Hi ,
I am trying to run a single instance BinderHub based on the scripts provided in binderhub/testing/local-binder-local-hub at main · jupyterhub/binderhub · GitHub. I’ve successfully setup single instance hubs previously without an issue like this.
In setting up another instance of a binderhub, I am now hitting an error using during the launch of the user server - (everything builds ok).
I see the following in the server logs:
Error creating user curvenote-binder-base-c1rhebyn: HTTP 403: Forbidden
b'{"status": 403, "message": "Action is not authorized with current scopes; requires any of [admin:users]"}'
[E 230519 15:53:24 builder:691] Retrying launch of https://github.com/curvenote/binder-base after error (duration=0s, attempt=1): HTTPError()
[I 230519 15:53:28 launcher:197] Creating user curvenote-binder-base-jmxbpyz6 for image curvenote-2dbinder-2dbase-fc751c:516048bd6b2577dc8ae4c35d0c8f7f51e6839153
[E 230519 15:53:28 launcher:207] Error creating user curvenote-binder-base-jmxbpyz6: HTTP 403: Forbidden
After trying to debug and also comparing to one of my working deployments I can see that this latest deployment is using jupyterhub 4.0 while other working deployments are using jupyterhub 3.x, I’m assuming that this is the issue (perhaps new/improved permissions management in v4?) - maybe incorrectly, but assuming that it is, I am trying to modify the configuration to add the scopes to the appropriate service.
I’ve added the load_roles
to my jupyterhub_config.py
, here’s a relevant section including what I added. I’m not clear if this is the right way to go or whether it is indeed the binder service that is trying to create that user.
...
c.JupyterHub.services = [
{
"name": binderhub_service_name,
"admin": True,
"command": ["python3", "-mbinderhub", f"--config={binderhub_config}"],
"url": "http://localhost:8585",
"environment": {
"JUPYTERHUB_EXTERNAL_URL": os.getenv("JUPYTERHUB_EXTERNAL_URL", "")
},
}
]
c.JupyterHub.default_url = f"/services/{binderhub_service_name}/"
c.JupyterHub.load_roles = [{
"name": "binder",
"services": [binderhub_service_name],
"scopes": ["access:services", "admin:users", "admin:servers"]
}]
PS I’m also struggling a bit to work across the docs, as it’s not always clear how to relate settings in a config.yml
to the binderhub_config.py
and juptyerhub_config.py
I’m about to downgrade to jupyterhub 3.1.1 to see if this resolves this, but i would be great to get this working on 4 (if this is the issue), and I’d be happy to open a PR with updated testing scripts if I can get is working.
To summarize my key questions:
- is this a jupyterhub 4 related issue?
- how can I assign the scopes properly in
jupyterhub_config.py
or otherwise add to the configuration to deal with that?
Any help / pointers appreciated!
Steve