Metadata-Version: 2.1
Name: jhub-remote-login
Version: 0.2.81
Summary: REMOTE_USER Authenticator: An Authenticator for Jupyterhub to read user information from HTTP request headers, as when running behind an authenticating proxy. Based on https://github.com/cwaldbieser/jhub_remote_user_authenticator and https://github.com/rasmunk/jhub-authenticators
Home-page: https://github.com/cbjuan/jhub_remote_login
Author: Juan Cruz-Benito
Author-email: juan.cruz@ibm.com
License: GPLv3
Keywords: Interactive,Interpreter,Shell,Web
Platform: Linux
Platform: Mac OS X
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: Intended Audience :: Science/Research
Classifier: License :: OSI Approved :: GNU General Public License v3 (GPLv3)
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3
Requires-Dist: jupyterhub

.. image:: https://travis-ci.org/cbjuan/jhub_remote_login.svg?branch=master
    :target: https://travis-ci.org/cbjuan/jhub_remote_login

=========================
Jupyterhub Authenticators
=========================

Authenticate to Jupyterhub using an authenticating proxy that can set
the Remote-User header.
Also supports for passing additional information to the jupyter user. This includes a
list of user defined /data headers.

-----------------------------------------
Architecture and Security Recommendations
-----------------------------------------

This type of authentication relies on an HTTP header, and a malicious
client could spoof the REMOTE_USER header.  The recommended architecture for this
type of authentication requires that an authenticating proxy be placed in front
of your Jupyterhub.  Your Jupyerhub should **only** be accessible from the proxy
and **never** directly accessible by a client.  

This type of access is typically enforced with network access controls.  E.g. in
a simple case, the host on which the Jupyterhub service accepts incoming requests
has its host based firewall configured to only accept incoming connections from
the proxy host.

Further, the authenticating proxy should make sure it removes any REMOTE_USER
headers from incoming requests and only applies the header to proxied requests
that have been properly authenticated.

------------
Installation
------------

This package can be installed with `pip` either from a local git repository or from PyPi.

Installation from local git repository::

    cd jhub_remote_login
    pip install .

Installation from PyPi::

    pip install jhub-remote-login

Alternately, you can add the local project folder must be on your PYTHONPATH.

-------------
Configuration
-------------

You should edit your `jupyterhub_config.py` config file to set the
authenticator class::

    c.JupyterHub.authenticator_class = 'jhub_remote_login.RemoteUserAuthenticator'

You should be able to start jupyterhub.  The "/login" resource
will look for the authenticated user name in the HTTP header "Remote-User".
If found, and not blank, you will be logged in as that user.

Alternatively, you can use `RemoteUserLocalAuthenticator`::

    c.JupyterHub.authenticator_class = 'jhub_remote_login.RemoteUserLocalAuthenticator'

This provides the same authentication functionality but is derived from
`LocalAuthenticator` and therefore provides features such as the ability
to add local accounts through the admin interface if configured to do so.

--------------------
Dummy Authentication
--------------------

Provides an option for testing JupyterHub authentication with a dummy authenticator
that can have a global preset password for any account::

    c.JupyterHub.authenticator_class = 'jhub_remote_login.DummyAuthenticator'
    c.DummyAuthenticator.password = 'password'


Note! Don't use in production.

-------------------------------------------------------------
Remote User Authentication extended with user-defined headers
-------------------------------------------------------------

Provides the capability to supply the jupyterhub user with additional state information
via the /data path. This adds two base request paths to the jupyterhub web application::

'/login' -> requires a non empty Remote-User header
'/data' -> requires both an authenticated request and a valid configured header

Before information can be passed to the user via the '/data' path, a list of valid
headers is required. These preset valid headers are then upon a POST request to the
'/data' URl appended to the current authenticated jupyterhub user data dictionary. I.e.
user.data[Header] = HeaderValue

The extended authenticator can be activated by setting the following option in the
jupyterhub config file::

    c.JupyterHub.authenticator_class = 'jhub_remote_login.DataRemoteUserAuthenticator'
    # Making 'State' a valid header to pass to /data
    c.DataRemoteUserAuthenticator.data_headers = ['State']

Beyond providing the custom header possibility, the authenticator also by default
encodes the Remote-User header with 'b32encode'. The authenticator therefore also provides
the possibility of storing the actual value for debugging purposes in the user.real_name
variable via the jupyterhub auth_state mechanism of passing information to
the spawner as noted at `Authenticators <https://jupyterhub.readthedocs
.io/en/stable/reference/authenticators.html>`_.

