On Thu, Jul 20, 2017 at 9:46 PM, Mike Bopf <[email protected]> wrote:
I have JupyterHub working for a individual users using SystemUserSpawner
> via a PAMAuthentication. However, I'd like to be able to share certain
> Jupyter Notebooks between different users, realizing that we could step on
> each other. One solution would be to enable UNIX groups inside Jupyterhub,
> but the "load_group" configuration item isn't working as I'd expect. This
> is what I have in the jupyterhub_config.py:
>
> c.JupyterHub.load_groups = { 'ourgroup': [ 'mike', 'dave', 'tom' ] }
>
> "ourgroup" is an existing UNIX group on the server and mike, dave and tom
> are existing users with access to that group. If I bring up a Terminal
> inside Jupyter, the "whoami" command returns "mike", but the "groups"
> command also returns "mike". I'd like my group to be "ourgroup", instead,
> or at least add "ourgroup" to my list of groups. I can create and edit
> files owned by mike, but not 775 files with group "ourgroup".
> Unsurprisingly, an "ls -l" of a file with group "ourgroup" just lists the
> groupId number, not "ourgroup".
>
JupyterHub groups are an internal concept, and probably aren’t relevant to
you if you already have unix groups and permissions set up. I think the
main missing thing is setting the group or groups of the process spawned in
docker.
The LocalProcessSpawner sets the groups of the process with os.setgroups()
<https://github.com/jupyterhub/jupyterhub/blob/0.7.2/jupyterhub/spawner.py#L652-L663>.
SystemUserSpawner lacks this logic. You can tell docker to launch a
container with a specific user id and gid via the user argument. The
docker-stacks also support setting UID and GID at runtime, but doing so
requires that the container initially start as root. Here’s how to set up
uid + gid, assuming your image is based on one of the docker-stacks
<https://github.com/jupyter/docker-stacks>:
import pwdimport grp
from dockerspawner import SystemUserSpawner
class SystemGroupSpawner(SystemUserSpawner):
# local unix groups a user might be a member of
groups = ['admin']
def get_env(self):
env = super().get_env()
# don't set USER env, which SystemUserSpawner uses.
env.pop('USER', None)
# set notebook UID
env['NB_UID'] = self.user_id
for groupname in self.groups:
group = grp.getgrnam(groupname)
# find the first group in our group list that the user is
a member of,
# and set the group id
if self.user.name in group.gr_mem:
env['NB_GID'] = group.gr_gid
return env
# Select our custom Spawner
c.JupyterHub.spawner_class = SystemGroupSpawner# Select one of the
docker-stacks (https://github.com/jupyter/docker-stacks)
c.SystemGroupSpawner.container_image = 'jupyter/base-notebook'
# must start container as root in order for docker-stacks to set up
NB_UID / NB_GID correctly
c.SystemGroupSpawner.extra_create_kwargs = {'user': 'root'}
# This line should be redundant with above,# but there's a bug in
docker-stacks assuming $UID is the user id# BUG:
https://github.com/jupyter/docker-stacks/pull/420
c.SystemGroupSpawner.environment = {'UID': '0'}
as a gist <https://gist.github.com/minrk/b9103e935052a70ba00dc93e06be6636>
-Min
> Am I using the JupyterHub.load_groups correctly? Is there another way to
> get this functionality? I'm removing the Docker image each time before I
> run to make sure that changes take affect.
>
> Thanks muchly,
> mike
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Project Jupyter" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/ms
> gid/jupyter/906a5f7f-60da-45df-a5bf-a3675656e535%40googlegroups.com
> <https://groups.google.com/d/msgid/jupyter/906a5f7f-60da-45df-a5bf-a3675656e535%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
--
You received this message because you are subscribed to the Google Groups
"Project Jupyter" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/jupyter/CAHNn8BXK6kObQOocRYoXeHES4_UWB4nX1PiPT1f4JFs8vwyRdA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
