Summary
The Keycloak authenticator sets allow_all = True, so every user whose token is valid for the configured client is admitted to the hub. In a shared or broadly provisioned realm, users intended for other services enter the JupyterHub trust domain and can consume resources.
Severity: Medium · CWE-863 (Incorrect Authorization)
Validation: Confirmed against HEAD f932d80 on 2026-07-14 (assessed at 69c84f7; unchanged since).
Evidence
config/jupyterhub/00-gateway-auth.py:557-560 sets c.Authenticator.auto_login = True and c.Authenticator.allow_all = True, with an inline comment noting any KC-authenticated user is admitted and that deployments should tighten via admin_groups/allowed_groups.
- There is no default
allowed_groups restriction; profile and storage controls do not gate baseline hub access.
Impact
Admission depends only on holding a valid token for the client. In a multi-tenant or broadly provisioned realm, users provisioned for other services gain hub access and can consume compute. This admission decision is also what exposes them to the scope surface described in the H-01 issue.
Remediation
- Require an explicit platform-access group or client role, and default to deny when absent.
- Separate admission from administrator and profile authorization.
- Apply resource quotas.
Acceptance criteria
Source: data-science-pack 0.1.0 security assessment (pinned commit 69c84f72df259ec755ed40bfc83f20158c550d55), finding M-08.
Summary
The Keycloak authenticator sets
allow_all = True, so every user whose token is valid for the configured client is admitted to the hub. In a shared or broadly provisioned realm, users intended for other services enter the JupyterHub trust domain and can consume resources.Severity: Medium · CWE-863 (Incorrect Authorization)
Validation: Confirmed against HEAD
f932d80on 2026-07-14 (assessed at69c84f7; unchanged since).Evidence
config/jupyterhub/00-gateway-auth.py:557-560setsc.Authenticator.auto_login = Trueandc.Authenticator.allow_all = True, with an inline comment noting any KC-authenticated user is admitted and that deployments should tighten viaadmin_groups/allowed_groups.allowed_groupsrestriction; profile and storage controls do not gate baseline hub access.Impact
Admission depends only on holding a valid token for the client. In a multi-tenant or broadly provisioned realm, users provisioned for other services gain hub access and can consume compute. This admission decision is also what exposes them to the scope surface described in the H-01 issue.
Remediation
Acceptance criteria
Source: data-science-pack 0.1.0 security assessment (pinned commit
69c84f72df259ec755ed40bfc83f20158c550d55), finding M-08.