Can not get admin UI in JupyterHub 2.2.0

JupyterHub
1

I have created a jupyterhub_config.py with the following values

c.JupyterHub.db_url = '/etc/jupyterhub/jupyterhub.sqlite'
c.JupyterHub.load_roles = [
    {
        'name': 'server1',
        'description': 'Start and stop user servers.',
        'scopes': ['servers'],
        # 'scopes': ['admin:groups', 'admin:users', 'admin:servers'], # also does not work
        'users': ["user1"],
    },
    {
        'name': 'admin',
        'users': ["user1"],
    }
]

But no matter what combination of scopes or roles I try when I call https://jupyter.example.com/hub/admin#/ I do not get get a list of users.
In the network tab I see
https://jupyter.example.com/hub/api/users?offset=0&limit=50

{"status": 403, "message": "Action is not authorized with current scopes; requires any of [list:users]"}

https://jupyter.example.com/hub/api/groups?offset=0&limit=50

{"status": 403, "message": "Action is not authorized with current scopes; requires any of [list:groups]"}
1 Like
2 
c.JupyterHub.load_roles = [
    {
        'name': 'admin',
        'users': ['demo'],
    },

works for me with the latest JupyterHub (user demo is an admin). Are you sure your configuration file is being loaded? Can you enable debug logging and show us the full JupyterHub logs from startup?

4

Ok here is an idea (as well as the debug log). In my config I use an authenticator_class to set a (customized) oauth authentication, which maybe causes the scopes to be lost.

from oauthenticator.generic import GenericOAuthenticator

c.JupyterHub.load_roles = [
    {
        'name': 'admin',
        'users': ["user@example.com"],
    }
]
c.Authenticator.delete_invalid_users = True
c.Authenticator.auto_login = True
c.Authenticator.enable_auth_state = True
c.Authenticator.refresh_pre_spawn = True


class CustomOAuthenticator(GenericOAuthenticator):

    async def authenticate(self, handler, data=None):
        ...

    async def refresh_user(self, user, handler=None):
        ...


c.JupyterHub.authenticator_class = CustomOAuthenticator

c.GenericOAuthenticator.token_url = 'https://{{ auth_url }}/o/token/'
c.GenericOAuthenticator.authorize_url = 'https://{{ auth_url }}/o/authorize/'
c.GenericOAuthenticator.userdata_url = 'https://{{ auth_url }}/o/userinfo/'
c.GenericOAuthenticator.oauth_callback_url = 'https://{{ server_name }}/hub/oauth_callback'
c.GenericOAuthenticator.username_key = 'sub'
c.GenericOAuthenticator.auth_refresh_age = 9800

Running jupyterhub with the debug flag

jupyterhub -f /etc/jupyterhub/jupyterhub_config.py --debug

returns the following log

[D 2022-03-14 09:07:39.441 JupyterHub application:753] Loaded config file: /etc/jupyterhub/jupyterhub_config.py
[I 2022-03-14 09:07:39.450 JupyterHub app:2769] Running JupyterHub version 2.2.0
[I 2022-03-14 09:07:39.450 JupyterHub app:2799] Using Authenticator: builtins.CustomOAuthenticator
[I 2022-03-14 09:07:39.450 JupyterHub app:2799] Using Spawner: dockerspawner.dockerspawner.DockerSpawner-12.1.0
[I 2022-03-14 09:07:39.451 JupyterHub app:2799] Using Proxy: jupyterhub.proxy.ConfigurableHTTPProxy-2.2.0
[D 2022-03-14 09:07:39.452 JupyterHub app:2730] Could not load pycurl: No module named 'pycurl'
    pycurl is recommended if you have a large number of users.
[I 2022-03-14 09:07:39.453 JupyterHub app:1606] Loading cookie_secret from /var/snap/amazon-ssm-agent/5163/jupyterhub_cookie_secret
[D 2022-03-14 09:07:39.453 JupyterHub app:1773] Connecting to db: sqlite:////etc/jupyterhub/jupyterhub.sqlite
[D 2022-03-14 09:07:39.470 JupyterHub orm:955] database schema version found: 833da8570507
[I 2022-03-14 09:07:39.523 JupyterHub proxy:496] Generating new CONFIGPROXY_AUTH_TOKEN
[D 2022-03-14 09:07:39.523 JupyterHub app:2022] Loading roles into database
[D 2022-03-14 09:07:39.525 JupyterHub app:2032] Overriding default role admin
[I 2022-03-14 09:07:39.538 JupyterHub app:1924] Not using allowed_users. Any authenticated user will be allowed.
[D 2022-03-14 09:07:39.544 JupyterHub app:2281] Purging expired APITokens
[D 2022-03-14 09:07:39.548 JupyterHub app:2281] Purging expired OAuthCodes
[D 2022-03-14 09:07:39.550 JupyterHub app:2114] Loading role assignments from config
[I 2022-03-14 09:07:39.565 JupyterHub app:2123] Admin role specifies static users list
[I 2022-03-14 09:07:39.565 JupyterHub app:2125] Admin role does not specify services, preserving admin membership in database
[D 2022-03-14 09:07:39.589 JupyterHub app:2427] Initializing spawners
[D 2022-03-14 09:07:39.593 JupyterHub app:2558] Loaded users:

[I 2022-03-14 09:07:39.593 JupyterHub app:2838] Initialized 0 spawners in 0.004 seconds
[W 2022-03-14 09:07:39.596 JupyterHub proxy:687] Running JupyterHub without SSL.  I hope there is SSL termination happening somewhere else...
[I 2022-03-14 09:07:39.596 JupyterHub proxy:691] Starting proxy @ http://127.0.0.1:8000
[D 2022-03-14 09:07:39.596 JupyterHub proxy:692] Proxy cmd: ['configurable-http-proxy', '--ip', '127.0.0.1', '--port', '8000', '--api-ip', '127.0.0.1', '--api-port', '8001', '--error-target', 'http://172.17.0.1:8081/hub/error']
[D 2022-03-14 09:07:39.600 JupyterHub proxy:610] Writing proxy pid file: jupyterhub-proxy.pid
09:07:39.756 [ConfigProxy] info: Proxying http://127.0.0.1:8000 to (no default)
09:07:39.759 [ConfigProxy] info: Proxy API at http://127.0.0.1:8001/api/routes
[D 2022-03-14 09:07:39.812 JupyterHub proxy:728] Proxy started and appears to be up
[D 2022-03-14 09:07:39.815 JupyterHub proxy:821] Proxy: Fetching GET http://127.0.0.1:8001/api/routes
09:07:39.825 [ConfigProxy] info: 200 GET /api/routes
[I 2022-03-14 09:07:39.825 JupyterHub app:3087] Hub API listening on http://172.17.0.1:8081/hub/
[D 2022-03-14 09:07:39.825 JupyterHub proxy:343] Fetching routes to check
[D 2022-03-14 09:07:39.826 JupyterHub proxy:821] Proxy: Fetching GET http://127.0.0.1:8001/api/routes
09:07:39.828 [ConfigProxy] info: 200 GET /api/routes
[D 2022-03-14 09:07:39.828 JupyterHub proxy:346] Checking routes
[I 2022-03-14 09:07:39.828 JupyterHub proxy:431] Adding route for Hub: / => http://172.17.0.1:8081
[D 2022-03-14 09:07:39.829 JupyterHub proxy:821] Proxy: Fetching POST http://127.0.0.1:8001/api/routes/
09:07:39.831 [ConfigProxy] info: Adding route / -> http://172.17.0.1:8081
09:07:39.832 [ConfigProxy] info: Route added / -> http://172.17.0.1:8081
09:07:39.833 [ConfigProxy] info: 201 POST /api/routes/
[I 2022-03-14 09:07:39.833 JupyterHub app:3154] JupyterHub is now running at http://127.0.0.1:8000
[D 2022-03-14 09:07:39.834 JupyterHub app:2762] It took 0.401 seconds for the Hub to start
[I 2022-03-14 09:07:41.483 JupyterHub log:189] 302 GET / -> /hub/ (@10.0.16.132) 0.91ms
[I 2022-03-14 09:07:42.864 JupyterHub log:189] 302 GET / -> /hub/ (@10.0.74.187) 0.69ms
[D 2022-03-14 09:07:44.985 JupyterHub base:326] Refreshing auth for user@example.com
[I 2022-03-14 09:07:45.213 JupyterHub jupyterhub_config:134] saving user data into file
[I 2022-03-14 09:07:45.213 JupyterHub jupyterhub_config:141] saving user data into file /etc/jupyterhub/sessions/user@example.com.json
[D 2022-03-14 09:07:45.213 JupyterHub roles:454] Assigning default role to User user@example.com
[D 2022-03-14 09:07:45.224 JupyterHub scopes:491] Checking access via scope admin:users
[D 2022-03-14 09:07:45.225 JupyterHub scopes:389] Unrestricted access to /hub/admin via admin:users
[D 2022-03-14 09:07:45.225 JupyterHub scopes:491] Checking access via scope admin:servers
[D 2022-03-14 09:07:45.225 JupyterHub scopes:389] Unrestricted access to /hub/admin via admin:servers
[D 2022-03-14 09:07:45.253 JupyterHub user:399] Creating <class 'dockerspawner.dockerspawner.DockerSpawner'> for user@example.com:
[W 2022-03-14 09:07:45.255 JupyterHub dockerspawner:92] DockerSpawner.remove_containers is deprecated in DockerSpawner 0.10.0, use DockerSpawner.remove instead
[I 2022-03-14 09:07:45.257 JupyterHub log:189] 200 GET /hub/admin (user@example.com@10.0.16.132) 285.51ms
[I 2022-03-14 09:07:45.442 JupyterHub log:189] 302 GET /logo -> /hub/logo (@10.0.16.132) 1.02ms
[D 2022-03-14 09:07:45.478 JupyterHub log:189] 304 GET /hub/static/js/admin-react.js (@10.0.16.132) 1.19ms
[W 2022-03-14 09:07:45.577 JupyterHub base:93] Blocking Cross Origin API request.  Referer: https://jupyter.example.com/hub/admin, Host: jupyter.example.com, Host URL: http://jupyter.example.com/hub/
[D 2022-03-14 09:07:45.577 JupyterHub scopes:491] Checking access via scope list:users
[D 2022-03-14 09:07:45.577 JupyterHub scopes:386] No access to /hub/api/users via list:users
[W 2022-03-14 09:07:45.577 JupyterHub scopes:499] Not authorizing access to /hub/api/users. Requires any of [list:users], not derived from scopes []
[W 2022-03-14 09:07:45.578 JupyterHub web:1787] 403 GET /hub/api/users?offset=0&limit=50 (10.0.16.132): Action is not authorized with current scopes; requires any of [list:users]
[W 2022-03-14 09:07:45.578 JupyterHub log:189] 403 GET /hub/api/users?offset=0&limit=50 (@10.0.16.132) 3.48ms
[W 2022-03-14 09:07:45.581 JupyterHub base:93] Blocking Cross Origin API request.  Referer: https://jupyter.example.com/hub/admin, Host: jupyter.example.com, Host URL: http://jupyter.example.com/hub/
[D 2022-03-14 09:07:45.582 JupyterHub scopes:491] Checking access via scope list:groups
[D 2022-03-14 09:07:45.582 JupyterHub scopes:386] No access to /hub/api/groups via list:groups
[W 2022-03-14 09:07:45.582 JupyterHub scopes:499] Not authorizing access to /hub/api/groups. Requires any of [list:groups], not derived from scopes []
[W 2022-03-14 09:07:45.582 JupyterHub web:1787] 403 GET /hub/api/groups?offset=0&limit=50 (10.0.16.132): Action is not authorized with current scopes; requires any of [list:groups]
[W 2022-03-14 09:07:45.583 JupyterHub log:189] 403 GET /hub/api/groups?offset=0&limit=50 (@10.0.16.132) 3.34ms
[D 2022-03-14 09:07:45.591 JupyterHub log:189] 200 GET /hub/static/js/admin.js?v=20220314090739 (@10.0.16.132) 1.03ms
[D 2022-03-14 09:07:45.658 JupyterHub log:189] 200 GET /hub/static/components/moment/moment.js?v=20220314090739 (@10.0.16.132) 1.25ms
[D 2022-03-14 09:07:45.662 JupyterHub log:189] 200 GET /hub/static/js/jhapi.js?v=20220314090739 (@10.0.16.132) 1.55ms
[D 2022-03-14 09:07:45.665 JupyterHub log:189] 200 GET /hub/static/js/utils.js?v=20220314090739 (@10.0.16.132) 1.07ms
5

This may be the problem, this is mostly likely due to a problem with your front-end proxy (e.g. Nginx/Apache). Please can you give us more details about your whole setup, including your proxy configuration file(s)? Thanks!

6

Thanks for the quick reply and help, very much appreciated! I wanted to make sure that we internally have a thorough look at it and exclude all other problem. I found Empty Admin page when the hub is behind nginx proxy · Issue #3737 · jupyterhub/jupyterhub · GitHub and CORS issues behind nginx ingress after updating to JupyterHub 2.1.1 - #3 by ktaletsk which seem to fit my problem very well. I am trying to follow the discussions there now and will report back when I have new insights.

1 Like
7

I found a solution: I configure nginx (our reverse proxy)

proxy_set_header X-Scheme https;

instead of proxy_set_header X-Scheme $scheme; I can now see the admin interface.

1 Like