Sudospawner and internal_ssl

Hi, need help please…
I’ve installed JupyterHub as a non-root user. Everything works ok. Next, I want to enable internal_ssl.
After doing so, a notebook will not launch because move_certs ( attempts to copy the internal certs to the user’s ~/$HOME/.jupyterhub. Fails with: permission denied - the non-root jupyterhub user cannot write to a user’s $HOME/

Wondering if there is a solution to this out there?

These solutions may work for a small deployment (there are hacky and not real solutions):

  1. Depending on your home directory permissions, you can change the ownership of ~/.jupyterhub to the same group as the jupyterhub service and make sure it is group writable.

  2. Link the SSL files to everyone’s ~/.jupyterhub and comment out the call to move_certs

  3. Make SETUID root so it can copy the files (RISKY)

  4. Use Sudo to call spwaner

Hopefully someone can offer a real solution…

Thanks! for the suggestion.

I came up with this in the meanwhile: Subclassing SudoSpawner, and overriding move_certs(). Seems to work…

– We “fix” the permissions issue by:
– 1. subclassing SudoSpawner and overriding the move_certs method
– 2. We need corresponding sudo script to do the move…
– in:

from sudospawner import SudoSpawner
class MySudoSpawner(SudoSpawner):
    async def move_certs(self, paths):
        import pwd,os,re,sys

        key = paths['keyfile']
        cert = paths['certfile']
        ca = paths['cafile']

        user = pwd.getpwnam(
        uid = user.pw_uid
        gid = user.pw_gid
        home = user.pw_dir
        os.system('sudo /home/jupyterhub/ ....')
        return {"keyfile": key, "certfile": cert, "cafile": ca}

c.JupyterHub.spawner_class = MySudoSpawner

A much better solution than any of mine. :slight_smile: