Support restricting profile options with github teams *only*
This gets rid of restricting profile options based on github *org*
membership, rather than *teams* membership. This is a complete no-op
for any of our communities, as it turns out nobody is using this feature!
Getting rid of this makes sure that new communities will not use this
feature, as it relies on internal implementation details of the
GitHub authenticator and may be hard to upstream when the time
comes. See 2i2c-org#4021
for upstreaming plan.
yuvipanda committed May 2, 2024
1 parent 3128ea5 commit 5705f94
Showing 2 changed files with 8 additions and 21 deletions.
11 changes: 8 additions & 3 deletions docs/hub-deployment-guide/configure-auth/github-orgs.md
Expand Up @@ -173,8 +173,7 @@ This only works if the hub is already set to allow people only from certain GitH
to log in.

The key `allowed_teams` can be set for any profile definition, with a list of GitHub
teams (formatted as `<github-org>:<team-name>`) or GitHub organizations (formatted
just as `<github-org>`) that will get access to that profile. Users
teams (formatted as `<github-org>:<team-name>`) that will get access to that profile. Users
need to be a member of any one of the listed teams for access. The list of teams a user
is part of is fetched at login time - so if the user is added to a GitHub team, they need
to log out and log back in to the JupyterHub (not necessarily to GitHub!) to see the new
Expand All @@ -200,7 +199,7 @@ To enable this access,

If `populate_teams_in_auth_state` is not set, this entire feature is disabled.

2. Specify which teams or orgs should have access to which profiles with an
2. Specify which teams should have access to which profiles with an
`allowed_teams` key under `profileList`:

```yaml
Expand Down Expand Up @@ -231,6 +230,12 @@ To enable this access,
`allowed_teams` so 2i2c engineers can log in to debug issues. If
`allowed_teams` is not set, that profile is not available to anyone.

```{note}
We used to allow restricting which profiles users can see based on what
org they were a part of, rather than just the *teams* they were a part of.
We no longer support this.
```

### Enabling team based access on hub with pre-existing users

If this is being enabled for users on a hub with *pre-existing* users, they
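
Review bot: The new `{note}` says org-based restriction is no longer supported, but it does not tell an operator what happens to an existing bare `<github-org>` entry in `allowed_teams` or what to replace it with. Consider adding one sentence stating that every entry must be of the form `<github-org>:<team-name>` and that a bare org name no longer grants access to the profile, plus a pointer to 2i2c-org#4021 for the background given in the commit message.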
18 changes: 0 additions & 18 deletions helm-charts/basehub/values.yaml
Expand Up @@ -1055,24 +1055,6 @@ jupyterhub:
allowed_profiles.append(profile)
continue
if "token_response" in auth_state:
access_token = auth_state["token_response"]["access_token"]
token_type = auth_state["token_response"]["token_type"]
else:
# token_response was introduced to auth_state in
# oauthenticator 16, so this is adjusting to an auth_state
# set by oauthenticator 15
access_token = auth_state["access_token"]
token_type = "token"
for allowed_org in allowed_orgs:
user_in_allowed_org = await spawner.authenticator._check_membership_allowed_organizations(
allowed_org, spawner.user.name, access_token, token_type
)
if user_in_allowed_org:
print(f"Allowing profile {profile['display_name']} for user {spawner.user.name} based on org membership")
allowed_profiles.append(profile)
break
if len(allowed_profiles) == 0:
# If no profiles are allowed, user should not be able to spawn anything!
# If we don't explicitly stop this, user will be logged into the 'default' settings
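
Review bot: After the `for allowed_org in allowed_orgs:` loop is removed, nothing in this hunk reads `allowed_orgs`, and its assignment lies outside the lines shown here. If it is still built earlier in the function, remove that too so no dead org-handling code is left behind. A leftover entry without a `:` will now match nothing and can drop the user into the `len(allowed_profiles) == 0` branch with no hint as to why, so a log line or explicit error for such entries would make the misconfiguration easy to diagnose. Removing the call to the private `_check_membership_allowed_organizations` also means this code no longer pulls `access_token` out of `auth_state`, which is worth keeping that way.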
