Created
January 22, 2016 03:56
-
-
Save kagesenshi/9395cd6d36c7ac3be2d1 to your computer and use it in GitHub Desktop.
Jupyterhub Spawner with Kerberos keytabs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # to use this, set REALM to your KRB realm, and create keytabs for each user in | |
| # /etc/security/keystabs/<username>.jupyter.keytab | |
| # | |
| # Save this file in your site-packages directory as krbspawner.py | |
| # | |
| # then in /etc/jupyterhub_config.py, set: | |
| # | |
| # c.JupyterHub.spawner_class = 'krbspawner.KerberosSpawner' | |
| from jupyterhub.spawner import LocalProcessSpawner | |
| from jupyterhub.traitlets import Command | |
| from jupyterhub.utils import random_port | |
| from subprocess import Popen | |
| from tornado import gen | |
| import pipes | |
| REALM='EXAMPLE.COM' | |
| class KerberosSpawner(LocalProcessSpawner): | |
| @gen.coroutine | |
| def start(self): | |
| """Start the process""" | |
| if self.ip: | |
| self.user.server.ip = self.ip | |
| self.user.server.port = random_port() | |
| cmd = [] | |
| env = self.env.copy() | |
| cmd.extend(self.cmd) | |
| cmd.extend(self.get_args()) | |
| self.log.info("Spawning %s", ' '.join(pipes.quote(s) for s in cmd)) | |
| kinit = ['kinit', '-t', | |
| '/etc/security/keytabs/%s.jupyter.keytab' % self.user.name, | |
| '%s@%s' % (self.user.name, REALM)] | |
| Popen(kinit, preexec_fn=self.make_preexec_fn(self.user.name)).wait() | |
| self.proc = Popen(cmd, env=env, | |
| preexec_fn=self.make_preexec_fn(self.user.name), | |
| ) | |
| self.pid = self.proc.pid |
@kagesenshi, great work on this! @lostinplace and I were able to track down the issues on our end (Kerberos cache was owned by root and couldnt be updated by other users). We ended up modifying a few lines, but line 35 was the culprit.
We changed it from:
kinit = ['kinit', '-t',
to:
kinit = ['kinit', '-V','-kt',
Without -k, the user is prompted for a password and would have to be SSH'ed into the jupyterhub server. The -V flag gives us verbose output even on success (and this was how we tracked down the permissions issue). Turns out the command will output success even if it cant update the cache file.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
this doesn't seem to be working. after calling kinit (with -kt) the spawned user/notebook still does not have valid identity credentials