Skip to content

Security(M-08): every authenticated realm user is admitted by default (allow_all = True) #176

Description

@dcmcand

Summary

The Keycloak authenticator sets allow_all = True, so every user whose token is valid for the configured client is admitted to the hub. In a shared or broadly provisioned realm, users intended for other services enter the JupyterHub trust domain and can consume resources.

Severity: Medium · CWE-863 (Incorrect Authorization)
Validation: Confirmed against HEAD f932d80 on 2026-07-14 (assessed at 69c84f7; unchanged since).

Evidence

  • config/jupyterhub/00-gateway-auth.py:557-560 sets c.Authenticator.auto_login = True and c.Authenticator.allow_all = True, with an inline comment noting any KC-authenticated user is admitted and that deployments should tighten via admin_groups/allowed_groups.
  • There is no default allowed_groups restriction; profile and storage controls do not gate baseline hub access.

Impact

Admission depends only on holding a valid token for the client. In a multi-tenant or broadly provisioned realm, users provisioned for other services gain hub access and can consume compute. This admission decision is also what exposes them to the scope surface described in the H-01 issue.

Remediation

  • Require an explicit platform-access group or client role, and default to deny when absent.
  • Separate admission from administrator and profile authorization.
  • Apply resource quotas.

Acceptance criteria

  • A valid realm user without the platform grant is denied.
  • Grant removal takes effect within a documented interval.

Source: data-science-pack 0.1.0 security assessment (pinned commit 69c84f72df259ec755ed40bfc83f20158c550d55), finding M-08.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area: securitySecurity findings and hardening workpriority: medium ⚡Medium priority - standard queue

    Type

    No type

    Fields

    Priority

    None yet

    Start date

    None yet

    Target date

    None yet

    Size

    None yet

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions