Authenticators¶
Module: jupyterhub.auth
¶
Base Authenticator class and the default PAM Authenticator
-
class
jupyterhub.auth.
Authenticator
(**kwargs)¶ Base class for implementing an authentication provider for JupyterHub
-
add_user
(user)¶ Hook called when a user is added to JupyterHub
- This is called:
- When a user first authenticates
- When the hub restarts, for all users.
This method may be a coroutine.
By default, this just adds the user to the whitelist.
Subclasses may do more extensive things, such as adding actual unix users, but they should call super to ensure the whitelist is updated.
Note that this should be idempotent, since it is called whenever the hub restarts for all users.
Parameters: user (User) – The User wrapper object
-
authenticate
(handler, data)¶ Authenticate a user with login form data
This must be a tornado gen.coroutine. It must return the username on successful authentication, and return None on failed authentication.
Checking the whitelist is handled separately by the caller.
Parameters: - handler (tornado.web.RequestHandler) – the current request handler
- data (dict) – The formdata of the login form. The default form has ‘username’ and ‘password’ fields.
Returns: username – The username of the authenticated user, or None if Authentication failed
Return type: str or None
-
check_whitelist
(username)¶ Check if a username is allowed to authenticate based on whitelist configuration
Return True if username is allowed, False otherwise. No whitelist means any username is allowed.
Names are normalized before being checked against the whitelist.
-
delete_user
(user)¶ Hook called when a user is deleted
Removes the user from the whitelist. Subclasses should call super to ensure the whitelist is updated.
Parameters: user (User) – The User wrapper object
-
get_authenticated_user
(handler, data)¶ Authenticate the user who is attempting to log in
Returns normalized username if successful, None otherwise.
This calls authenticate, which should be overridden in subclasses, normalizes the username if any normalization should be done, and then validates the name in the whitelist.
This is the outer API for authenticating a user. Subclasses should not need to override this method.
- The various stages can be overridden separately:
- authenticate turns formdata into a username
- normalize_username normalizes the username
- check_whitelist checks against the user whitelist
-
get_handlers
(app)¶ Return any custom handlers the authenticator needs to register
Used in conjugation with login_url and logout_url.
Parameters: app (JupyterHub Application) – the application object, in case it needs to be accessed for info. Returns: handlers – list of ('/url', Handler)
tuples passed to tornado. The Hub prefix is added to any URLs.Return type: list
-
login_url
(base_url)¶ Override this when registering a custom login handler
Generally used by authenticators that do not use simple form based authentication.
The subclass overriding this is responsible for making sure there is a handler available to handle the URL returned from this method, using the get_handlers method.
Parameters: base_url (str) – the base URL of the Hub (e.g. /hub/) Returns: The login URL, e.g. ‘/hub/login’ Return type: str
-
logout_url
(base_url)¶ Override when registering a custom logout handler
The subclass overriding this is responsible for making sure there is a handler available to handle the URL returned from this method, using the get_handlers method.
Parameters: base_url (str) – the base URL of the Hub (e.g. /hub/) Returns: The logout URL, e.g. ‘/hub/logout’ Return type: str
-
normalize_username
(username)¶ Normalize the given username and return it
Override in subclasses if usernames need different normalization rules.
The default attempts to lowercase the username and apply username_map if it is set.
-
post_spawn_stop
(user, spawner)¶ Hook called after stopping a user container
Can be used to do auth-related cleanup, e.g. closing PAM sessions.
-
pre_spawn_start
(user, spawner)¶ Hook called before spawning a user’s server
Can be used to do auth-related startup, e.g. opening PAM sessions.
-
validate_username
(username)¶ Validate a normalized username
Return True if username is valid, False otherwise.
-
-
class
jupyterhub.auth.
LocalAuthenticator
(**kwargs)¶ Base class for Authenticators that work with local Linux/UNIX users
Checks for local users, and can attempt to create them if they exist.
-
add_system_user
(user)¶ Create a new local UNIX user on the system.
Tested to work on FreeBSD and Linux, at least.
-
add_user
(user)¶ Hook called whenever a new user is added
If self.create_system_users, the user will attempt to be created if it doesn’t exist.
-
check_group_whitelist
(username)¶ If group_whitelist is configured, check if authenticating user is part of group.
-
static
system_user_exists
(user)¶ Check if the user exists on the system
-
-
class
jupyterhub.auth.
PAMAuthenticator
(**kwargs)¶ Authenticate local UNIX users with PAM