Can't get NativeAuthenticator to work #295

Closed
kpeeters opened this issue Mar 16, 2019 · 18 comments
Labels
support Support questions (should be on discourse.jupyter.org instead)

Comments

@kpeeters

From a default install which worked fine, I did

sudo tljh-config set auth.type nativeauthenticator.NativeAuthenticator
sudo tljh-config reload

That didn't work (could not log in as admin anymore, and there was no difference in the login screen). The log obtained with journalctl -u jupyterhub does not show anything when attempting to log in.

Lacking logs, I also tried

git clone https://github.com/jupyterhub/nativeauthenticator.git
cd nativeauthenticator
pip install -e .

as instructed at https://native-authenticator.readthedocs.io/en/latest/quickstart.html (in the hope that my install did not work because I simply did not have nativeauthenticator yet). That did not work either, unfortunately.

Any pointers? What is the correct procedure, and how can I get some more logging info out of tljh so I can debug things like this in the future myself? Thanks!

@leportella
Collaborator

Hi @kpeeters, NativeAuth has an option to import the database from the FirstUse database. However, by default when installing NativeAuth everybody should sign up, even admin. The admin listed on the config file will automatically have access to the system.

Could this be the problem?

@kpeeters
Author

I understand that; the problem is that the login screen is exactly the same as with FirstUse, there is no option to sign up. It's probably reading the settings about which authenticator to use from two different places, with the part of the code that produces the login form seeing one setting, and the part that does the actual validation seeing the other. But I can't find it.

@leportella
Collaborator

This is something I am fixing for the next version (login will have a link for sign up). To check if you are using Native Auth you can go to /hub/# to see if it is working :)

@kpeeters
Author

Ah, you may want to write that somewhere in the docs ;-) It worked now, in the sense of producing a sign-up form, but I can't login as my admin account anymore, and journalctl says Config option `import_from_firstuse` not recognized by `NativeAuthenticator`.

@yuvipanda yuvipanda added support Support questions (should be on discourse.jupyter.org instead) and removed question labels May 22, 2019
@ingoglia

ingoglia commented Jun 25, 2019

I also experienced this issue.
It doesn't seem possible to use this feature, unless you can somehow customize the installer to install with the NativeAuthenticator instead? Is that possible? Because it seems as though the admin account gets created, and then you are automatically locked out when you switch over. I would try the FirstUse database migrator, but the documentation is a bit fuzzy on which config file I am supposed to put the information in.

@RobinTTY

RobinTTY commented Feb 8, 2020

Is there any update on this? Had the exact same problem when trying to switch to NativeAuthenticator and couldn't find a method to get around it. The authenticator works great but I have no more admin user I'm able to login with to approve the users after activating it.

Also as mentioned before setting auth.NativeAuthenticator.import_from_firstuse doesn't work and only results in the error import_from_firstuse not recognized by NativeAuthenticator appearing in the logs.

Is there maybe a method to create a new admin user using the console for NativeAuthenticator? Had no luck with the regular sudo tljh-config add-item users.admin <username> command.

Edit: Actually it seems like I can just register the admin account through the sign-up page and have access again. The documentation for NativeAuthenticator actually states "It is important to notice that admin must also create a new user through signup.", so if this is expected behavior it is a little confusing to say the least 😛

@t3chbg

t3chbg commented Feb 20, 2020

I am having the same problem described by @kpeeters back in March 2019 - after enabling Native Authentication the Login and Sign up pages are exactly the same.
@leportella any chance you are able to look at issue jupyterhub/nativeauthenticator#98 and advise what the issue is or alternatively assist with a solution?

We are conducting a workshop with about 40 students next week Tuesday, 25th and it would be appreciated if my problem can get resolved prior to then.

@leportella
Collaborator

Sorry for my absence. Will take a look later today

@leportella
Collaborator

How are the Admins being created on FirstUse? I tested with the admin being configured on jupyterhub_config.py and it works.

@leportella
Collaborator

@RobinTTY admins must create their accounts if you didn't import it from the FirstUseAuthenticator as you can see here: https://github.com/jupyterhub/nativeauthenticator/blob/2fede2bfc109c9107064eb4a7c48dd4e4d6a79ee/nativeauthenticator/nativeauthenticator.py#L236.

The admin definitions are being absorbed from the jupyter_config.py file, as defined here: https://github.com/jupyterhub/nativeauthenticator/blob/2fede2bfc109c9107064eb4a7c48dd4e4d6a79ee/nativeauthenticator/nativeauthenticator.py#L183.

Also, I would recommend getting the last version from GitHub, not PyPI, because I didn't update it yet.

@RobinTTY

@leportella Ah ok, thank you.

@leportella
Collaborator

I just uploaded the last master version to pip: https://pypi.org/project/jupyterhub-nativeauthenticator/0.0.5/

CHANGELOG: https://github.com/jupyterhub/nativeauthenticator/blob/master/CHANGELOG.md

@InCogNiTo124

@leportella One thing which could improve tljh is to show requests for authorization in the admin page. If not possible, at least a button "REQUESTS" which takes the admin to /authorization :)

@ibayer
Contributor

ibayer commented Mar 19, 2021

Reading through all the comments I'm still not sure what to do.

I have a working tljh setup with an admin user that I can use to log in.
If I now add the nativeauthenticator to my config /opt/tljh/config/config.yaml

users:
  admin:
  - admin
auth:
  type: nativeauthenticator.NativeAuthenticator

then reload the config tljh-config reload.

(Following the doc https://tljh.jupyter.org/en/latest/howto/auth/nativeauth.html and using
sudo tljh-config set auth.type nativeauthenticator.NativeAuthenticator changes the config in the same way.)

I can't log-in with my admin user anymore and get Invalid username or password .

I also tried to sign up again using the old admin user and password. After signing up I get
the response Your information have been sent to the admin .

Now if I try to log-in again still gives me Invalid username or password .
Seems like I'm stuck in a situation where I need an admin user to approve my first admin user.

Looks like I'm missing a crucial step. It would be really great if someone who got this working could give me a hint.

@ibayer
Contributor

ibayer commented Mar 19, 2021

log file from journalctl -u jupyterhub

Mar 18 19:14:23 my-domain systemd[1]: Started jupyterhub.service.
Mar 18 19:14:25 my-domain python3[12586]: [I 2021-03-18 19:14:25.852 JupyterHub app:2332] Running JupyterHub version 1.2.2
Mar 18 19:14:25 my-domain python3[12586]: [I 2021-03-18 19:14:25.852 JupyterHub app:2362] Using Authenticator: nativeauthenticator.nativeauthenticator.NativeAuthenticator
Mar 18 19:14:25 my-domain python3[12586]: [I 2021-03-18 19:14:25.852 JupyterHub app:2362] Using Spawner: tljh.user_creating_spawner.UserCreatingSpawner
Mar 18 19:14:25 my-domain python3[12586]: [I 2021-03-18 19:14:25.852 JupyterHub app:2362] Using Proxy: jupyterhub_traefik_proxy.toml.TraefikTomlProxy-0+unknown
Mar 18 19:14:25 my-domain python3[12586]: [I 2021-03-18 19:14:25.868 JupyterHub app:1412] Loading cookie_secret from /opt/tljh/state/jupyterhub_cookie_secret
Mar 18 19:14:25 my-domain python3[12586]: [W 2021-03-18 19:14:25.946 JupyterHub configurable:190] Config option `blacklist` not recognized by `NativeAuthenticator`.
Mar 18 19:14:26 my-domain python3[12586]: [I 2021-03-18 19:14:26.002 JupyterHub app:1717] Not using allowed_users. Any authenticated user will be allowed.
Mar 18 19:14:26 my-domain python3[12586]: [I 2021-03-18 19:14:26.052 JupyterHub app:2399] Initialized 0 spawners in 0.002 seconds
Mar 18 19:14:26 my-domain python3[12586]: [I 2021-03-18 19:14:26.055 JupyterHub app:2611] Not starting proxy
Mar 18 19:14:26 my-domain python3[12586]: [I 2021-03-18 19:14:26.056 JupyterHub app:2647] Hub API listening on http://127.0.0.1:15001/hub/
Mar 18 19:14:26 my-domain python3[12586]: [I 2021-03-18 19:14:26.056 JupyterHub app:2662] Starting managed service cull-idle
Mar 18 19:14:26 my-domain python3[12586]: [I 2021-03-18 19:14:26.056 JupyterHub service:339] Starting service 'cull-idle': ['/opt/tljh/hub/bin/python3', '-m', 'jupyterhub_idle_culler', '--timeout=600', >
Mar 18 19:14:26 my-domain python3[12586]: [I 2021-03-18 19:14:26.058 JupyterHub service:121] Spawning /opt/tljh/hub/bin/python3 -m jupyterhub_idle_culler --timeout=600 --cull-every=60 --concurrency=5 -->
Mar 18 19:14:26 my-domain python3[12586]: [I 2021-03-18 19:14:26.078 JupyterHub proxy:320] Checking routes
Mar 18 19:14:26 my-domain python3[12586]: [I 2021-03-18 19:14:26.079 JupyterHub app:2722] JupyterHub is now running at http://:8000
Mar 18 19:14:26 my-domain python3[12586]: [I 2021-03-18 19:14:26.362 JupyterHub log:181] 200 GET /hub/api/users (cull-idle@127.0.0.1) 45.36ms
Mar 18 19:14:27 my-domain python3[12586]: [C 2021-03-18 19:14:27.601 JupyterHub app:2810] Received signal SIGTERM, initiating shutdown...
Mar 18 19:14:27 my-domain python3[12586]: /opt/tljh/hub/lib/python3.8/site-packages/jupyterhub/app.py:2812: DeprecationWarning: Task.all_tasks() is deprecated, use asyncio.all_tasks() instead
Mar 18 19:14:27 my-domain python3[12586]:   t for t in asyncio.Task.all_tasks() if t is not asyncio.Task.current_task()
Mar 18 19:14:27 my-domain python3[12586]: /opt/tljh/hub/lib/python3.8/site-packages/jupyterhub/app.py:2812: DeprecationWarning: Task.current_task() is deprecated, use asyncio.current_task() instead

extract from pip3 freeze

jupyterhub==1.3.0
jupyterhub-nativeauthenticator==0.0.7

@ibayer
Contributor

ibayer commented Mar 20, 2021

Adding the file /opt/tljh/config/jupyterhub_config.d/native_auth.py allowed me to # with admin user admin.

cat /opt/tljh/config/jupyterhub_config.d/native_auth.py 
c.JupyterHub.authenticator_class = 'nativeauthenticator.NativeAuthenticator'
c.Authenticator.admin_users = {'admin'}

To understand why this works I found the following link very helpful:
https://tljh.jupyter.org/en/latest/topic/escape-hatch.html#extending-jupyterhub-config-py
btw I didn't have to install NativeAuthenticator separately.

Thanks for providing tljh!

@consideRatio
Member

Closing as resolved via #295 (comment), thanks for helping each other out!

Also note that it could be relevant to track #264

@mtav

mtav commented Sep 9, 2022

I was considering opening a new issue, but after searching around a bit, I see that the problem is known and being worked on in #264, and the documentation improvement I was going to suggest was already suggested in #564.

However, since I just spent quite some time on this problem, I am going to document what I figured out here.

In addition to the solution by @ibayer , there is another one using tljh-config:

sudo tljh-config set auth.type nativeauthenticator.NativeAuthenticator
sudo tljh-config set auth.NativeAuthenticator.admin_users admin
sudo tljh-config reload

The problem I had (and I assume others too) is that based on the current tljh documentation and the NativeAuthenticator documentation, we should just do the following:

sudo tljh-config set auth.type nativeauthenticator.NativeAuthenticator
sudo tljh-config set auth.NativeAuthenticator.admin_users {'admin'}
sudo tljh-config reload

However this leads to the following configuration:

$ sudo tljh-config show
users:
  admin:
  - admin
auth:
  type: nativeauthenticator.NativeAuthenticator
  NativeAuthenticator:
    admin_users: '{admin}'

And the expected admin username is then "{admin}" instead of "admin".

Signing up as "{admin}" seems to work, but then leads to this error when signing in:

  500 : Internal Server Error
  Error in Authenticator.pre_spawn_start: UnboundLocalError local variable 'unix_username' referenced before assignment
  You can try restarting your server from the home page.

I suppose there might be an even better way by setting it so that it is a list, like for users.admin, but I have not figured out how to do it and have found no documentation indicating how to do it either. "tljh-config add-item" also did not work.
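
Added example (not part of the original thread, and not tljh or NativeAuthenticator code): a small check over the parsed configuration that flags the `'{admin}'` value shown in the comment above. Earlier in the thread it is noted that an admin listed in the config gets access on sign up, so an unintended name in `admin_users` is worth catching before a reload. The function names, the account-name pattern, and the comparison against `users.admin` are assumptions made for this illustration.

```python
import re

# Constructed sample: the structure printed by `tljh-config show` in the
# comment above, written as the dict a YAML loader would return.
BROKEN = {
    "users": {"admin": ["admin"]},
    "auth": {
        "type": "nativeauthenticator.NativeAuthenticator",
        "NativeAuthenticator": {"admin_users": "{admin}"},
    },
}

# Assumption: a conservative POSIX-style account-name pattern, not taken from tljh.
SAFE_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def effective_admins(cfg):
    """Return (names, findings) for auth.NativeAuthenticator.admin_users."""
    raw = cfg.get("auth", {}).get("NativeAuthenticator", {}).get("admin_users")
    if raw is None:
        return [], ["admin_users is not set for NativeAuthenticator"]
    if isinstance(raw, str):
        # A scalar string is what `tljh-config set` stored in the thread.
        names = [raw]
    elif isinstance(raw, (list, set, tuple)):
        names = sorted(str(n) for n in raw)
    else:
        return [], [f"admin_users has unexpected type {type(raw).__name__}"]
    findings = [f"admin name {n!r} is not a plain account name"
                for n in names if not SAFE_NAME.match(n)]
    return names, findings


def audit(cfg):
    """List problems with the admin identities the authenticator will trust."""
    names, findings = effective_admins(cfg)
    # Assumption: users.admin holds the admin names the operator intended.
    intended = cfg.get("users", {}).get("admin", [])
    for name in intended:
        if name not in names:
            findings.append(f"users.admin entry {name!r} is not in admin_users")
    for name in names:
        if name not in intended:
            findings.append(f"admin_users entry {name!r} is not in users.admin")
    return findings


if __name__ == "__main__":
    for line in audit(BROKEN):
        print(line)
```

Run against the configuration produced by the unquoted `admin` form of the command, `audit` returns an empty list.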
