def test_ensure_group():
"""
Test group creation & removal
"""
# Use a prefix to make sure we never start with a number
groupname = 'g' + str(uuid.uuid4())[:8]
# Validate that no group exists
with pytest.raises(KeyError):
grp.getgrnam(groupname)
try:
# Create group
user.ensure_group(groupname)
# This raises if group doesn't exist
grp.getgrnam(groupname)
# Do it again, this should be a noop
user.ensure_group(groupname)
grp.getgrnam(groupname)
finally:
# Remove the group
user.remove_group(groupname)
with pytest.raises(KeyError):
grp.getgrnam(groupname)
def ensure_usergroups():
"""
Sets up user groups & sudo rules
"""
user.ensure_group('jupyterhub-admins')
user.ensure_group('jupyterhub-users')
logger.info("Granting passwordless sudo to JupyterHub admins...")
with open('/etc/sudoers.d/jupyterhub-admins', 'w') as f:
# JupyterHub admins should have full passwordless sudo access
f.write('%jupyterhub-admins ALL = (ALL) NOPASSWD: ALL\n')
# `sudo -E` should preserve the $PATH we set. This allows
# admins in jupyter terminals to do `sudo -E pip install <package>`,
# `pip` is in the $PATH we set in jupyterhub_config.py to include the user conda env.
f.write('Defaults exempt_group = jupyterhub-admins\n')
def test_group_membership():
"""
Test group memberships can be added / removed
"""
username = '******' + str(uuid.uuid4())[:8]
groupname = 'g' + str(uuid.uuid4())[:8]
# Validate that no group exists
with pytest.raises(KeyError):
grp.getgrnam(groupname)
with pytest.raises(KeyError):
pwd.getpwnam(username)
try:
user.ensure_group(groupname)
user.ensure_user(username)
user.ensure_user_group(username, groupname)
assert username in grp.getgrnam(groupname).gr_mem
# Do it again, this should be a noop
user.ensure_user_group(username, groupname)
assert username in grp.getgrnam(groupname).gr_mem
# Remove it
user.remove_user_group(username, groupname)
assert username not in grp.getgrnam(groupname).gr_mem
# Do it again, this should be a noop
user.remove_user_group(username, groupname)
assert username not in grp.getgrnam(groupname).gr_mem
finally:
# Remove the group
user.remove_user(username)
user.remove_group(groupname)
with pytest.raises(KeyError):
grp.getgrnam(groupname)
with pytest.raises(KeyError):
pwd.getpwnam(username)
def tljh_config_post_install(config):
"""
Configure /srv/scratch and change configs/mods
"""
### mkdir -p /srv/scratch
### sudo chown root:jupyterhub-users /srv/scratch
### sudo chmod 777 /srv/scratch
### sudo chmod g+s /srv/scratch
### sudo ln -s /srv/scratch /etc/skel/scratch
sh.mkdir('/srv/scratch', '-p')
# jupyterhub-users doesn't get created until a user logs in
# make sure it's created before changing permissions on directory
ensure_group('jupyterhub-users')
sh.chown('root:jupyterhub-users', '/srv/scratch')
sh.chmod('777', '/srv/scratch')
sh.chmod('g+s', '/srv/scratch')
sh.ln('-s', '/srv/scratch', '/etc/skel/scratch')
Conda constructor does not play well with conda-forge, so we can ship this
with constructor
"""
# FIXME: Use fully deterministic package lists here
conda.ensure_conda_packages(prefix, ['jupyterhub==0.9.0'])
conda.ensure_pip_packages(prefix, [
'jupyterhub-dummyauthenticator==0.3.1',
'jupyterhub-systemdspawner==0.9.12',
])
ensure_jupyterhub_package(HUB_ENV_PREFIX)
ensure_jupyterhub_service(HUB_ENV_PREFIX)
user.ensure_group('jupyterhub-admins')
user.ensure_group('jupyterhub-users')
with open('/etc/sudoers.d/jupyterhub-admins', 'w') as f:
# JupyterHub admins should have full passwordless sudo access
f.write('%jupyterhub-admins ALL = (ALL) NOPASSWD: ALL\n')
# `sudo -E` should preserve the $PATH we set. This allows
# admins in jupyter terminals to do `sudo -E pip install <package>`,
# `pip` is in the $PATH we set in jupyterhub_config.py to include the user conda env.
f.write('Defaults exempt_group = jupyterhub-admins\n')
conda.ensure_conda_env(USER_ENV_PREFIX)
conda.ensure_conda_packages(USER_ENV_PREFIX, [
# Conda's latest version is on conda much more so than on PyPI.
'conda==4.5.4'
])
