add rucio authenticator and token exchange

vre-hub · Jun 14, 2024 · 0e6eb53 · 0e6eb53
1 parent 0f699d3
commit 0e6eb53
Showing 1 changed file with 58 additions and 68 deletions.
diff --git a/infrastructure/cluster/flux/jhub-dev/jhub-dev-release.yaml b/infrastructure/cluster/flux/jhub-dev/jhub-dev-release.yaml
@@ -55,7 +55,8 @@ spec:
       config:
         JupyterHub: 
           authenticator_class: "generic-oauth"
-        GenericOAuthenticator:
+        RucioAuthenticator:
+        # GenericOAuthenticator:
           #client_id: "" # set through secret
           #client_secret: "" # set through secret
           authorize_url: https://iam-escape.cloud.cnaf.infn.it/authorize
@@ -70,68 +71,57 @@ spec:
           admin_users:
             - garcia
             - gguerrie
-        # RucioAuthenticator:
-        #   # client_id: "" # set through secret
-        #   # client_secret: "" # set through secret
-        #   authorize_url: https://iam-escape.cloud.cnaf.infn.it/authorize
-        #   token_url: https://iam-escape.cloud.cnaf.infn.it/token
-        #   userdata_url: https://iam-escape.cloud.cnaf.infn.it/userinfo
-        #   username_key: preferred_username
-        #   scope:
-        #     - openid
-        #     - profile
-        #     - email
 
-      # extraConfig:
-      #   token-exchange: |
-      #     import pprint
-      #     import os
-      #     import warnings
-      #     import requests
-      #     from oauthenticator.generic import GenericOAuthenticator
+      extraConfig:
+        token-exchange: |
+          import pprint
+          import os
+          import warnings
+          import requests
+          from oauthenticator.generic import GenericOAuthenticator
 
-      #     # custom authenticator to enable auth_state and get access token to set as env var for rucio extension
-      #     class RucioAuthenticator(GenericOAuthenticator):
-      #         def __init__(self, **kwargs):
-      #             super().__init__(**kwargs)
-      #             self.enable_auth_state = True
+          # custom authenticator to enable auth_state and get access token to set as env var for rucio extension
+          class RucioAuthenticator(GenericOAuthenticator):
+              def __init__(self, **kwargs):
+                  super().__init__(**kwargs)
+                  self.enable_auth_state = True
 
-      #         def exchange_token(self, token):
-      #             params = {
-      #                 'client_id': self.client_id,
-      #                 'client_secret': self.client_secret,
-      #                 'grant_type': 'urn:ietf:params:oauth:grant-type:token-exchange',
-      #                 'subject_token': token,
-      #                 'scope': 'openid profile',
-      #                 'audience': 'rucio'
-      #             }
-      #             response = requests.post(self.token_url, data=params)
-      #             rucio_token = response.json()['access_token']
-      #             return rucio_token
+              def exchange_token(self, token):
+                  params = {
+                      'client_id': self.client_id,
+                      'client_secret': self.client_secret,
+                      'grant_type': 'urn:ietf:params:oauth:grant-type:token-exchange',
+                      'subject_token': token,
+                      'scope': 'openid profile',
+                      'audience': 'rucio'
+                  }
+                  response = requests.post(self.token_url, data=params)
+                  rucio_token = response.json()['access_token']
+                  return rucio_token
                   
-      #         async def pre_spawn_start(self, user, spawner):
-      #             auth_state = await user.get_auth_state()
-      #             pprint.pprint(auth_state)
-      #             if not auth_state:
-      #                 # user has no auth state
-      #                 return
+              async def pre_spawn_start(self, user, spawner):
+                  auth_state = await user.get_auth_state()
+                  pprint.pprint(auth_state)
+                  if not auth_state:
+                      # user has no auth state
+                      return
                   
-      #             # define token environment variable from auth_state
-      #             spawner.environment['RUCIO_ACCESS_TOKEN'] = self.exchange_token(auth_state['access_token'])
-      #             spawner.environment['EOS_ACCESS_TOKEN'] = auth_state['access_token']
+                  # define token environment variable from auth_state
+                  spawner.environment['RUCIO_ACCESS_TOKEN'] = self.exchange_token(auth_state['access_token'])
+                  spawner.environment['EOS_ACCESS_TOKEN'] = auth_state['access_token']
           
-      #     # set the above authenticator as the default
-      #     c.JupyterHub.authenticator_class = RucioAuthenticator
+          # set the above authenticator as the default
+          c.JupyterHub.authenticator_class = RucioAuthenticator
 
-      #     # enable authentication state
-      #     c.GenericOAuthenticator.enable_auth_state = True
+          # enable authentication state
+          c.GenericOAuthenticator.enable_auth_state = True
 
-      #     if 'JUPYTERHUB_CRYPT_KEY' not in os.environ:
-      #         warnings.warn(
-      #             "Need JUPYTERHUB_CRYPT_KEY env for persistent auth_state.\n"
-      #             "    export JUPYTERHUB_CRYPT_KEY=$(openssl rand -hex 32)"
-      #         )
-      #         c.CryptKeeper.keys = [os.urandom(32)]
+          if 'JUPYTERHUB_CRYPT_KEY' not in os.environ:
+              warnings.warn(
+                  "Need JUPYTERHUB_CRYPT_KEY env for persistent auth_state.\n"
+                  "    export JUPYTERHUB_CRYPT_KEY=$(openssl rand -hex 32)"
+              )
+              c.CryptKeeper.keys = [os.urandom(32)]
         
     singleuser:
       defaultUrl: "/lab"
@@ -216,19 +206,19 @@ spec:
       cmd: null
       extraEnv:
 
-      #   RUCIO_WILDCARD_ENABLED: "1"
-      #   RUCIO_BASE_URL: "https://vre-rucio.cern.ch"
-      #   RUCIO_AUTH_URL: "https://vre-rucio-auth.cern.ch"
-      #   RUCIO_WEBUI_URL: "https://vre-rucio-ui.cern.ch"
-      #   RUCIO_DISPLAY_NAME: "RUCIO - CERN VRE"
-      #   RUCIO_NAME: "vre-rucio.cern.ch"
-      #   RUCIO_SITE_NAME: "CERN"
-      #   RUCIO_OIDC_AUTH: "env"
-      #   RUCIO_OIDC_ENV_NAME: "RUCIO_ACCESS_TOKEN"
-      #   RUCIO_DEFAULT_AUTH_TYPE: "oidc"
-      #   RUCIO_OAUTH_ID: "rucio"
-      #   RUCIO_DEFAULT_INSTANCE: "vre-rucio.cern.ch"
-      #   RUCIO_DESTINATION_RSE: "CERN-EOS"
+        RUCIO_WILDCARD_ENABLED: "1"
+        RUCIO_BASE_URL: "https://vre-rucio.cern.ch"
+        RUCIO_AUTH_URL: "https://vre-rucio-auth.cern.ch"
+        RUCIO_WEBUI_URL: "https://vre-rucio-ui.cern.ch"
+        RUCIO_DISPLAY_NAME: "RUCIO - CERN VRE"
+        RUCIO_NAME: "vre-rucio.cern.ch"
+        RUCIO_SITE_NAME: "CERN"
+        RUCIO_OIDC_AUTH: "env"
+        RUCIO_OIDC_ENV_NAME: "RUCIO_ACCESS_TOKEN"
+        RUCIO_DEFAULT_AUTH_TYPE: "oidc"
+        RUCIO_OAUTH_ID: "rucio"
+        RUCIO_DEFAULT_INSTANCE: "vre-rucio.cern.ch"
+        RUCIO_DESTINATION_RSE: "CERN-EOS"
       #   RUCIO_RSE_MOUNT_PATH: "/eos/cern-eos-rse"
       #   RUCIO_PATH_BEGINS_AT: "2"
       #   RUCIO_CA_CERT: "/certs/rucio_ca.pem"