In order for PAM authentication to work for local users, the user under which
the admin app is running needs to be able to read /etc/shadow. Also, that
user needs to be able to run some commands as root and/or any user. To ensure
this, create a custom user (e.g. jupyteradmin), add them to the shadow group (on
Debian: :command:`adduser --system --ingroup shadow jupyteradmin` and create the
file /etc/sudoers.d/jupyteradmin (preferably using visudo) with the
following contents:
jupyteradmin ALL = (root) NOPASSWD: /usr/sbin/chpasswd jupyteradmin ALL = (root) NOPASSWD: /usr/sbin/adduser jupyteradmin ALL = (root) NOPASSWD: /usr/sbin/usermod jupyteradmin ALL = (root) NOPASSWD: /usr/bin/mkdir jupyteradmin ALL = (root) NOPASSWD: /usr/bin/chown jupyteradmin ALL = (root) NOPASSWD: /usr/bin/ln
(In case of issues, verify if the program paths above are correct using
:command:`which <program_name>` or check :file:`sudo.py` for additional commands
which are run with sudo and therefore need to be enabled in this way.)
The app is backed by a SQLite3 database, which can be initialized by running
:command:`flask initdb` (with the FLASK_APP environment variable correctly
set) in the application root. Remember to allow the jupyteradmin user to write
to it (e.g. with :command:`chown jupyterhub:nogroup admin.db`) and its parent
directory (required by SQLite and/or its Python integration).
flask-sendmail needs postfix to be installed and set up to run
correctly, although confusingly, it somehow worked with some providers (GMail)
even without postfix. With others, delivery failed with "Unroutable email
address".
Get inspiration from commits doing them, but basically just modify the app's models and then:
# if the production db should be migrated export FLASK_DEBUG= chmod 777 admin.db
flask db migrate -m "..." # inspect and tweak the migration file flask db upgrade ```
Copyright © 2016 ÚČNK/David Lukeš
Distributed under the GNU General Public License v3.