Nativeauthenticator broken in jupyterhub/k8s-hub:1.1.3-x due to jupyterhub 2.0.0b3 bump


I was a bit confused that the recent jupyterhub/k8s-hub images were still tagged 1.1.3-xxx, but now include jupyterhub 2.0. I would have expected the image tag to be 2.0 as well since this was a breaking change. Was that intentional?

In our case, the 2.0.0b3 version of jupyterhub broke nativeauthenticator, causing hub not to start. We had to use an older hub image before the 2.0 bump to get it working again.

$ docker run -it --entrypoint /bin/bash jupyterhub/k8s-hub:1.1.3-n134.h03e4a766
jovyan@7a9e131f6fbd:/srv/jupyterhub$ pip list | grep jupyterhub
jupyterhub                       2.0.0b3
jupyterhub-firstuseauthenticator 0.14.1
jupyterhub-hmacauthenticator     1.0
jupyterhub-idle-culler           1.2.1
jupyterhub-kubespawner           1.1.1
jupyterhub-ldapauthenticator     1.3.2
jupyterhub-ltiauthenticator      1.2.0
jupyterhub-nativeauthenticator   1.0.5
jupyterhub-tmpauthenticator      0.6
jovyan@7a9e131f6fbd:/srv/jupyterhub$ python3
Python 3.8.10 (default, Sep 28 2021, 16:10:42)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import nativeauthenticator
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.8/dist-packages/nativeauthenticator/", line 4, in <module>
    from nativeauthenticator.nativeauthenticator import NativeAuthenticator
  File "/usr/local/lib/python3.8/dist-packages/nativeauthenticator/", line 16, in <module>
    from .handlers import (
  File "/usr/local/lib/python3.8/dist-packages/nativeauthenticator/", line 7, in <module>
    from jupyterhub.utils import admin_only
ImportError: cannot import name 'admin_only' from 'jupyterhub.utils' (/usr/local/lib/python3.8/dist-packages/jupyterhub/


Relevant GitHub issue:

Yup, I opened that issue to give the nativeauthenticator team a heads up about the situation. Not sure if they would have seen this post.

My concern/question for this thread was: should the k8s-hub Docker image tag also be bumped to 2.0-something to give people a warning that it includes breaking changes with the jupyterhub 2.0 python package.

And would it make sense to remove nativeauthenticator from the image until a 2.0-compatible version becomes available?

Ideally yes it would have a 2.0.0-dev tag.

In practice it would require some CI development work since dev tags are generated automatically based on the most recent tag.

In the past Z2JH releases were infrequent so it was common to use the latest dev chart, but since 1.0.0 releases are much more frequent so for production deployments it’s usually best to stick with tagged releases.

1 Like

We could create a 2.0.0-dev tag for the commit where we started shipping hub 2.0

If a dev tag doesn’t work with our tooling, we could mark it 2.0.0-alpha.1, I suppose.