feat: add ldap configuration
- add group members to jupyterhub_user - add svc_jupyterhub user for ldap binding - paramatarise all ldap fields required - manage the notebook data directory
This commit is contained in:
@@ -3,6 +3,7 @@ class profiles::jupyter::jupyterhub (
|
||||
Stdlib::AbsolutePath $base_path = '/opt/jupyterhub',
|
||||
Stdlib::AbsolutePath $venv_path = "${base_path}/venv",
|
||||
Stdlib::AbsolutePath $config_path = "${base_path}/config.py",
|
||||
Stdlib::AbsolutePath $notebook_path = '/home/jupyter/work',
|
||||
Hash $vault_config = {},
|
||||
String $owner = 'jupyterhub',
|
||||
String $group = 'jupyterhub',
|
||||
@@ -13,13 +14,19 @@ class profiles::jupyter::jupyterhub (
|
||||
'dockerspawner',
|
||||
'jupyterhub-ldapauthenticator',
|
||||
],
|
||||
String $ldap_server_address = 'ldap://ldap.service.consul',
|
||||
String $ldap_bind_dn_template = 'cn={username},ou=people,ou=users,dc=main,dc=unkin,dc=net',
|
||||
Boolean $ldap_use_ssl = false,
|
||||
Array $ldap_allowed_groups = ['ou=jupyterhub_user,ou=groups,dc=main,dc=unkin,dc=net'],
|
||||
Array $ldap_admin_users = [],
|
||||
String $docker_image = 'git.query.consul/unkin/almalinux8-jupyterinstance:latest',
|
||||
String $docker_network = 'jupyterhub',
|
||||
String $ldap_server_address = 'ldap://ldap.service.consul',
|
||||
String $ldap_tls_strategy = 'insecure',
|
||||
Array $ldap_allowed_groups = ['ou=jupyterhub_user,ou=groups,dc=main,dc=unkin,dc=net'],
|
||||
Array $ldap_admin_users = [],
|
||||
String $ldap_bind_user = 'cn=svc_jupyterhub,ou=services,ou=users,dc=main,dc=unkin,dc=net',
|
||||
String $ldap_bind_pass = 'change-me',
|
||||
String $ldap_user_search_base = 'ou=people,ou=users,dc=main,dc=unkin,dc=net',
|
||||
String $ldap_user_search_filter = '({login_attr}={login})',
|
||||
String $ldap_group_search_filter = '(uniqueMember={userdn})',
|
||||
String $ldap_user_attribute = 'uid',
|
||||
String $ldap_user_dn_attribute = 'cn',
|
||||
String $docker_image = 'git.query.consul/unkin/almalinux8-jupyterinstance:latest',
|
||||
String $docker_network = 'bridge',
|
||||
){
|
||||
|
||||
# ensure nodejs:20 is installed
|
||||
@@ -93,7 +100,7 @@ class profiles::jupyter::jupyterhub (
|
||||
username => $owner,
|
||||
uid => 1101,
|
||||
gid => 1101,
|
||||
groups => ['systemd-journal'],
|
||||
groups => ['systemd-journal', 'docker'],
|
||||
system => true,
|
||||
}
|
||||
|
||||
@@ -107,11 +114,5 @@ class profiles::jupyter::jupyterhub (
|
||||
],
|
||||
}
|
||||
|
||||
## create symbolic link in $PATH
|
||||
#file { "/usr/local/bin/${script_name}":
|
||||
# ensure => 'link',
|
||||
# target => "${base_path}/${script_name}",
|
||||
# require => File["${base_path}/${script_name}"],
|
||||
#}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -16,12 +16,11 @@ c.DockerSpawner.image = '<%= @docker_image %>'
|
||||
c.DockerSpawner.network_name = '<%= @docker_network %>'
|
||||
|
||||
# Notebook directory and mount location
|
||||
notebook_dir = '/home/jupyter/work'
|
||||
c.DockerSpawner.notebook_dir = notebook_dir
|
||||
c.DockerSpawner.notebook_dir = '<%= @notebook_path %>'
|
||||
|
||||
# Optional: Volume mapping for user data persistence
|
||||
c.DockerSpawner.volumes = {
|
||||
'jupyterhub-user-{username}': notebook_dir
|
||||
'jupyterhub-user-{username}': '<%= @notebook_path %>'
|
||||
}
|
||||
|
||||
# DockerSpawner options
|
||||
@@ -33,11 +32,20 @@ c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
|
||||
|
||||
# LDAP Server settings
|
||||
c.LDAPAuthenticator.server_address = '<%= @ldap_server_address %>'
|
||||
c.LDAPAuthenticator.bind_dn_template = '<%= @ldap_bind_dn_template %>'
|
||||
c.LDAPAuthenticator.use_ssl = <%= @ldap_use_ssl ? 'True' : 'False' %>
|
||||
c.LDAPAuthenticator.tls_strategy = '<%= @ldap_tls_strategy %>'
|
||||
|
||||
# Restrict access to a specific LDAP group
|
||||
c.LDAPAuthenticator.allowed_groups = <%= @ldap_allowed_groups.to_s %>
|
||||
|
||||
# List LDAP users as admins
|
||||
c.LDAPAuthenticator.admin_users = <%= @ldap_admin_users.to_s %>
|
||||
|
||||
# Lookup settings
|
||||
c.LDAPAuthenticator.lookup_dn = True
|
||||
c.LDAPAuthenticator.lookup_dn_search_filter = '<%= @ldap_user_search_filter %>'
|
||||
c.LDAPAuthenticator.lookup_dn_search_user = '<%= @ldap_bind_user %>'
|
||||
c.LDAPAuthenticator.lookup_dn_search_password = '<%= @ldap_bind_pass %>'
|
||||
c.LDAPAuthenticator.user_search_base = '<%= @ldap_user_search_base %>'
|
||||
c.LDAPAuthenticator.user_attribute = '<%= @ldap_user_attribute %>'
|
||||
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = '<%= @ldap_user_dn_attribute %>'
|
||||
c.LDAPAuthenticator.group_search_filter = '<%= @ldap_group_search_filter %>'
|
||||
|
||||
Reference in New Issue
Block a user