Members of nested groups aren't allowed if only the parent group is listed under allowed_groups #177

Open
@Aethylred

Bug description

Using a directory service like FreeIPA that allows nested groups, if a nested group is added to c.LDAPAuthenticator.allowed_groups the indirect members (i.e. members of child groups) are not granted access to Jupyter services.

Expected behaviour

We expected indirect group members to be allowed access to JupyterHub services.

Actual behaviour

Access is denied.

How to reproduce

  1. Create two groups in the LDAP directory, A and B
  2. Add a user to group B
  3. Add group B as a member group of group A
  4. Set group A as an allowed group using c.LDAPAuthenticator.allowed_groups in jupyterhub_config.py
  5. Restart jupyterhub
  6. Attempt to log in as the user added to group B

Your personal set up

  • OS: CentOS7
  • Version: 2.2.6
  • Configuration: Diff from default config
# diff /opt/jupyterhub/etc/jupyterhub/jupyterhub_config.py /opt/jupyterhub/etc/jupyterhub/jupyterhub_config.py.default
98,114d97
< c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
<
< # LDAPAuthenticator settings
< c.LDAPAuthenticator.server_address = 'ipa01.example.org'
< c.LDAPAuthenticator.lookup_dn = False
< c.LDAPAuthenticator.user_attribute = 'uid'
< c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'uid'
< c.LDAPAuthenticator.user_search_base = 'cn=users,cn=accounts,dc=example,dc=org'
< c.LDAPAuthenticator.bind_dn_template = [ 'uid={username},cn=users,cn=accounts,,dc=example,dc=org' ]
< c.LDAPAuthenticator.allowed_groups = [
<     'cn=jupyter-users,cn=groups,cn=accounts,dc=example,dc=org'
< ]
<
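Review bot: the bind_dn_template value in this hunk has a doubled comma, `cn=accounts,,dc=example,dc=org`, which leaves an empty component in the bind DN. The user_search_base line just above it uses the same path with a single comma, so the template should probably read `uid={username},cn=users,cn=accounts,dc=example,dc=org`. Worth ruling this out before attributing the denied login to the allowed_groups entry, which lists only the parent group DN.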
123c106
<
---
> #c.JupyterHub.base_url = '/'
189d171
< c.JupyterHub.cookie_secret_file = '/opt/jupyterhub/etc/jupyterhub/jupyterhub_cookie_secret'
200d181
< c.JupyterHub.db_url = 'postgresql+psycopg2://jupyter:[email protected]:5432/jupyter'
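Review bot: db_url on this line carries the database account's credential inline in the connection URL inside jupyterhub_config.py (the part after `jupyter:` appears here as `[email protected]`). Consider building the URL in the config from an environment variable or a file readable only by the hub account, so the config can be attached to reports like this one without hand redaction.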
390d370
< c.JupyterHub.named_server_limit_per_user = 5
404,405d383
< c.ConfigurableHTTPProxy.pid_file = '/localhome/jupyter/jupyter-proxy.pid'
<
493d470
< c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner'
692,699d668
< # Open lab in home directory
< #c.Spawner.default_url = '/lab/tree/home/{username}'
< # Opens notebook in home directory
< #c.Spawner.default_url = '/tree/home/{username}'
< # Opens lab at /
< #c.Spawner.default_url = '/lab'
< # No links
< c.Spawner.default_url = '/lab/workspaces/lab/tree/home/{username}'
795d763
< c.Spawner.notebook_dir = '/'
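
The difference between a direct and a transitive group check for the reproduction steps above, as an added example (not part of the original report and not ldapauthenticator's code). The directory contents, the users alice and bob, the groups team-b and team-c, and all function names are constructed for illustration.

```python
# Added illustration with constructed data; not ldapauthenticator's implementation.
BASE = "cn=accounts,dc=example,dc=org"
ALICE = f"uid=alice,cn=users,{BASE}"            # constructed user, member of B
BOB = f"uid=bob,cn=users,{BASE}"                # constructed user, in no group
GROUP_A = f"cn=jupyter-users,cn=groups,{BASE}"  # parent group from the report
GROUP_B = f"cn=team-b,cn=groups,{BASE}"         # hypothetical child group
GROUP_C = f"cn=team-c,cn=groups,{BASE}"         # hypothetical, forms a cycle with B

# Group DN -> values of its "member" attribute (user DNs or other group DNs).
# DNs are compared as exact strings here; a real directory compares them
# case-insensitively.
DIRECTORY = {
    GROUP_A: [GROUP_B],
    GROUP_B: [ALICE, GROUP_C],
    GROUP_C: [GROUP_B],
}


def is_direct_member(user_dn, group_dn, directory=DIRECTORY):
    """Look only at the group's own member list; denies alice via group A."""
    return user_dn in directory.get(group_dn, [])


def is_nested_member(user_dn, group_dn, directory=DIRECTORY, max_depth=8):
    """Walk member groups breadth-first; `seen` stops membership cycles."""
    seen, frontier = set(), [(group_dn, 0)]
    while frontier:
        dn, depth = frontier.pop(0)
        if dn in seen or depth > max_depth:
            continue
        seen.add(dn)
        for member in directory.get(dn, []):
            if member == user_dn:
                return True
            if member in directory:  # the member is itself a group
                frontier.append((member, depth + 1))
    return False


def is_allowed(user_dn, allowed_groups, nested):
    """Apply either check across the configured allowed groups."""
    check = is_nested_member if nested else is_direct_member
    return any(check(user_dn, group) for group in allowed_groups)


if __name__ == "__main__":
    print("direct check:", is_allowed(ALICE, [GROUP_A], nested=False))
    print("nested check:", is_allowed(ALICE, [GROUP_A], nested=True))
    print("non-member  :", is_allowed(BOB, [GROUP_A], nested=True))
```

The `max_depth` bound limits how many levels of group nesting can confer access, which keeps a deep or unexpected nesting in the directory from silently widening who is allowed in.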
