Описание
Globus identity_provider restriction ignored when used with allow_all in JupyterHub 5.0
Impact
JupyterHub < 5.0, when used with GlobusOAuthenticator, could be configured to allow all users from a particular institution only. The configuration for this would look like:
This worked fine prior to JupyterHub 5.0, because allow_all did not take precedence over identity_provider.
Since JupyterHub 5.0, allow_all does take precedence over identity_provider. On a hub with the same config, now all users will be allowed to login, regardless of identity_provider. identity_provider will basically be ignored.
This is a documented change in JupyterHub 5.0, but is likely to catch many users by surprise.
Patches
OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions.
Workarounds
Do not upgrade to JupyterHub 5.0 when using GlobusOAuthenticator in the prior configuration.
Ссылки
- https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996
- https://nvd.nist.gov/vuln/detail/CVE-2024-37300
- https://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654
- https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users
Пакеты
oauthenticator
< 16.3.1
16.3.1
Связанные уязвимости
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because `allow_all` did not take precedence over `identity_provider`. Since JupyterHub 5.0, `allow_all` does take precedence over `identity_provider`. On a hub with the same config, now all users will be allowed to login, regardless of `identity_provider`. `identity_provider` will basically be ignored. This is a documented change in JupyterHub 5.0, but is likely to catch many users by surprise. OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions. As a workaround, do not upgrade to JupyterHub 5.0 when using `GlobusOAuthenticator` in the prior configuration.