Binderhub + Jupyterhub 4 - Error creating user xxxxxx: HTTP 403: Forbidden

Binder
1

Hi :wave:,

I am trying to run a single instance BinderHub based on the scripts provided in binderhub/testing/local-binder-local-hub at main · jupyterhub/binderhub · GitHub. I’ve successfully setup single instance hubs previously without an issue like this.

In setting up another instance of a binderhub, I am now hitting an error using during the launch of the user server - (everything builds ok).

I see the following in the server logs:

Error creating user curvenote-binder-base-c1rhebyn: HTTP 403: Forbidden
    b'{"status": 403, "message": "Action is not authorized with current scopes; requires any of [admin:users]"}'
[E 230519 15:53:24 builder:691] Retrying launch of https://github.com/curvenote/binder-base after error (duration=0s, attempt=1): HTTPError()
[I 230519 15:53:28 launcher:197] Creating user curvenote-binder-base-jmxbpyz6 for image curvenote-2dbinder-2dbase-fc751c:516048bd6b2577dc8ae4c35d0c8f7f51e6839153
[E 230519 15:53:28 launcher:207] Error creating user curvenote-binder-base-jmxbpyz6: HTTP 403: Forbidden

After trying to debug and also comparing to one of my working deployments I can see that this latest deployment is using jupyterhub 4.0 while other working deployments are using jupyterhub 3.x, I’m assuming that this is the issue (perhaps new/improved permissions management in v4?) - maybe incorrectly, but assuming that it is, I am trying to modify the configuration to add the scopes to the appropriate service.

I’ve added the load_roles to my jupyterhub_config.py, here’s a relevant section including what I added. I’m not clear if this is the right way to go or whether it is indeed the binder service that is trying to create that user.

...
c.JupyterHub.services = [
    {
        "name": binderhub_service_name,
        "admin": True,
        "command": ["python3", "-mbinderhub", f"--config={binderhub_config}"],
        "url": "http://localhost:8585",
        "environment": {
            "JUPYTERHUB_EXTERNAL_URL": os.getenv("JUPYTERHUB_EXTERNAL_URL", "")
        },
    }
]
c.JupyterHub.default_url = f"/services/{binderhub_service_name}/"
c.JupyterHub.load_roles = [{
	"name": "binder",
	"services": [binderhub_service_name], 
	"scopes": ["access:services", "admin:users", "admin:servers"]
}]

PS I’m also struggling a bit to work across the docs, as it’s not always clear how to relate settings in a config.yml to the binderhub_config.py and juptyerhub_config.py

I’m about to downgrade to jupyterhub 3.1.1 to see if this resolves this, but i would be great to get this working on 4 (if this is the issue), and I’d be happy to open a PR with updated testing scripts if I can get is working.

To summarize my key questions:

  • is this a jupyterhub 4 related issue?
  • how can I assign the scopes properly in jupyterhub_config.py or otherwise add to the configuration to deal with that?

Any help / pointers appreciated!
Steve

2

ok just reverting jupyterhub to 3.1.1 did not resolve this, differences between my other deployments aside, I’m not sure what else can be causing this

3

figuring out that

    loadRoles:
      user:
        scopes:
          - self
          - "access:services"

as per the docs here

means

c.JupyterHub.load_roles = [
	{
		"name": "user",
		"description": "Allow users to access binder service",
		"scopes": ["self", "access:services"]
	}
]

in a jupyterhub_config.py file,

2 Likes