Open consideRatio opened 4 months ago
manics
commented
4 months ago It's required for hub authentication. Without auth BinderHub has admin permissions on JupyterHub to create a temporary user with token authentication for the server.
jupyterhub-singleuser is included in repo2docker images.
consideRatio
commented
4 months ago jupyterhub-singleuser is included in repo2docker images.
Ah, the failure I observed was on a minimalistic Dockerfile (https://github.com/binderhub-ci-repos/cached-minimal-dockerfile), so then this is just a difference for when repo2docker builds with a Dockerfile at least.
Thanks for helping me understand things @manics, I don't get it fully yet:
Without auth BinderHub has admin permissions on JupyterHub to create a temporary user with token authentication for the server.
Ah yes it seems that the creation of users is done when auth isn't enabled, which then btw contradicts the comment in https://github.com/jupyterhub/binderhub/pull/1544/commits/39980f09f354580637b5b2d16079074409666552#diff-dfa1149c9b40dd3c7c372015a9fb7b9a68507e6fdc0246a9d521483f072d120bR71-R72. My understanding reading this code block is that the permissions needed are to read user data when auth is enabled, and to create users when auth is disabled (then self.create_users is initialized true).
manics
commented
4 months ago Yes, the code comment is incorrect, the PR comment is correct though https://github.com/jupyterhub/binderhub/pull/1544#issuecomment-1277497482
I've tried adding jupyterhub to the minimal test image before for exactly this reason, but IIRC there were some problems when using pip (maybe some missing wheels for a dependency?) so I switched to Conda. I think it's worth trying again though since it makes testing easier.
In this documentation about enabling auth it sais:
I'm wondering what makes this required? If it is, then the repo we build an image from requires jupyterhub as well - a requirement not presented otherwise for anonymous binderhub deployments like mybinder.org.