Can you provide an example of how to access the JupyterHub API, especially which credential is required (i.e., which of the two in the config.yaml file)? I've tried many variations (using httpie) and get something like this:
$ http http://jupyterhub.odewahn.com/hub/api/users 'Authorization: token 1dfa277014fac9f3d054e203325e8e44c80432c8c8f8bfafd8f2ac1603c3458d'
HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 39
Content-Security-Policy: frame-ancestors 'self'; report-uri /hub/security/csp-report
Content-Type: application/json
Date: Wed, 07 Jun 2017 19:53:46 GMT
Server: nginx/1.10.0 (Ubuntu)

{
    "message": "Forbidden",
    "status": 403
}
Hi, I had the same issue as you. I fixed it by adding the following to jupyterhub_config:
c.JupyterHub.proxy_api_ip = xxxx
c.JupyterHub.proxy_api_port = xxx
c.JupyterHub.proxy_auth_token = '1dfa277014fac9f3d054e203325e8e44c80432c8c8f8bfafd8f2ac1603c3458d'
c.JupyterHub.api_tokens = {'1dfa277014fac9f3d054e203325e8e44c80432c8c8f8bfafd8f2ac1603c3458d' : 'my-user-name'}
I know the token is kind of a duplicate and you don't need to have your username when you call "api/users", so in theory you don't need the last config (c.JupyterHub.api_tokens).
However, without the last config it is not working.
Hmmm, perhaps this is a bit too complex and detailed to be part of the guide.
If you want to do this though, look at this configuration:
https://github.com/jupyterhub/binderhub/blob/6b66588a5de280677f6e95ebd1a31b6cc551128b/testing/minikube/jupyterhub-helm-config.yaml#L8-L15
Declare and use that apiToken to make requests. To make a request you use, for example, curl, to the proxy-public service with the correct port, which I think will be 31303; just make sure to provide a header along with it with the apiToken.
# provide a header something like this in the curl request
'authorization: token <the token that you generated using: openssl rand -hex 32>'
@odewahn Hi, have you been able to fix your issue? I'm seeing the same problem even though I set the api token in config.yaml.
@consideRatio can you explain it more? I need to access the hub API from every JupyterLab instance I have on a Kubernetes cluster and I don't know how that's possible.
@frouzbeh I have not done it myself, I'd need to read up a bit to learn this.
This is a way to get credentials to access it as an admin at least. But, perhaps you already have non-admin credentials, coupled to the specific user of the JupyterLab instance available to you already, hmmm...
hub:
  services:
    myServiceName:
      admin: true
      apiToken: "aec7d32df938c0f55e54f09244a350cb29ea612907ed4f07be13d9553d18a8e4"
Hi @consideRatio,
defining a service with an apiToken inside hub I was able to get a working curl line to interact with JupyterHub; is there any documentation about all these "secrets" in the yaml config file?
There's the proxy.secretToken, the hub.cookieSecret and also the hub.services.*.apiToken. What's the purpose of all these fields?
For anyone that may need some pointers, this is my current (partial) configuration file jupyterhub.yaml:
hub:
  # Image that manages the user login and jupyterlab creation.
  # Use the same tag used when installing with helm.
  image:
    name: jupyterhub/k8s-hub
    tag: 0.9.0-beta.4.n000.h72e54ee
  services:
    testService:
      admin: true
      apiToken: "aec7d32df938c0f55e54f09244a350cb29ea612907ed4f07be13d9553d18a8e4"
auth:
  type: "custom"
  custom:
    className: "nativeauthenticator.NativeAuthenticator"
  admin:
    users:
      - admin1
  whitelist:
    users:
      - test1
      - test2
which I apply with:
helm upgrade --install jhub jupyterhub/jupyterhub --version=0.9.0-beta.4.n000.h72e54ee --values jupyterhub.yaml
Then I'm able to interact with the Jhub API server with:
curl -L -H "accept: application/json" -H "Authorization: token aec7d32df938c0f55e54f09244a350cb29ea612907ed4f07be13d9553d18a8e4" http://host:port/hub/api/users |python -m json.tool
It would be useful to have some notes like these in the documentation, I think; I've lost some hours wandering around the doc and the source code, before reaching this post.
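The request pattern the thread converges on (a service apiToken sent as an `Authorization: token ...` header to `/hub/api/users`), as an added Python example that is not part of the original thread or the project's code. `StubHub`, `hub_get`, `demo` and `DEMO_TOKEN` are hypothetical names; the stub server is a constructed stand-in for the Hub so the example runs offline.

```python
import hmac
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder. A real value comes from `openssl rand -hex 32`, is set as
# hub.services.<name>.apiToken, and is read from the environment, not hardcoded.
DEMO_TOKEN = "0" * 64

class StubHub(BaseHTTPRequestHandler):
    """Constructed stand-in for the Hub API: known token -> 200, anything else -> 403."""
    def do_GET(self):
        sent = self.headers.get("Authorization", "")
        ok = hmac.compare_digest(sent.encode(), f"token {DEMO_TOKEN}".encode())
        payload = [{"name": "test1"}] if ok else {"message": "Forbidden", "status": 403}
        body = json.dumps(payload).encode()
        self.send_response(200 if ok else 403)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def hub_get(base_url, path, token):
    """GET <base_url>/hub/api/<path> with the token header; return (status, JSON)."""
    req = urllib.request.Request(
        f"{base_url}/hub/api/{path}",
        headers={"Authorization": f"token {token}", "Accept": "application/json"},
    )
    # Empty ProxyHandler: ignore proxy environment variables for the local demo.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)  # the 403 response carries a JSON body too

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubHub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return hub_get(base, "users", DEMO_TOKEN), hub_get(base, "users", "1" * 64)
    finally:
        server.shutdown()
        server.server_close()
```

Against a real deployment, `hub_get` would be pointed at the proxy-public address with the service's apiToken; a token the Hub does not recognise produces the same 403 body shown at the top of the thread.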
Here's some links to the relevant JupyterHub documentation:
Do you have a suggestion on where you'd like to see these cross-linked?
Thanks for the quick response; the links you provided were useful to understand the need for different secrets.
I've also just discovered the reference page, containing detailed info on many k8s options available.
I would refer to it probably at step 3 of the jhub setup, where proxy.token is defined but not explained: https://zero-to-jupyterhub.readthedocs.io/en/latest/setup-jupyterhub/setup-jupyterhub.html#prepare-configuration-file
& 3. Probably a personalization section in the same setup-jupyterhub.html page with a link pointing to the jhub docs and to the z2jh reference page would be enough.
Do you have any suggestions on how to setup a service that creates users using nativeauthenticator?
https://github.com/jupyterhub/nativeauthenticator/issues/93#issuecomment-597699592
Just coming in to give my two cents.
Similar to a few folks in here I share the sentiment that documentation is not clear on this, specifically the docs dealing with Zero-To-Jupyterhub (Z2J). It would be nice to note a few advanced config.yaml parameters that can be set and how we can extend it using the actual (and extended) JupyterHub documentation. Had no idea, following the Z2J documentation, that config.yaml can be set with extraConfig: binder:, nor services:.
Perhaps I might have just missed the links, but why there isn't a reference to the API token being set via the config.yaml file within the Using JupyterHub's REST API page was beyond me for a few hours. The link @consideRatio posted above was all I needed to click things into place. Literally a page, "Customize config.yaml Further," with a copy and paste code of a large configuration setting is all there likely is really needed for some developers to go "oh!"
Closed and encompassed as a note in the issue linked above.