cylc / cylc-uiserver

A Jupyter Server extension that serves the cylc-ui web application for monitoring and controlling Cylc workflows.
https://cylc.org
GNU General Public License v3.0

multi user: canonical username #487

Open oliver-sanders opened 1 year ago

oliver-sanders commented 1 year ago

On some systems, it might be possible for a user to authenticate using multiple different user names.

This is fine; however, for multi-user setups it may make it hard for users to access other users' servers, because the user name you authenticate with is what JupyterHub configures the configurable-http-proxy to use for accessing your server.

E.G. If a user can authenticate as either:

Then the URL to their server would be either:

For these setups it would be advantageous to have a canonical user name to avoid the confusion.

Ideas:

oliver-sanders commented 2 months ago

This has been observed to cause issues with the Cylc authorization layer.

oliver-sanders commented 2 months ago

It looks like JupyterHub has an interface for this, providing you are able to map aliases onto the "canonical" username.

https://jupyterhub.readthedocs.io/en/4.1.3/reference/authenticators.html#normalize-usernames

oliver-sanders commented 2 months ago

The pam_normalize_username option does the trick!

https://jupyterhub.readthedocs.io/en/4.1.3/reference/api/auth.html#jupyterhub.auth.PAMAuthenticator.pam_normalize_username

This "round trips" the username going from username to uid to username.

The remainder of this issue is about documentation. We should probably collect this, along with other configurations, into a list of recommended configurations or something of the ilk?
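The username to uid to username round trip described in this thread, as an added example that is not part of the issue and not JupyterHub's or Cylc's own code. The account names, uids and the `SamplePasswd` stand-in are constructed for illustration; by default the function reads the real passwd database through the standard `pwd` module.

```python
import pwd
from collections import namedtuple

# In jupyterhub_config.py the option from the thread is enabled with:
#   c.PAMAuthenticator.pam_normalize_username = True

# Constructed passwd entries: two login names that share one uid.
Entry = namedtuple("Entry", "pw_name pw_uid")
SAMPLE_PASSWD = [
    Entry("asmith", 1234),       # first entry for uid 1234 (canonical)
    Entry("alice.smith", 1234),  # alias for the same account
    Entry("bjones", 2345),
]


class SamplePasswd:
    """Hypothetical stand-in exposing the two pwd lookups used below."""

    def __init__(self, entries):
        self.entries = list(entries)

    def getpwnam(self, name):
        for entry in self.entries:
            if entry.pw_name == name:
                return entry
        raise KeyError(name)

    def getpwuid(self, uid):
        # Like a passwd file, the first entry with this uid wins.
        for entry in self.entries:
            if entry.pw_uid == uid:
                return entry
        raise KeyError(uid)


SAMPLE_DB = SamplePasswd(SAMPLE_PASSWD)


def canonical_username(name, db=pwd):
    """Round trip username -> uid -> username; KeyError if unknown."""
    uid = db.getpwnam(name).pw_uid
    return db.getpwuid(uid).pw_name


def server_route(name, db=pwd):
    """Proxy route prefix for the user's server, keyed on the canonical name."""
    return f"/user/{canonical_username(name, db)}/"
```

With normalisation applied before the route or any authorization rule is looked up, both aliases resolve to the same server and the same identity.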