Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
User hook for the build endpoint
See original GitHub issueProposed change
This issue is related to the idea mentioned in this Discourse topic: https://discourse.jupyter.org/t/binderhub-with-private-gitlab-and-user-scopes/3502
Looking at the code, it seems like there is (at the moment) no hook or option that could be set to tweak the behavior of the /build endpoint, or more generally of the buidler.
The idea is to be able to implement fine-grained access control to BinderHub based on the JupyterHub authenticator used to authenticate users.
The use case is summarized as follows:
- Users authenticate to their BinderHub using their private GitLab instance as the authenticator
- This means that each BinderHub user now corresponds to a GitLab user
- When they enter the repository in the input field, they can only build repositories they have access to
- If they don’t have access, the
Could not resolve ref for my-project/repo. Double check your URL.would ideally be shown - This would happen before triggering a new build
- [Optional] The UI only shows
GitLabin the dropdown menu (after configuringrepo_providers). This looks like it should be solved by https://github.com/jupyterhub/binderhub/pull/1038 🎉
Alternative options
An alternative option might be to add an extra build handler to the main app, and change the frontend to use that endpoint instead.
However this adds a lot of complexity to the BinderHub admin as it would require maintaining custom Docker images and helm charts with these changes.
Who would use this feature?
Those who want to have a custom BinderHub setup implementing user access based on the user access pattern from the JupyterHub authenticator (GitLab, GitHub).
(Optional): Suggest a solution
Provided that an access token was generated according to: https://binderhub.readthedocs.io/en/latest/zero-to-binderhub/setup-binderhub.html#accessing-private-repositories
For a binderhub user that has read-only access to all repositories.
And the token set as:
config:
GitLabRepoProvider:
private_token: "<access token>"
At the moment it’s possible to have control on the launch behavior, by providing the following snippet to the helm chart config:
However users can still trigger a build to a repository they do not have access to.
It looks like this could be implemented by providing a custom RepoProvider (in the helm config value, that could derive from an existing one).
But it would require some user specific information to be passed to the RepoProvider to be able to decide whether or not it is possible to resolve the ref for that user, probably somewhere around this line:
A custom hook similar to the pre_spawn_hook or user_redirect_hook in JupyterHub could also help.
Or how about having a pre_build_hook, similar to the existing pre_launch_hook?
The pre_build_hook could then perform some API requests to GitHub / GitLab to check if a user has access to a specific repo.
Issue Analytics
- State:
- Created 3 years ago
- Reactions:2
- Comments:14 (8 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Just tested and we can indeed retrieve the user
auth_state👍For example in the
pre_launch_hookwith:With a
pre_build_hook, we could probably achieve a similar thing with:I am for
pre_build_hook:pre_build_hookshould be called just before these lineshttps://github.com/jupyterhub/binderhub/blob/72bcb59cf956f53a07f0d4b45f12cc6c1257c6cf/binderhub/builder.py#L234-L240
user_model = self.hub_auth.get_user(self)