Authenticating Services¶
Module: jupyterhub.services.auth
¶
Authenticating services with JupyterHub
Cookies are sent to the Hub for verification, replying with a JSON model describing the authenticated user.
HubAuth can be used in any application, even outside tornado.
HubAuthenticated is a mixin class for tornado handlers that should authenticate with the Hub.
-
class
jupyterhub.services.auth.
HubAuth
(**kwargs)¶ A class for authenticating with JupyterHub
This can be used by any application.
If using tornado, use via
HubAuthenticated
mixin. If using manually, use the.user_for_cookie(cookie_value)
method to identify the user corresponding to a given cookie value.The following config must be set:
- api_token (token for authenticating with JupyterHub API), fetched from the JUPYTERHUB_API_TOKEN env by default.
The following config MAY be set:
- api_url: the base URL of the Hub’s internal API, fetched from JUPYTERHUB_API_URL by default.
- cookie_cache_max_age: the number of seconds responses from the Hub should be cached.
- login_url (the public
/hub/login
URL of the Hub). - cookie_name: the name of the cookie I should be using, if different from the default (unlikely).
-
get_user
(handler)¶ Get the Hub user for a given tornado handler.
Checks cookie with the Hub to identify the current user.
Parameters: handler (tornado.web.RequestHandler) – the current request handler Returns: The user model, if a user is identified, None if authentication fails. The ‘name’ field contains the user’s name.
Return type: user_model (dict)
Ask the Hub to identify the user for a given cookie.
Parameters: Returns: The user model, if a user is identified, None if authentication fails.
The ‘name’ field contains the user’s name.
Return type: user_model (dict)
-
class
jupyterhub.services.auth.
HubAuthenticated
¶ Mixin for tornado handlers that are authenticated with JupyterHub
A handler that mixes this in must have the following attributes/properties:
- .hub_auth: A HubAuth instance
- .hub_users: A set of usernames to allow. If left unspecified or None, username will not be checked.
- .hub_groups: A set of group names to allow. If left unspecified or None, groups will not be checked.
Examples:
class MyHandler(HubAuthenticated, web.RequestHandler): hub_users = {'inara', 'mal'} def initialize(self, hub_auth): self.hub_auth = hub_auth @web.authenticated def get(self): ...
-
check_hub_user
(user_model)¶ Check whether Hub-authenticated user should be allowed.
Returns the input if the user should be allowed, None otherwise.
Override if you want to check anything other than the username’s presence in hub_users list.
Parameters: user_model (dict) – the user model returned from HubAuth
Returns: The user model if the user should be allowed, None otherwise. Return type: user_model (dict)