Jupyter Hub API creating new users

We have deployed z2jh and are customizing the chart to add in some extra features.
We would like to implement some authentication potentially JSON web tokens but we believe we will need to have preexisting accounts on the underlying unix system.

Our thoughts are to we need to carry out the following steps on the Hub API prior to passing a JSON web token

  • Create a new user using the post create user call
  • Patch the user to be an admin user

We were puzzled when we found other Hub API calls that allowed us to create tokens for users

  • Create a user token
    We found the if we enter this token in a new browser tab an authorization header token XXXXX we could spawn and new single-node pod and login as the user. Is this something we should use in a production environment or should we rely on something to redirect after the JSON web token is authenticated?

This solution works for know predefined users like jovyan or user that are defined in our chart as admin.
However, we encounter errors when we try to create new users that do not have a predefined unix account.
We have set the c.LocalAuthenticator.create_system_users = True but we get
RuntimeError: Failed to create system user testuser2: adduser: Only root may add a user or group to the system.
We have tried to implement sudospawner but given the suggestions in the following link and that we by default we are using kubespawner are we off the track

We have tested manually adding the user by connecting to the container as root and running an adduser -q --gecos ‘“”’ --disabled-password testuser3
The hub API call then works

Note in order to make calls to the hub API we need to define a hub → service → binder → apiToken and add as an authorization header.

Answer some of my own questions so others can gain insight…

The hub api appears to have a catch 22 situation as it must be running as root to add in linux users but the z2jh helm chart refers docker container that run under a dedicated non root user for security reasons. But it appears to me local accounts should only be used in a non security environment (I may be wrong)

If I turn off LocalAuthenticator and use JSONWebTokenAuthenticator(with LocalAuthenticator turned off ) for authentication I can authenticate the user and somehow hub creates the user and it is visible when you list users.

z2jh is entirely containerised, so users only exist in the Jupyterhub DB, and each user runs in a separate container (Kubernetes pod). It sounds like you want to run Jupyterhub directly on a server or VM instead of using Kubernetes.

@mulliganp were you able to figure this out? I came to the same “catch 22” conclusion here, and this appears to be the only documentation of such.

I figured this out. In my custom authenticator I had two classes:

  1. JSONWebTokenAuthenticator, which extends the Authenticator class
  2. JSONWebTokenLocalAuthenticator, which extends the LocalAuthenticator class

In the hub.config.JupyterHub.authenticator_class of my config.yaml I was specifying the latter, which was trying to create system users on the hub, as LocalAuthenticator is designed to do. Changing the value to the former fixed it. Hope this helps someone.