Merge pull request #509 from georgejhunt/admin

Sync from georgejhunt:admin

roles/jupyterhub/README.md

@@ -30,9 +30,34 @@ While PAWS is a little bit off topic, if you have an interest in Wikipedia, plea
 
 He explains PAWS as a "powerful Python execution environment http://paws.wmcloud.org [allowing] ordinary folks to write interactive scripts to work with Wikimedia content."
 
-### Known Issues
+### Users changing their own password
+Users can change their password by first logging into their account and then visiting the url http://box.lan/jupyterhub/auth/change-password.
+
+This is the only way to change the admin password, because the Admin screen does not permit deletion of the admin account. It will be necessary to restart jupyterhub before the changed password becomes effective:
+```
+sudo systemctl restart jupyterhub
+```
+### Starting the Admin Panel, and changing user passwords
+The admin can reset user passwords by deleting the user from the JupyterHub admin page. This logs the user out, but does not remove any of their data or home directories. The user can then set a new password by logging in again with their new password.
+
+1. As an admin user, open the Control Panel by clicking the control panel button on the top right of your JupyterHub.
+
+![Control panel button in notebook, top right](control-panel-button1.png)
+
+2. In the control panel, open the Admin link in the top left.
+
+![Admin button in control panel, top left](admin-access-button1.png)
+
+This opens up the JupyterHub admin page, where you can add / delete users, start / stop peoples’ servers and see who is online.
+
+3. Delete the user whose password needs resetting. Remember this does not delete their data or home directory.
+
+![Delete user button for each user](delete-user.png)
+
+If there is a confirmation dialog, confirm the deletion. This will also log the user out if they were currently running.
+
+4. Re-create the user whose password needs resetting within that same dialog.
+
+5. Ask the user to log in again with their new password as usual. This will be their new password going forward.Users changing their own password.
+
 
-* 2021-08-07: The page that allows you to reset/change your own password is not accessible.  Likewise Admin users cannot reset/change the password of any _individual_ user at this time.  <sub><sub>[#2918](https://github.com/iiab/iiab/pull/2918)</sub></sub>
-  * If necessary, a Linux administrator can delete the `/passwords.dbm.db` file at the very top of your Linux filesystem, allowing all JupyterHub users to (re)create new passwords.  This does work, but is very heavy-handed.  <sub><sub>[PR #2892](https://github.com/iiab/iiab/pull/2892#issuecomment-890551682)</sub></sub>
-* 2021-08-07: Teachers (i.e. Admin users) cannot currently access the very helpful "administrator's page" discussed at [JupyterHub FAQ >> "How do I manage users?"](https://jupyterhub.readthedocs.io/en/stable/getting-started/institutional-faq.html#how-do-i-manage-users) and [roles/jupyterhub/templates/jupyterhub_config.py#L1049-L1054 >> "Admin users have extra privileges"](https://github.com/iiab/iiab/blob/d0e8e048347bf46c02a2cdb0da9c5cd0c489fe40/roles/jupyterhub/templates/jupyterhub_config.py#L1049-L1054).  <sub><sub>[#2919](https://github.com/iiab/iiab/pull/2919)</sub></sub>
-* 2021-08-08: Password [dbm file](https://github.com/jupyterhub/firstuseauthenticator#firstuseauthenticatordbm_path) `/passwords.dbm.db` should be moved from the top of the filesystem to a better place — e.g. to `/opt/iiab/jupyterhub/etc/` ?  <sub><sub>[PR #2892](https://github.com/iiab/iiab/pull/2892#issuecomment-890579789)</sub></sub>

roles/jupyterhub/tasks/install.yml

@@ -59,6 +59,25 @@
     src: jupyterhub.service
     dest: /etc/systemd/system/
 
+- name: Fix the async bug in firseuseauthenticator
+  template:
+      src: patch_await.sh
+      dest: "{{ jupyterhub_venv }}/bin/patch_await.sh"
+      mode: 0755
+
+- name: Now run the installed script
+  ansible.builtin.shell:
+      cmd: "{{ jupyterhub_venv }}/bin/patch_await.sh"
+      
+- name: Turn off the warning about http insecurity
+  template:
+      src: patch-http-warning.sh
+      dest: "{{ jupyterhub_venv }}/bin/patch_http-warning.sh"
+      mode: 0755
+
+- name: Now run the installed script
+  ansible.builtin.shell:
+      cmd: "{{ jupyterhub_venv }}/bin/patch_http-warning.sh"
 
 # RECORD JupyterHub AS INSTALLED
 

roles/jupyterhub/templates/jupyterhub_config.py

@@ -1057,7 +1057,8 @@ c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
 #  
 #  Defaults to an empty set, in which case no user has admin access.
 #  Default: set()
-c.Authenticator.admin_users = set('Admin')
+c.Authenticator.admin_users = set(['Admin'])
+c.Authenticator.dbm_path = "{{ jupyterhub_venv }}/etc/passwords.dbm"
 
 ## Set of usernames that are allowed to log in.
 #  

roles/jupyterhub/templates/patch-http-warning.sh

@@ -0,0 +1,4 @@
+#!/bin/bash -x
+# Do not enable the  warning about the insecurity of http protocol
+
+   sed -i -e's/if (window\.location.*/if (false) {/' {{ jupyterhub_venv }}/share/jupyterhub/templates/login.html

roles/jupyterhub/templates/patch_await.sh

@@ -0,0 +1,11 @@
+#!/bin/bash -x
+# add await to asyncio change password function
+
+cat {{ jupyterhub_venv }}/lib/*/site-packages/firstuseauthenticator/firstuseauthenticator.py |grep 'await self.render'
+if [ $? -ne 0 ];then
+   echo Updating file
+   sed -i -e's/self.render/await self.render/' {{ jupyterhub_venv }}/lib/*/site-packages/firstuseauthenticator/firstuseauthenticator.py 
+else
+   echo Patch already applied. Skipping. . .
+fi
+