How do I authenticate to JupyterHub using Google IAP?

I have configured Google IAP for my JupyterHub application and want to use it to authenticate my users. How can I do this?

Google passes a signed JWT header to applications that sit behind IAP. You can use jupyterhub-jwtauthenticator to enable JWT-based authentication in JupyterHub.

Configuring via jupyterhub_config.py

After installing jwtauthenticator on the JupyterHub server, add the following configuration to jupyterhub_config.py.

Configuring via zero-to-jupyterhub-k8s

If you use zero-to-jupyterhub-k8s to deploy JupyterHub on a Kubernetes cluster, you first need to bake the jupyterhub-jwtauthenticator package into your hub image. With the following Dockerfile and cloudbuild.yaml in a directory, run gcloud builds submit --config cloudbuild.yaml with the appropriate project.

values.yaml for zero-to-jupyterhub-k8s:

# jupyterhub_config.py
c.JupyterHub.authenticator_class = 'jwtauthenticator.jwtauthenticator.JSONWebTokenAuthenticator'
c.JSONWebTokenAuthenticator.header_name = 'x-goog-iap-jwt-assertion'
c.JSONWebTokenAuthenticator.header_is_authorization = False
c.JSONWebTokenAuthenticator.expected_audience = '/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID'
c.JSONWebTokenAuthenticator.username_claim_field = 'email'
# Retrieved from https://www.gstatic.com/iap/verify/public_key
c.JSONWebTokenAuthenticator.secret = """
{
"2nMJtw" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9e1x7YRZg53A5zIJ0p2ZQ9yTrgPL\nGIf4ntOk+4O2R2+ryIObueyenPXE92tYG1NlKjDNyJLc7tsxi0UUnyxpig==\n-----END PUBLIC KEY-----\n",
"6BEeoA" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElmi1hJdqtbvdX1INOf5B9dWvkydY\noowHUXiw8ELWzk/YHESNr8vXQoyOuLOEtLZeCQbFkeLUqxYp1sTArKNu/A==\n-----END PUBLIC KEY-----\n",
"FAWt5w" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8auUAdTS54HmUuIabrTKvWawxmbs\n81kdbzQMV/Tae0EhLgin8qnJ4lklJrxEzksXg5OtBuzE62DIj+CePN20Pg==\n-----END PUBLIC KEY-----\n",
"LYyP2g" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESlXFFkJ3JxMsXyXNrqzE3ozl/091\n3PmNbccLLWfeQFUYtJqGtl8ESuYxRwc/QwZp5Wcl0HCq6GuFDx4/Tk18Ig==\n-----END PUBLIC KEY-----\n",
"f9R3yg" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESqCmEwytkqG6tL6a2GTQGmSNI4jH\nYo5MeDUs7DpETVhCXXLIFrLg2sZvNqw8SGnnonLoeqgOSqRdjJBGt4I6jQ==\n-----END PUBLIC KEY-----\n"
}
"""

# Dockerfile
FROM jupyterhub/k8s-hub:0.7.0
RUN pip3 install --no-cache-dir jupyterhub-jwtauthenticator

# cloudbuild.yaml
steps:
- name: 'gcr.io/cloud-builders/docker'
  args: [ 'pull', 'docker.io/jupyterhub/k8s-hub:0.7.0' ]
- name: 'gcr.io/cloud-builders/docker'
  args: [ 'build', '-t', 'gcr.io/$PROJECT_ID/k8s-hub', '.' ]
images:
- 'gcr.io/$PROJECT_ID/k8s-hub'

# values.yaml
hub:
  image:
    name: gcr.io/<project>/k8s-hub
    tag: latest
auth:
  type: custom
  custom:
    className: 'jwtauthenticator.jwtauthenticator.JSONWebTokenAuthenticator'
    config:
      header_name: x-goog-iap-jwt-assertion
      header_is_authorization: false
      expected_audience: '/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID'
      username_claim_field: email
      # Retrieved from https://www.gstatic.com/iap/verify/public_key
      secret: |
        {
          "2nMJtw" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9e1x7YRZg53A5zIJ0p2ZQ9yTrgPL\nGIf4ntOk+4O2R2+ryIObueyenPXE92tYG1NlKjDNyJLc7tsxi0UUnyxpig==\n-----END PUBLIC KEY-----\n",
          "6BEeoA" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElmi1hJdqtbvdX1INOf5B9dWvkydY\noowHUXiw8ELWzk/YHESNr8vXQoyOuLOEtLZeCQbFkeLUqxYp1sTArKNu/A==\n-----END PUBLIC KEY-----\n",
          "FAWt5w" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8auUAdTS54HmUuIabrTKvWawxmbs\n81kdbzQMV/Tae0EhLgin8qnJ4lklJrxEzksXg5OtBuzE62DIj+CePN20Pg==\n-----END PUBLIC KEY-----\n",
          "LYyP2g" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESlXFFkJ3JxMsXyXNrqzE3ozl/091\n3PmNbccLLWfeQFUYtJqGtl8ESuYxRwc/QwZp5Wcl0HCq6GuFDx4/Tk18Ig==\n-----END PUBLIC KEY-----\n",
          "f9R3yg" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESqCmEwytkqG6tL6a2GTQGmSNI4jH\nYo5MeDUs7DpETVhCXXLIFrLg2sZvNqw8SGnnonLoeqgOSqRdjJBGt4I6jQ==\n-----END PUBLIC KEY-----\n"
        }

# jupyterhub_config.py: fetch the IAP public keys when the config is loaded
from urllib import request
c.JSONWebTokenLocalAuthenticator.secret = request.urlopen('https://www.gstatic.com/iap/verify/public_key').read()

# values.yaml: the same fetch through hub.extraConfig
hub:
  extraConfig:
    config-jwtauthenticator: |
      from urllib import request
      c.JSONWebTokenLocalAuthenticator.secret = request.urlopen('https://www.gstatic.com/iap/verify/public_key').read()
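
What has to hold for an x-goog-iap-jwt-assertion header before its email claim can be trusted, as an added example that is not part of the original answers or of jupyterhub-jwtauthenticator: an ES256 signature under the key selected by kid, the IAP issuer, the expected audience and the validity window. It uses only the Python standard library so it runs offline; a deployment would normally call a maintained JWT library for the signature step. The function names, the 30-second clock-skew allowance and the `pems` argument (the JSON key map from `secret`, already parsed into a dict) are assumptions of this example.

```python
import base64, hashlib, json, time

# NIST P-256 parameters (ES256 is ECDSA over P-256 with SHA-256).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None:
        return q if p is None else p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    num, den = (3 * p[0] * p[0] - 3, 2 * p[1]) if p == q else (q[1] - p[1], q[0] - p[0])
    m = num * pow(den % P, -1, P) % P  # slope; the curve coefficient a is -3
    x = (m * m - p[0] - q[0]) % P
    return x, (m * (p[0] - x) - p[1]) % P

def ec_mul(k, p):  # double-and-add; verification only handles public values
    r = None
    while k:
        r, p, k = (ec_add(r, p) if k & 1 else r), ec_add(p, p), k >> 1
    return r

def pem_point(pem):  # (x, y) from a P-256 SubjectPublicKeyInfo PEM
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    return int.from_bytes(der[-64:-32], "big"), int.from_bytes(der[-32:], "big")

def verify_iap_jwt(token, pems, audience, now=None):
    """Return the claims of a valid IAP assertion, otherwise raise ValueError."""
    b64 = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    h64, p64, s64 = token.split(".")
    header, sig = json.loads(b64(h64)), b64(s64)
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if header.get("alg") != "ES256" or header.get("kid") not in pems:
        raise ValueError("wrong alg or unknown kid")
    if len(sig) != 64 or not (0 < r < N and 0 < s < N):
        raise ValueError("malformed signature")
    z, w = int.from_bytes(hashlib.sha256(f"{h64}.{p64}".encode()).digest(), "big"), pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pem_point(pems[header["kid"]])))
    if pt is None or pt[0] % N != r:
        raise ValueError("signature does not verify")
    claims = json.loads(b64(p64))
    now = time.time() if now is None else now
    if claims.get("iss") != "https://cloud.google.com/iap" or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if not claims.get("iat", now + 31) - 30 <= now <= claims.get("exp", 0) + 30:
        raise ValueError("expired or not yet valid")
    return claims
```

A kid that is missing from `pems` is rejected rather than ignored, so a key map pasted into the config or fetched once at startup has to be refreshed when that error starts appearing.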