Keycloak integration problem with JupyterHub - keycloak

I have Keycloak deployed and running in a k8s cluster via a Helm release.
There is a client 'styx' configured for JupyterHub in the 'dev' realm.
The client has 'Client authentication' turned on.
When the correct username and password are entered and the redirect happens from Keycloak back to JupyterHub, it fails on retrieving user info (HTTP 403 error from Keycloak).
[E 2023-01-11 02:34:20.026 JupyterHub oauth2:386] Error fetching user data 403 GET https://ceres.themodelvault.com/realms/dev/protocol/openid-connect/userinfo:
[E 2023-01-11 02:34:20.027 JupyterHub web:1798] Uncaught exception GET /hub/oauth_callback?state=eyJzdGF0ZV9pZCI6ICIzZWZiZjQzNzM4ZDA0ZmM2YTZmODdjYzk4MDAxZjkxNCIsICJuZXh0X3VybCI6ICIvaHViLyJ9&session_state=129fa2d5-c9d3-4d13-8539-7611f0e05604&code=3d9031f9-3889-4ad4-a676-4d2276e5907f.129fa2d5-c9d3-4d13-8539-7611f0e05604.0526b372-e282-401f-af45-6ea2ca2647fd (::ffff:10.0.106.200)
HTTPServerRequest(protocol='http', host='styx-dev.themodelvault.com', method='GET', uri='/hub/oauth_callback?state=eyJzdGF0ZV9pZCI6ICIzZWZiZjQzNzM4ZDA0ZmM2YTZmODdjYzk4MDAxZjkxNCIsICJuZXh0X3VybCI6ICIvaHViLyJ9&session_state=129fa2d5-c9d3-4d13-8539-7611f0e05604&code=3d9031f9-3889-4ad4-a676-4d2276e5907f.129fa2d5-c9d3-4d13-8539-7611f0e05604.0526b372-e282-401f-af45-6ea2ca2647fd', version='HTTP/1.1', remote_ip='::ffff:10.0.106.200')
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/tornado/web.py", line 1713, in _execute
result = await result
File "/usr/local/lib/python3.9/site-packages/oauthenticator/oauth2.py", line 222, in get
user = await self.login_user()
File "/usr/local/lib/python3.9/site-packages/jupyterhub/handlers/base.py", line 801, in login_user
authenticated = await self.authenticate(data)
File "/usr/local/lib/python3.9/site-packages/jupyterhub/auth.py", line 491, in get_authenticated_user
authenticated = await maybe_future(self.authenticate(handler, data))
File "/usr/local/lib/python3.9/site-packages/oauthenticator/generic.py", line 165, in authenticate
user_data_resp_json = await self._get_user_data(token_resp_json)
File "/usr/local/lib/python3.9/site-packages/oauthenticator/oauth2.py", line 387, in fetch
raise e
File "/usr/local/lib/python3.9/site-packages/oauthenticator/oauth2.py", line 366, in fetch
resp = await self.http_client.fetch(req, **kwargs)
tornado.httpclient.HTTPClientError: HTTP 403: Forbidden
UPD: Fixed with https://keycloak.discourse.group/t/issue-on-userinfo-endpoint-at-keycloak-20/18461

Fixed with openid scope as explained in https://keycloak.discourse.group/t/issue-on-userinfo-endpoint-at-keycloak-20/18461
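A pre-flight check for the condition behind this fix, as an added example that is not part of the original post or of oauthenticator: it inspects a token response and reports whether `openid` was granted before the userinfo call is made. The token responses are constructed samples, and `make_sample_token`, `granted_scopes` and `userinfo_precheck` are hypothetical helper names.

```python
import base64
import json

# Assumed form of the fix in jupyterhub_config.py (not run here):
#   c.GenericOAuthenticator.scope = ["openid"]

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(scope: str) -> str:
    """Build a constructed, unsigned JWT-shaped access token for the demo."""
    claims = {"sub": "demo-user", "scope": scope}
    return ".".join([_b64url({"alg": "none"}), _b64url(claims), "sig"])

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_scopes(token_response: dict) -> set:
    """Scopes from the token response, falling back to the token's scope claim."""
    scope = token_response.get("scope")
    if scope is None:
        scope = jwt_claims(token_response["access_token"]).get("scope", "")
    return set(scope.split())

def userinfo_precheck(token_response: dict) -> str:
    if "openid" in granted_scopes(token_response):
        return "ok"
    return "openid scope missing: expect the userinfo request to be refused"

# Constructed token responses: one requested without openid, one with it.
WITHOUT_OPENID = {"access_token": make_sample_token("profile email")}
WITH_OPENID = {
    "access_token": make_sample_token("openid profile email"),
    "scope": "openid profile email",
}

if __name__ == "__main__":
    for name, resp in (("without", WITHOUT_OPENID), ("with", WITH_OPENID)):
        print(name, "->", userinfo_precheck(resp))
```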

Related

JupyterHub starting notebook progress doesn't work with 403 error (stopping server also produces 403)

We have JupyterHub installed in a k8s cluster with authentication through Keycloak. JupyterHub is installed by the jupyterhub Helm chart version 2.0.0 from the https://jupyterhub.github.io/helm-chart repository.
When a user is authenticated and runs a server, the page with the message "Your server is starting up. You will be redirected automatically when it's ready for you." doesn't show any progress and the hub logs the following error: "Action is not authorized with current scopes; requires any of [read:servers]"
Full log is:
[I 2023-01-11 16:41:08.977 JupyterHub app:2775] Running JupyterHub version 3.0.0
[I 2023-01-11 16:41:08.978 JupyterHub app:2805] Using Authenticator: oauthenticator.generic.GenericOAuthenticator-15.1.0
[I 2023-01-11 16:41:08.978 JupyterHub app:2805] Using Spawner: kubespawner.spawner.KubeSpawner-4.2.0
[I 2023-01-11 16:41:08.978 JupyterHub app:2805] Using Proxy: jupyterhub.proxy.ConfigurableHTTPProxy-3.0.0
[I 2023-01-11 16:41:09.049 JupyterHub roles:183] Role attribute user.scopes has been changed
[I 2023-01-11 16:41:09.061 JupyterHub app:1934] Not using allowed_users. Any authenticated user will be allowed.
...
...
...
[W 2023-01-11 16:41:44.763 JupyterHub base:89] Blocking Cross Origin API request. Referer: https://styx-dev.themodelvault.com/hub/spawn-pending/stasdavydov, Host: styx-dev.themodelvault.com, Host URL: http://styx-dev.themodelvault.com/hub/
[W 2023-01-11 16:41:44.763 JupyterHub scopes:804] Not authorizing access to /hub/api/users/stasdavydov/server/progress. Requires any of [read:servers], not derived from scopes []
[W 2023-01-11 16:41:44.763 JupyterHub web:1796] 403 GET /hub/api/users/stasdavydov/server/progress (::ffff:10.0.138.202): Action is not authorized with current scopes; requires any of [read:servers]
[W 2023-01-11 16:41:44.766 JupyterHub log:186] 403 GET /hub/api/users/stasdavydov/server/progress (@::ffff:10.0.138.202) 4.57ms
The same problem happens when stopping the server: API request failed (403): Action is not authorized with current scopes; requires any of [delete:servers].
UPD: I found a similar problem explained but didn't see a solution: https://discourse.jupyter.org/t/cross-origin-issue-upgrading-from-1-5/15428
I would appreciate any suggestions about how to fix this.
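A triage helper for the "Blocking Cross Origin API request" warning in the log above, as an added example that is not part of the original post or of JupyterHub: it parses the warning and reports which URL component differs between the Referer and the Host URL the hub computed. The first sample line is copied from the log above, the second is constructed, and `explain_block` is a hypothetical name.

```python
import re
from urllib.parse import urlsplit

# Matches the warning format shown in the hub log on this page.
BLOCK_RE = re.compile(
    r"Blocking Cross Origin API request\.\s+Referer: (?P<referer>\S+), "
    r"Host: (?P<host>\S+), Host URL: (?P<host_url>\S+)"
)

def explain_block(line: str):
    """Return the list of differing components, or None if the line is not a block warning."""
    m = BLOCK_RE.search(line)
    if m is None:
        return None
    referer = urlsplit(m.group("referer"))
    hub = urlsplit(m.group("host_url"))
    diffs = []
    if referer.scheme != hub.scheme:
        diffs.append(f"scheme: referer={referer.scheme} hub={hub.scheme}")
    if referer.netloc != hub.netloc:
        diffs.append(f"host: referer={referer.netloc} hub={hub.netloc}")
    if not referer.path.startswith(hub.path):
        diffs.append(f"path: referer={referer.path} not under {hub.path}")
    return diffs

# Line taken from the log on this page.
PAGE_LINE = (
    "[W 2023-01-11 16:41:44.763 JupyterHub base:89] Blocking Cross Origin API "
    "request. Referer: https://styx-dev.themodelvault.com/hub/spawn-pending/stasdavydov, "
    "Host: styx-dev.themodelvault.com, Host URL: http://styx-dev.themodelvault.com/hub/"
)
# Constructed line: a Referer from a different host.
CONSTRUCTED_LINE = (
    "[W 2023-01-11 16:50:00.000 JupyterHub base:89] Blocking Cross Origin API "
    "request. Referer: https://other.example.org/page, "
    "Host: hub.example.org, Host URL: https://hub.example.org/hub/"
)

if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        print(explain_block(line))
```

For the line from this page the only difference is the scheme (Referer `https`, Host URL `http`), which suggests checking whether the TLS-terminating proxy in front of the hub forwards the original request protocol.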

Error sending notification webhook: 503 in Ansible AWX

In AWX 21.0.0, when I set a notification Webhook to a target API and I test it, I got the following message:
Error sending notification webhook: 503
If, from the AWX server I try to call the same external URL with curl, I got a response without issue.
After some logs search, we found these:
2022-12-19 08:42:27,917 ERROR [b38e3ee645b5457b8e726338581efb81] awx.main.notifications.webhook_backend Error sending notification webhook: 503
2022-12-19 08:42:27,919 ERROR [b38e3ee645b5457b8e726338581efb81] awx.main.tasks.system Send Notification Failed Error sending notification webhook: 503
Traceback (most recent call last):
File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/main/tasks/system.py", line 293, in send_notifications
sent = notification.notification_template.send(notification.subject, notification.body)
File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/main/models/notifications.py", line 185, in send
return backend_obj.send_messages([notification_obj])
File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/main/notifications/webhook_backend.py", line 81, in send_messages
raise Exception(smart_str(_("Error sending notification webhook: {}").format(r.status_code)))
Exception: Error sending notification webhook: 503
It doesn't help us much, but at least, we got some logs.
It appears that it was because of a proxy configured in AWX. Excluding the target from using that proxy made it work.

Google API Client Error: the caller does not have permission

I'm trying to use the Google API Client to gain access to a Google Doc. I get the following error:
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://docs.googleapis.com/v1/documents/1Dc82X_w8UsyZnJe5JEh4E0wNdfbw-_nhVWXwgEJ4HVg?alt=json returned "The caller does not have permission". Details: "The caller does not have permission">
The error comes up in the file extract_text.py, which I got from here: https://developers.google.com/docs/api/samples/extract-text
Specifically, the error shows up at this line when it's obtaining the document's ID:
doc = docs_service.documents().get(documentId=documentID).execute()
The error states that my request has invalid authentication credentials (https://cloud.google.com/asset-inventory/docs/faq). I have made sure that I set up the OAuth correctly.

failed to run jupyterhub when changing default port

I'm trying to set up jupyterhub. The 8000 is used for a different program, so I have to use a different port.
I changed the file /etc/jupyterhub/jupyterhub_config.py, adding/uncommenting:
c.JupyterHub.hub_port = 9003
c.JupyterHub.ip = '111.111.11.1'
c.JupyterHub.port = 9002
c.ConfigurableHTTPProxy.api_url = 'http://127.0.0.1:9000'
When I tried to run jupyterhub, I got the error:
[W 2020-06-03 14:48:48.930 JupyterHub proxy:554] Stopped proxy at pid=47639
[W 2020-06-03 14:48:48.932 JupyterHub proxy:643] Running JupyterHub without SSL. I hope there is SSL termination happening somewhere else...
[I 2020-06-03 14:48:48.932 JupyterHub proxy:646] Starting proxy @ http://111.111.11.1:9002/
14:48:49.301 [ConfigProxy] info: Proxying http://111.111.11.1:9002 to (no default)
14:48:49.307 [ConfigProxy] info: Proxy API at http://127.0.0.1:9000/api/routes
14:48:49.315 [ConfigProxy] error: Uncaught Exception
[E 2020-06-03 14:48:49.437 JupyterHub app:2718]
Traceback (most recent call last):
File "/home/user/miniconda/2020.02/python/3.7/lib/python3.7/site-packages/jupyterhub/app.py", line 2716, in launch_instance_async
await self.start()
File "/home/user/miniconda/2020.02/python/3.7/lib/python3.7/site-packages/jupyterhub/app.py", line 2524, in start
await self.proxy.get_all_routes()
File "/home/user/miniconda/2020.02/python/3.7/lib/python3.7/site-pack#c.JupyterHub.hub_ip = '127.0.0.1'
ages/jupyterhub/proxy.py", line 806, in get_all_routes
resp = await self.api_request('', client=client)
File "/home/user/miniconda/2020.02/python/3.7/lib/python3.7/site-packages/jupyterhub/proxy.py", line 774, in api_request
result = await client.fetch(req)
tornado.httpclient.HTTPClientError: HTTP 403: Forbidden
What is the correct way to install jupyterhub on a port other than 8000?
Thanks.
I think some of these parameters are now obsolete, so it may depend which version you are running, but I'll assume JupyterHub 1.0+.
There are a few different services that make up JupyterHub, and the 'hub' service, confusingly, is not actually the one you are concerned with. The proxy is the main entrypoint to the application, and it proxies traffic to the hub by default, and to specific user Jupyter servers if the traffic is to a /user/ URL.
In addition, the 'hub' service also has an API endpoint that user servers can access directly (this doesn't go through the proxy). And the proxy has an extra API endpoint too, for direct access from the hub...
It is the proxy service that defaults to port 8000. To change to 80, for example try this:
## The public facing URL of the whole JupyterHub application.
#
# This is the address on which the proxy will bind. Sets protocol, ip, base_url
c.JupyterHub.bind_url = 'https://0.0.0.0:80'

"Access is denied due to invalid credentials" REST API error. How to solve?

I followed the documentation here: and here: Trying to integrate to a Personality Insights service via Android Java.
However, after the app runs, and using the correct username and password as mentioned in the guide... (the guide is not clear (2nd bullet point in "Before you begin") on which set of credentials to use - It says get the "service credentials" and credentials from the new service created - I tried with both and both fail with the same error below.)
Error:
12-11 01:49:56.201 29584-29632/? I/CredentialUtils: JNDI string lookups is not available.
12-11 01:49:56.269 29584-29632/? D/NetworkSecurityConfig: No Network Security Config specified, using platform default
12-11 01:49:56.723 29584-29632/? D/OkHttp: --> POST https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13 http/1.1 (1297-byte body)
12-11 01:49:56.803 29584-29632/? D/OkHttp: <-- 401 Not Authorized https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13 (78ms, unknown-length body)
12-11 01:49:56.863 29584-29632/? E/WatsonService: POST https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13, status: 401, error: Not Authorized
12-11 01:49:56.865 29584-29632/? E/ERROR: Unauthorized: Access is denied due to invalid credentials
com.ibm.watson.developer_cloud.service.exception.UnauthorizedException: Unauthorized: Access is denied due to invalid credentials
at com.ibm.watson.developer_cloud.service.WatsonService.processServiceCall(WatsonService.java:492)
at com.ibm.watson.developer_cloud.service.WatsonService$2.execute(WatsonService.java:254)
at com.upen.personalityapp.MainActivity$RetrieveFeedTask.doInBackground(MainActivity.java:105)
at com.upen.personalityapp.MainActivity$RetrieveFeedTask.doInBackground(MainActivity.java:87)
at android.os.AsyncTask$2.call(AsyncTask.java:306)
at java.util.concurrent.FutureTask.run(FutureTask.java:237)
at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:244)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:761)
12-11 01:49:56.866 29584-29584/?
This is the code I am using; I am trying to pass a "text" input to the service.
service = new PersonalityInsights("2017-10-13");
service.setUsernameAndPassword("{myUsername}", "{myPassword}");
Profile profile = service.getProfile(text).execute();
System.out.println(profile);
return profile.toString();
I am using the com.ibm.watson.developer_cloud:personality-insights:3.8.0 dependency.
I tried connecting to the URL in the error (https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13 ) via a browser. It prompts for a username/password combo. I entered my details from my IBM Cloud Lite service but it throws the HTTP Error 405. Is this how it's supposed to work on the browser?
For someone in the future;
Instead of service.setUsernameAndPassword(username, password);, I tried service.setUsernameAndPassword("username", "password"); and it worked.