403 : Forbidden You do not have permission to access Server

[jhannink]

I have a strange behaviour when trying to share dashboards with other users on my jupyterhub instance, this does only seem to work between Admin users.

If a non-admin is trying to access a shared dashboard via the Dashboards tab the following happens:

• Server is starting up
• Authorize page does not appear, instead we get a 403 : Forbidden You do not have permission to access Server

This is the error log for a non-admin user

[I 2022-02-24 18:03:06.433 JupyterHub log:189] 302 GET /hub/dashboards/dashboard-test -> /user/julius/dash-dashboard-test (julius-test@[secret]) 7.92ms
INFO:tornado.application:SuperviseAndProxyHandler http_get 56595 
DEBUG:tornado.application:No user identified
WARNING:tornado.application:Detected unused OAuth state cookies
DEBUG:tornado.application:Redirecting to login url: /hub/api/oauth2/authorize?client_id=jupyterhub-user-julius-dash-dashboard-test&redirect_uri=%2Fuser%2Fjulius%2Fdash-dashboard-test%2Foauth_callback&response_type=code&state=[secret]
ERROR:tornado.application:Uncaught exception GET /user/julius/dash-dashboard-test/ ([secret])
HTTPServerRequest(protocol='http', host=[secret], method='GET', uri='/user/julius/dash-dashboard-test/', version='HTTP/1.1', remote_ip=[secret])
Traceback (most recent call last):
  File "/opt/homebrew/Caskroom/miniforge/base/lib/python3.9/site-packages/tornado/web.py", line 1704, in _execute
    result = await result
  File "/opt/homebrew/Caskroom/miniforge/base/lib/python3.9/site-packages/jhsingle_native_proxy/websocket.py", line 102, in get
    return await self.http_get(*args, **kwargs)
  File "/opt/homebrew/Caskroom/miniforge/base/lib/python3.9/site-packages/jhsingle_native_proxy/proxyhandlers.py", line 849, in http_get
    return await self.proxy(self.port, path)
  File "/opt/homebrew/Caskroom/miniforge/base/lib/python3.9/site-packages/jhsingle_native_proxy/proxyhandlers.py", line 843, in proxy
    return await self.oauth_proxy(port, path)
TypeError: object NoneType can't be used in 'await' expression
[E 2022-02-24 18:03:06.622 JupyterHub auth:280] User <User(julius-test 0/1 running)> not allowed to access Server at /user/julius/dash-dashboard-test/
[W 2022-02-24 18:03:06.623 JupyterHub web:1787] 403 GET /hub/api/oauth2/authorize?client_id=jupyterhub-user-julius-dash-dashboard-test&redirect_uri=%2Fuser%2Fjulius%2Fdash-dashboard-test%2Foauth_callback&response_type=code&state=[secret] ([secret]): You do not have permission to access Server at /user/julius/dash-dashboard-test/
[W 2022-02-24 18:03:06.660 JupyterHub log:189] 403 GET /hub/api/oauth2/authorize?client_id=jupyterhub-user-julius-dash-dashboard-test&redirect_uri=%2Fuser%2Fjulius%2Fdash-dashboard-test%2Foauth_callback&response_type=code&state=[secret] (julius-test@[secret]) 48.27ms

vs once I made user julius-test an admin via the jupyterhub admin panel

[I 2022-02-24 18:01:02.364 JupyterHub log:189] 200 GET /hub/dashboards/dashboard-test (julius-test@[secret]) 49.53ms
[I 2022-02-24 18:01:02.365 JupyterHub spawner:1526] Spawning python3 -m jhsingle_native_proxy.main --destport=0 python3 '{-}m' voila '{presentation_path}' '{--}port={port}' '{--}no-browser' '{--}Voila.base_url={base_url}/' '{--}Voila.server_url=/' --progressive --presentation-path=./Dashboards/Dashboard.ipynb --ip=127.0.0.1 --port=56588 '{--}debug' --debug
Setting debug
Starting jhsingle-native-proxy server on address 127.0.0.1 port 56588, proxying to port 0
URL Prefix: /user/julius/dash-dashboard-test
Auth Type: oauth
Command: ('python3', '{-}m', 'voila', '{presentation_path}', '{--}port={port}', '{--}no-browser', '{--}Voila.base_url={base_url}/', '{--}Voila.server_url=/', '{--}debug')
INFO:tornado.application:SuperviseAndProxyHandler http_get 56595 
DEBUG:tornado.application:No user identified
DEBUG:tornado.application:Redirecting to login url: /hub/api/oauth2/authorize?client_id=jupyterhub-user-julius-dash-dashboard-test&redirect_uri=%2Fuser%2Fjulius%2Fdash-dashboard-test%2Foauth_callback&response_type=code&state=[secret]
[I 2022-02-24 18:01:02.770 JupyterHub base:944] User julius:dash-dashboard-test took 0.427 seconds to start
[I 2022-02-24 18:01:02.770 JupyterHub proxy:286] Adding user julius to proxy /user/julius/dash-dashboard-test/ => http://127.0.0.1:56588
18:01:02.771 [ConfigProxy] info: Adding route /user/julius/dash-dashboard-test -> http://127.0.0.1:56588
18:01:02.771 [ConfigProxy] info: Route added /user/julius/dash-dashboard-test -> http://127.0.0.1:56588
18:01:02.771 [ConfigProxy] info: 201 POST /api/routes/user/julius/dash-dashboard-test 
ERROR:tornado.application:Uncaught exception GET /user/julius/dash-dashboard-test/ (127.0.0.1)
HTTPServerRequest(protocol='http', host='127.0.0.1:56588', method='GET', uri='/user/julius/dash-dashboard-test/', version='HTTP/1.1', remote_ip='127.0.0.1')
Traceback (most recent call last):
  File "/opt/homebrew/Caskroom/miniforge/base/lib/python3.9/site-packages/tornado/web.py", line 1704, in _execute
    result = await result
  File "/opt/homebrew/Caskroom/miniforge/base/lib/python3.9/site-packages/jhsingle_native_proxy/websocket.py", line 102, in get
    return await self.http_get(*args, **kwargs)
  File "/opt/homebrew/Caskroom/miniforge/base/lib/python3.9/site-packages/jhsingle_native_proxy/proxyhandlers.py", line 849, in http_get
    return await self.proxy(self.port, path)
  File "/opt/homebrew/Caskroom/miniforge/base/lib/python3.9/site-packages/jhsingle_native_proxy/proxyhandlers.py", line 843, in proxy
    return await self.oauth_proxy(port, path)
TypeError: object NoneType can't be used in 'await' expression
[I 2022-02-24 18:01:02.774 JupyterHub events:107] Server julius:dashboard-test is ready
[I 2022-02-24 18:01:02.774 JupyterHub log:189] 200 GET /hub/dashboards-api/dashboard-test/progress (julius-test@[secret]) 145.21ms
INFO:tornado.application:SuperviseAndProxyHandler http_get 56595 
DEBUG:tornado.application:No user identified
WARNING:tornado.application:Detected unused OAuth state cookies
DEBUG:tornado.application:Redirecting to login url: /hub/api/oauth2/authorize?client_id=jupyterhub-user-julius-dash-dashboard-test&redirect_uri=%2Fuser%2Fjulius%2Fdash-dashboard-test%2Foauth_callback&response_type=code&state=[secret]
ERROR:tornado.application:Uncaught exception GET /user/julius/dash-dashboard-test/ ([secret])
HTTPServerRequest(protocol='http', host=[secret], method='GET', uri='/user/julius/dash-dashboard-test/', version='HTTP/1.1', remote_ip=[secret])
Traceback (most recent call last):
  File "/opt/homebrew/Caskroom/miniforge/base/lib/python3.9/site-packages/tornado/web.py", line 1704, in _execute
    result = await result
  File "/opt/homebrew/Caskroom/miniforge/base/lib/python3.9/site-packages/jhsingle_native_proxy/websocket.py", line 102, in get
    return await self.http_get(*args, **kwargs)
  File "/opt/homebrew/Caskroom/miniforge/base/lib/python3.9/site-packages/jhsingle_native_proxy/proxyhandlers.py", line 849, in http_get
    return await self.proxy(self.port, path)
  File "/opt/homebrew/Caskroom/miniforge/base/lib/python3.9/site-packages/jhsingle_native_proxy/proxyhandlers.py", line 843, in proxy
    return await self.oauth_proxy(port, path)
TypeError: object NoneType can't be used in 'await' expression
[I 2022-02-24 18:01:02.974 JupyterHub log:189] 200 GET /hub/api/oauth2/authorize?client_id=jupyterhub-user-julius-dash-dashboard-test&redirect_uri=%2Fuser%2Fjulius%2Fdash-dashboard-test%2Foauth_callback&response_type=code&state=[secret] (julius-test@[secret]) 17.32ms

Configuration

• Installed jupyterhub via pip
• jupyterhub_config: Basic config from here
• Using GenericOAuthenticator to sign in via a self-hosted Keycloak Instance using openid-connect

[jhannink]

By the way, my jupyterhub == 2.1.1 and that seemed to be the issue. Using jupyterhub == 1.4.2 resolved the issue for now :smiley:

Any plans on how to proceed with jupyterhub >= 2?

[cmosguy]

@jhannink I just ran into this problem, you said you had to downgrade the jupyterhub version to make this work?

[jhannink]

Yep, downgrading to 1.4.2 solved it for me

[cmosguy]

@danlester are you able to fix this ASAP? I would love to be able to use this, but cannot because of this issue. What is the point of deploying this and having 403 for others when viewing your dashboard?

[jhannink]

Definately, support for jupyterhub > 2.0 would be cool :smiley:

[danlester]

This is tracked in #96 and I've just added a comment.