Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JupyterHub: update jupyterhub component default version to 5.2.1 #493

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
+36 −3
Open

JupyterHub: update jupyterhub component default version to 5.2.1 #493

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2bf1170
upgrade to jupyterhub v5
mishaschwartz Jan 20, 2025
d557adc
review suggestions
mishaschwartz Jan 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 16 additions & 1 deletion CHANGES.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,22 @@
[Unreleased](https://github.com/bird-house/birdhouse-deploy/tree/master) (latest)
------------------------------------------------------------------------------------------------------------------

[//]: # (list changes here, using '-' for each new entry, remove this when items are added)
## Changes

- JupyterHub: update `jupyterhub` component default version to [5.2.1](https://github.com/Ouranosinc/jupyterhub/releases/tag/5.2.1-20241114)

This implements all changes between JupyterHub version
[4.1.6 and 5.2.1](https://jupyterhub.readthedocs.io/en/stable/reference/changelog.html).

This update requires the following manual upgrade steps:

- If your local environment file sets the `c.DockerSpawner.image_whitelist` config option in the
`JUPYTERHUB_ENABLE_MULTI_NOTEBOOKS` environnment variable. Change `c.DockerSpawner.image_whitelist`
to `c.DockerSpawner.allowed_images`.
mishaschwartz marked this conversation as resolved.
Show resolved Hide resolved

If you have changed any of the default `jupyterhub` settings you may need to consult the [JupyterHub upgrade
guide](https://jupyterhub.readthedocs.io/en/latest/howto/upgrading-v5.html) to see if any of those settings
have been changed.

[2.8.0](https://github.com/bird-house/birdhouse-deploy/tree/2.8.0) (2025-01-17)
------------------------------------------------------------------------------------------------------------------
Expand Down
2 changes: 1 addition & 1 deletion birdhouse/components/jupyterhub/default.env
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
# are applied and must be added to the list of DELAYED_EVAL.

export JUPYTERHUB_DOCKER=pavics/jupyterhub
export JUPYTERHUB_VERSION=4.1.5-20240426
export JUPYTERHUB_VERSION=5.2.1-20241114
export JUPYTERHUB_IMAGE='${JUPYTERHUB_DOCKER}:${JUPYTERHUB_VERSION}'
export JUPYTERHUB_IMAGE_URI='registry.hub.docker.com/${JUPYTERHUB_IMAGE}'

Expand Down
3 changes: 3 additions & 0 deletions birdhouse/components/jupyterhub/jupyterhub_config.py.template
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -176,7 +176,9 @@ c.Spawner.disable_user_config = True

c.DockerSpawner.default_url = '/lab'
c.DockerSpawner.remove = True # delete containers when servers are stopped
c.DockerSpawner.allowed_images = {c.DockerSpawner.image: c.DockerSpawner.image} # v5.0+
${JUPYTERHUB_ENABLE_MULTI_NOTEBOOKS} # noqa

c.DockerSpawner.pull_policy = "always" # for images not using pinned version
c.DockerSpawner.debug = True
c.JupyterHub.log_level = logging.DEBUG
Expand Down Expand Up @@ -223,6 +225,7 @@ blocked_users = {'authtest', '${CATALOG_USERNAME}', 'anonymous'}
c.Authenticator.blacklist = blocked_users # v0.9+
c.Authenticator.blocked_users = blocked_users # v1.2+

c.Authenticator.allow_all = True # v5.0+
Comment on lines 225 to +228
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This combination is extremely confusing and prone to misinterpretation.
Please provide the doc reference and some comment.

https://jupyterhub.readthedocs.io/en/latest/reference/api/auth.html#jupyterhub.auth.Authenticator.allow_all

Even after reading the doc details, it feels config to "allow all" after an explicit set of blocked users.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is to maintain the previous behaviour which is what is mentioned a few times both in the link you provided and the upgrade guide (https://jupyterhub.readthedocs.io/en/latest/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users).

We use Magpie as the source of truth for who our users are so we do not want jupyterhub to filter/block those users further.

Can you clarify what the confusion is please? That would help me draft a better comment to help.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just curious, I vaguely remember in Magpie, there was a way to only allow Jupyterhub login to some subset of users (using group membership) so not all authenticated users are automatically granted Jupyterhub access. Is that true or I am just imagining things?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes that is possible. But again, that's using Magpie for the source of truth. This is just saying that any user that can authenticate should be allowed.

This is the current behaviour, the configuration changes for JupyterHub just means that we have to be explicit about it now.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with all mentioned points.

It is potentially confusing for new users since the Magpie auth is not that obvious from that place (c.MagpieAuthenticator is not the same base as c.Authenticator, so it's a stretch to figure out they work together, not to say it is way higher in the config).

Also, reading c.Authenticator.blocked_users followed by c.Authenticator.allow_all immediately raised a "hold on, what, why?" flag for me. I had to deep-dive into Jupyterhub docs to (partially) understand their convoluted management of pre/post user-login and accessible operations. The naming of the parameters are not intuitive. "Allow all" in the context of auth would be understood by pretty much anyone as open access, but "access all [what]" (users, resources, actions, notebooks, all-of-the-above) is not obvious.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Allow all" in the context of auth would be understood by pretty much anyone as open access

But we are not the one controlling and choosing the naming. Adding more documentation comments to help the reader?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exactly. This is why I ask for comments to mitigate the bad naming misinterpretation.


# ------------------------------------------------------------------------------
# Shutdown idle user server based on configured timeouts.
Expand Down
2 changes: 1 addition & 1 deletion birdhouse/env.local.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -281,7 +281,7 @@ export GEOSERVER_ADMIN_PASSWORD="${__DEFAULT__GEOSERVER_ADMIN_PASSWORD}"
# allow jupyterhub user selection of which notebook image to run
# see https://jupyter-docker-stacks.readthedocs.io/en/latest/using/selecting.html
#export JUPYTERHUB_ENABLE_MULTI_NOTEBOOKS="
#c.DockerSpawner.image_whitelist = {
#c.DockerSpawner.allowed_images = {
# os.environ['JUPYTERHUB_IMAGE_SELECTION_NAMES'].split()[0]: os.environ['JUPYTERHUB_DOCKER_NOTEBOOK_IMAGES'].split()[0],
# os.environ['JUPYTERHUB_IMAGE_SELECTION_NAMES'].split()[1]: os.environ['JUPYTERHUB_DOCKER_NOTEBOOK_IMAGES'].split()[1],
# os.environ['JUPYTERHUB_IMAGE_SELECTION_NAMES'].split()[2]: os.environ['JUPYTERHUB_DOCKER_NOTEBOOK_IMAGES'].split()[2],
Expand Down
15 changes: 15 additions & 0 deletions docs/source/migration_guide.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,21 @@
Migration Guide
===============

Version 2.9
-----------

Version 2.9 updates JupyterHub to version 5.

To upgrade to version 2.9 from an earlier version:

- If your local environment file sets the `c.DockerSpawner.image_whitelist` config option in the
`JUPYTERHUB_ENABLE_MULTI_NOTEBOOKS` environnment variable. Change `c.DockerSpawner.image_whitelist`
to `c.DockerSpawner.allowed_images`.

If you have changed any of the default `jupyterhub` settings you may need to consult the [JupyterHub upgrade
guide](https://jupyterhub.readthedocs.io/en/latest/howto/upgrading-v5.html) to see if any of those settings
have been changed.

Version 2.4
-----------

Expand Down
Loading