Token set to an empty string as /servers returned an empty string - why? #10
Comments
|
Thanks @consideRatio for the detailed breakdown 👍
Out of curiosity, do you have a link to a diff or PR related to that change? Thanks! |
|
Also this link share extension was initially made to share links to test RTC on the dev Binder for JupyterLab, which starts a separate Jupyter Server with jupyter-server-proxy: In that case when running on Binder, there are 2 running servers:
The extension should list both, but the end user needs the token from the (first) front server to access the instance. |
|
Thanks @jtpio for your input! I've made no progress since last but is not done trying.
These are two PRs that I was thinking could potentially have something to do with this. But I'm not sure at all. |
|
Just a quick note for context - in a conversation with @ellisonbg about this, he suggested something might be happening by virtue of the Github authenticator we're using where this problem manifests, that has to monkeypatch the base authentication classes in JupyterHub, and changes/eliminates the token generation. Binder doesn't use Github auth, so that difference might be the source of the problem. Not 100% sure it is, but I wanted to capture Brian's point here in case it helps tracking down the problem... @yuvipanda might also have some thoughts here perhaps? |
|
For reference, these are logs when starting up a user server that doesn't have a token set. My guess is that we observe a difference because of the difference of using SingleuserNotebookApp vs NotebookApp (Or ServerApp). An important clue to guess this for me has been that @fperez clarified that mybinder.org doesn't start user pods with So, what is the difference between SingleUserNotebookApp and NotebookApp then? I'm not sure, here are some traces of code that may be relevant.
|
|
@consideRatio did you manage to make it work in the end? I'm using the latest (1.1.1) zero-to-jupyterhub-k8s helm chart and trying to figure out how to make it work with the newly released RTC in jupyterhub. The extension indeed returns a link with no token and I could not manage to share any notebook with |
|
not sure if this helps any.. if you comment out
I should add to get that token showing up I first login to jupyterhub with the If I have |
|
In JupyterHub, you can just set the token to be the value of the env variable |
When running under a JupyterHub, only the currently running notebook server process is accessible from the browser (via the proxy), so only the token set for the current server will work. Any additional servers running (via jupyter-server-proxy) will still need this token, so multiple servers running in a JupyterHub (a currently unknown pattern) can't work anyway. So when we are running in a JupyterHub, we just use the provided token in the share URL. No network call is made. Fixes jupyterlab-contrib#10
To use real time collaboration in JupyterLab, we need jupyterlab-contrib/jupyterlab-link-share#10 to be fixed. jupyterlab-contrib/jupyterlab-link-share#21 is a proposed solution, and I'm testing it out here to see if it works properly. Ref berkeley-dsep-infra#3027
|
I've updated to 0.2.3, but I'm still getting a link with an empty token in a JupyterHub (1.5.0) context. Is there anything else I need to do? |
|
@yuvipanda you got this to work. What versions of jupyterlab and jupyterhub was used? Note that its also relevant to know the version of jupyterhub used in the singleuser-server in this case I think. |
is the versions on the user container image. I'm running JupyterHub 1.5 on the hub image as well |
|
Thanks for those details, @yuvipanda! Here's the diff with the same command on my server: --- yuvipanda-deps.txt 2021-11-22 16:53:28.306201127 +0100
+++ dlukes-deps.txt 2021-11-22 16:53:48.021584625 +0100
@@ -1,22 +1,16 @@
-jupyter-client 6.1.12
-jupyter-contrib-core 0.3.3
-jupyter-contrib-nbextensions 0.5.1
+jupyter 1.0.0
+jupyter-archive 3.2.1
+jupyter-client 7.0.6
+jupyter-console 6.4.0
jupyter-core 4.9.1
-jupyter-highlight-selected-word 0.2.0
-jupyter-latex-envs 1.4.6
-jupyter-nbextensions-configurator 0.4.1
-jupyter-resource-usage 0.6.0
-jupyter-rsession-proxy 1.4
jupyter-server 1.11.2
jupyter-server-proxy 3.1.0
-jupyter-shiny-proxy 1.1
jupyter-telemetry 0.1.0
-jupyter-tree-download 1.0.1
jupyterhub 1.5.0
+jupyterhub-systemdspawner 0.15.0
jupyterlab 3.2.4
-jupyterlab-geojson 3.1.2
jupyterlab-link-share 0.2.3
jupyterlab-pygments 0.1.2
jupyterlab-server 2.8.2
jupyterlab-widgets 1.0.2
-notebook 6.4.5
+notebook 6.4.6I'm guessing the problem might be that I'm using SystemdSpawner, whereas you're using Docker? The rest of the differences either look like non-essential packages, or I have newer versions. |
|
I'm guessing if I whitelist the token env var in |
|
|
|
the API token env var is to test manually, the lab extension doesn't need that. I'm not sure what could be happening. If you view source on your jupyterlab page, is there a json blob in the HTML (page config)? If so, does it have a key for |
|
Thanks for the pointers! Well |
|
So whitelisting |
|
@dlukes ah, you're probably running into the case @minrk mentioned in #21 (comment) |
|
Oh, OK, thanks :) So it looks like I might get it to work if I downgrade JupyterHub to <1.5? But it also sounds like the entire token/permissions system is still in flux. I think I might hold off on link sharing for a bit more in that case, it's not such a core piece of functionality for me, and revisit it once it settles down a bit. |
|
@dlukes I am super curious why it doesn't work for you, while it does work for me even though we have very similar hub versions... |
|
Me too! I realize you're also running JupyterHub 1.5. The big difference seems to be SystemdSpawner vs. Docker; I thought whitelisting |
|
The token may be available if you run a |
|
could you be more specific what you mean with "notebook-based server" and "jupyter-server-based server" |
|
Ah, sorry. There are currently two implementations of the jupyter server. The old one, in the In JupyterHub 1.x, the default behavior of In both 1.x and 2.x, you can specify which to use with the environment variable: # notebook, default in 1.x
JUPYTERHUB_SINGLEUSER_APP="notebook.notebookapp.NotebookApp"
# jupyter_server, default in 2.0
JUPYTERHUB_SINGLEUSER_APP="jupyter_server.serverapp.ServerApp" |
@yuvipanda Maybe that's the reason your setup works while mine doesn't? I'm using labhub. |
|
@dlukes that seems the most likely explanation |
|
This isn't actually fixed. |
|
I also have this issue. We are running jupyterhub ((it is the littlest jupyterhub setup) with Google authentication, and when I click the share button it leads to a link like this with no token: https://jupyterhub-dev.cheme.cmu.edu/user/[email protected]/lab?token= In a terminal, there is a $JUPYTERHUB_API_TOKEN, which works fine if I add it to that url. Is there some setting that will put hte token in the URL? |
To use real time collaboration in JupyterLab, we need jupyterlab-contrib/jupyterlab-link-share#10 to be fixed. jupyterlab-contrib/jupyterlab-link-share#21 is a proposed solution, and I'm testing it out here to see if it works properly. Ref berkeley-dsep-infra/datahub#3027
I think this may not be an issue with this extension, but it may influence people using it. Anyhow, I figure I can write down notes while debugging this here.
The issue
I tried to use this extension on my recently deployed JupyterHub (v1.4.1) with quite recent versions of most things, including
jupyterlab==3.1.0a10. It works visually and so, but a web response from/jupyterlab_link_share/serversresults in a token set to an empty string which in turn results in a link that doesn't include a token.Why?
Why does
/jupyterlab_link_share/serversreturn an empty string token for me on hub.jupytearth.org while it returns a token on mybinder.org?No clue.
What code base is responsible for returning a response when visiting
/jupyterlab_link_share/servers?It seems like this code:
jupyterlab-link-share/jupyterlab_link_share/handlers.py
Lines 6 to 17 in a1bf019
That code references notebookapp list_running_servers... Have that function changes between versions? No it had not.
I wonder if list_running_servers have started returning different details because of a change in JupyterHub's script entrypoint
jupyterhub-singleuserhas changed between between 1.3.0 and 1.4.1?Hmmmm it seems like
jupyter --runtime-dirreturns a runtime directory path, and within that path I findnbserver-<pid>.jsonwith details representing the JSON structure returned.What sets this file, and why is it set without a token or not?
Differences observed
jupyter --versiondifferencesjupyter --versionand miscJSON Response from /server at mybinder.org
When pressing the share button I observed a request like this https://hub.gke2.mybinder.org/user/jupyterlab-cont-rlab-link-share-ati8onmk/jupyterlab_link_share/servers?1622512360400 result in the following response.
[ { "base_url": "/user/jupyterlab-cont-rlab-link-share-ati8onmk/", "hostname": "0.0.0.0", "notebook_dir": "/home/jovyan", "password": false, "pid": 18, "port": 8888, "secure": false, "sock": "", "token": "QkLNLf04RQyJSldyJMzu0A", "url": "http://0.0.0.0:8888/user/jupyterlab-cont-rlab-link-share-ati8onmk/" } ]JSON Response from /server at hub.jupytearth.org
When pressing the share button I observed a request like this https://hub.jupytearth.org/user/consideratio/jupyterlab_link_share/servers?1622512267115 result in the following response.
[ { "base_url": "/user/consideratio/", "hostname": "0.0.0.0", "notebook_dir": "/home/jovyan", "password": false, "pid": 1, "port": 8888, "secure": false, "sock": "", "token": "", "url": "http://0.0.0.0:8888/user/consideratio/" } ]ps auxat mybinder.orgps auxat hub.jupytearth.orgThe text was updated successfully, but these errors were encountered: