User-specific default spawner URL on JupyterHub - jupyter

I recently set up JupyterLab on our university server and will now let other users access the hub. Is there a possibility to configure, which is the default Jupyter application (notebook, lab, voila etc.) by user?
In jupyterhub_config.py which is in /etc/jupyter/, there is only a global option which URL to use as default:
c.Spawner.default_url = '/lab'
How can I differentiate the behaviour by user? Is it possible to only allow certain users the use of lab and notebook and limit other users to using voila?

Related

LDAP User login succesful without Role membership

My Rundeck detail Rundeck version: 4.10.0
install type: DEB
OS Name/version: Debian 11
DB Type/version: h2
A LDAP user without a Role membership can properly login but can not see any Projects - so far fine.
How can i block such a user to Login at all?
We have one "userBaseDn" Group (userBaseDn="cn=Users,ou=PROD,dc=company,dc=com") in which all users are stored. But of course, only users in following roleBaseDn (roleBaseDn="cn=Rundeck_Admins,cn=Applications,ou=PROD,dc=company,dc=com") Group should have access to Rundeck Web UI.
I expect, only users in Group "Rundeck_Admins" can Login to Rundeck at all
Currently, you can only restrict that using an ACL policy (the user can log in but cannot view/edit/run any project/job, as you say), please take a look at this.
Alternatively, you can create a specific branch in your LDAP server only for Rundeck users.
Currently, means there will be a change on this behavior?
As far a i understand LDAP right, for a specific LADP branch in which a place users, i have to manage users twice. 1st, in user directory and 2nd in the specific Rundeck Group. For me quite unhandy...

Microsoft Single Sing On - Block access from outside network

Assuming some web sites allow users to log in via Microsoft Login. Can we enforce that this users will only be able to use this setting only from within the Organization network in Intune? If yes, how? (Reference link)
Example: User is logging in to Bitbucket via Microsoft Login. He is unable to access Microsoft Login on his personal laptop. However, If he is using the Organization computer he should be able to access.
I believe this setting can be applied via IP Address? Or maybe there is another option.

Access to AmazonWorkspaces

I am setting up an Amazon Workspace instance, and need to provide the user with a password to log in. The invite email only contains the registration code.
How do I set up a user password to enable the user to login into Amazon workspace only (no console access)?
I am creating an AmazonWorkspace from a custom bundle, and adding a user to Simple AD.
Individual workspaces created in Amazon WorkSpaces are assigned to, and used by, individuals who are defined in a Directory.
From Manage Directories for Amazon WorkSpaces:
Amazon WorkSpaces uses a directory to store and manage information for your WorkSpaces and users. You can use one of the following options:
AD Connector — Use your existing on-premises Microsoft Active Directory. Users can sign into their WorkSpaces using their on-premises credentials and access on-premises resources from their WorkSpaces.
Microsoft AD — Create a Microsoft Active Directory hosted on AWS.
Simple AD — Create a directory that is compatible with Microsoft Active Directory, powered by Samba 4, and hosted on AWS.
Cross trust — Create a trust relationship between your Microsoft AD directory and your on-premises domain.
If you have your own Active Directory, then use it. If you do not have Active Directory, the simplest option is to choose Simple AD, which is a Active Directory-compatible Samba service. (Charges apply)
The user is selected when the WorkSpace is created. Amazon WorkSpaces will send a registration code to the end user. The end user then uses an Amazon WorkSpaces client to connect with the service. They provide the Registration Code to configure the client (once only), then login with their AD credentials.
To set the user password for AmazonWorkspace, set user password on the WorkMail application for that user. Directory service manages users for both AmazonWorkspaces and WorkMail, and the password is shared across.
The user must exist, but can be disabled. Email address can be anything, in my case users do not use AWS email.
Users defined in IAM are not visible from AmazonWorkspaces and WorkMail. If a user has console, S3, ec2, etc.. access in addition to Workspace, they would need to be defined separately in IAM and Directory.

TFS REST API: How to "Make requests on behalf of others"?

I want my VSTS extension (installed on-prem TFS2015.3) to be able to do specific requests on behalf of a admin/service account ("Make requests on behalf of others")
Background: I manipulate (WorkItem) Process Template, specifically the GLOBALWORKFLOW (only on team-project level) in my extensions typescript, but the user of the extension in Web Access is NOT a project-admin so he is not allowed to use the function updateWorkItemTypeDefinition() - Non-Project-Admins get "Access denied" even if I gave that custom group every permission available ("Edit project-level-information" permissions for project-level GLOBALWORKFLOWs? Still didn't work for custom groups, only for Project Admin Accounts).
It seems I'm forced to impersonate a project admin /service account which is allowed to change the global workflow in the project
How do I impersonate in extension typescript code on-prem TFS and REST (1. not .NET and 2. without changing to basic auth, saw that solution already somewhere else - but I'm very sure I cannot request that change in my organization)
Thanks for your help
You can impersonate user through vsts-node-api.
There are many function to impersonate user, such as Basic, NTLM, PWA (VSTS) etc..., you can check these function here.
import * as vm from 'vso-node-api';
// your collection url
var collectionUrl = "XXX";
let authHandler = vm.getNtlmHandler("[user name]","[password]","[workstation optional]","[domain optional]");
var connect = new vm.WebApi(collectionUrl, authHandler);
There is the sample that you could refer to.

error when trying to install MSMQ

Have VS-2003, VS-2005, VS-2008
Tried enabling MSMQ in Add/Remove Windows Components and get this
'A local user is authenticated as an anonymous user and cannot access active directory. You need to log on as a domain user to access Active directory.'
I am trying to do development on my machine and want to set up a private Q so that I can develop a MSMQ application.
This is similar to this situation: I am on my machine as an admin. Am logged into VPN and trying the above.
link text
Uncheck the "active directory integration" option in the "add windows component" gui. It is not needed for private queues.