed orgs.
-          #
-          # You must always set admin_users, even if it is an empty list,
-          # otherwise `add_staff_user_ids_to_admin_users: true` will fail
-          # silently and no staff members will have admin access.
-          admin_users: []
         JupyterHub:
           authenticator_class: "github"
         GitHubOAuthenticator:

config/clusters/2i2c-aws-us/itcoocean.values.yaml

@@ -57,11 +57,9 @@ jupyterhub:
       - name: volume-mount-ownership-fix
         image: busybox
         command:
-          [
-            "sh",
-            "-c",
-            "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ",
-          ]
+          - sh
+          - -c
+          - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan
         securityContext:
           runAsUser: 0
         volumeMounts:

config/clusters/2i2c-aws-us/researchdelight.values.yaml

@@ -30,19 +30,19 @@ basehub:
     hub:
       image:
         name: quay.io/2i2c/unlisted-choice-experiment
-        tag: "0.0.1-0.dev.git.6863.h406a3546"
+        tag: "0.0.1-0.dev.git.6935.h7141d766"
       config:
         JupyterHub:
           authenticator_class: github
-        Authenticator:
-          enable_auth_state: true
         GitHubOAuthenticator:
           populate_teams_in_auth_state: true
           allowed_organizations:
             - 2i2c-org:hub-access-for-2i2c-staff
             - 2i2c-org:research-delight-team
           scope:
             - read:org
+        Authenticator:
+          enable_auth_state: true
     singleuser:
       image:
         name: quay.io/2i2c/researchdelight-image

config/clusters/2i2c-aws-us/staging.values.yaml

@@ -28,15 +28,6 @@ jupyterhub:
           url: https://2i2c.org
   hub:
     config:
-      Authenticator:
-        # This hub uses GitHub Org auth and so we don't set
-        # allowed_users in order to not deny access to valid members of
-        # the listed orgs.
-        #
-        # You must always set admin_users, even if it is an empty list,
-        # otherwise `add_staff_user_ids_to_admin_users: true` will fail
-        # silently and no staff members will have admin access.
-        admin_users: []
       JupyterHub:
         authenticator_class: "github"
       GitHubOAuthenticator:

config/clusters/2i2c-uk/lis.values.yaml

@@ -49,17 +49,14 @@ jupyterhub:
     config:
       JupyterHub:
         authenticator_class: github
-      Authenticator:
-        # This hub uses GitHub Orgs auth and so we don't set
-        # allowed_users in order to not deny access to valid members of
-        # the listed orgs. These people should have admin access though.
-        admin_users:
-          - LaCrecerelle
-          - matthew-brett
       GitHubOAuthenticator:
+        oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback"
         allowed_organizations:
           - 2i2c-org
           - lisacuk
         scope:
           - read:org
-        oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback"
+      Authenticator:
+        admin_users:
+          - LaCrecerelle
+          - matthew-brett

config/clusters/2i2c-uk/staging.values.yaml

@@ -39,8 +39,6 @@ jupyterhub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
         oauth_callback_url: "https://staging.uk.2i2c.cloud/hub/oauth_callback"
-        shown_idps:
-          - http://google.com/accounts/o8/id
         allowed_idps:
           http://google.com/accounts/o8/id:
             username_derivation:

config/clusters/2i2c/aup.values.yaml

@@ -37,21 +37,40 @@ jupyterhub:
       JupyterHub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
-        scope:
-          - "profile"
         oauth_callback_url: "https://aup.pilot.2i2c.cloud/hub/oauth_callback"
-        shown_idps:
-          - http://github.com/login/oauth/authorize
         allowed_idps:
           http://github.com/login/oauth/authorize:
             username_derivation:
               username_claim: "preferred_username"
+      OAuthenticator:
+        # WARNING: Don't use allow_existing_users with config to allow an
+        #          externally managed group of users, such as
+        #          GitHubOAuthenticator.allowed_organizations, as it breaks a
+        #          common expectations for an admin user.
+        #
+        #          The broken expectation is that removing a user from the
+        #          externally managed group implies that the user won't have
+        #          access any more. In practice the user will still have
+        #          access if it had logged in once before, as it then exists
+        #          in JupyterHub's database of users.
+        #
+        allow_existing_users: True
       Authenticator:
-        # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies
-        #        allow_existing_users=True, while in z3jh 3.0.0 this needs to be
-        #        configured explicitly.
+        # WARNING: Removing a user from admin_users or allowed_users doesn't
+        #          revoke admin status or access.
+        #
+        #          OAuthenticator.allow_existing_users allows any user in the
+        #          JupyterHub database of users able to login. This includes
+        #          any previously logged in user or user previously listed in
+        #          allowed_users or admin_users, as such users are added to
+        #          JupyterHub's database on startup.
+        #
+        #          To revoke admin status or access for a user when
+        #          allow_existing_users is enabled, first remove the user from
+        #          admin_users or allowed_users, then deploy the change, and
+        #          finally revoke the admin status or delete the user via the
+        #          /hub/admin panel.
         #
-        allowed_users: &aup_users
+        admin_users:
           - swalker
           - shaolintl
-        admin_users: *aup_users

config/clusters/2i2c/binder-staging.values.yaml

@@ -83,8 +83,6 @@ binderhub:
             - [email protected]
         CILogonOAuthenticator:
           oauth_callback_url: "https://binder-staging.hub.2i2c.cloud/hub/oauth_callback"
-          shown_idps:
-            - http://google.com/accounts/o8/id
           allowed_idps:
             http://google.com/accounts/o8/id:
               username_derivation:

config/clusters/2i2c/climatematch.values.yaml

@@ -39,11 +39,9 @@ jupyterhub:
       - name: volume-mount-ownership-fix
         image: busybox
         command:
-          [
-            "sh",
-            "-c",
-            "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ",
-          ]
+          - sh
+          - -c
+          - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan
         securityContext:
           runAsUser: 0
         volumeMounts:

config/clusters/2i2c/dask-staging.values.yaml

@@ -44,12 +44,7 @@ basehub:
         JupyterHub:
           authenticator_class: cilogon
         CILogonOAuthenticator:
-          scope:
-            - "email"
-            - "profile"
           oauth_callback_url: "https://dask-staging.2i2c.cloud/hub/oauth_callback"
-          shown_idps:
-            - http://accounts.google.com/o/oauth2/auth
           allowed_idps:
             http://google.com/accounts/o8/id:
               username_derivation:

config/clusters/2i2c/demo.values.yaml

@@ -31,10 +31,6 @@ jupyterhub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
         oauth_callback_url: https://demo.2i2c.cloud/hub/oauth_callback
-        shown_idps:
-          # Allow Google for 2i2c.org anr dmbl
-          - https://accounts.google.com/o/oauth2/auth
-          - https://enterprise.login.utexas.edu/idp/shibboleth
         allowed_idps:
           # UTexas hub
           https://enterprise.login.utexas.edu/idp/shibboleth:

config/clusters/2i2c/imagebuilding-demo.values.yaml

@@ -60,14 +60,12 @@ jupyterhub:
   hub:
     image:
       name: quay.io/2i2c/dynamic-image-building-experiment
-      tag: "0.0.1-0.dev.git.6765.h33942a27"
+      tag: "0.0.1-0.dev.git.6935.h7141d766"
     config:
       JupyterHub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
         oauth_callback_url: "https://imagebuilding-demo.2i2c.cloud/hub/oauth_callback"
-        shown_idps:
-          - http://google.com/accounts/o8/id
         allowed_idps:
           http://google.com/accounts/o8/id:
             username_derivation:

config/clusters/2i2c/mtu.values.yaml

@@ -39,9 +39,6 @@ jupyterhub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
         oauth_callback_url: "https://mtu.2i2c.cloud/hub/oauth_callback"
-        shown_idps:
-          - http://google.com/accounts/o8/id
-          - https://sso.mtu.edu/idp/shibboleth
         allowed_idps:
           # Allow 2i2c staff to login with Google
           http://google.com/accounts/o8/id:

config/clusters/2i2c/neurohackademy.values.yaml

@@ -55,24 +55,43 @@ jupyterhub:
     config:
       JupyterHub:
         authenticator_class: cilogon
-      Authenticator:
-        # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies
-        #        allow_existing_users=True, while in z3jh 3.0.0 this needs to be
-        #        configured explicitly.
-        #
-        allowed_users: &neurohackademy_users
-          - arokem
-        admin_users: *neurohackademy_users
       CILogonOAuthenticator:
-        scope:
-          - "profile"
         oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback
-        shown_idps:
-          - https://github.com/login/oauth/authorize
         allowed_idps:
           http://github.com/login/oauth/authorize:
             username_derivation:
               username_claim: "preferred_username"
+      OAuthenticator:
+        # WARNING: Don't use allow_existing_users with config to allow an
+        #          externally managed group of users, such as
+        #          GitHubOAuthenticator.allowed_organizations, as it breaks a
+        #          common expectations for an admin user.
+        #
+        #          The broken expectation is that removing a user from the
+        #          externally managed group implies that the user won't have
+        #          access any more. In practice the user will still have
+        #          access if it had logged in once before, as it then exists
+        #          in JupyterHub's database of users.
+        #
+        allow_existing_users: True
+      Authenticator:
+        # WARNING: Removing a user from admin_users or allowed_users doesn't
+        #          revoke admin status or access.
+        #
+        #          OAuthenticator.allow_existing_users allows any user in the
+        #          JupyterHub database of users able to login. This includes
+        #          any previously logged in user or user previously listed in
+        #          allowed_users or admin_users, as such users are added to
+        #          JupyterHub's database on startup.
+        #
+        #          To revoke admin status or access for a user when
+        #          allow_existing_users is enabled, first remove the user from
+        #          admin_users or allowed_users, then deploy the change, and
+        #          finally revoke the admin status or delete the user via the
+        #          /hub/admin panel.
+        #
+        admin_users:
+          - arokem
     extraFiles:
       configurator-schema-default:
         data:

config/clusters/2i2c/staging.values.yaml

@@ -56,8 +56,6 @@ jupyterhub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
         oauth_callback_url: "https://staging.2i2c.cloud/hub/oauth_callback"
-        shown_idps:
-          - http://google.com/accounts/o8/id
         allowed_idps:
           http://google.com/accounts/o8/id:
             username_derivation:

config/clusters/2i2c/temple.values.yaml

@@ -34,9 +34,6 @@ jupyterhub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
         oauth_callback_url: https://temple.2i2c.cloud/hub/oauth_callback
-        shown_idps:
-          - https://fim.temple.edu/idp/shibboleth
-          - https://accounts.google.com/o/oauth2/auth
         allowed_idps:
           https://fim.temple.edu/idp/shibboleth:
             username_derivation:

config/clusters/2i2c/ucmerced.values.yaml

@@ -38,9 +38,6 @@ jupyterhub:
         authenticator_class: cilogon
       CILogonOAuthenticator:
         oauth_callback_url: https://ucmerced.2i2c.cloud/hub/oauth_callback
-        shown_idps:
-          - urn:mace:incommon:ucmerced.edu
-          - https://accounts.google.com/o/oauth2/auth
         allowed_idps:
           urn:mace:incommon:ucmerced.edu:
             username_derivation:

config/clusters/awi-ciroh/common.values.yaml

@@ -33,21 +33,18 @@ basehub:
       config:
         JupyterHub:
           authenticator_class: github
-        Authenticator:
-          # This hub uses GitHub Orgs auth and so we don't set
-          # allowed_users in order to not deny access to valid members of
-          # the listed orgs. These people should have admin access though.
-          admin_users:
-            - jameshalgren
-            - arpita0911patel
-            - karnesh
         GitHubOAuthenticator:
           allowed_organizations:
             - 2i2c-org
             - alabamawaterinstitute
             - NOAA-OWP
           scope:
             - read:org
+        Authenticator:
+          admin_users:
+            - jameshalgren
+            - arpita0911patel
+            - karnesh
     singleuser:
       image:
         # Image build repo: https://github.com/2i2c-org/awi-ciroh-image

config/clusters/callysto/common.values.yaml

@@ -136,9 +136,6 @@ jupyterhub:
           - "102749090965437723445" # Byron Chu (Cybera)
           - "115909958579864751636" # Michael Jones (Cybera)
           - "106951135662332329542" # Elmar Bouwer (Cybera)
-        shown_idps:
-          - https://accounts.google.com/o/oauth2/auth
-          - https://login.microsoftonline.com/common/oauth2/v2.0/authorize
         allowed_idps:
           http://google.com/accounts/o8/id:
             username_derivation: