Authenticators¶
Module: jupyterhub.auth
¶
Base Authenticator class and the default PAM Authenticator
-
class
jupyterhub.auth.
Authenticator
(**kwargs)¶ A class for authentication.
The primary API is one method, authenticate, a tornado coroutine for authenticating users.
-
add_user
(user)¶ Add a new user
By default, this just adds the user to the whitelist.
Subclasses may do more extensive things, such as adding actual unix users, but they should call super to ensure the whitelist is updated.
Parameters: user (User) – The User wrapper object
-
authenticate
(handler, data)¶ Authenticate a user with login form data.
This must be a tornado gen.coroutine. It must return the username on successful authentication, and return None on failed authentication.
Checking the whitelist is handled separately by the caller.
Parameters: - handler (tornado.web.RequestHandler) – the current request handler
- data (dict) – The formdata of the login form. The default form has ‘username’ and ‘password’ fields.
Returns: the username of the authenticated user None: Authentication failed
Return type:
-
check_whitelist
(username)¶ Check a username against our whitelist.
Return True if username is allowed, False otherwise. No whitelist means any username should be allowed.
Names are normalized before being checked against the whitelist.
-
delete_user
(user)¶ Triggered when a user is deleted.
Removes the user from the whitelist. Subclasses should call super to ensure the whitelist is updated.
Parameters: user (User) – The User wrapper object
-
get_authenticated_user
(handler, data)¶ This is the outer API for authenticating a user.
This calls authenticate, which should be overridden in subclasses, normalizes the username if any normalization should be done, and then validates the name in the whitelist.
Subclasses should not need to override this method. The various stages can be overridden separately:
- authenticate turns formdata into a username
- normalize_username normalizes the username
- check_whitelist checks against the user whitelist
-
get_handlers
(app)¶ Return any custom handlers the authenticator needs to register
(e.g. for OAuth).
Parameters: app (JupyterHub Application) – the application object, in case it needs to be accessed for info. Returns: - list of
('/url', Handler)
tuples passed to tornado. - The Hub prefix is added to any URLs.
Return type: list - list of
-
login_url
(base_url)¶ Override to register a custom login handler
Generally used in combination with get_handlers.
Parameters: base_url (str) – the base URL of the Hub (e.g. /hub/) Returns: The login URL, e.g. ‘/hub/login’ Return type: str
-
logout_url
(base_url)¶ Override to register a custom logout handler.
Generally used in combination with get_handlers.
Parameters: base_url (str) – the base URL of the Hub (e.g. /hub/) Returns: The logout URL, e.g. ‘/hub/logout’ Return type: str
-
normalize_username
(username)¶ Normalize a username.
Override in subclasses if usernames should have some normalization. Default: cast to lowercase, lookup in username_map.
-
post_spawn_stop
(user, spawner)¶ Hook called after stopping a user container.
Can be used to do auth-related cleanup, e.g. closing PAM sessions.
-
pre_spawn_start
(user, spawner)¶ Hook called before spawning a user’s server.
Can be used to do auth-related startup, e.g. opening PAM sessions.
-
validate_username
(username)¶ Validate a (normalized) username.
Return True if username is valid, False otherwise.
-
-
class
jupyterhub.auth.
LocalAuthenticator
(**kwargs)¶ Base class for Authenticators that work with local Linux/UNIX users
Checks for local users, and can attempt to create them if they exist.
-
add_system_user
(user)¶ Create a new Linux/UNIX user on the system. Works on FreeBSD and Linux, at least.
-
add_user
(user)¶ Add a new user
If self.create_system_users, the user will attempt to be created.
-
static
system_user_exists
(user)¶ Check if the user exists on the system
-
-
class
jupyterhub.auth.
PAMAuthenticator
(**kwargs)¶ Authenticate local Linux/UNIX users with PAM