
Investigate whether admin privileges on Jupyter are correct
Closed, Resolved | Public | 1 Estimated Story Points

Description

From T321088#8431760:

It turns out that all analytics-admins can now access the Admin tab. This was already in the config, but may not have been working in a previous version.

# If set, JupyterHub admin access will be enabled for users in these groups.
'admin_posix_groups': ['ops', 'analytics-admins'],

We will double check to see if this level of access is correct, or whether it should be modified.

To illustrate this, below is a redacted screenshot from a jupyterhub instance started by @BTullis, who is in the ops group.
The view was similar for @xcollazo, who is in the analytics-admins group.

image.png (678×1 px, 111 KB)

Given that this might have only recently started working, the purpose of this ticket is just to:

  • check that this level of access to start/stop others' servers is desirable
  • check that users outside of these groups do not have access to do so
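To support both checks, the `admin_posix_groups` setting can be resolved to the accounts it actually covers. The script below is an added example, not code from this task or from the JupyterHub deployment; the function names and sample accounts are constructed, and counting primary-group membership is an assumption, since the page does not say how the hub evaluates membership.

```python
import grp
import pwd
from collections import namedtuple

# The setting quoted in the task description.
ADMIN_POSIX_GROUPS = ['ops', 'analytics-admins']

Group = namedtuple('Group', 'gr_name gr_gid gr_mem')
User = namedtuple('User', 'pw_name pw_gid')

# Constructed sample data (not real accounts), used when run as a script.
SAMPLE_GROUPS = [
    Group('ops', 500, ['alice']),
    Group('analytics-admins', 501, ['bob']),
    Group('other-users', 502, ['alice', 'bob', 'carol', 'dave']),
]
SAMPLE_USERS = [User('alice', 1000), User('bob', 1001),
                User('carol', 1002), User('dave', 501)]


def effective_admins(admin_groups, groups=None, users=None):
    """Map each account to the admin groups that cover it.

    Counts supplementary members (gr_mem) and, as an assumption, accounts
    whose primary group (pw_gid) is an admin group; gr_mem omits those.
    """
    groups = grp.getgrall() if groups is None else groups
    users = pwd.getpwall() if users is None else users
    wanted = {g.gr_gid: g for g in groups if g.gr_name in admin_groups}
    admins = {}
    for g in wanted.values():
        for name in g.gr_mem:
            admins.setdefault(name, set()).add(g.gr_name)
    for u in users:
        if u.pw_gid in wanted:
            admins.setdefault(u.pw_name, set()).add(wanted[u.pw_gid].gr_name)
    return admins


def unexpected_admins(admins, approved):
    """Accounts with admin access that are not on the approved list."""
    return sorted(set(admins) - set(approved))


if __name__ == '__main__':
    found = effective_admins(ADMIN_POSIX_GROUPS, SAMPLE_GROUPS, SAMPLE_USERS)
    print({name: sorted(via) for name, via in sorted(found.items())})
    print('unexpected:', unexpected_admins(found, ['alice', 'bob']))
```

Calling `effective_admins(ADMIN_POSIX_GROUPS)` with no other arguments reads the host's own group and passwd databases instead of the sample data.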

Event Timeline

Yes, I think it is fine for analytics-admins to have this privilege.

Adding steps for a non-admin user to verify that they do not see the 'Admin' tab:

  1. Connect to JupyterHub in the usual way, say: ssh -N stat1007.eqiad.wmnet -L 8880:127.0.0.1:8880
  2. On a browser, go to http://localhost:8880/hub/home
  3. Confirm whether the 'Admin' tab is there or not
  4. Force the system to show the Admin screen by going directly to http://localhost:8880/hub/admin

The expected outcome in step (3) is for there to be no 'Admin' tab. For step (4), the expected outcome is an error page and/or HTTP 401 Unauthorized.

Adding steps for a non-admin user to verify that they do not see the 'Admin' tab:

  1. Connect to JupyterHub in the usual way, say: ssh -N stat1007.eqiad.wmnet -L 8880:127.0.0.1:8880
  2. On a browser, go to http://localhost:8880/hub/home
  3. Confirm whether the 'Admin' tab is there or not

I don't see an "Admin" tab.

Screenshot 2022-11-30 at 11.23.01.png (572×2 px, 87 KB)

  4. Force the system to show the Admin screen by going directly to http://localhost:8880/hub/admin

The expected outcome in step (3) is for there to be no 'Admin' tab. For step (4), the expected outcome is an error page and/or HTTP 401 Unauthorized.

I get a 403 Forbidden error.

Screenshot 2022-11-30 at 11.22.44.png (612×2 px, 90 KB)

xcollazo set the point value for this task to 1.
xcollazo moved this task from Ready to In Progress on the Data Pipelines (Sprint 05-06) board.

All right, @Ottomata agrees these admin privileges are reasonable, and @nshahquinn-wmf confirms that as a non-admin user he cannot access this page.

I'm good to close this. You good, @BTullis?

Synced with @BTullis, he's ok to close. Closing.