Config ideas for refreshing external keys in z2h environment?

I have a running docker-based hub infrastructure where I’m using Authenticator.refresh_user to refresh/regenerate infrastructure API keys that are then passed (live) to the spawned jupyter instances via per-user filesystem mounts (being updated/refreshed by the hub before the keys expire for the end-user, every few hours - with the user automatically pulling in the updates via boto RefreshableCredential overrides)

I’m attempting to build up a similar key refreshing environment in kubernetes (z2h). My issue is I’m unsure how to approach getting the continously updated (hub) keys to the (running) spawned jupyter pods.

Searching through the forum, one solution that struck me was to use the spawned-instance’s Hub API key to have the instance request updated key from the hub (found from this post JupyterLab extension to get info from hub api )

Using that approach I’m wondering if I would have to extend the hub’s REST API because the updated keys are currently being stored in the auth_state database and I don’t see any REST calls for access that.

Given @minrk comments in How to refresh oauth tokens it seems like the hub may be doing this itself soon for the OAuth access tokens - so I’m planning to dig in the repo a bit looking for any leads

Has anyone else addressed having the hub send key updates out to running spawned instances or have any other ideas on how to approach this?

JupyterHub should allow admins to access the auth_state for a user:

1 Like

Ah, props @manics!

Assuming the REST “pull” technique is the only solution (I have my fingers crossed that someone else might have a different approach) then that code is a great lead!

Though if I have to go down that route, I expect I’ll have to write quite a bit, given that I need a user (who typically wouldn’t be an admin) to have the ability to pull only certain elements of that structure (and only for themselves)

Thanks again for the lead!

It’s also worth bearing I’m mind that if you need to augment JupyterHub creating a service is an option:

Since the service can run as an admin you should be able to obtain the auth_state whilst adding whatever user restrictions you require.

1 Like