NativeAuthenticator doesn't work with LocalProcessSpawner

[mttcnnff]

My use case:

• I'm running jupyterhub in a containerized production environment as a service in amazon ECS
• I'm using an NFS to persist user's home directories, which is great
• I'd like to persist which users exist and their password hashes between new builds of the container so I don't have to recreate users everytime I redeploy my service
• I'd like to use NativeAuthenticator as my persisted user/user_info store to solve that 👆problem

The problem:

• When a user is created they are only created in the db and not on the host machine itself
• This means that when the process spawner tries to spawn a process it cannot because it can't find the user to spawn the process under

Error Message:

Error in Authenticator.pre_spawn_start: KeyError "getpwnam(): name not found

[leportella]

I'm sorry it is not clear to me what you are trying to do.

If you are trying to keep the info, couldn't you keep the passwords.dbm (or passwords.dbm.db depending on the system) and set it as the default path on the authenticator?

[mttcnnff]

Essentially the issue is that users are being created and authenticated using the NativeAuthenticator (and thus the db), but are not being created on the machine actually running jupyter hub. Causing a failure when the process spawner tries to spawn a process for a new user (that user being present in the db, but absent in the /etc/passwd of the machine itself)

Is that clearer? Let me know what I'm glossing over please! 🙏😊

[valvesss]

Same problem here! The users are only allowed to read directories if they are in a group of the system (i.e. jupyterhub). As users are stored in a DB the system can't find them. There's any approach to automatically create users on machine (i.e. adduser) when they are authorized by the admin?

P.S.: I'm proud to see Brazilians projects! Como brasileiro fico feliz de verdade, continue o bom trabalho :)

[minrk]

See jupyterhub/jupyterhub#2948 for some discussion. I think we want a LocalNativeAuthenticator variant:

from jupyterhub.auth import LocalAuthenticator

class LocalNativeAuthenticator(NativeAuthenticator, LocalAuthenticator):
    pass

that allows the creation of system users so that NativeAuth can be used with spawners that require local users (systemd, default, sudo, etc.)

[minrk]

We do have some confusing naming conventions here - Local is what jupyterhub uses to refer to local system users (System might have been better). Native in this case refers to "native to jupyterhub" not, for instance, native to the system on which it is running. So while LocalNative is using following both of these conventions, it's not an obvious name to folks who aren't already familiar with LocalAuthenticator and NativeAuthenticator.

We should also cover in the docs that NativeAuthenticator cannot be used with the default Spawner, and make sure to get the quickstart docs to result in running servers, which they do not currently due to the implicit use of default Spawner.

The alternative is to use pre_spawn hooks to implement something like what we do in tljh to create prefixed users only for the lifetime of the server.

[stefaneidelloth]

The above mentioned custom class can be directly entered in the config file:

c.Authenticator.admin_users = {'admin'}
c.Authenticator.open_signup = True
c.LocalAuthenticator.create_system_users = True
from jupyterhub.auth import LocalAuthenticator
from nativeauthenticator import NativeAuthenticator
class LocalNativeAuthenticator(NativeAuthenticator, LocalAuthenticator):
  pass
c.JupyterHub.authenticator_class = LocalNativeAuthenticator
c.Spawner.default_url = '/lab'

[ibayer]

Due to the limitations mentioned here, is the nativeauthenticator expected to work with the little jupyter hub?

I'm was using the great features provided by NativeAuthenticator for months till suddenly the login page started to cause
issues. The only option I found to resolve this was to disable NativeAuthenticator.

Details are here: jupyterhub/the-littlest-jupyterhub#631

[shreeishitagupta]

c.Authenticator.admin_users = {'admin'}
c.Authenticator.open_signup = True
c.LocalAuthenticator.create_system_users = True
from jupyterhub.auth import LocalAuthenticator
from nativeauthenticator import NativeAuthenticator
class LocalNativeAuthenticator(NativeAuthenticator, LocalAuthenticator):
  pass
c.JupyterHub.authenticator_class = LocalNativeAuthenticator
c.Spawner.default_url = '/lab'

After this i am getting this error
Traceback (most recent call last):
File "/home/fkuser/.local/lib/python3.7/site-packages/jupyterhub/app.py", line 1741, in init_users
await maybe_future(f)
File "/home/fkuser/.local/lib/python3.7/site-packages/jupyterhub/auth.py", line 829, in add_user
await maybe_future(self.add_system_user(user))
File "/home/fkuser/.local/lib/python3.7/site-packages/jupyterhub/auth.py", line 895, in add_system_user
raise RuntimeError("Failed to create system user %s: %s" % (name, err))
RuntimeError: Failed to create system user test: adduser: Only root may add a user or group to the system.

and also new server is not spawning for the user that i am creating on the system as well.
500 : Internal Server Error
Error in Authenticator.pre_spawn_start: SubprocessError Exception occurred in preexec_fn.

[lambdaTotoro]

@shreeishitagupta
It looks like that you're not running JupyterHub as root (error message: Only root may add a user or group to the system.), so that would explain why you can't create new system users.

[shreeishitagupta]

@lambdaTotoro Yes that i understood. Even if i myself add a system user i am not able to spawn jupyter server for that user getting this only after logging in
500 : Internal Server Error
Error in Authenticator.pre_spawn_start: SubprocessError Exception occurred in preexec_fn.

[lambdaTotoro]

That might still be a problem with root/user permissions. As I understand it, the default setup in pretty much anything jupyterhub expects that jupyterhub is being run as root, not a normal user. There's ways to set it up, but they require some more work.

But that is not a question that concerns nativeAuthenticator, so I'd try the jupyterhub repository (where similar problems have been discussed in the past, for example in jupyterhub/jupyterhub#1527) or their discourse page.

[lambdaTotoro]

I'll close this issue, the current documentation for self-approval has a way to automatically create system accounts for users when they login.