Add Authentication¶
The last thing we need to do before testing is configure an authenticator. JupyterHub has pluggable authentication, and implementations for many common authentication models already exist. Here we discuss a few that may be of interest - for more information see JupyterHub’s authenticator docs.
Dummy Authenticator¶
The dummy authenticator is useful for testing purposes, but should not be used in production. It accepts any username and password combination as valid. To make things slightly more secure, you can set a single global shared password.
We recommend installing this authenticator to test that things are working before moving on to an actually secure authenticator implementation.
# Install the authenticator in JupyterHub's python environment
$ pip install jupyterhub-dummyauthenticator
c.JupyterHub.authenticator_class = 'dummyauthenticator.DummyAuthenticator'
# Optionally add a shared global password to be used by all users
c.DummyAuthenticator.password = "password-for-testing"
Kerberos Authenticator¶
The kerberos authenticator can be used to enable user authentication with Kerberos.
# Install the authenticator in JupyterHub's python environment
$ pip install jupyterhub-kerberosauthenticator
Kerberos authentication requires a keytab for the HTTP service principal
for the host running JupyterHub. Keytabs can be created on the command-line as
follows:
$ kadmin -q "addprinc -randkey HTTP/FQDN"
$ kadmin -q "xst -norandkey -k /etc/jupyterhub/HTTP.keytab HTTP/FQDN"
# Make the keytab readable/writable only by jupyterhub
$ chown jupyterhub /etc/jupyterhub/HTTP.keytab
$ chmod 400 /etc/jupyterhub/HTTP.keytab
where FQDN is the fully qualified domain name of the host running
JupyterHub. Alternatively you could include the HTTP principal in the
keytab created during spawner configuration.
The authenticator can then be enabled by adding the following lines to your
jupyterhub_config.py:
c.JupyterHub.authenticator_class = 'kerberosauthenticator.KerberosAuthenticator'
c.JupyterHub.keytab = '/etc/jupyterhub/HTTP.keytab'
For more information see the kerberos authenticator docs.
LDAP Authenticator¶
The LDAP authenticator can be used to authenticate with LDAP or Active Directory. An example install and configuration might look like:
# Install the authenticator in JupyterHub's python environment
$ pip install jupyterhub-ldapauthenticator
c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'address.of.your.ldap.server'
c.LDAPAuthenticator.bind_dn_template = 'cn={username},ou=edir,ou=people,ou=EXAMPLE-UNIT,o=EXAMPLE'
See the ldapauthenticator documentation for more information.
Remote User Authenticator¶
The remote user authenticator makes use of the REMOTE_USER header for
authentication. This allows use of JupyterHub with an external authenticating
proxy (such as Apache Knox).
# Install the authenticator in JupyterHub's python environment
$ pip install jhub_remote_user_authenticator
c.JupyterHub.authenticator_class = 'jhub_remote_user_authenticator.remote_user_auth.RemoteUserAuthenticator'
For more information see the remote user authenticator docs.
